On 23.4.2018 18:18, Andrei Stepanov wrote:
I want to execute the playbook as root inside a container.
There are test-runner and test-environment
(https://fedoraproject.org/wiki/CI/Standard_Test_Interface)
I understood that this is a specification. As a user, I'm not really
interested in a specification, I want to be able to create integration
tests with ease. I feel lost in all the MUSTs, etc.
Standard_Test_Interface expects that tests start at test-runner.
There could be some preparation steps on test-runner (like installing
packages, etc). To make this possible, STI defines unified
requirements: "MUST execute the playbook as root" on test-runner.
CI pipeline runs all playbooks with root credentials.
I understand that. Yet I struggle to understand the following:
How do I test that my tests are correct without running them on my own
machine under root? Please provide examples, preferably link to a how to
(or if it is not yet documented, we can do that together).
Could you please say: id churchyard ?
I'm in the docker group.
uid=1000(churchyard) gid=1000(churchyard)
groups=1000(churchyard),10(wheel),18(dialout),135(mock),1002(taskotron),1004(docker)
The point is: a user that can start/stop/act on containers can make any
modification to the whole system. It is the same as acting from the root account.
Short: "Giving them full root access to the host system."
Long:
https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-...
I understand that this is not secure. However I wrote the tests and I am
not running some arbitrary (possibly malicious) code. I just want to do
this to keep the tests from creating and modifying files on my system.
-----------------------
Let me explain a bit about what my "goal" is, so we are not burning time
on Y problem.
I wrote a script that runs some commands (pdflatex in particular). If
that script exits with 0, I consider it good. If it exits with >0, I
consider it bad. I can successfully run the script on my machine to test
if my pdflatex works as expected.
Now I want to put this into CI, so when a new version of texlive is
built, this script runs on a system with the newly built latex. If it
fails, somebody needs to be notified.
In order to do this, I went through [1] and I created a bunch of
boilerplate in yaml to run the script (which is tedious, but acceptable,
I guess).
Now I want to verify that my yaml boilerplate works. I want to say:
run-this-standard-test-in-docker --image fedora:rawhide \
--nvr texlive-2017-3.fc29
Yet I struggle to find a way how.
Note that the following works for me as well:
run-this-standard-test-in-mock --mock fedora-rawhide-x86_64 \
--nvr texlive-2017-3.fc29
[1] https://fedoraproject.org/wiki/CI/Tests#Wrapping
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok