ci(e2e): add CentOS Stream 10 Docker/Podman/SELinux suite #2093
Open
ericcurtin wants to merge 1 commit into
Contributor (Author)
I think an org admin has to turn on RHEL 10 runners though
Collaborator
This looks good to me, but I think you're right on needing an admin. cc @drew @TaylorMutch
Contributor (Author)
We could theoretically do CentOS Stream VMs to work around this, would be good enough...
Collaborator
@ericcurtin yeah, good point. It probably makes sense too since CentOS Stream is more community upstream oriented than RHEL. I do love me some RHEL but this is probably a better fit for CentOS Stream.
PR NVIDIA#2092 adds SELinux relabeling (:z/:Z) support to the Docker and Podman driver bind mounts, but our existing E2E lanes run inside the Ubuntu-based ghcr.io/nvidia/openshell/ci container image, which does not enforce SELinux. That leaves the new relabeling behavior, and any future SELinux-sensitive change, without a host that can actually deny a mislabeled mount.

The original version of this suite required an org admin to provision a GitHub-hosted RHEL 10 "larger runner", which isn't something CI changes in this repo can provision. Per discussion on PR NVIDIA#2093, swap that for a CentOS Stream 10 VM booted under QEMU/KVM on the existing self-hosted linux-amd64-cpu8 runner (already used by driver-vm-linux.yml with --privileged), driven entirely over SSH. This needs no new runner class: it downloads a CentOS Stream 10 GenericCloud image, seeds it with cloud-init over a generated ISO, boots it with hardware-accelerated QEMU, and copies the checked-out repo in over scp/tar.

Once the guest is up, the suite installs Docker Engine and Podman side by side, confirms SELinux is Enforcing, runs the standard e2e:docker and e2e:podman suites, and fails the job if the audit log shows AVC denials during the run.

It remains wired in as optional/non-blocking via the test:e2e-centos label (renamed from test:e2e-rhel), matching the existing test:e2e-kubernetes pattern. Documentation in CI.md and CONTRIBUTING.md is updated to reflect the renamed label and workflow.

Signed-off-by: Eric Curtin <eric.curtin@docker.com>
maxamillion previously approved these changes (Jul 2, 2026)
elezar reviewed (Jul 3, 2026)
```yaml
description: "GitHub Actions runner label (must be a RHEL 10 image)"
required: false
type: string
default: "linux-amd64-rhel10"
```
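Review bot: the `description` promises a RHEL 10 image, but a free-form `type: string` input with `default: "linux-amd64-rhel10"` enforces nothing, and a label that is not provisioned at the org level will simply never schedule. Since the whole point of the lane is SELinux enforcement, consider a first job step that reads `/etc/os-release` and `getenforce`, and fails fast unless the OS is the expected one and the mode is `Enforcing`, so a caller passing a non-SELinux runner label cannot produce a green but vacuous run.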
Member
These need to be enabled at an org-level. We will have to follow-up internally as to whether this is possible.
0a5b5ed to 0831f62
Summary

Adds an opt-in E2E suite that boots a CentOS Stream 10 VM under QEMU/KVM on the existing self-hosted `linux-amd64-cpu8` runner, installs Docker Engine alongside Podman, verifies SELinux is enforcing, and runs the standard `e2e:docker` and `e2e:podman` suites against both engines on the same SELinux-enforcing guest, per the discussion in #2092.

Related Issue

Follow-up to the CI request in #2092 (comment).

Changes

- `.github/workflows/e2e-centos-selinux.yml`:
  - `linux-amd64-cpu8` runner (the same class already used by `driver-vm-linux.yml` with `--privileged`) — no new org-provisioned runner class is required.
  - cloud-init over a generated ISO, and boots it under hardware-accelerated QEMU/KVM. Fails fast if `/dev/kvm` isn't exposed to the job.
  - rest of the suite entirely over SSH.
  - `get.docker.com` alongside Podman (RHEL-family distros ship Podman but not Docker) and applies the `--ip-forward-no-drop` `dockerd` override so both engines coexist.
  - Enforcing, so the suite can't silently pass on a permissive guest.
  - `mise run e2e:docker` then `mise run e2e:podman` against the built supervisor image inside the guest.
  - fails the job if any are found, surfacing SELinux/bind-mount relabeling regressions (e.g. the `:z`/`:Z` support being added in feat(docker,podman): add SELinux label support for bind mounts #2092).
- `branch-e2e.yml` behind a new `test:e2e-centos` label (renamed from `test:e2e-rhel`), following the existing `test:e2e-kubernetes` pattern (optional, not part of the required CI gate, since it boots a VM inside the job rather than using standard runner infrastructure).
- `e2e-label-help.yml`, `CI.md`, and `CONTRIBUTING.md` to document the renamed label.

Note on the earlier RHEL-runner approach

An earlier version of this suite required an org admin to provision a GitHub-hosted RHEL 10 "larger runner", which isn't something CI changes in this repo can provision on their own. This revision replaces that with a CentOS Stream 10 VM booted under QEMU/KVM on the existing self-hosted runner instead, so the suite needs no new runner class and can run as soon as this PR merges.

Testing

- `actionlint` (no new findings; pre-existing `runner-label` warnings are unrelated, caused by no `actionlint.yaml` runner-label config in the repo)
- `mise run markdown:lint` passes
- `update_license_headers.py --check` passes
- `/dev/kvm`-capable runner available, and no Rust/Python source changed, so `mise run pre-commit`'s Rust/Python checks weren't re-run
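Both the commit message and the Changes list above describe the same two guest-side gates: refuse to run unless SELinux is Enforcing (a Permissive guest logs AVCs but denies nothing, so the denial check would pass vacuously), and fail the job if the audit log shows AVC denials during the run. The POSIX shell below is an added illustration of those gates, not code from the openshell repo or from this PR. It assumes the `getenforce` output is handed to the function as an argument, that audit records use the standard `type=AVC msg=audit(EPOCH.MS:SERIAL): avc:  denied ...` layout found in `/var/log/audit/audit.log` on RHEL-family hosts, and it works on a hand-constructed three-record sample so it runs offline; in the real lane the records would come from `ausearch -m avc --raw -ts <run start>` or the log file itself.

```shell
#!/bin/sh
# Added example (not from the openshell project or PR #2093): the SELinux
# gates a CentOS Stream 10 E2E guest would apply, on constructed input.

# Constructed sample of audit.log content: one AVC denial from a container
# reading a mislabeled file (tcontext user_home_t instead of container_file_t),
# one AVC "granted" record, and one unrelated SYSCALL record.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1719900000.123:456): avc:  denied  { read } for  pid=4321 comm="cat" name="config.yaml" dev="vda1" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1719900001.456:457): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1719900000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:container_t:s0:c12,c34 key=(null)'

# check_enforcing MODE: succeeds only when MODE is exactly "Enforcing".
# MODE is what `getenforce` printed inside the guest (assumed, passed in so
# the function is testable without SELinux on the caller's host).
check_enforcing() {
  [ "$1" = "Enforcing" ]
}

# count_avc_denials_since START_EPOCH: reads audit records on stdin and prints
# how many are AVC denials (type=AVC carrying the "avc:  denied" marker) whose
# timestamp is at or after START_EPOCH. "granted" AVCs, non-AVC record types
# and denials from before the run started are not counted.
count_avc_denials_since() {
  awk -v start="$1" '
    /^type=AVC / && /avc:  denied/ {
      # msg=audit(1719900000.123:456): -> take the integer seconds after "(".
      if (match($0, /msg=audit\([0-9]+/)) {
        ts = substr($0, RSTART + 10, RLENGTH - 10) + 0
        if (ts >= start) n++
      }
    }
    END { print n + 0 }'
}

# avc_gate MODE START_EPOCH: the combined job gate. Exit 2 if the guest is not
# enforcing (the suite must not pass on a permissive guest), exit 1 if any AVC
# denial was logged during the run, exit 0 otherwise. Audit records on stdin.
avc_gate() {
  mode=$1
  start=$2
  if ! check_enforcing "$mode"; then
    echo "SELinux is '$mode', not Enforcing; refusing to trust a permissive run" >&2
    return 2
  fi
  denials=$(count_avc_denials_since "$start")
  if [ "$denials" -gt 0 ]; then
    echo "$denials AVC denial(s) logged since $start; see ausearch -m avc -ts" >&2
    return 1
  fi
  echo "no AVC denials since $start" >&2
  return 0
}

# Stand-alone demo on the constructed sample: set AVC_GATE_DEMO=1 to run it.
if [ "${AVC_GATE_DEMO:-}" = "1" ]; then
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_gate Enforcing 0 || echo "gate exit status: $?"
fi
```

The run-start cutoff matters: a freshly booted cloud image often logs a few AVCs during first boot, so gating on "any denial ever" would make the lane flaky for reasons unrelated to the change under test. Record the epoch just before `mise run e2e:docker` starts and pass it as `START_EPOCH`.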