README, test: add --log-driver=passthrough-tty for term progress

This commit documents that `--log-driver=passthrough-tty` is needed to get "nice" progress reporting. This is not great, as it is one more option that is needed to get passed and its a potential attack vector (but given that we already give `--privileged` we are not really making things worse here). The alternative is to use a progress bar that does not need the raw-terminal or just write our own, using `\x1B[3`, `\x1B[0J` and redraw manually. Doing this is just going to be a bit more work.
osbuild · Dec 11, 2024 · ab70e9d · ab70e9d
1 parent 313b4f7
commit ab70e9d
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ sudo podman run \
     --rm \
     -it \
     --privileged \
+    --log-driver=passthrough-tty \
     --pull=newer \
     --security-opt label=type:unconfined_t \
     -v ./config.toml:/config.toml:ro \
@@ -119,6 +120,7 @@ Usage:
     --rm \
     -it \
     --privileged \
+    --log-driver=passthrough-tty \
     --pull=newer \
     --security-opt label=type:unconfined_t \
     -v ./output:/output \
@@ -208,6 +210,7 @@ For example:
   --rm \
   -it \
   --privileged \
+  --log-driver=passthrough-tty \
   --pull=newer \
   --security-opt label=type:unconfined_t \
   -v $HOME/.aws:/root/.aws:ro \
@@ -248,6 +251,7 @@ $ sudo podman run \
   --rm \
   -it \
   --privileged \
+  --log-driver=passthrough-tty \
   --pull=newer \
   --security-opt label=type:unconfined_t \
   --env-file=aws.secrets \
@@ -292,6 +296,7 @@ sudo podman run \
     --rm \
     -it \
     --privileged \
+    --log-driver=passthrough-tty \
     --pull=newer \
     --security-opt label=type:unconfined_t \
     -v ./config.toml:/config.toml:ro \

diff --git a/test/test_progress.py b/test/test_progress.py
@@ -1,12 +1,18 @@
+import os
 import subprocess
 
+import pytest
+
 # pylint: disable=unused-import
 from test_opts import container_storage_fixture
 from containerbuild import build_container_fixture, build_fake_container_fixture
 
 
-def bib_cmd(container_storage, output_path, build_fake_container):
-    return [
+def test_progress_debug(tmp_path, container_storage, build_fake_container):
+    output_path = tmp_path / "output"
+    output_path.mkdir(exist_ok=True)
+
+    cmdline = [
         "podman", "run", "--rm",
         "--privileged",
         "--security-opt", "label=type:unconfined_t",
@@ -16,13 +22,6 @@ def bib_cmd(container_storage, output_path, build_fake_container):
         "build",
         "quay.io/centos-bootc/centos-bootc:stream9",
     ]
-
-
-def test_progress_debug(tmp_path, container_storage, build_fake_container):
-    output_path = tmp_path / "output"
-    output_path.mkdir(exist_ok=True)
-
-    cmdline = bib_cmd(container_storage, output_path, build_fake_container)
     cmdline.append("--progress=debug")
     res = subprocess.run(cmdline, capture_output=True, check=True, text=True)
     assert res.stderr.count("Start progressbar") == 1
@@ -31,3 +30,34 @@ def test_progress_debug(tmp_path, container_storage, build_fake_container):
     assert res.stderr.count("Build complete") == 1
     assert res.stderr.count("Stop progressbar") == 1
     assert res.stdout.strip() == ""
+
+
+def test_progress_term(tmp_path, container_storage, build_fake_container):
+    output_path = tmp_path / "output"
+    output_path.mkdir(exist_ok=True)
+
+    # XXX: we cannot use RawTerminal mode (which Pb requires) with podman,
+    # except when using "--log-driver=passthrough-tty"
+    cmdline = [
+        "podman", "run", "--rm",
+        "--privileged",
+        # Note that this is needed to get the pb.ProgressBar support
+        "--log-driver=passthrough-tty",
+        "--security-opt", "label=type:unconfined_t",
+        "-v", f"{container_storage}:/var/lib/containers/storage",
+        "-v", f"{output_path}:/output",
+        build_fake_container,
+        "build",
+        # this should not be needed but we add it to ensure it breaks early
+        # if it cannot access the tty
+        "--progress=term",
+        "quay.io/centos-bootc/centos-bootc:stream9",
+    ]
+    # simulate running in a pty (subprocess.run() won't cut it)
+    cmdline = ["systemd-run", "--pty"] + cmdline
+    res = subprocess.run(cmdline, capture_output=True, text=True, check=False)
+    assert res.returncode == 0
+    # systemd-run gives us stderr on stdout (i.e. it just combines the
+    # two streams)
+    # smoke test that we see a progress
+    assert "[|] Manifest generation step" in res.stdout