On Mon, Apr 23, 2018 at 5:58 PM, Miro Hrončok <mhroncok(a)redhat.com> wrote:
On 23.4.2018 17:45, Andrei Stepanov wrote:
>
> On Mon, Apr 23, 2018 at 5:31 PM, Miro Hrončok <mhroncok(a)redhat.com> wrote:
>
> On 23.4.2018 12:55, Andrei Stepanov wrote:
>
> Miro, Hi!
>
>
> Hi Andrei, thanks for your answer.
>
> Please check how you run tests.
> From the snippet I see that you run as ordinary user.
> ansible-playbook must be run as root.
>
>
> I run the tests as a regular user, I want them to be executed in a
> container, being root inside. That should not require me to run it
> as root.
>
> More logs also would be fine.
>
>
> The logs are not helpful, because they indicate the problem: I'm not
> root. Yet I've attached it.
>
> So let me rephrase the question:
>
> How do I, as a regular user of my developer machine, run the tests
> in a docker container, being root in the container?
>
> Note that I can run docker without sudo.
>
> I don't want the ansible playbook to start creating files in my own
> /usr/local/bin. Which is what I believe would happen if I run it as
> root. I want it to:
>
>
>
> From: https://fedoraproject.org/wiki/CI/Standard_Test_Interface
>
> * MUST execute the playbook as root
>
I want to execute the playbook as root inside a container.
There are test-runner and test-environment (
https://fedoraproject.org/wiki/CI/Standard_Test_Interface)
Standard_Test_Interface expects that tests start at test-runner.
There could be some preparation steps on test-runner (like installing
packages, etc). To make this possible, STI defines unified requirements:
"MUST execute the playbook as root" on test-runner.
CI pipeline runs all playbooks with root credentials.
Also there should be an env variable:
>
> https://fedoraproject.org/wiki/CI/Standard_Test_Roles#Inventory
>
> export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo
> /usr/share/ansible/inventory)
>
Doesn't change a thing.
Miro, may I ask: how do you see the system starting
TEST_SUBJECTS=docker:docker.io/library/fedora:26 with
ordinary user credentials?
>
[tests (master)]$ whoami
churchyard
[tests (master)]$ docker run -ti fedora:rawhide /bin/bash
[root@397fa7f75863 /]# whoami
root
[root@397fa7f75863 /]# exit
exit
Could you please say: id churchyard ?
The point is: a user that can start/stop/act on containers can make any
modification to the whole system. It is the same as acting from the root account.
Short: "Giving them full root access to the host system."
Long:
https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-...
If there is no simple way to run the test in mock/container/VM, with a
simple command, I'm afraid the whole idea of how the CI is designed is
flawed, because the barrier to cross before I can even write and execute a
minimal smoke test is extremely high. If this is not possible through
ansible, please provide a wrapper that does exactly this:
* spins up a mock/docker/VM/etc.
* copies/mounts/etc. the tests inside
* installs the selected rpm package inside
* executes the ansible playbook as root inside
* reports the tests result outside
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
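
The "id churchyard" question above is about whether an account reaches the Docker daemon through group membership. As an added example (not code from this thread or from the Fedora CI project), the following lists every account with such access, either as a supplementary member or through its primary GID. The function names are hypothetical, the group name "docker" is assumed to be the one owning the daemon socket, and the passwd/group data is constructed.

```sh
#!/bin/sh
# Added example: list accounts that reach the Docker daemon via group membership.
# docker_group_users and sample_audit are hypothetical helper names.

# Usage: docker_group_users [group_file] [passwd_file] [group_name]
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}   # assumption: the daemon socket is owned by this group

    awk -F: -v g="$group_name" '
        # group file: remember the GID and every supplementary member
        kind == "group" && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        # passwd file: accounts whose primary group is the target group
        kind == "passwd" && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' kind=group "$group_file" kind=passwd "$passwd_file" | sort
}

# Constructed sample data, not taken from any machine in the thread.
sample_audit() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:977:alice,bob
users:x:100:
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
buildbot:x:1003:977::/home/buildbot:/sbin/nologin
EOF
    docker_group_users "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

sample_audit
```

Called without arguments, docker_group_users reads /etc/group and /etc/passwd. It covers group-based access only; socket permissions changed by hand or sudo rules need a separate check.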