From d69462b7a1b1a92b83cada3cca0c8fa6d1bccc5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:07:15 +0200
Subject: [PATCH 01/14] feat(Dockerfiles): switch from s2i python images to plain ubi/cs9 ones

The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us. Additionally, using plain ubi makes things more explicit.
---
 base/ubi9-python-3.11/Dockerfile | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index e6f327a52..a44387fbf 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -1,4 +1,15 @@
-FROM registry.access.redhat.com/ubi9/python-311:latest
+FROM registry.access.redhat.com/ubi9/ubi:latest
+
+# perform the setup that python s2i image used to do for us
+# but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV VIRTUAL_ENV="/opt/app-root"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+    --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    python3.11 -m venv "${VIRTUAL_ENV}"
+
+USER 1001
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
@@ -20,7 +31,7 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY ${SOURCE_CODE}/Pipfile.lock ./
-RUN echo "Installing softwares and packages" && micropipenv install && rm -f ./Pipfile.lock
+RUN echo "Installing software and packages" && micropipenv install && rm -f ./Pipfile.lock
 
 # OS Packages needs to be installed as root
 USER root
From 073a1cf2812db0e79a86a680bb8a1acb494bf888 Mon Sep 17 00:00:00 2001
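Review bot: The new `dnf install -y python311-pip` in the bootstrap RUN installs with dnf's defaults, which by default also pull weak (recommended) dependencies and documentation, which works against the size and CVE-exposure goal the commit message gives for dropping the s2i image; `dnf install -y --setopt=install_weak_deps=False --nodocs python311-pip` limits the layer to the named package and its hard requirements. The same applies to the dnf lines added later in this series (patches 10, 12 and 13). I would also say in the comment above the RUN what is being replicated rather than only the disk-space benefit, e.g. `# replicate the s2i python image conventions: uid 1001 in gid 0, app root /opt/app-root, venv on PATH`.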
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:12:30 +0200
Subject: [PATCH 02/14] fixup, setup venv running as 1001

---
 base/ubi9-python-3.11/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index a44387fbf..00b99e55a 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -10,6 +10,7 @@ RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-ro
     python3.11 -m venv "${VIRTUAL_ENV}"
 
 USER 1001
+RUN python3.8 -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
From 10a22ac6e52f8f3ba00baef232f1a95d635c4475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:23:59 +0200
Subject: [PATCH 03/14] fixup, mkdir home directory first

---
 base/ubi9-python-3.11/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 00b99e55a..7f9a3df97 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -4,7 +4,8 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV VIRTUAL_ENV="/opt/app-root"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0 ${VIRTUAL_ENV} && \
+    useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
     python3.11 -m venv "${VIRTUAL_ENV}"
From 7654516d3cf90401fbf991f78ce3c92cac610391 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:35:09 +0200
Subject: [PATCH 04/14] fixup, fetch fix-permissions script

---
 base/ubi9-python-3.11/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 7f9a3df97..8fe7dea82 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -8,10 +8,10 @@ RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0
     useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
-    python3.11 -m venv "${VIRTUAL_ENV}"
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
 
 USER 1001
-RUN python3.8 -m venv "${VIRTUAL_ENV}"
+RUN python3.11 -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
From 465bc6d7ff742b6be81acf6f42b22cc11c50e325 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:46:53 +0200
Subject: [PATCH 05/14] fixup, set APP_ROOT env variable

---
 base/ubi9-python-3.11/Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 8fe7dea82..781a1d18b 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
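Review bot: After this hunk the bootstrap RUN still ends with `&& \` on the `dnf install` line, but the `python3.11 -m venv` line that continuation used to join has been removed, so the next line, `COPY --from=...`, is pulled into the shell command as a continuation and the RUN fails; the intended line is the bare `dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/*`, which patch 11 later in this series restores. Separately, `COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions ...` takes a script that a later RUN executes during the build (`fix-permissions /opt/app-root -P`) from a floating tag of a third-party image, so the build's content can change with no change in this repository; pin the image by digest (`quay.io/sclorg/s2i-core-c9s@sha256:<digest>`, placeholder) or vendor the script into the repo. The same unpinned `--from` reappears in patches 07 and 10, and the `FROM ...:latest` and `centos:stream9` base references have the same property.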
@@ -2,10 +2,11 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
-ENV VIRTUAL_ENV="/opt/app-root"
+ENV APP_ROOT="/opt/app-root"
+ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0 ${VIRTUAL_ENV} && \
-    useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
+RUN mkdir --parents --mode 0771 "${APP_ROOT}/src" && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
From ebb10fbd110b6f0684622eab4320000d5a70ca17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:59:05 +0200
Subject: [PATCH 06/14] fixup, set more s2i env variables

---
 base/ubi9-python-3.11/Dockerfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 781a1d18b..ce0f342f5 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -5,14 +5,16 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 ENV APP_ROOT="/opt/app-root"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN mkdir --parents --mode 0771 "${APP_ROOT}/src" && chown --recursive 1001:0 ${APP_ROOT} && \
+ENV PYTHON_VERSION=3.11
+ENV PIP_NO_CACHE_DIR=off
+RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
 
 USER 1001
-RUN python3.11 -m venv "${VIRTUAL_ENV}"
+RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
@@ -52,7 +54,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc
     rm -f /tmp/openshift-client-linux.tar.gz
 
 # Fix permissions to support pip in Openshift environments
-RUN chmod -R g+w /opt/app-root/lib/python3.11/site-packages && \
+RUN chmod -R g+w /opt/app-root/lib/python${PYTHON_VERSION}/site-packages && \
     fix-permissions /opt/app-root -P
 
 WORKDIR /opt/app-root/src
From a9648393d696012a4b51742bd4c6c0e3bd7af4c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:18:09 +0200
Subject: [PATCH 07/14] fixup, copy in /usr/bin/rpm-file-permissions from s2i

---
 base/ubi9-python-3.11/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index ce0f342f5..3a38ef59b 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
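Review bot: `ENV PIP_NO_CACHE_DIR=off` is an ambiguous way to state the intent: pip reads this variable as a boolean and the reading of a value like `off` has not been the same across pip releases, so whether the cache ends up disabled or enabled depends on which pip `python311-pip` ships (worth verifying against that version rather than assuming). If the intent is to disable the cache, `ENV PIP_NO_CACHE_DIR=1` is read the same way by every release, and the `pip install --no-cache-dir` used later in this file already covers that invocation either way. `chmod --recursive 0771 ${APP_ROOT}` in place of `mkdir --mode` is harmless here only because the tree holds nothing but the empty `src` directory at this point; a comment such as `# tree holds only directories here, so the recursive mode does not mark files executable` would keep a later file drop-in above this line from silently inheriting 0771.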
@@ -11,7 +11,7 @@ RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && c
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
-COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
 RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
From bd9b105b9216ac124bc0f513f118df7756e082f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:30:59 +0200
Subject: [PATCH 08/14] fixup, vscode extensions get installed into HOME

---
 base/ubi9-python-3.11/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 3a38ef59b..4b9ed7f24 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -3,6 +3,7 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV APP_ROOT="/opt/app-root"
+ENV HOME="${APP_ROOT}"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 ENV PYTHON_VERSION=3.11
From 20f302993b32c802dcdf7b08d90facf3ed18fec4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:38:27 +0200
Subject: [PATCH 09/14] fixup, set the HOME env variable correctly this time

---
 base/ubi9-python-3.11/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 4b9ed7f24..c375a1a56 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -3,13 +3,13 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV APP_ROOT="/opt/app-root"
-ENV HOME="${APP_ROOT}"
+ENV HOME="${APP_ROOT}/src"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 ENV PYTHON_VERSION=3.11
 ENV PIP_NO_CACHE_DIR=off
-RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
-    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
+RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
From 62b153881a693def4657536ad8437f0a1c43f301 Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:31:52 +0200
Subject: [PATCH 10/14] fixups for python 3.11 when it got added

---
 base/c9s-python-3.11/Dockerfile | 19 ++++++++++++++++++-
 base/ubi9-python-3.11/Dockerfile | 2 +-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/base/c9s-python-3.11/Dockerfile b/base/c9s-python-3.11/Dockerfile
index 05a9363bd..976b9fd3c 100644
--- a/base/c9s-python-3.11/Dockerfile
+++ b/base/c9s-python-3.11/Dockerfile
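Review bot: The two comment lines above this block still only say the setup saves disk space, yet the block now fixes several conventions the rest of the Dockerfile depends on — HOME placed under APP_ROOT, the default user as uid 1001 in gid 0 with the whole tree group-writable, and the venv at APP_ROOT on PATH — and the s2i image that used to embody them is no longer around to explain them. I would replace the two lines with something like `# Replicate what the sclorg python s2i image used to set up: APP_ROOT/HOME layout, default user 1001 in gid 0 with a group-writable tree, venv at APP_ROOT on PATH. Doing it here saves hundreds of MB versus the s2i base image.` The reason for the gid 0 / group-writable choice (presumably OpenShift's arbitrary UIDs, given the later "support pip in Openshift environments" comment) should be stated once it is confirmed. `mkdir --parents "${HOME}"` also silently depends on the `ENV HOME` line placed above it, which is worth naming in that comment since the RUN reads like a self-contained unit.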
@@ -1,4 +1,21 @@
-FROM quay.io/sclorg/python-311-c9s:c9s
+FROM quay.io/centos/centos:stream9
+
+# perform the setup that python image used to do for us
+# but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV APP_ROOT="/opt/app-root"
+ENV HOME="${APP_ROOT}/src"
+ENV VIRTUAL_ENV="${APP_ROOT}"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+ENV PYTHON_VERSION=3.11
+ENV PIP_NO_CACHE_DIR=off
+RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
+    --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/*
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
+
+USER 1001
+RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/c9s-python-3.11
 
diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index c375a1a56..fa77c597d 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -11,7 +11,7 @@ ENV PIP_NO_CACHE_DIR=off
 RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
-    dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
From 380b6c58c33ba6178e447a7516483fa594517093 Mon Sep 17 00:00:00 2001
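Review bot: The bootstrap block added to base/c9s-python-3.11/Dockerfile is a copy of the one in base/ubi9-python-3.11/Dockerfile apart from the FROM line, and the drift has already started inside this very commit: the c9s copy ends its RUN cleanly with `rm -rf /var/cache/yum/*` while the ubi9 copy in the second hunk still carries the trailing `&& \` that swallows the following COPY, and patches 12 and 13 then apply the same package change to both files separately. Keeping the block in one place — for example a small bootstrap script kept in the repo and run via `COPY` + `RUN` from both Dockerfiles, with PYTHON_VERSION as its only input — would let both images pick up one set of fixes. `FROM quay.io/centos/centos:stream9` is a moving reference like the UBI `:latest` one; pinning by digest is the same consideration as for the `COPY --from` image.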
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:48:31 +0200
Subject: [PATCH 11/14] fixup extra slash

---
 base/ubi9-python-3.11/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index fa77c597d..b02cf38f4 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -11,7 +11,7 @@ ENV PIP_NO_CACHE_DIR=off
 RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
-    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/*
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
From 1a43289ce4b94d80ccd7528e080be210daa5afd7 Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:58:32 +0200
Subject: [PATCH 12/14] fixup install extra packages on c9s py.11 (that we already have on py3.9)

---
 base/c9s-python-3.11/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/c9s-python-3.11/Dockerfile b/base/c9s-python-3.11/Dockerfile
index 976b9fd3c..ead683375 100644
--- a/base/c9s-python-3.11/Dockerfile
+++ b/base/c9s-python-3.11/Dockerfile
@@ -41,7 +41,11 @@ COPY ${SOURCE_CODE}/Pipfile.lock ./
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+RUN dnf install -y \
+    mesa-libGL \
+    patch \
+    wget \
+    && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
From 1e8dd3140d980ff573d56d3ae746959f31825d8a Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:59:10 +0200
Subject: [PATCH 13/14] fixup install extra packages on ubi9 py.11 (that we already have on py3.9)

---
 base/ubi9-python-3.11/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index b02cf38f4..e45cf0f57 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -43,7 +43,11 @@ RUN echo "Installing software and packages" && micropipenv install && rm -f ./Pi
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+RUN dnf install -y \
+    mesa-libGL \
+    patch \
+    wget \
+    && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
From 57f2e8f21027fadafc575c79e76de942c19e352c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Thu, 6 Feb 2025 15:00:53 +0100
Subject: [PATCH 14/14] NO-ISSUE: chore(tests/containers): fix fake fips tests for macOS rootless podman machine

```
base_image_test.py:146: in test_oc_command_runs_fake_fips
assert ecode == 0, output.decode()
E AssertionError: assertion failed [!result.is_error]: Unable to open /proc/sys/vm/mmap_min_addr
E (VMAllocationTracker.cpp:317 init)
E
E assert 137 == 0
```
```
lima cat /proc/sys/vm/mmap_min_addr
65536
```
```
podman machine ssh cat /proc/sys/vm/mmap_min_addr
65536
```
```
podman run --entrypoint /bin/bash --rm -it ghcr.io/jiridanek/notebooks/workbench-images:base-ubi9-python-3.11-jd_ubi_base_1e8dd3140d980ff573d56d3ae746959f31825d8a
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
bash-5.1$ cat /proc/sys/vm/mmap_min_addr
65536
```
---
 tests/containers/base_image_test.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/containers/base_image_test.py b/tests/containers/base_image_test.py
index 3a6a2f728..e47ee8c5b 100644
--- a/tests/containers/base_image_test.py
+++ b/tests/containers/base_image_test.py
@@ -5,6 +5,7 @@
 import json
 import logging
 import pathlib
+import platform
 import re
 import tempfile
 import textwrap
@@ -135,16 +136,23 @@ def test_oc_command_runs_fake_fips(self, image: str, subtests: pytest_subtests.S
         tmp_crypto.chmod(0o777)
 
         container = testcontainers.core.container.DockerContainer(image=image, user=54321, group_add=[0])
-        container.with_volume_mapping(str(tmp_crypto), "/proc/sys", mode="ro,z")
+
+        # if /proc/sys/crypto/fips_enabled exists, only replace this file,
+        # otherwise (Ubuntu case), assume entire /proc/sys/crypto does not exist
+        if platform.system().lower() == "darwin" or pathlib.Path("/proc/sys/crypto/fips_enabled").exists():
+            container.with_volume_mapping(str(tmp_crypto / 'crypto' / 'fips_enabled'), "/proc/sys/crypto/fips_enabled", mode="ro,z")
+        else:
+            container.with_volume_mapping(str(tmp_crypto), "/proc/sys", mode="ro,z")
+
         container.with_command("/bin/sh -c 'sleep infinity'")
 
         try:
             container.start()
 
             with subtests.test("/proc/sys/crypto/fips_enabled is 1"):
-                ecode, output = container.exec(["/bin/sh", "-c", "sysctl crypto.fips_enabled"])
+                ecode, output = container.exec(["/bin/sh", "-c", "cat /proc/sys/crypto/fips_enabled"])
                 assert ecode == 0, output.decode()
-                assert "crypto.fips_enabled = 1\n" == output.decode(), output.decode()
+                assert "1\n" == output.decode(), f"Unexpected crypto/fips_enabled content: {output.decode()}"
 
             # 0: enabled, 1: partial success, 2: not enabled
             with subtests.test("/fips-mode-setup --is-enabled reports 1"):
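Review bot: The new `darwin` branch is not explained by the comment above it, which only covers the Linux/Ubuntu cases, so a reader cannot tell why macOS is grouped with hosts where `/proc/sys/crypto/fips_enabled` exists. Presumably `pathlib.Path("/proc/sys/crypto/fips_enabled").exists()` runs on the macOS host, which has no /proc at all, while the container actually runs inside the podman machine VM whose kernel does expose /proc/sys (inferred from the commit message's `podman machine ssh cat /proc/sys/vm/mmap_min_addr` output); I would say so in the comment, e.g. `# on macOS the host has no /proc, but the container runs in the podman machine VM whose kernel does have /proc/sys/crypto/fips_enabled, so replace only that file`. Mounting only the single file also means this branch depends on the VM kernel exposing that path, which the test no longer checks for; if a VM image ever lacks it the mount target cannot be created and the failure mode will look unrelated to FIPS. `'crypto' / 'fips_enabled'` uses single quotes while the rest of this hunk and file use double quotes. test_oc_command_runs_fake_fips starts before and continues after this hunk.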