Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,12 @@ jobs:
python: "3"
- platform: "astralinux_1_7"
python: "3"
- platform: "rockylinux_8"
python: "3"
- platform: "rockylinux_9"
python: "3"
- platform: "rockylinux_10"
python: "3"

env:
BASE_SIGN: "${{ matrix.platform }}-py${{ matrix.python }}"
Expand Down
107 changes: 107 additions & 0 deletions Dockerfile--rockylinux_10.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
################################################################################
# Testgres OsOperations. Docker file for RockLinux 10.
#
# Authors:
# - Marg.G (mark@google.com)
#
ARG PYTHON_VERSION=3

# --------------------------------------------- base1
FROM rockylinux/rockylinux:10 AS base1

# In RHEL 9/10, the repository for dev packages is called CRB (instead of powertools)
RUN dnf install -y 'dnf-command(config-manager)' && \
dnf config-manager --set-enabled crb

# Consolidating system utilities, including iproute (to prevent tests from failing)
# Added the --allowerasing flag so dnf can seamlessly replace curl-minimal with full-fledged curl
RUN dnf install -y --allowerasing \
sudo \
curl \
ca-certificates \
openssh-server \
openssh-clients \
sshpass \
time \
util-linux \
procps-ng \
iproute \
git \
&& dnf clean all

# In RHEL 9/10, to generate host keys inside Docker, you need to call this binary
RUN /usr/libexec/openssh/sshd-keygen rsa && \
/usr/libexec/openssh/sshd-keygen ed25519

# --------------------------------------------- base2_with_python-3
FROM base1 AS base2_with_python-3

# Rocky 9/10 installs python3.9 or higher (depending on the repository)
RUN dnf install -y \
python3 \
python3-devel \
&& dnf clean all

ENV PYTHON_BINARY=/usr/bin/python3

# --------------------------------------------- final
FROM base2_with_python-${PYTHON_VERSION} AS final

EXPOSE 22

RUN useradd -m test && usermod -aG wheel test

# Enable sudo without a password
RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

# HACK FOR RHEL 9/10: Allow legacy key types and disable UsePAM.
# Additionally, allow passwordless root/test authentication for testing.
RUN echo "test:*" | chpasswd -e && \
sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config && \
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/sshd_config

COPY --chown=test:test . /home/test/testgres
WORKDIR /home/test/testgres

ENV LANG=C.UTF-8

RUN chmod 700 /home/test/ && \
mkdir -p /home/test/.ssh && \
chown -R test:test /home/test/.ssh

# Our ENTRYPOINT with a stub
ENTRYPOINT ["sh", "-c", " \
set -eux; \
echo 'SYSTEM START: PREPARING SSH'; \
/usr/sbin/sshd; \
ls -la /home/test/.ssh/; \
\"$@\" \
", "DUMMY-DUMMY-DUMMY"]

# In CMD, we change the key generation from the deprecated -t rsa to the modern -t ed25519!
# This ensures that Rocky 9/10 will accept this key without any cryptographic policy issues.
CMD ["bash", "-c", " \
set -eux; \
echo \"HOME DIR IS [`realpath ~/`]\"; \
echo \"WORK DIR IS [$(pwd)]\"; \
if [ ! -f /home/test/.ssh/id_ed25519 ]; then \
su test -c \"ssh-keygen -t ed25519 -f /home/test/.ssh/id_ed25519 -q -N ''\"; \
su test -c \"cat /home/test/.ssh/id_ed25519.pub >> /home/test/.ssh/authorized_keys\"; \
chmod 600 /home/test/.ssh/authorized_keys; \
fi; \
ls -la /home/test/.ssh/; \
su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \
su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \
if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \
su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \
fi; \
if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \
cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
ls -la /home/test/.ssh/; \
fi; \
ls -la ./; \
su test -c \"bash ./run_tests3.sh\"; \
"]
110 changes: 110 additions & 0 deletions Dockerfile--rockylinux_8.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
################################################################################
# Testgres OsOperations. Docker file for RockLinux 8.
#
# Authors:
# - Marg.G (mark@google.com)
#
ARG PYTHON_VERSION=3

# --------------------------------------------- base1
FROM rockylinux:8 AS base1

# Enable the PowerTools repository (called crb or powertools in Rocky/Alma),
# since without it, dnf won't find the python3-devel packages for building extensions.
RUN dnf install -y 'dnf-command(config-manager)' && \
dnf config-manager --set-enabled powertools

# Combine the installation of system utilities, SSH into one layer
RUN dnf install -y \
sudo \
curl \
ca-certificates \
openssh-server \
openssh-clients \
sshpass \
time \
util-linux \
procps-ng \
git \
iproute \
&& dnf clean all

# --------------------------------------------- base2_with_python-3
FROM base1 AS base2_with_python-3

RUN dnf install -y \
python39 \
python39-devel \
&& dnf clean all

ENV PYTHON_BINARY=/usr/bin/python3.9

# --------------------------------------------- final
FROM base2_with_python-${PYTHON_VERSION} AS final

EXPOSE 22
# In RHEL/CentOS, SSH host keys are generated via sshd-keygen
RUN ssh-keygen -A

# In the RedHat family, the equivalent of the wheel/sudo group is the wheel group
RUN useradd -m test && usermod -aG wheel test

# Enable sudo without a password
RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

# Setting a blank password and disabling UsePAM (like in Astra),
# since SELinux/PAM in RHEL blocks blank passwords over SSH.
#
# On local tests it produces:
# WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems.
#
# But without "sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config" remote tests
# does not work!
#
RUN echo "test:*" | chpasswd -e && \
sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config

