test(cpu-usage): fix archlinux container build and keep images between runs

markuslf · markuslf · commit 932b29b8cc6b · 2026-04-13T14:38:22.000+02:00
Two fixes so the cpu-usage integration test actually runs on
archlinux-vlatest and subsequent runs reuse cached layers:

- The cached archlinux:latest base image can be months out of date,
  so its archlinux-keyring no longer trusts the current packagers
  and pacman -Syu fails with "signature ... is unknown trust".
  Refresh the keyring via pacman-key --init / --populate and pull
  in a fresh archlinux-keyring package before the full upgrade.
  Also pass --disable-sandbox so pacman 7.x's landlock download
  helper does not need to create the sandbox user inside rootless
  podman, which is not allowed.
- Testcontainers' DockerImage defaults to clean_up=True, which
  untags the built image and prunes dangling parent layers on
  every run. That wipes the cached build context and turns each
  invocation into a full rebuild from the base image. Setting
  clean_up=False keeps the image on the host so subsequent runs
  hit the layer cache and finish in seconds instead of minutes.
diff --git a/check-plugins/cpu-usage/unit-test/containerfiles/archlinux-vlatest b/check-plugins/cpu-usage/unit-test/containerfiles/archlinux-vlatest
@@ -1,9 +1,19 @@
 # Base image: Official Arch Linux
 FROM archlinux:latest
 
-# Update and install Python 3, pip, and required build tools
-RUN pacman -Syu --noconfirm && \
-    pacman -S --noconfirm python python-pip gcc && \
+# Arch is rolling release, and the cached archlinux:latest base image
+# can be months out of date; its archlinux-keyring no longer trusts
+# the current packagers. Refresh the keyring from the shipped files
+# and pull in the latest archlinux-keyring package before -Syu so the
+# full upgrade can verify signatures.
+#
+# --disable-sandbox disables pacman 7.x's landlock/alpm download
+# sandbox, which cannot be applied inside rootless podman.
+RUN pacman-key --init && \
+    pacman-key --populate && \
+    pacman -Sy --noconfirm --disable-sandbox archlinux-keyring && \
+    pacman -Syu --noconfirm --disable-sandbox && \
+    pacman -S --noconfirm --disable-sandbox python python-pip gcc && \
     pacman -Scc --noconfirm
 
 # Set the working directory in the container
diff --git a/check-plugins/cpu-usage/unit-test/run b/check-plugins/cpu-usage/unit-test/run
@@ -85,10 +85,16 @@ class TestCheck(unittest.TestCase):
 def _check_containerfile(test, containerfile):
     print(f'\n=== Testing {containerfile} ===', flush=True)
     image_tag = f'lfmp-cpu-usage-{containerfile}'.lower()
+    # clean_up=False keeps the built image on the host so the next
+    # run reuses all cached layers instead of rebuilding from the
+    # base image. Testcontainers' default (clean_up=True) not only
+    # untags the image but also prunes dangling parent layers, which
+    # wipes the cache and makes every run a full rebuild.
     with DockerImage(
         path=HERE,
         dockerfile_path=f'containerfiles/{containerfile}',
         tag=image_tag,
+        clean_up=False,
     ) as image:
         # `,Z` relabels the mount for SELinux on podman/rhel hosts so
         # the container can actually read the bind-mounted files.
