test/browser: run tests inside the tasks container

This simplifies the "outside" setup quite a bit and gives us the same
tasks container that test runs on the Cockpit CI run under.

test/browser/browser.sh

@@ -1,27 +1,7 @@
 #!/bin/sh
-set -eux
-
-# test plan name, passed on to run-test.sh
-PLAN="$1"
-
-export TEST_BROWSER=${TEST_BROWSER:-firefox}
-
-TESTS="$(realpath $(dirname "$0"))"
-export SOURCE="$(realpath $TESTS/../..)"
-
-# https://tmt.readthedocs.io/en/stable/overview.html#variables
-export LOGS="${TMT_TEST_DATA:-$(pwd)/logs}"
-mkdir -p "$LOGS"
-chmod a+w "$LOGS"
-
-# install firefox (available everywhere in Fedora and RHEL)
-# we don't need the H.264 codec, and it is sometimes not available (rhbz#2005760)
-dnf install --disablerepo=fedora-cisco-openh264 -y --setopt=install_weak_deps=False firefox
 
-# nodejs 10 is too old for current Cockpit test API
-if grep -q platform:el8 /etc/os-release; then
-    dnf module switch-to -y nodejs:16
-fi
+set -eux
+cd "${0%/*}/../.."
 
 # HACK: ensure that critical components are up to date: https://github.com/psss/tmt/issues/682
 dnf update -y podman crun conmon criu
@@ -37,6 +17,11 @@ fi
 # Show critical package versions
 rpm -q runc crun podman criu kernel-core selinux-policy cockpit-podman cockpit-bridge || true
 
+# allow test to set up things on the machine
+mkdir -p /root/.ssh
+curl https://raw.githubusercontent.com/cockpit-project/bots/main/machine/identity.pub >> /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
 # create user account for logging in
 if ! id admin 2>/dev/null; then
     useradd -c Administrator -G wheel admin
@@ -49,16 +34,6 @@ echo root:foobar | chpasswd
 # avoid sudo lecture during tests
 su -c 'echo foobar | sudo --stdin whoami' - admin
 
-# create user account for running the test
-if ! id runtest 2>/dev/null; then
-    useradd -c 'Test runner' runtest
-    # allow test to set up things on the machine
-    mkdir -p /root/.ssh
-    curl https://raw.githubusercontent.com/cockpit-project/bots/main/machine/identity.pub  >> /root/.ssh/authorized_keys
-    chmod 600 /root/.ssh/authorized_keys
-fi
-chown -R runtest "$SOURCE"
-
 # disable core dumps, we rather investigate them upstream where test VMs are accessible
 echo core > /proc/sys/kernel/core_pattern
 
@@ -75,14 +50,18 @@ for retry in $(seq 5); do
 done
 
 # image setup, shared with upstream tests
-$TESTS/../vm.install
+sh -x test/vm.install
 
 systemctl enable --now cockpit.socket podman.socket
 
-# Run tests as unprivileged user
-# once we drop support for RHEL 8, use this:
-# runuser -u runtest --whitelist-environment=TEST_BROWSER,TEST_ALLOW_JOURNAL_MESSAGES,TEST_AUDIT_NO_SELINUX,SOURCE,LOGS $TESTS/run-test.sh $PLAN
-runuser -u runtest --preserve-environment env USER=runtest HOME=$(getent passwd runtest | cut -f6 -d:) $TESTS/run-test.sh $PLAN
-
-RC=$(cat $LOGS/exitcode)
-exit ${RC:-1}
+# Run tests in the cockpit tasks container, as unprivileged user
+CONTAINER="$(cat .cockpit-ci/container)"
+exec podman \
+    run \
+        --rm \
+        --shm-size=1024m \
+        --security-opt=label=disable \
+        --volume="${TMT_TEST_DATA}":/logs:rw,U --env=LOGS=/logs \
+        --volume="$(pwd)":/source:rw,U --env=SOURCE=/source \
+        "${CONTAINER}" \
+            sh /source/test/browser/run-test.sh "$@"

test/browser/run-test.sh

@@ -1,10 +1,10 @@
-#!/bin/sh
 set -eux
 
 PLAN="$1"
 
+cd "${SOURCE}"
+
 # tests need cockpit's bots/ libraries and test infrastructure
-cd $SOURCE
 rm -f bots  # common local case: existing bots symlink
 make bots test/common
 
@@ -24,6 +24,9 @@ if [ "${TEST_OS#centos-}" != "$TEST_OS" ]; then
     TEST_OS="${TEST_OS}-stream"
 fi
 
+# Chromium sometimes gets OOM killed on testing farm
+export TEST_BROWSER=firefox
+
 # select subset of tests according to plan
 TESTS="$(test/common/run-tests -l)"
 case "$PLAN" in
@@ -39,10 +42,14 @@ EXCLUDES=""
 echo "TEST_ALLOW_JOURNAL_MESSAGES: ${TEST_ALLOW_JOURNAL_MESSAGES:-}"
 echo "TEST_AUDIT_NO_SELINUX: ${TEST_AUDIT_NO_SELINUX:-}"
 
+GATEWAY="$(python3 -c 'import socket; print(socket.gethostbyname("_gateway"))')"
 RC=0
-test/common/run-tests --nondestructive --machine 127.0.0.1:22 --browser 127.0.0.1:9090 $TESTS $EXCLUDES || RC=$?
-
-echo $RC > "$LOGS/exitcode"
+./test/common/run-tests \
+    --nondestructive \
+    --machine "${GATEWAY}":22 \
+    --browser "${GATEWAY}":9090 \
+    $TESTS \
+    $EXCLUDES \
+|| RC=$?
 cp --verbose Test* "$LOGS" || true
-# deliver test result via exitcode file
-exit 0
+exit $RC

test/vm.install

@@ -14,9 +14,10 @@ if grep -q ID.*debian /usr/lib/os-release; then
 fi
 
 # don't force https:// (self-signed cert)
+mkdir -p /etc/cockpit
 printf "[WebService]\\nAllowUnencrypted=true\\n" > /etc/cockpit/cockpit.conf
 
-if type firewall-cmd >/dev/null 2>&1; then
+if systemctl is-active -q firewalld.service; then
     firewall-cmd --add-service=cockpit --permanent
 fi