Merge all Prow CI scripts into one

ci/Dockerfile.cosa-build

@@ -18,7 +18,7 @@ FROM build-test-qemu-img:latest
 ENV COSA_DIR=/tmp/cosa
 ENV COSA_SKIP_OVERLAY=1
 RUN mkdir -p "${COSA_DIR}" && \
-  COSA_NO_KVM=1 /src/ci/prow-build.sh && \
+  COSA_NO_KVM=1 /src/ci/prow-entrypoint.sh build && \
   rm -rf "${COSA_DIR}/cache"
 # We need to make sure that root can read / write to the COSA_DIR so that
 # when this container is actually run, we have permissions to read and
@@ -32,4 +32,3 @@ RUN chgrp -Rf root "${COSA_DIR}" && \
   chmod -Rf g+w "${COSA_DIR}"
 USER builder
 WORKDIR /tmp/cosa
-

ci/Dockerfile.cosa-oci-archive

@@ -8,4 +8,3 @@ RUN /src/ci/simplify-ociarchive-path.sh
 
 FROM scratch
 COPY --from=base /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive
-

ci/Dockerfile.layering-test

@@ -4,4 +4,3 @@
 FROM build-test-qemu-img:latest AS base
 FROM registry.ci.openshift.org/coreos/fedora:35 AS final
 COPY --from=base /usr/local/bin/layering_test /usr/local/bin/layering_test
-

ci/Dockerfile.machine-os-oci-content

@@ -10,4 +10,3 @@
 # absolute path to refer to the OCI archive in the build context allows us
 # to "import" the OCI archive into the CI ImageStream.
 FROM oci-archive:/tmp/build/inputs/magic/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive
-

ci/build-test-qemu.sh

@@ -1,12 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-# This script is the entrypoint for PRs to this repo via OpenShift Prow.
-dn=$(dirname $0)
-# Prow jobs don't support adding emptydir today
-export COSA_SKIP_OVERLAY=1
-# Create a temporary cosa workdir if COSA_DIR is not set.
-cosa_dir="${COSA_DIR:-$(mktemp -d)}"
-echo "Using $cosa_dir for build"
-cd "$cosa_dir"
-cosa init --transient /src
-exec ${dn}/prow-build-test-qemu.sh
+true

ci/build-test.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+true

ci/prow-build-test-qemu.sh

@@ -1,71 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-# This script is called via build-test-qemu.sh which is the main Prow
-# entrypoint for PRs to this repo, as well as for PRs on other repos,
-# mainly coreos-assembler.  It assumes that `cosa init` has been run.
-
-REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
-
-# record information about cosa + rpm-ostree
-if test -d /cosa; then
-    jq . < /cosa/coreos-assembler-git.json
-fi
-rpm-ostree --version
-
-# We generate .repo files which write to the source, but
-# we captured the source as part of the Docker build.
-# In OpenShift default SCC we'll run as non-root, so we need
-# to make a new copy of the source.  TODO fix cosa to be happy
-# if src/config already exists instead of wanting to reference
-# it or clone it.  Or we could write our .repo files to a separate
-# place.
-if test '!' -w src/config; then
-    git clone --recurse src/config src/config.writable
-    rm src/config -rf
-    mv src/config.writable src/config
-fi
-
-#
-# NOTE: If you are adjusting how the repos are fetched in this script, you
-#        must also make the same change in the `prow-build.sh` script
-#
-# Grab the raw value of `mutate-os-release` and use sed to convert the value
-# to X-Y format
-ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
-ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
-prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
-# we want to use RHEL 8.5 for testing until we can start using 8.6
-# see https://github.com/openshift/release/pull/26193
-curl -L http://base-"${ocpver_mut}"-rhel85.ocp.svc.cluster.local > src/config/ocp.repo
-# fetch the 8.6 appstream repo to enable building of extensions
-# see: https://github.com/openshift/os/issues/795
-curl -Ls http://base-"${ocpver_mut}"-rhel86.ocp.svc.cluster.local | grep -A 3 rhel-8-appstream | sed '1,3 s/rhel-8-appstream/rhel-86-appstream/g' >> src/config/ocp.repo
-cosa buildfetch --url=${prev_build_url}
-cosa fetch
-cosa build
-cosa buildextend-extensions
-cosa kola --basic-qemu-scenarios
-kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade
-cosa kola run --parallel 2
-# Build metal + installer now so we can test them
-cosa buildextend-metal
-cosa buildextend-metal4k
-cosa buildextend-live
-# compress the metal and metal4k images now so we're testing
-# installs with the image format we ship
-cosa compress --artifact=metal --artifact=metal4k
-# Running testiso scenarios on metal artifact
-# Skip the following scenarios: iso-install,iso-offline-install,iso-live-login,iso-as-disk
-# See: https://github.com/openshift/os/issues/666
-kola testiso -S --scenarios pxe-install,pxe-offline-install --output-dir tmp/kola-metal
-# iso-install scenario to sanity-check the metal4k media
-# Skip all the testiso scenarios for metal4k + UEFI
-# See: https://github.com/openshift/os/issues/666
-# kola testiso -S --qemu-native-4k --qemu-multipath --scenarios iso-install --output-dir tmp/kola-metal4k
-# if [ $(uname -i) = x86_64 ] || [ $(uname -i) = aarch64 ]; then
-#     mkdir -p tmp/kola-uefi
-#     kola testiso -S --qemu-firmware uefi --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/insecure
-#     if [ $(uname -i) = x86_64 ]; then
-#         kola testiso -S --qemu-firmware uefi-secure --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/secure
-#     fi
-# fi
+true

