flatcar: validate sysext on a running VM#1080
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds an end-to-end CI validation that a Dalec-built systemd-sysext can be fetched and activated inside a Flatcar VM under QEMU.
Changes:
- Add a Bash harness to build a sysext, boot Flatcar under QEMU, fetch the sysext via Ignition, and assert it runs as expected.
- Add a Dalec fixture spec used to build the test sysext and validate its stdout.
- Add a GitHub Actions workflow to run the runtime validation on PRs/pushes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
test/flatcar-runtime.sh |
Builds the sysext, provisions a Flatcar VM, serves the sysext over HTTP, and validates activation/execution via SSH. |
test/fixtures/flatcar-runtime.yml |
Defines the sysext fixture contents and a basic runtime assertion for the emitted binary output. |
.github/workflows/flatcar-runtime.yml |
CI workflow to set up Docker/QEMU, cache Flatcar artifacts, and execute the runtime test script. |
| sudo systemd-sysext status --no-pager | grep -F '${SYSEXT_NAME}' | ||
| test -x /usr/bin/${SYSEXT_NAME} | ||
| test \"\$(/usr/bin/${SYSEXT_NAME})\" = '${EXPECTED_OUTPUT}' |
| python3 -m http.server \ | ||
| --bind 0.0.0.0 \ | ||
| --directory "${OUTPUT_DIR}" \ | ||
| "${HTTP_PORT}" > "${WORK_DIR}/http.log" 2>&1 & |
| - name: Validate sysext on Flatcar | ||
| run: test/flatcar-runtime.sh |
| readonly HTTP_PORT="${FLATCAR_HTTP_PORT:-8000}" | ||
| readonly SSH_PORT="${FLATCAR_SSH_PORT:-2222}" |
| sudo apt update | ||
| sudo apt install -y moby-engine=29.4.* moby-buildx=0.33.* moby-cli=29.4.* moby-containerd=2.3.* |
cpuguy83
left a comment
There was a problem hiding this comment.
If we are going toa dd this level of testing, I think it should be in the integration suite.
We should also be able to do this with buildkit, though it will need a buildkitd that allows for higher privileged containers.
aabbe6d to
dcfd282
Compare
Yeah, that makes sense. i was thinking of keeping it separate to keep the flow totally untouched. But reworked to use the same integration suite. |
dcfd282 to
555c32e
Compare
Signed-off-by: Kartik Joshi <karikjoshi21@gmail.com>
555c32e to
722c832
Compare
What this PR does / why we need it:
Adds a Flatcar runtime validation workflow that:
flatcar/testing/sysexttarget.rawimage under/etc/extensionssystemd-sysextand verifies the extension binary executesThe official Flatcar QEMU image and wrapper script are SHA-512 pinned. The test uses KVM when available and falls back to QEMU software emulation.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Refs #969
Special notes for your reviewer:
This complements artifact-level integration coverage by validating the output on a running Flatcar VM. It does not add a Flatcar-native package toolchain.
Validation:
go run ./cmd/lint ./...make testmake check-generatedactionlint .github/workflows/flatcar-runtime.ymlflatcar-runtimeGitHub Actions job passed: Flatcar listed the extension insystemd-sysext statusand executed its binary successfully