From: Hadi Chokr Date: Thu, 12 Feb 2026 11:13:46 +0000 (+0100) Subject: share: add privileged container support for CI and system tests X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=42ef3c50cefd1a49084af3d00ce650646c6c2bdf;p=thirdparty%2Fshadow.git share: add privileged container support for CI and system tests Introduce opt-in privileged container execution for CI and local runs. This enables filesystem-level tests (e.g. BTRFS, mounts) while keeping unprivileged execution as the default and safe path. Changes include: - Separate privileged and unprivileged builders - Conditional Ansible roles and inventories - Privileged test execution wiring - --privileged support in container-build.sh Signed-off-by: Hadi Chokr --- diff --git a/share/ansible/inventory.ini b/share/ansible/inventory.ini index 46475c8e4..f7f079ace 100644 --- a/share/ansible/inventory.ini +++ b/share/ansible/inventory.ini @@ -1 +1,2 @@ builder ansible_connection=containers.podman.podman +builder-privileged ansible_connection=containers.podman.podman diff --git a/share/ansible/playbook.yml b/share/ansible/playbook.yml index 86d1afd8b..72e94d232 100644 --- a/share/ansible/playbook.yml +++ b/share/ansible/playbook.yml @@ -1,4 +1,5 @@ -- name: Start build container +--- +- name: "Start {{ 'privileged' if privileged_mode | default(false) | bool else 'unprivileged' }} build container" hosts: localhost vars: image: 
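Review bot: `builder-privileged` is added to the static inventory, yet the playbook in this same commit registers the container with `add_host` into the `build_target` group and the CI play now targets that group instead of `builder`, so neither inventory host appears to be referenced by any play any more. If nothing outside this commit consumes them, the two entries are dead configuration and the file could shrink to a comment; if they are kept, a comment naming the play that uses them would keep the connection plugin from drifting between the inventory and the `add_host` call.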
@@ -6,18 +7,28 @@ alpine: docker.io/library/alpine:latest debian: docker.io/library/debian:latest opensuse: docker.io/opensuse/tumbleweed:latest - + container_name: "{{ 'builder-privileged' if privileged_mode | default(false) | bool else 'builder' }}" roles: - role: build_container + vars: + privileged: "{{ privileged_mode | default(false) | bool }}" + name: "{{ container_name }}" + post_tasks: + - name: Register container as a host + ansible.builtin.add_host: + name: "{{ container_name }}" + groups: build_target + ansible_connection: containers.podman.podman - name: CI run - hosts: builder - connection: podman + hosts: build_target gather_facts: false roles: - role: ci_run -- name: Run system tests +- name: "Run {{ 'privileged' if privileged_mode | default(false) | bool else 'unprivileged' }} system tests" hosts: localhost roles: - role: run_system_tests + vars: + mhc: "{{ 'mhc-privileged.yaml' if privileged_mode | default(false) | bool else 'mhc.yaml' }}" diff --git a/share/ansible/roles/build_container/README.md b/share/ansible/roles/build_container/README.md index e55598a19..14fff9df5 100644 --- a/share/ansible/roles/build_container/README.md +++ b/share/ansible/roles/build_container/README.md @@ -1,7 +1,7 @@ Role Name ========= -Build container images. +Builds unprivileged and privileged container images. Role Variables -------------- @@ -14,8 +14,9 @@ Example Playbook Usage example: - hosts: localhost + become: true roles: - - role: build_container + - role: build_container_privileged License ------- @@ -26,3 +27,4 @@ Author Information ------------------ Iker Pedrosa +Hadi Chokr diff --git a/share/ansible/roles/build_container/tasks/main.yml b/share/ansible/roles/build_container/tasks/main.yml index c9a14f07e..187be5a08 100644 --- a/share/ansible/roles/build_container/tasks/main.yml +++ b/share/ansible/roles/build_container/tasks/main.yml 
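Review bot: The `build_container` role is handed `name: "{{ container_name }}"` under its `vars:`, but the role's tasks in this commit read `container_name | default('builder')`, not `name`, so the container gets the right name only because the play-level `container_name` leaks into the role; pass `container_name: "{{ container_name }}"` and drop `name`, which also avoids shadowing a common key. The `privileged_mode | default(false) | bool` expression is repeated in both play names, in `container_name`, in the role vars and in the test play's `mhc`; computing it once in a play-level var would keep those places from drifting. The README hunk in the same commit shows `role: build_container_privileged`, which no play here defines, so the example should use `build_container` with `privileged: true`. The container is started with `sleep 1d` and no teardown is visible in this hunk, so a privileged container likely outlives the run; if that is unintended, a `post_tasks` entry with `state: absent` after the test play would close it.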
@@ -1,20 +1,17 @@ ---- -# tasks file for build_container - name: Pull container image containers.podman.podman_image: name: '{{ image[distribution] }}' -- name: Create and start container +- name: "Create and start {{ 'privileged' if privileged | default(false) else 'unprivileged' }} container" containers.podman.podman_container: - name: builder + name: "{{ container_name | default('builder') }}" state: started image: '{{ image[distribution] }}' command: "sleep 1d" + privileged: "{{ privileged | default(false) }}" -- name: Create repo - ansible.builtin.shell: - podman exec builder mkdir -p /usr/local/src - -- name: Copy repo - ansible.builtin.shell: - podman cp ../../ builder:/usr/local/src/shadow +- name: Prepare source tree + ansible.builtin.shell: | + podman exec {{ container_name | default('builder') }} rm -rf /usr/local/src/shadow + podman exec {{ container_name | default('builder') }} mkdir -p /usr/local/src + podman cp ../../ {{ container_name | default('builder') }}:/usr/local/src/shadow diff --git a/share/ansible/roles/ci_run/tasks/alpine.yml b/share/ansible/roles/ci_run/tasks/alpine.yml index e6d1ca991..85c3a56d7 100644 --- a/share/ansible/roles/ci_run/tasks/alpine.yml +++ b/share/ansible/roles/ci_run/tasks/alpine.yml @@ -9,17 +9,23 @@ - autoconf - automake - bash + - btrfs-progs - build-base - cmocka-dev - coreutils + - cython - expect - gettext-dev - git - libbsd-dev - libeconf-dev + - libssh-dev - libtool - libxslt + - musl-dev + - util-linux - pkgconf + - python3-dev state: present - name: Make sure expect is found diff --git a/share/ansible/roles/ci_run/tasks/debian.yml b/share/ansible/roles/ci_run/tasks/debian.yml index cff6fd345..091917477 100644 --- a/share/ansible/roles/ci_run/tasks/debian.yml +++ b/share/ansible/roles/ci_run/tasks/debian.yml @@ -9,6 +9,7 @@ - name: Ensure dependencies are installed ansible.builtin.apt: name: + - btrfs-progs - expect - gpg - libbsd-dev 
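Review bot: The `Prepare source tree` shell block runs three `podman` commands, but only the last command's exit status reaches Ansible, so a failed `rm -rf` or `mkdir -p` is masked and `podman cp` may then populate a stale tree; start the block with `set -e` or split it into one task per command (`containers.podman.podman_container_exec` for the two `exec` steps). The task-name ternary uses `privileged | default(false)` without `| bool`, so a string value such as `"false"` arriving via `-e` would label the container "privileged" while the module would most likely coerce the same value to false; apply `| bool` in both the name and the `privileged:` argument, as the playbook already does. Removing the `---` document-start marker here is also inconsistent with the same commit adding one to playbook.yml.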
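Review bot: The new entries break the alphabetical order the package list otherwise keeps — `musl-dev` and `util-linux` land before `pkgconf` and `python3-dev` after it; moving `util-linux` below `python3-dev` keeps the sorted order usable as a quick duplicate check. Only `btrfs-progs` is added to the debian, fedora and opensuse lists, while alpine additionally gains `cython`, `libssh-dev`, `musl-dev`, `python3-dev` and `util-linux` with no explanation in the commit message; a short comment above the alpine block naming what needs them (presumably the system-test Python dependencies, or a build step that fails only on musl) would save the next reader a bisect.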
diff --git a/share/ansible/roles/ci_run/tasks/fedora.yml b/share/ansible/roles/ci_run/tasks/fedora.yml index 4dbcac866..5b48032bb 100644 --- a/share/ansible/roles/ci_run/tasks/fedora.yml +++ b/share/ansible/roles/ci_run/tasks/fedora.yml @@ -7,6 +7,7 @@ ansible.builtin.dnf: use_backend: dnf4 name: + - btrfs-progs - dnf-plugins-core - expect - gawk diff --git a/share/ansible/roles/ci_run/tasks/opensuse.yml b/share/ansible/roles/ci_run/tasks/opensuse.yml index 5888f4ebe..aeca69c3c 100644 --- a/share/ansible/roles/ci_run/tasks/opensuse.yml +++ b/share/ansible/roles/ci_run/tasks/opensuse.yml @@ -8,6 +8,7 @@ name: - autoconf - automake + - btrfs-progs - diffutils - expect - gawk diff --git a/share/ansible/roles/run_system_tests/tasks/main.yml b/share/ansible/roles/run_system_tests/tasks/main.yml index 1b447564f..e4898231e 100644 --- a/share/ansible/roles/run_system_tests/tasks/main.yml +++ b/share/ansible/roles/run_system_tests/tasks/main.yml @@ -3,12 +3,20 @@ - name: Prepare environment and run system tests ansible.builtin.shell: | set -ex - pushd ../../tests/system/ + pushd ../../tests/system + + export PYTHONPATH="$(pwd)/../..:${PYTHONPATH}" + python3 -m venv .venv source .venv/bin/activate - pip3 install -r ./requirements.txt + pip3 install -r requirements.txt + exec 3>&1 1> >(tee pytest.log) 2>&1 - pytest --mh-config=mhc.yaml --mh-lazy-ssh -vvv + pytest \ + --mh-config={{ mhc }} \ + --mh-lazy-ssh \ + -vvv + popd args: executable: /bin/bash diff --git a/share/container-build.sh b/share/container-build.sh index a0d81ecce..8fab56634 100755 --- a/share/container-build.sh +++ b/share/container-build.sh 
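Review bot: `export PYTHONPATH="$(pwd)/../..:${PYTHONPATH}"` leaves a trailing empty element when PYTHONPATH is unset, and on CPython an empty PYTHONPATH element puts the current working directory on `sys.path`, so the test run picks up any same-named module from the directory it happens to run in; `export PYTHONPATH="$(pwd)/../..${PYTHONPATH:+:${PYTHONPATH}}"` avoids that. `{{ mhc }}` has no default, so the role now fails with an undefined-variable error whenever it is used without the playbook's `vars:`; `--mh-config={{ mhc | default('mhc.yaml') }}` keeps the pre-commit behaviour. The `exec 3>&1 ...` line opens fd 3 but nothing in the block uses it, and the `tee` started by process substitution may still be writing `pytest.log` when the shell exits; if a later step consumes the log, a plain `pytest ... 2>&1 | tee pytest.log` under `set -o pipefail` is more predictable.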
@@ -1,15 +1,24 @@
-#! /bin/bash
-
+#!/usr/bin/env bash
 #
 # SPDX-FileCopyrightText: 2023, Iker Pedrosa
 # SPDX-FileCopyrightText: 2024, Iker Pedrosa
+# SPDX-FileCopyrightText: 2026, Hadi Chokr
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
-
-set -eE
-cd share/ansible/
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=alpine'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=debian'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=fedora'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=opensuse'
+set -e
+cd "$(dirname "$0")/ansible"
+PRIVILEGED=false
+for arg in "$@"; do
+case "$arg" in
+--privileged)
+PRIVILEGED=true
+;;
+esac
+done
+for distro in alpine debian fedora opensuse; do
+ansible-playbook playbook.yml \
+-i inventory.ini \
+-e "distribution=${distro}" \
+-e "privileged_mode=${PRIVILEGED}"
+done
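Review bot: The `case` in the argument loop silently ignores anything that is not exactly `--privileged`, so a mistyped flag (`--privileged=true`, `--priviledged`) runs the whole matrix unprivileged with no indication; add a catch-all that fails, `*) echo "usage: $0 [--privileged]" >&2; exit 2 ;;`. The switch from `set -eE` to `set -e` is harmless since no ERR trap is installed, but `set -u` would also catch unset-variable mistakes now that the script expands `${PRIVILEGED}` and `${distro}`. Since `--privileged` relaxes the container's isolation to allow the mount and BTRFS tests the commit message describes, a one-line header comment stating what the flag does and that unprivileged is the default would put that choice next to the code.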