@cgwalters
Collaborator

Add a TMT test that exercises the mount point check fix from PR #1904. The test builds a container image with an embedded disk.yaml that creates a partition layout WITHOUT a separate /boot partition - just root (/) with /boot/efi as a separate mount point.

This partition layout triggers the bug from issue #1907 where bootc's empty rootfs verification would fail with:
"Found entry in boot: efi"

The issue was that when /boot is a directory on the root filesystem (not a separate partition), but /boot/efi IS a mount point on a different device, the old code incorrectly saw "efi" as a regular directory entry rather than recognizing it was a mount point boundary.

Verified that temporarily reverting the fix from PR #1904 causes this test to fail with the expected error message.

This was already fixed by ab65078 but we didn't realize at the time the scope.

Closes: #1907
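
A check of the kind described above, sketched as an added example; it is not bootc's code and not part of this PR. The function names, the device-id heuristic and the constructed temp-directory layout are assumptions, and the mount point test is a parameter so the layout (plain `boot` directory, `boot/efi` as a boundary) can be exercised without real mounts:

```rust
use std::{fs, io, path::Path};
use std::os::unix::fs::MetadataExt;

// Assumed heuristic (not bootc's code): a directory is a mount point boundary
// when its device id differs from its parent's. Same-device bind mounts are missed.
pub fn is_mountpoint_by_dev(path: &Path) -> io::Result<bool> {
    let parent = path.parent().unwrap_or(path);
    Ok(fs::symlink_metadata(path)?.dev() != fs::symlink_metadata(parent)?.dev())
}

// Fail on the first entry under `dir` that is neither a mount point nor a
// plain directory whose own contents pass the same check.
pub fn require_only_mountpoints(
    dir: &Path,
    is_mountpoint: &dyn Fn(&Path) -> io::Result<bool>,
) -> Result<(), String> {
    let label = dir.file_name().map(|n| n.to_string_lossy().into_owned()).unwrap_or_default();
    for entry in fs::read_dir(dir).map_err(|e| e.to_string())? {
        let entry = entry.map_err(|e| e.to_string())?;
        let name = entry.file_name().to_string_lossy().into_owned();
        // file_type() does not follow symlinks, so symlinks are reported, never followed.
        if !entry.file_type().map_err(|e| e.to_string())?.is_dir() {
            return Err(format!("Found entry in {label}: {name}"));
        }
        let path = entry.path();
        if is_mountpoint(&path).map_err(|e| e.to_string())? {
            continue; // boundary: whatever is below lives on another filesystem
        }
        require_only_mountpoints(&path, is_mountpoint)?;
    }
    Ok(())
}

// Constructed layout: <tmp>/root/boot/efi/shim.efi, with no real mounts involved.
pub fn build_sample_root() -> io::Result<std::path::PathBuf> {
    let root = std::env::temp_dir().join(format!("only-mounts-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(root.join("boot/efi"))?;
    fs::write(root.join("boot/efi/shim.efi"), b"constructed")?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = build_sample_root()?;
    let efi_is_mount = |p: &Path| -> io::Result<bool> { Ok(p.ends_with("boot/efi")) };
    println!("{:?}", require_only_mountpoints(&root, &efi_is_mount));
    println!("{:?}", require_only_mountpoints(&root, &|_: &Path| -> io::Result<bool> { Ok(false) }));
    fs::remove_dir_all(&root)
}
```

On a real target, `&is_mountpoint_by_dev` would be passed as the detector; the second call in `main` shows what happens when the `efi` boundary is not recognized and the walk descends into it.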

@bootc-bot bootc-bot bot requested a review from jeckersb January 16, 2026 00:19
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a valuable integration test for bootc-image-builder to prevent a regression of issue #1907, specifically addressing a scenario with a particular partition layout. However, a high-severity vulnerability was identified in the new test script tmt/tests/booted/test-bib-build.nu due to the use of podman run --privileged. This poses a significant security risk, potentially leading to container escape and host compromise in the CI/CD environment. It is strongly recommended to replace the --privileged flag with more granular capabilities to adhere to the principle of least privilege. Additionally, the review suggests improvements for better maintainability of the new nushell test script.

jeckersb
jeckersb previously approved these changes Jan 16, 2026
Collaborator

@jeckersb jeckersb left a comment

Yay tests 😻

@jeckersb jeckersb enabled auto-merge (rebase) January 16, 2026 17:11
Add a TMT test that exercises the mount point check fix from PR bootc-dev#1904.
The test builds a container image with an embedded disk.yaml that creates
a partition layout WITHOUT a separate /boot partition - just root (/)
with /boot/efi as a separate mount point.

This partition layout triggers the bug from issue bootc-dev#1907 where bootc's
empty rootfs verification would fail with:
  "Found entry in boot: efi"

The issue was that when /boot is a directory on the root filesystem
(not a separate partition), but /boot/efi IS a mount point on a different
device, the old code incorrectly saw "efi" as a regular directory entry
rather than recognizing it was a mount point boundary.

Verified that temporarily reverting the fix from PR bootc-dev#1904 causes this
test to fail with the expected error message.

This was already fixed by bootc-dev@ab65078
but we didn't realize at the time the scope.

Closes: bootc-dev#1907
Signed-off-by: Colin Walters <walters@verbum.org>
Development

Successfully merging this pull request may close these issues.

error: Installing to filesystem: Verifying empty rootfs: Requiring directory contains only mount points: Found entry in boot: efi
