Changes rock base to bare

Switching to a bare-based image will reduce the overall image size and reduces attack surface area. The image is supposed to run a script, thus we need a few packages installed. Switch the container user to root. It is supposed to have access to certain host folders through hostPath mounts, and thus, it should be able to modify them (e.g.: create /var/log/sriovdp folder). We can no longer use ensure_image_contains_paths to check if files exist in the rock images, since they are now bare-based. Instead, we can use ensure_image_contains_paths_bare, which checks the image layers instead. Because of this, we need sufficient permissions to check the /var/lib/docker folder. Adds an extra sanity check during the integration test, making sure that there is no error reported in Pebble while starting the service.
canonical · Oct 28, 2024 · 33e1b34 · 33e1b34
1 parent 62e0929
commit 33e1b34
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 6 deletions.
diff --git a/3.6.2/rockcraft.yaml b/3.6.2/rockcraft.yaml
@@ -11,9 +11,8 @@ description: |
 license: Apache-2.0
 version: 3.6.2
 
-base: ubuntu@22.04
+base: bare
 build-base: ubuntu@22.04
-run-user: _daemon_
 
 platforms:
   amd64:
@@ -34,6 +33,18 @@ services:
 entrypoint-service: install-cni
 
 parts:
+  add-base-files:
+    plugin: nil
+    stage-packages:
+      - base-files
+      - bash
+      - coreutils
+      - gawk
+    override-build: |
+      # Need to add symlink to awk.
+      mkdir -p $CRAFT_PART_INSTALL/usr/bin
+      ln -s gawk $CRAFT_PART_INSTALL/usr/bin/awk
+
   build-deps:
     plugin: nil
     build-snaps:

diff --git a/tests/integration/test_sriov_net_device_plugin.py b/tests/integration/test_sriov_net_device_plugin.py
@@ -7,7 +7,7 @@
 from pathlib import Path
 
 from k8s_test_harness import harness
-from k8s_test_harness.util import env_util, k8s_util
+from k8s_test_harness.util import constants, env_util, k8s_util
 
 LOG = logging.getLogger(__name__)
 
@@ -71,3 +71,20 @@ def test_integration_sriov_ndp(tmp_path: Path, module_instance: harness.Instance
     k8s_util.wait_for_daemonset(
         module_instance, "kube-sriov-device-plugin-amd64", "kube-system"
     )
+
+    # Sanity check: make sure there isn't an error in Pebble that it couldn't start the service.
+    process = module_instance.exec(
+        [
+            "k8s",
+            "kubectl",
+            "logs",
+            "-n",
+            constants.K8S_NS_KUBE_SYSTEM,
+            "daemonset.apps/kube-sriov-device-plugin-amd64",
+        ],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+
+    assert '(Start service "install-cni") failed' not in process.stdout
diff --git a/tests/sanity/test_sriov_net_device_plugin.py b/tests/sanity/test_sriov_net_device_plugin.py
@@ -20,7 +20,7 @@ def test_sriov_dpdk_rock():
     image = rock.image
 
     # check rock filesystem.
-    docker_util.ensure_image_contains_paths(image, ROCK_EXPECTED_FILES)
+    docker_util.ensure_image_contains_paths_bare(image, ROCK_EXPECTED_FILES)
 
     # check binary.
     process = docker_util.run_in_docker(image, ["sriovdp", "--help"], False)
@@ -31,5 +31,5 @@ def test_sriov_dpdk_rock():
     assert "DDPTool version 1.0.1.12" in process.stdout
 
     # check /entrypoint.sh script.
-    process = docker_util.run_in_docker(image, ["/entrypoint.sh"], False)
+    process = docker_util.run_in_docker(image, ["bash", "-x", "/entrypoint.sh"], False)
     assert "open /etc/pcidp/config.json: no such file or directory" in process.stderr
diff --git a/tests/tox.ini b/tests/tox.ini
@@ -35,8 +35,10 @@ commands =
 description = Run integration tests
 deps =
     -r {tox_root}/requirements-test.txt
+allowlist_externals =
+    sudo
 commands =
-    pytest -v \
+    sudo -E {envpython} -m pytest -v \
         --maxfail 1 \
         --tb native \
         --log-cli-level DEBUG \