diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 39c5c9a..29b7e55 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -98,6 +98,12 @@ jobs: python: "3" - platform: "astralinux_1_7" python: "3" + - platform: "rockylinux_8" + python: "3" + - platform: "rockylinux_9" + python: "3" + - platform: "rockylinux_10" + python: "3" env: BASE_SIGN: "${{ matrix.platform }}-py${{ matrix.python }}" diff --git a/Dockerfile--rockylinux_10.tmpl b/Dockerfile--rockylinux_10.tmpl new file mode 100644 index 0000000..b3a13fa --- /dev/null +++ b/Dockerfile--rockylinux_10.tmpl @@ -0,0 +1,107 @@ +################################################################################ +# Testgres OsOperations. Docker file for RockLinux 10. +# +# Authors: +# - Marg.G (mark@google.com) +# +ARG PYTHON_VERSION=3 + +# --------------------------------------------- base1 +FROM rockylinux/rockylinux:10 AS base1 + +# In RHEL 9/10, the repository for dev packages is called CRB (instead of powertools) +RUN dnf install -y 'dnf-command(config-manager)' && \ + dnf config-manager --set-enabled crb + +# Consolidating system utilities, including iproute (to prevent tests from failing) +# Added the --allowerasing flag so dnf can seamlessly replace curl-minimal with full-fledged curl +RUN dnf install -y --allowerasing \ + sudo \ + curl \ + ca-certificates \ + openssh-server \ + openssh-clients \ + sshpass \ + time \ + util-linux \ + procps-ng \ + iproute \ + git \ + && dnf clean all + +# In RHEL 9/10, to generate host keys inside Docker, you need to call this binary +RUN /usr/libexec/openssh/sshd-keygen rsa && \ + /usr/libexec/openssh/sshd-keygen ed25519 + +# --------------------------------------------- base2_with_python-3 +FROM base1 AS base2_with_python-3 + +# Rocky 9/10 installs python3.9 or higher (depending on the repository) +RUN dnf install -y \ + python3 \ + python3-devel \ + && dnf clean all + +ENV PYTHON_BINARY=/usr/bin/python3 + +# --------------------------------------------- final +FROM base2_with_python-${PYTHON_VERSION} AS final + +EXPOSE 22 + +RUN useradd -m test && usermod -aG wheel test + +# Enable sudo without a password +RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers + +# HACK FOR RHEL 9/10: Allow legacy key types and disable UsePAM. +# Additionally, allow passwordless root/test authentication for testing. +RUN echo "test:*" | chpasswd -e && \ + sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config && \ + echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/sshd_config + +COPY --chown=test:test . /home/test/testgres +WORKDIR /home/test/testgres + +ENV LANG=C.UTF-8 + +RUN chmod 700 /home/test/ && \ + mkdir -p /home/test/.ssh && \ + chown -R test:test /home/test/.ssh + +# Our ENTRYPOINT with a stub +ENTRYPOINT ["sh", "-c", " \ + set -eux; \ + echo 'SYSTEM START: PREPARING SSH'; \ + /usr/sbin/sshd; \ + ls -la /home/test/.ssh/; \ + \"$@\" \ +", "DUMMY-DUMMY-DUMMY"] + +# In CMD, we change the key generation from the deprecated -t rsa to the modern -t ed25519! +# This ensures that Rocky 9/10 will accept this key without any cryptographic policy issues. +CMD ["bash", "-c", " \ +set -eux; \ +echo \"HOME DIR IS [`realpath ~/`]\"; \ +echo \"WORK DIR IS [$(pwd)]\"; \ +if [ ! -f /home/test/.ssh/id_ed25519 ]; then \ + su test -c \"ssh-keygen -t ed25519 -f /home/test/.ssh/id_ed25519 -q -N ''\"; \ + su test -c \"cat /home/test/.ssh/id_ed25519.pub >> /home/test/.ssh/authorized_keys\"; \ + chmod 600 /home/test/.ssh/authorized_keys; \ +fi; \ +ls -la /home/test/.ssh/; \ +su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \ +su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \ +if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \ + su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \ +fi; \ +if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \ + cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + ls -la /home/test/.ssh/; \ +fi; \ +ls -la ./; \ +su test -c \"bash ./run_tests3.sh\"; \ +"] diff --git a/Dockerfile--rockylinux_8.tmpl b/Dockerfile--rockylinux_8.tmpl new file mode 100644 index 0000000..e658566 --- /dev/null +++ b/Dockerfile--rockylinux_8.tmpl @@ -0,0 +1,110 @@ +################################################################################ +# Testgres OsOperations. Docker file for RockLinux 8. +# +# Authors: +# - Marg.G (mark@google.com) +# +ARG PYTHON_VERSION=3 + +# --------------------------------------------- base1 +FROM rockylinux:8 AS base1 + +# Enable the PowerTools repository (called crb or powertools in Rocky/Alma), +# since without it, dnf won't find the python3-devel packages for building extensions. +RUN dnf install -y 'dnf-command(config-manager)' && \ + dnf config-manager --set-enabled powertools + +# Combine the installation of system utilities, SSH into one layer +RUN dnf install -y \ + sudo \ + curl \ + ca-certificates \ + openssh-server \ + openssh-clients \ + sshpass \ + time \ + util-linux \ + procps-ng \ + git \ + iproute \ + && dnf clean all + +# --------------------------------------------- base2_with_python-3 +FROM base1 AS base2_with_python-3 + +RUN dnf install -y \ + python39 \ + python39-devel \ + && dnf clean all + +ENV PYTHON_BINARY=/usr/bin/python3.9 + +# --------------------------------------------- final +FROM base2_with_python-${PYTHON_VERSION} AS final + +EXPOSE 22 +# In RHEL/CentOS, SSH host keys are generated via sshd-keygen +RUN ssh-keygen -A + +# In the RedHat family, the equivalent of the wheel/sudo group is the wheel group +RUN useradd -m test && usermod -aG wheel test + +# Enable sudo without a password +RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Setting a blank password and disabling UsePAM (like in Astra), +# since SELinux/PAM in RHEL blocks blank passwords over SSH. +# +# On local tests it produces: +# WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems. +# +# But without "sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config" remote tests +# does not work! +# +RUN echo "test:*" | chpasswd -e && \ + sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config + +COPY --chown=test:test . /home/test/testgres +WORKDIR /home/test/testgres + +ENV LANG=C.UTF-8 + +RUN chmod 700 /home/test/ && \ + mkdir -p /home/test/.ssh && \ + chown -R test:test /home/test/.ssh + +# Our proven ENTRYPOINT with a DUMMY plug +ENTRYPOINT ["sh", "-c", " \ + set -eux; \ + echo 'SYSTEM START: PREPARING SSH'; \ + /usr/sbin/sshd; \ + ls -la /home/test/.ssh/; \ + \"$@\" \ +", "DUMMY-DUMMY-DUMMY"] + +# Standard CMD for tests +CMD ["bash", "-c", " \ +set -eux; \ +echo \"HOME DIR IS [`realpath ~/`]\"; \ +echo \"WORK DIR IS [$(pwd)]\"; \ +if [ ! -f /home/test/.ssh/id_rsa ]; then \ + su test -c \"ssh-keygen -t rsa -f /home/test/.ssh/id_rsa -q -N ''\"; \ + su test -c \"cat /home/test/.ssh/id_rsa.pub >> /home/test/.ssh/authorized_keys\"; \ + chmod 600 /home/test/.ssh/authorized_keys; \ +fi; \ +ls -la /home/test/.ssh/; \ +su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \ +su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \ +if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \ + su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \ +fi; \ +if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \ + cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + ls -la /home/test/.ssh/; \ +fi; \ +ls -la ./; \ +su test -c \"bash ./run_tests3.sh\"; \ +"] diff --git a/Dockerfile--rockylinux_9.tmpl b/Dockerfile--rockylinux_9.tmpl new file mode 100644 index 0000000..a65468d --- /dev/null +++ b/Dockerfile--rockylinux_9.tmpl @@ -0,0 +1,107 @@ +################################################################################ +# Testgres OsOperations. Docker file for RockLinux 9. +# +# Authors: +# - Marg.G (mark@google.com) +# +ARG PYTHON_VERSION=3 + +# --------------------------------------------- base1 +FROM rockylinux/rockylinux:9 AS base1 + +# In RHEL 9/10, the repository for dev packages is called CRB (instead of powertools) +RUN dnf install -y 'dnf-command(config-manager)' && \ + dnf config-manager --set-enabled crb + +# Consolidating system utilities, including iproute (to prevent tests from failing) +# Added the --allowerasing flag so dnf can seamlessly replace curl-minimal with full-fledged curl +RUN dnf install -y --allowerasing \ + sudo \ + curl \ + ca-certificates \ + openssh-server \ + openssh-clients \ + sshpass \ + time \ + util-linux \ + procps-ng \ + iproute \ + git \ + && dnf clean all + +# In RHEL 9/10, to generate host keys inside Docker, you need to call this binary +RUN /usr/libexec/openssh/sshd-keygen rsa && \ + /usr/libexec/openssh/sshd-keygen ed25519 + +# --------------------------------------------- base2_with_python-3 +FROM base1 AS base2_with_python-3 + +# Rocky 9/10 installs python3.9 or higher (depending on the repository) +RUN dnf install -y \ + python3 \ + python3-devel \ + && dnf clean all + +ENV PYTHON_BINARY=/usr/bin/python3 + +# --------------------------------------------- final +FROM base2_with_python-${PYTHON_VERSION} AS final + +EXPOSE 22 + +RUN useradd -m test && usermod -aG wheel test + +# Enable sudo without a password +RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers + +# HACK FOR RHEL 9/10: Allow legacy key types and disable UsePAM. +# Additionally, allow passwordless root/test authentication for testing. +RUN echo "test:*" | chpasswd -e && \ + sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config && \ + echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/sshd_config + +COPY --chown=test:test . /home/test/testgres +WORKDIR /home/test/testgres + +ENV LANG=C.UTF-8 + +RUN chmod 700 /home/test/ && \ + mkdir -p /home/test/.ssh && \ + chown -R test:test /home/test/.ssh + +# Our ENTRYPOINT with a stub +ENTRYPOINT ["sh", "-c", " \ + set -eux; \ + echo 'SYSTEM START: PREPARING SSH'; \ + /usr/sbin/sshd; \ + ls -la /home/test/.ssh/; \ + \"$@\" \ +", "DUMMY-DUMMY-DUMMY"] + +# In CMD, we change the key generation from the deprecated -t rsa to the modern -t ed25519! +# This ensures that Rocky 9/10 will accept this key without any cryptographic policy issues. +CMD ["bash", "-c", " \ +set -eux; \ +echo \"HOME DIR IS [`realpath ~/`]\"; \ +echo \"WORK DIR IS [$(pwd)]\"; \ +if [ ! -f /home/test/.ssh/id_ed25519 ]; then \ + su test -c \"ssh-keygen -t ed25519 -f /home/test/.ssh/id_ed25519 -q -N ''\"; \ + su test -c \"cat /home/test/.ssh/id_ed25519.pub >> /home/test/.ssh/authorized_keys\"; \ + chmod 600 /home/test/.ssh/authorized_keys; \ +fi; \ +ls -la /home/test/.ssh/; \ +su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \ +su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \ +if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \ + su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \ +fi; \ +if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \ + cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \ + chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \ + ls -la /home/test/.ssh/; \ +fi; \ +ls -la ./; \ +su test -c \"bash ./run_tests3.sh\"; \ +"]