COPY --chown=test:test . /home/test/testgres
WORKDIR /home/test/testgres

ENV LANG=C.UTF-8

RUN chmod 700 /home/test/ && \
mkdir -p /home/test/.ssh && \
chown -R test:test /home/test/.ssh

# Our proven ENTRYPOINT with a DUMMY plug
ENTRYPOINT ["sh", "-c", " \
set -eux; \
echo 'SYSTEM START: PREPARING SSH'; \
/usr/sbin/sshd; \
ls -la /home/test/.ssh/; \
\"$@\" \
", "DUMMY-DUMMY-DUMMY"]

# Standard CMD for tests
CMD ["bash", "-c", " \
set -eux; \
echo \"HOME DIR IS [`realpath ~/`]\"; \
echo \"WORK DIR IS [$(pwd)]\"; \
if [ ! -f /home/test/.ssh/id_rsa ]; then \
su test -c \"ssh-keygen -t rsa -f /home/test/.ssh/id_rsa -q -N ''\"; \
su test -c \"cat /home/test/.ssh/id_rsa.pub >> /home/test/.ssh/authorized_keys\"; \
chmod 600 /home/test/.ssh/authorized_keys; \
fi; \
ls -la /home/test/.ssh/; \
su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \
su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \
if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \
su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \
fi; \
if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \
cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
ls -la /home/test/.ssh/; \
fi; \
ls -la ./; \
su test -c \"bash ./run_tests3.sh\"; \
"]
107 changes: 107 additions & 0 deletions Dockerfile--rockylinux_9.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
################################################################################
# Testgres OsOperations. Docker file for RockLinux 9.
#
# Authors:
# - Marg.G (mark@google.com)
#
ARG PYTHON_VERSION=3

# --------------------------------------------- base1
FROM rockylinux/rockylinux:9 AS base1

# In RHEL 9/10, the repository for dev packages is called CRB (instead of powertools)
RUN dnf install -y 'dnf-command(config-manager)' && \
dnf config-manager --set-enabled crb

# Consolidating system utilities, including iproute (to prevent tests from failing)
# Added the --allowerasing flag so dnf can seamlessly replace curl-minimal with full-fledged curl
RUN dnf install -y --allowerasing \
sudo \
curl \
ca-certificates \
openssh-server \
openssh-clients \
sshpass \
time \
util-linux \
procps-ng \
iproute \
git \
&& dnf clean all

# In RHEL 9/10, to generate host keys inside Docker, you need to call this binary
RUN /usr/libexec/openssh/sshd-keygen rsa && \
/usr/libexec/openssh/sshd-keygen ed25519

# --------------------------------------------- base2_with_python-3
FROM base1 AS base2_with_python-3

# Rocky 9/10 installs python3.9 or higher (depending on the repository)
RUN dnf install -y \
python3 \
python3-devel \
&& dnf clean all

ENV PYTHON_BINARY=/usr/bin/python3

# --------------------------------------------- final
FROM base2_with_python-${PYTHON_VERSION} AS final

EXPOSE 22

RUN useradd -m test && usermod -aG wheel test

# Enable sudo without a password
RUN echo "test ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

# HACK FOR RHEL 9/10: Allow legacy key types and disable UsePAM.
# Additionally, allow passwordless root/test authentication for testing.
RUN echo "test:*" | chpasswd -e && \
sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config && \
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/sshd_config

COPY --chown=test:test . /home/test/testgres
WORKDIR /home/test/testgres

ENV LANG=C.UTF-8

RUN chmod 700 /home/test/ && \
mkdir -p /home/test/.ssh && \
chown -R test:test /home/test/.ssh

# Our ENTRYPOINT with a stub
ENTRYPOINT ["sh", "-c", " \
set -eux; \
echo 'SYSTEM START: PREPARING SSH'; \
/usr/sbin/sshd; \
ls -la /home/test/.ssh/; \
\"$@\" \
", "DUMMY-DUMMY-DUMMY"]

# In CMD, we change the key generation from the deprecated -t rsa to the modern -t ed25519!
# This ensures that Rocky 9/10 will accept this key without any cryptographic policy issues.
CMD ["bash", "-c", " \
set -eux; \
echo \"HOME DIR IS [`realpath ~/`]\"; \
echo \"WORK DIR IS [$(pwd)]\"; \
if [ ! -f /home/test/.ssh/id_ed25519 ]; then \
su test -c \"ssh-keygen -t ed25519 -f /home/test/.ssh/id_ed25519 -q -N ''\"; \
su test -c \"cat /home/test/.ssh/id_ed25519.pub >> /home/test/.ssh/authorized_keys\"; \
chmod 600 /home/test/.ssh/authorized_keys; \
fi; \
ls -la /home/test/.ssh/; \
su test -c \"ssh-keyscan -H localhost >> /home/test/.ssh/known_hosts\"; \
su test -c \"ssh-keyscan -H 127.0.0.1 >> /home/test/.ssh/known_hosts\"; \
if [ -n \"${TEST_CFG__REMOTE_HOST:-}\" ]; then \
su test -c \"ssh-keyscan -H ${TEST_CFG__REMOTE_HOST} >> /home/test/.ssh/known_hosts\"; \
fi; \
if [ -n \"${TEST_CFG__REMOTE_SSH_KEY:-}\" ]; then \
cp \"${TEST_CFG__REMOTE_SSH_KEY}\" \"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
export TEST_CFG__REMOTE_SSH_KEY=\"${TEST_CFG__REMOTE_SSH_KEY}_ci\"; \
chown test:test \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
chmod 600 \"${TEST_CFG__REMOTE_SSH_KEY}\"; \
ls -la /home/test/.ssh/; \
fi; \
ls -la ./; \
su test -c \"bash ./run_tests3.sh\"; \
"]