test-devcontainer: Build image before testing

cgwalters · cgwalters · commit aa0fa0500db3 · 2026-01-28T13:39:58.000-05:00
The test was pulling pre-built images from the registry, but those
don't have the selftest script until this PR is merged. Build the
image locally first using the existing just targets.

Also switch from docker to podman for consistency with the build.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/.github/workflows/test-devcontainer.yml b/.github/workflows/test-devcontainer.yml
@@ -27,12 +27,37 @@ jobs:
       - name: Set up runner
         uses: bootc-dev/actions/bootc-ubuntu-setup@main
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build devcontainer image
+        run: just devenv-build-${{ matrix.os }}
+
+      - name: Create override config for local image
+        run: |
+          cat > /tmp/devcontainer-override.json << 'EOF'
+          {
+            "image": "localhost/bootc-devenv-${{ matrix.os }}:latest",
+            "runArgs": [
+              "--security-opt", "label=disable",
+              "--security-opt", "unmask=/proc/*",
+              "--device", "/dev/net/tun",
+              "--device", "/dev/kvm"
+            ],
+            "postCreateCommand": {
+              "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+            }
+          }
+          EOF
+
+      - name: Start devcontainer
+        run: |
+          npx --yes @devcontainers/cli up \
+            --workspace-folder . \
+            --docker-path podman \
+            --override-config /tmp/devcontainer-override.json \
+            --remove-existing-container
 
       - name: Test nested podman in devcontainer
-        run: just devcontainer-test ${{ env.REGISTRY }}/${{ github.repository_owner }}/devenv-${{ matrix.os }}:latest
+        run: |
+          npx @devcontainers/cli exec \
+            --workspace-folder . \
+            --docker-path podman \
+            /usr/libexec/devenv-selftest.sh
diff --git a/Justfile b/Justfile
@@ -13,9 +13,25 @@ devenv-build-c10s:
 # Build devenv image with local tag (defaults to Debian)
 devenv-build: devenv-build-debian
 
-# Test nested podman and VMs work in a devcontainer image
-# Usage: just devcontainer-test <image>
-# Example: just devcontainer-test ghcr.io/bootc-dev/devenv-debian:latest
-# Note: Uses --privileged because Docker doesn't support podman's unmask=/proc/* option
-devcontainer-test image:
-	docker run --rm --privileged "{{ image }}" /usr/libexec/devenv-selftest.sh
+# Test devcontainer with a locally built image
+# Usage: just devcontainer-test <os>
+# Example: just devcontainer-test debian
+devcontainer-test os:
+	#!/bin/bash
+	set -euo pipefail
+	cat > /tmp/devcontainer-override.json << 'EOF'
+	{
+	  "image": "localhost/bootc-devenv-{{os}}:latest",
+	  "runArgs": [
+	    "--security-opt", "label=disable",
+	    "--security-opt", "unmask=/proc/*",
+	    "--device", "/dev/net/tun",
+	    "--device", "/dev/kvm"
+	  ],
+	  "postCreateCommand": {
+	    "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+	  }
+	}
+	EOF
+	npx --yes @devcontainers/cli up --workspace-folder . --docker-path podman --override-config /tmp/devcontainer-override.json --remove-existing-container
+	npx @devcontainers/cli exec --workspace-folder . --docker-path podman /usr/libexec/devenv-selftest.sh
diff --git a/devenv/Containerfile.c10s b/devenv/Containerfile.c10s
@@ -77,7 +77,11 @@ ENV KANI_HOME=/usr/local/kani
 COPY devenv-init.sh /usr/local/bin/
 COPY userns-setup /usr/lib/devenv/userns-setup
 COPY devenv-selftest.sh /usr/libexec/
-RUN chmod 755 /usr/libexec/devenv-selftest.sh /usr/lib/devenv/userns-setup
+# Set file capabilities for newuidmap/newgidmap (C10s shadow-utils doesn't set these by default,
+# unlike Debian's uidmap package). Required for nested rootless podman.
+RUN chmod 755 /usr/libexec/devenv-selftest.sh /usr/lib/devenv/userns-setup && \
+    setcap cap_setuid+ep /usr/bin/newuidmap && \
+    setcap cap_setgid+ep /usr/bin/newgidmap
 
 WORKDIR /
 # Create user before declaring volumes so home directory has correct ownership
diff --git a/devenv/devenv-selftest.sh b/devenv/devenv-selftest.sh
@@ -1,13 +1,11 @@
 #!/bin/bash
 # Test that nested podman and VMs work correctly in this devcontainer.
-# This script is designed to be run inside the container after devenv-init.sh.
+# This script is designed to be run inside the container after devenv-init.sh
+# has already been executed (e.g., via postCreateCommand).
 set -euo pipefail
 
 echo "=== Testing nested podman and VMs ==="
 
-echo "Running devenv-init.sh..."
-sudo /usr/local/bin/devenv-init.sh
-
 echo "Podman version:"
 podman --version
 