ci/prow-build.sh

@@ -1,53 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-
-# Prow jobs don't support adding emptydir today
-export COSA_SKIP_OVERLAY=1
-# Create a temporary cosa workdir if COSA_DIR is not set.
-cosa_dir="${COSA_DIR:-$(mktemp -d)}"
-echo "Using $cosa_dir for build"
-cd "$cosa_dir"
-cosa init --transient /src
-
-# This script is called via build.sh which is the main Prow
-# entrypoint for PRs to this repo, as well as for PRs on other repos,
-# mainly coreos-assembler.  It assumes that `cosa init` has been run.
-
-REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
-
-# record information about cosa + rpm-ostree
-if test -d /cosa; then
-    jq . < /cosa/coreos-assembler-git.json
-fi
-rpm-ostree --version
-
-# We generate .repo files which write to the source, but
-# we captured the source as part of the Docker build.
-# In OpenShift default SCC we'll run as non-root, so we need
-# to make a new copy of the source.  TODO fix cosa to be happy
-# if src/config already exists instead of wanting to reference
-# it or clone it.  Or we could write our .repo files to a separate
-# place.
-if test '!' -w src/config; then
-    git clone --recurse src/config src/config.writable
-    rm src/config -rf
-    mv src/config.writable src/config
-fi
-
-#
-# NOTE: If you are adjusting how the repos are fetched in this script, you
-#        must also make the same change in the `prow-build-test-qemu.sh` script
-#
-# Grab the raw value of `mutate-os-release` and use sed to convert the value
-# to X-Y format
-ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
-ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
-prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
-
-# Fetch RHEL 8.6 repos
-curl -L http://base-"${ocpver_mut}"-rhel86.ocp.svc.cluster.local > src/config/ocp.repo
-
-cosa buildfetch --url=${prev_build_url}
-cosa fetch
-cosa build
-cosa buildextend-extensions
+true

