On Mon, Apr 23, 2018 at 5:58 PM, Miro Hrončok <mhroncok@redhat.com> wrote:
On 23.4.2018 17:45, Andrei Stepanov wrote:

On Mon, Apr 23, 2018 at 5:31 PM, Miro Hrončok <mhroncok@redhat.com> wrote:

    On 23.4.2018 12:55, Andrei Stepanov wrote:

        Miro, Hi!


    Hi Andrei, thanks for your answer.

        Please check how you run tests.
        From the snippet I see that you run as an ordinary user.
        ansible-playbook must be run as root.


    I run the tests as a regular user, I want them to be executed in a
    container, being root inside. That should not require me to run it
    as root.

        More logs also would be fine.


    The logs are not helpful, because they indicate the problem: I'm not
    root. Yet I've attached it.

    So let me rephrase the question:

    How do I, as a regular user of my developer machine, run the tests
    in a docker container, being root in the container?

    Note that I can run docker without sudo.

    I don't want the ansible playbook to start creating files in my own
    /usr/local/bin. Which is what I believe would happen if I run it as
    root. I want it to:



From: https://fedoraproject.org/wiki/CI/Standard_Test_Interface

  * MUST execute the playbook as root

I want to execute the playbook as root inside a container.

There are a test-runner and a test-environment (https://fedoraproject.org/wiki/CI/Standard_Test_Interface)

Standard_Test_Interface expects that tests start at the test-runner.

There could be some preparation steps on the test-runner (like installing packages, etc). To make this possible, STI defines a unified requirement: "MUST execute the playbook as root" on the test-runner.

The CI pipeline runs all playbooks with root credentials.


Also there should be an env variable:
https://fedoraproject.org/wiki/CI/Standard_Test_Roles#Inventory

export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory)

Doesn't change a thing.

Miro, may I ask: how do you see the system starting TEST_SUBJECTS=docker:docker.io/library/fedora:26 with ordinary user credentials?

[tests (master)]$ whoami
churchyard
[tests (master)]$ docker run -ti fedora:rawhide /bin/bash
[root@397fa7f75863 /]# whoami
root
[root@397fa7f75863 /]# exit
exit




Could you please say: id churchyard?
The point is: a user that can start/stop/act on containers can make any modification to the whole system. It is the same as acting from the root account.
Short: "Giving them full root access to the host system."
Long: https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

 
If there is no simple way to run the test in mock/container/VM, with a simple command, I'm afraid the whole idea of how the CI is designed is flawed, because the barrier to cross before I can even write and execute a minimal smoke test is extremely high. If this is not possible through ansible, please provide a wrapper that does exactly this:

 * spins up a mock/docker/VM/etc.
 * copies/mounts/etc. the tests inside
 * installs the selected rpm package inside
 * executes the ansible playbook as root inside
 * reports the tests result outside


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
CI mailing list -- ci@lists.fedoraproject.org
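
The point raised in the thread above, that an account able to act on containers is effectively root on the host, can be audited by listing which accounts may write to the Docker daemon's socket. This is an added example, not part of the original messages: the function name `socket_writers`, the passwd/group contents and GID 977 are constructed, and the socket is assumed to be owned root:docker with mode 0660.

```python
import stat

# Constructed sample data (not from the thread): passwd/group file contents.
# The socket is assumed to be owned by uid 0, gid 977 ("docker"), mode 0660.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
churchyard:x:1000:1000::/home/churchyard:/bin/bash
builder:x:1001:977::/home/builder:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:977:churchyard
churchyard:x:1000:
guest:x:1002:
"""


def socket_writers(passwd_text, group_text, sock_uid, sock_gid, sock_mode):
    """Return sorted user names allowed to write to (i.e. control) the socket."""
    users = {}  # name -> (uid, primary gid)
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    supplementary = set()  # names listed as members of the socket's group
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and int(f[2]) == sock_gid:
            supplementary.update(m for m in f[3].split(",") if m)
    writers = set()
    for name, (uid, gid) in users.items():
        if uid == 0:
            ok = True  # root bypasses the permission bits
        elif uid == sock_uid:
            ok = bool(sock_mode & stat.S_IWUSR)
        elif gid == sock_gid or name in supplementary:
            # Users whose primary group owns the socket are not listed
            # in the group file's member field, so check the gid as well.
            ok = bool(sock_mode & stat.S_IWGRP)
        else:
            ok = bool(sock_mode & stat.S_IWOTH)
        if ok:
            writers.add(name)
    return sorted(writers)


if __name__ == "__main__":
    print(socket_writers(SAMPLE_PASSWD, SAMPLE_GROUP, 0, 977, 0o660))
```

On a real host the three socket arguments would come from `os.stat()` on the daemon socket, and every name returned should be treated as holding root on that machine.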