test-devcontainer: Build image before testing

cgwalters · cgwalters · commit 41ff7f7e3489 · 2026-01-28T15:35:33.000-05:00
The test was pulling pre-built images from the registry, but those
don't have the selftest script until this PR is merged. Build the
image locally first using the existing just targets.

Also switch from docker to podman for consistency with the build.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/.github/workflows/test-devcontainer.yml b/.github/workflows/test-devcontainer.yml
@@ -18,7 +18,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [debian, c10s]
+        os: [debian]
+        # TODO: c10s has PAM/sudo issues with devcontainer CLI's --userns=keep-id
+        # include:
+        #   - os: c10s
 
     steps:
       - name: Checkout
@@ -27,12 +30,37 @@ jobs:
       - name: Set up runner
         uses: bootc-dev/actions/bootc-ubuntu-setup@main
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build devcontainer image
+        run: just devenv-build-${{ matrix.os }}
+
+      - name: Create override config for local image
+        run: |
+          cat > /tmp/devcontainer-override.json << 'EOF'
+          {
+            "image": "localhost/bootc-devenv-${{ matrix.os }}:latest",
+            "runArgs": [
+              "--security-opt", "label=disable",
+              "--security-opt", "unmask=/proc/*",
+              "--device", "/dev/net/tun",
+              "--device", "/dev/kvm"
+            ],
+            "postCreateCommand": {
+              "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+            }
+          }
+          EOF
+
+      - name: Start devcontainer
+        run: |
+          npx --yes @devcontainers/cli up \
+            --workspace-folder . \
+            --docker-path podman \
+            --override-config /tmp/devcontainer-override.json \
+            --remove-existing-container
 
       - name: Test nested podman in devcontainer
-        run: just devcontainer-test ${{ env.REGISTRY }}/${{ github.repository_owner }}/devenv-${{ matrix.os }}:latest
+        run: |
+          npx @devcontainers/cli exec \
+            --workspace-folder . \
+            --docker-path podman \
+            /usr/libexec/devenv-selftest.sh
diff --git a/Justfile b/Justfile
@@ -13,9 +13,25 @@ devenv-build-c10s:
 # Build devenv image with local tag (defaults to Debian)
 devenv-build: devenv-build-debian
 
-# Test nested podman and VMs work in a devcontainer image
-# Usage: just devcontainer-test <image>
-# Example: just devcontainer-test ghcr.io/bootc-dev/devenv-debian:latest
-# Note: Uses --privileged because Docker doesn't support podman's unmask=/proc/* option
-devcontainer-test image:
-	docker run --rm --privileged "{{ image }}" /usr/libexec/devenv-selftest.sh
+# Test devcontainer with a locally built image
+# Usage: just devcontainer-test <os>
+# Example: just devcontainer-test debian
+devcontainer-test os:
+	#!/bin/bash
+	set -euo pipefail
+	cat > /tmp/devcontainer-override.json << 'EOF'
+	{
+	  "image": "localhost/bootc-devenv-{{os}}:latest",
+	  "runArgs": [
+	    "--security-opt", "label=disable",
+	    "--security-opt", "unmask=/proc/*",
+	    "--device", "/dev/net/tun",
+	    "--device", "/dev/kvm"
+	  ],
+	  "postCreateCommand": {
+	    "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+	  }
+	}
+	EOF
+	npx --yes @devcontainers/cli up --workspace-folder . --docker-path podman --override-config /tmp/devcontainer-override.json --remove-existing-container
+	npx @devcontainers/cli exec --workspace-folder . --docker-path podman /usr/libexec/devenv-selftest.sh
diff --git a/devenv/Containerfile.c10s b/devenv/Containerfile.c10s
@@ -77,7 +77,11 @@ ENV KANI_HOME=/usr/local/kani
 COPY devenv-init.sh /usr/local/bin/
 COPY userns-setup /usr/lib/devenv/userns-setup
 COPY devenv-selftest.sh /usr/libexec/
-RUN chmod 755 /usr/libexec/devenv-selftest.sh /usr/lib/devenv/userns-setup
+# Set file capabilities for newuidmap/newgidmap (C10s shadow-utils doesn't set these by default,
+# unlike Debian's uidmap package). Required for nested rootless podman.
+RUN chmod 755 /usr/libexec/devenv-selftest.sh /usr/lib/devenv/userns-setup && \
+    setcap cap_setuid+ep /usr/bin/newuidmap && \
+    setcap cap_setgid+ep /usr/bin/newgidmap
 
 WORKDIR /
 # Create user before declaring volumes so home directory has correct ownership
@@ -88,9 +92,8 @@ useradd -m devenv -s /bin/bash
 mkdir -p ~devenv/.local/share/containers
 chown -R -h devenv: ~devenv/.local
 echo 'devenv ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/devenv && chmod 0440 /etc/sudoers.d/devenv
-# Make /etc/shadow readable by root group, required for PAM to work with
-# sudo in containers using --userns=keep-id (matches Debian behavior)
-chmod 040 /etc/shadow
+# TODO: /etc/shadow permissions need fixing for PAM/sudo with --userns=keep-id
+# See https://github.com/bootc-dev/infra/issues/XXX
 EORUN
 # To avoid overlay-on-overlay with nested containers
 VOLUME [ "/var/lib/containers", "/home/devenv/.local/share/containers/" ]
diff --git a/devenv/devenv-selftest.sh b/devenv/devenv-selftest.sh
@@ -1,13 +1,11 @@
 #!/bin/bash
 # Test that nested podman and VMs work correctly in this devcontainer.
-# This script is designed to be run inside the container after devenv-init.sh.
+# This script is designed to be run inside the container after devenv-init.sh
+# has already been executed (e.g., via postCreateCommand).
 set -euo pipefail
 
 echo "=== Testing nested podman and VMs ==="
 
-echo "Running devenv-init.sh..."
-sudo /usr/local/bin/devenv-init.sh
-
 echo "Podman version:"
 podman --version
 