ci/prow-entrypoint.sh

@@ -0,0 +1,193 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# Main script acting as entrypoint for all Prow jobs building RHCOS images
+
+# Global variables
+REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
+
+# This function is used to update the /etc/passwd file within the COSA container
+# at test-time. The need for this comes from the fact that OpenShift will run a
+# container with a randomized user ID by default to enhance security. Because
+# COSA runs with an unprivileged user ("builder") instead of (container) root,
+# this presents special challenges for file and disk permissions. This particular
+# pattern was inspired by:
+# - https://cloud.redhat.com/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
+# - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
+setup_user() {
+    user_id="$(id -u)"
+    group_id="$(id -g)"
+
+    grep -v "^builder" /etc/passwd > /tmp/passwd
+    echo "builder:x:${user_id}:${group_id}::/home/builder:/bin/bash" >> /tmp/passwd
+    cat /tmp/passwd > /etc/passwd
+    rm /tmp/passwd
+
+    # Not strictly required, but nice for debugging.
+    id
+    whoami
+}
+
+cosa_init() {
+    # Always create a writable copy of the source repo
+    tmp_src="$(mktemp -d)"
+    cp -a /src "${tmp_src}/os"
+
+    # Either use the COSA_DIR prepared for us or create a temporary cosa workdir
+    cosa_dir="${COSA_DIR:-$(mktemp -d)}"
+    echo "Using $cosa_dir for build"
+    cd "$cosa_dir"
+
+    # Setup source tree
+    cosa init --transient "${tmp_src}/os"
+}
+
+# Do a cosa build & cosa build-extensions only
+# This is called both as part of the build phase and test phase in Prow thus we
+# can not do any kola testing in this function.
+cosa_build() {
+    # Grab the raw value of `mutate-os-release` and use sed to convert the value
+    # to X-Y format
+    ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
+    ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
+    prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
+    # Fetch the previous build
+    cosa buildfetch --url="${prev_build_url}"
+
+    # Fetch the repos corresponding to the release we are building
+    rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
+    id
+    whoami
+    ls -alh "src/config/"
+    curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+
+    # Build RHCOS & extensions
+    cosa fetch
+    cosa build
+    cosa buildextend-extensions
+}
+
+# Make sure the image is at least booting before runnning expensive tests
+kola_test_basic() {
+    cosa kola run basic
+}
+
+kola_test_basic_scenarios() {
+    cosa kola --basic-qemu-scenarios
+}
+
+kola_test_upgrade() {
+    kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade
+}
+
+kola_test_run() {
+    cosa kola run --parallel 2
+}
+
+kola_test_metal() {
+    # Build metal + installer now so we can test them
+    cosa buildextend-metal && cosa buildextend-metal4k && cosa buildextend-live
+
+    # Compress the metal and metal4k images now so we're testing
+    # installs with the image format we ship
+    cosa compress --artifact=metal --artifact=metal4k
+
+    # Run all testiso scenarios on metal artifact
+    kola testiso -S --scenarios pxe-install,pxe-offline-install,iso-install,iso-offline-install,iso-live-login,iso-as-disk,miniso-install --output-dir tmp/kola-metal
+
+    # Run only the iso-install scenario to sanity-check the metal4k media
+    kola testiso -S --qemu-native-4k --qemu-multipath --scenarios iso-install --output-dir tmp/kola-metal4k
+
+    # Run some uefi & secure boot tests
+    if [[ "$(uname -i)" == "x86_64" ]] || [[ "$(uname -i)" == "aarch64" ]]; then
+        mkdir -p tmp/kola-uefi
+        kola testiso -S --qemu-firmware uefi --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/insecure
+        if [[ "$(uname -i)" == "x86_64" ]]; then
+            kola testiso -S --qemu-firmware uefi-secure --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/secure
+        fi
+    fi
+}
+
+# Basic syntaxt validation for manifests
+validate() {
+    # Create a temporary copy
+    workdir="$(mktemp -d)"
+    echo "Using $workdir as working directory"
+
+    # Figure out if we are running from the COSA image or directly from the Prow src image
+    if [[ -d /src/github.com/openshift/os ]]; then
+        cd "$workdir"
+        git clone /src/github.com/openshift/os os
+    elif [[ -d ./.git ]]; then
+        srcdir="${PWD}"
+        cd "$workdir"
+        git clone "${srcdir}" os
+    else
+        echo "Could not found source directory"
+        exit 1
+    fi
+    cd os
+
+    # First ensure submodules are initialized
+    git submodule update --init --recursive
+    # Basic syntax check
+    ./fedora-coreos-config/ci/validate
+}
+
+main () {
+    if [[ "${#}" -ne 1 ]]; then
+        echo "This script is expected to be called by Prow with the name of the build phase or test to run"
+        exit 1
+    fi
+
+    # Record information about cosa + rpm-ostree
+    if [[ -d /cosa ]]; then
+        jq . < /cosa/coreos-assembler-git.json
+    fi
+    rpm-ostree --version
+
+    case "${1}" in
+        "validate")
+            validate
+            ;;
+        "build")
+            cosa_init
+            cosa_build
+            ;;
+        "build-test-qemu-kola-basic")
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_basic
+            kola_test_basic_scenarios
+            ;;
+        "build-test-qemu-kola-all")
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_basic
+            kola_test_run
+            ;;
+        "build-test-qemu-kola-upgrade")
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_basic
+            kola_test_upgrade
+            ;;
+        "build-test-qemu-kola-metal")
+            setup_user
+            cosa_init
+            cosa_build
+            kola_test_basic
+            kola_test_metal
+            ;;
+        *)
+            echo "Unknown test name"
+            exit 1
+            ;;
+    esac
+}
+
+main "${@}"
+