fedora-ci / mini-tps

Installability test for RPMs
GNU General Public License v2.0

Installability tests fail when testing core packages #64

Open LecrisUT opened 1 month ago

LecrisUT commented 1 month ago

See for example systemd PR, most tests fail or are skipped because system-udev is pre-installed. Any ideas how to unblock these tests? What about running these in a chroot, rpm-ostree or any other way to isolate these environments?

ppisar commented 1 month ago

"dnf --installroot=/some/directory install system-udev" will install system-udev (and its dependencies) to an empty system. Empty from RPM and DNF point of view.

Though, I don't know whether it is implemented with chroot or whether it isolates other namespaces. That means fancy RPM scriptlets which inspect running processes or expect mounted /proc or /sys might fail.

Mock is good at creating an empty system (it populates /etc/localtime and maybe more). If you redefined what "mock init" does (config_opts['chroot_setup_cmd']) to "install system-udev", you would get a neat test.

Another option is to install the packages with the "dnf reinstall" command.

ppisar commented 1 month ago

> Another option is to install the packages with the "dnf reinstall" command.

No. DNF errors if the package has not yet been installed.

LecrisUT commented 1 month ago

I think making sure to run dnf with --installroot would be the best solution. AFAIK these changes need to be done in this repo. Would it work to override YUMDNFCMD to have the default flag? E.g. for commands like history?

https://github.com/fedora-ci/mini-tps/blob/7bdb084bfa8ef31ab28cdac5c4d37baabd667176/mtps-setup#L38-L49

How does the AVC check work with a different root?

LecrisUT commented 1 month ago

Oh, I actually meant to ping @jpopelka about these issues.

ppisar commented 1 month ago

I believe that "dnf --installroot" is a disguise for "rpm --root". rpm(8) reads:

       --root DIRECTORY
              Use the file system tree rooted at DIRECTORY for all operations. Note that this means
              the database within DIRECTORY will be used for dependency checks and any scriptlet(s)
              (e.g. %post if installing, or %prep if building, a package) will be run after a
              chroot(2) to DIRECTORY.

              Note that rpm assumes the environment inside the root is set up by the caller, such as
              any mounts needed for the operation inside the root directory.

So it's a chroot.

Regarding AVC, SELinux evaluates rules on labels. Not on file names. The only place where file names are used is default file labels. But default labels are computed by userspace, which will read them from the chrooted file system and evaluate them relative to its chroot. So I don't think it's a problem. I recommend contacting an RPM maintainer for more details.

keszybz commented 1 month ago

> "dnf --installroot=/some/directory install system-udev" will install system-udev (and its dependencies) to an empty system. Empty from RPM and DNF point of view.

+1. I just wrote something similar on the mailing list before looking here.

My version:

```
dnf install --enablerepo=/path/to/repo/with/updates --installroot=/var/tmp/inst-package1 \
    /path/to/repo/with/updates/package1.rpm
dnf install --enablerepo=/path/to/repo/with/updates --installroot=/var/tmp/inst-package2 \
    /path/to/repo/with/updates/package2.rpm
```

The invocation of dnf should be wrapped in 'bwrap' to set up /dev, /proc for the invocation.
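
The approach discussed in this thread, as an added example that is not part of any comment above and is not mini-tps code: one fresh `--installroot` per package, with `bwrap` mounting /dev and /proc inside that root so scriptlets see them after rpm's chroot(2). The function name, the `updates` repo id, the `DRY_RUN` switch, and the use of `--repofrompath` and `--releasever` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not mini-tps code). All names and paths here are assumptions.

# install_in_fresh_root BASE_DIR REPO_DIR RELEASEVER RPM_PATH
#   Installs one RPM into its own empty root so preinstalled packages on the
#   host (the problem reported in this issue) cannot mask an install failure.
#   With DRY_RUN set, prints the command instead of running it.
install_in_fresh_root() {
    base=$1
    repo=$2
    releasever=$3
    rpm=$4

    # One root per package: the rpmdb in it starts empty for every test.
    root="$base/inst-$(basename "$rpm" .rpm)"

    # Never reuse a root; a leftover rpmdb would make the result meaningless.
    if [ -e "$root" ]; then
        echo "refusing to reuse existing root: $root" >&2
        return 2
    fi

    # rpm expects the caller to prepare mounts inside the root. bwrap creates
    # them in a private mount namespace, so they vanish when dnf exits and
    # never appear on the host. --releasever is needed because an empty root
    # has no release package to detect the version from.
    set -- bwrap --bind / / \
        --dev "$root/dev" --proc "$root/proc" \
        --die-with-parent \
        dnf -y --installroot="$root" --releasever="$releasever" \
        --repofrompath="updates,$repo" \
        install "$rpm"

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
        return 0
    fi

    # Mount points must exist before bwrap can mount over them.
    mkdir -p "$root/dev" "$root/proc" || return 1
    "$@"
}
```

Run it as root, since rpm needs chroot(2); set `DRY_RUN=1` to inspect the command line first.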