kola: add bootc-base tag for kola tests #4469
Skipping CI for Draft Pull Request.
Code Review
This pull request introduces a --no-ignition flag to kola to allow running tests on pre-baked QCOW2 images, optimizing certain testing scenarios. However, the implementation of the --ssh-user flag introduces a potential SSH configuration injection vulnerability in mantle/platform/cluster.go as the user-supplied SSHUser string is written directly into the ssh-config file without sanitization. It is recommended to sanitize this input to prevent arbitrary SSH option injection. Additionally, consider improving the readability of the machine creation logic in the QEMU platform code.
| if bc.rconf.SSHUser != "" { | ||
| if _, err := fmt.Fprintf(sshBuf, " User %s\n", bc.rconf.SSHUser); err != nil { | ||
| return err | ||
| } | ||
| } |
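Review bot: bc.rconf.SSHUser reaches the Fprintf for the User line with only an empty-string check, so whitespace or a newline in the flag value lands verbatim in the generated ssh-config. Validate the value where the --ssh-user flag is parsed, rejecting anything that is not a single login-name token, and return an error there so this write only ever sees a value that fits on one line.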
The SSHUser command-line flag is written directly into the ssh-config file without sanitization. An attacker who can control the command-line arguments to kola can inject arbitrary SSH configuration options by including newlines in the SSHUser string. This can lead to arbitrary command execution if the ssh-config file is used by the user or another tool (e.g., via ProxyCommand).
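One way to close the gap described in this comment, as an added example that is not code from the PR or from mantle: validate the value against an allow-list before it is formatted into the config. The function name writeSSHUser, the allow-list pattern and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// validSSHUser is an assumed allow-list: one login-name token, at most 32
// characters, no whitespace, quotes, '=' or control characters.
var validSSHUser = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_.-]{0,31}$`)

// writeSSHUser (hypothetical helper) appends a "User" line to an ssh-config
// buffer and refuses any value that could end the line or start a new option.
func writeSSHUser(buf *bytes.Buffer, user string) error {
	if user == "" {
		return nil // flag not set: emit nothing, matching the hunk above
	}
	if !validSSHUser.MatchString(user) {
		// %q keeps control characters escaped in the error message.
		return fmt.Errorf("invalid --ssh-user value %q", user)
	}
	_, err := fmt.Fprintf(buf, "  User %s\n", user)
	return err
}

func main() {
	// Constructed inputs: two ordinary names and one value carrying an
	// embedded newline followed by a second option.
	inputs := []string{"core", "root", "core\n  ProxyCommand placeholder"}
	for _, u := range inputs {
		var buf bytes.Buffer
		err := writeSSHUser(&buf, u)
		fmt.Printf("%q -> err=%v config=%q\n", u, err, buf.String())
	}
}
```

Rejecting the value is safer than stripping characters from it, because a silently rewritten user name would make kola connect as an account the caller did not ask for.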
| qc.mu.Lock() | ||
|
|
||
| conf, err := qc.RenderUserData(userdata, map[string]string{}) | ||
| if err != nil { | ||
| noIgnition := qc.RuntimeConf().NoIgnition | ||
| var conf *conf.Conf | ||
| var confPath string | ||
| var err error | ||
| if noIgnition { | ||
|
|
||
| qc.mu.Unlock() | ||
| return nil, err | ||
| } else { | ||
| conf, err = qc.RenderUserData(userdata, map[string]string{}) | ||
| if err != nil { | ||
| qc.mu.Unlock() | ||
| return nil, err | ||
| } | ||
| qc.mu.Unlock() | ||
|
|
||
| if conf.IsIgnition() { | ||
| confPath = filepath.Join(dir, "ignition.json") | ||
| if err := conf.WriteFile(confPath); err != nil { | ||
| return nil, err | ||
| } | ||
| } else if !conf.IsEmpty() { | ||
| return nil, fmt.Errorf("qemu only supports Ignition or empty configs") | ||
| } | ||
| } |
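Review bot: the declaration var conf *conf.Conf shadows the conf package for the rest of the function, and the variable is only assigned in the else branch, so it stays nil whenever noIgnition is true. Rename the variable to something distinct from the package and make sure every later use of it is guarded for the no-Ignition path. The repeated qc.mu.Unlock() before each return is also easy to miss when a new early return is added; holding the lock only around the RenderUserData call removes that risk.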
This block for handling Ignition is a bit complex and hard to follow due to the locking and branching. It can be simplified by restructuring the if condition and moving the lock to be more tightly scoped around the operation it protects. This will improve readability and maintainability.
    noIgnition := qc.RuntimeConf().NoIgnition
    var conf *conf.Conf
    var confPath string
    var err error
    if !noIgnition {
        qc.mu.Lock()
        conf, err = qc.RenderUserData(userdata, map[string]string{})
        qc.mu.Unlock()
        if err != nil {
            return nil, err
        }
        if conf.IsIgnition() {
            confPath = filepath.Join(dir, "ignition.json")
            if err := conf.WriteFile(confPath); err != nil {
                return nil, err
            }
        } else if !conf.IsEmpty() {
            return nil, fmt.Errorf("qemu only supports Ignition or empty configs")
        }
    }
Do you have any context for all of this? Running nested container images inside kubernetes/openshift (where we run our pipeline today) isn't trivial so I'm not sure if it will save us much. Also, the description here is contradictory. It says we should be able to run tests against a container, but then you mention a QCOW with an ssh key inject, which is a VM. What's the real goal here?
Hey Dusty, I’ll send over the task and the context I have. To be honest, I’m still figuring it out myself. Since this is a spike, the goal is to investigate and see what’s actually feasible. The DoD in the jira ticket is to create a POC and document the different approaches.
7640c85 to
c6612bc
Compare
joelcapitao
left a comment
It looks good overall, though I think we can already add systemd/SMBIOS support in this PR to implement SSH key provisioning.
So, instead of injecting SSH keys via Ignition, QEMU would be started with:
-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=<base64-encoded-tmpfiles-config>
That way, we'd be able to run the kola bootc-base tagged tests against a bootc image.
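The -smbios argument proposed in this comment, built end to end as an added example; it is not code from the PR or from mantle. The function names, the user core, the home directory /var/home/core and the key string are assumptions or constructed values, and the two tmpfiles.d lines ("d" for the directory, "f~" for a file whose content is given base64-encoded) are one possible payload, not necessarily the one the PR generates.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const credPrefix = "type=11,value=io.systemd.credential.binary:tmpfiles.extra="

// smbiosSSHKeyArg (hypothetical helper) returns the value for QEMU's -smbios
// option that hands systemd a tmpfiles.extra credential creating
// <home>/.ssh/authorized_keys for user with the given public key.
func smbiosSSHKeyArg(user, home, pubKey string) (string, error) {
	pubKey = strings.TrimSpace(pubKey)
	if pubKey == "" || strings.ContainsAny(pubKey, "\r\n") {
		return "", fmt.Errorf("public key must be one non-empty line")
	}
	if user == "" || home == "" || strings.ContainsAny(user+home, " \t\r\n") {
		return "", fmt.Errorf("user and home must be single tokens")
	}
	// Inner base64: the "~" modifier tells tmpfiles.d to decode the argument.
	keyB64 := base64.StdEncoding.EncodeToString([]byte(pubKey + "\n"))
	tmpfiles := fmt.Sprintf("d %[1]s/.ssh 0700 %[2]s %[2]s -\n"+
		"f~ %[1]s/.ssh/authorized_keys 0600 %[2]s %[2]s - %[3]s\n", home, user, keyB64)
	// Outer base64: keeps newlines, spaces and commas out of the QEMU option.
	return credPrefix + base64.StdEncoding.EncodeToString([]byte(tmpfiles)), nil
}

// decodeCredential reverses the outer encoding so the payload can be reviewed.
func decodeCredential(arg string) (string, error) {
	if !strings.HasPrefix(arg, credPrefix) {
		return "", fmt.Errorf("not a tmpfiles.extra credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(arg, credPrefix))
	return string(raw), err
}

func main() {
	// Constructed placeholder key, not a real one.
	arg, err := smbiosSSHKeyArg("core", "/var/home/core", "ssh-ed25519 AAAAEXAMPLE kola@test")
	if err != nil {
		panic(err)
	}
	cfg, _ := decodeCredential(arg)
	fmt.Printf("-smbios %s\n\ndecoded tmpfiles config:\n%s", arg, cfg)
}
```

The user and home values end up in a tmpfiles.d line, so they are held to single tokens here for the same reason the SSH user has to be checked before it is written into ssh-config.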
6b43480 to
5917f5d
Compare
@joelcapitao I added the support for SMBIOS and I guess it's good since I tested manually and it worked fine. I need to test with bootc too.
jlebon
left a comment
Awesome, thanks for working on this!
I think it's OK to try things out by having some of the built-in tests be base bootc-compatible to start. But the real value is in external tests. Once we add enablement for bootc-base for external tests, I would probably even drop all of the internal tags we added to tests here. I don't think it's a good idea to have kola built-in tests be a chokepoint/maintenance burden as we look to scale out kola usage across !CoreOS.
| // Use default builder if none provided | ||
| builder = qc.ensureBuilderDefaults(builder) | ||
|
|
||
| qm, config, err := qc.createMachine(userdata) |
createMachine seems to already handle the case where userdata could be nil. Would it be cleaner to instead keep using createMachine, and conditionalize whatever else is needed there on nil userdata?
Not sure I got the point here, but I kept createMachine and moved the Ignition vs SMBIOS split there. For bootc runs we key off --no-ignition rather than userdata == nil, since many normal tests pass nil userdata and still expect default Ignition. When the flag isn’t set, nil userdata still goes through RenderUserDataIfNeeded as before. Is that making sense to you? What would be another approach for this?
| if qc.flight.opts.Arch != "" { | ||
| if err := builder.SetArchitecture(qc.flight.opts.Arch); err != nil { | ||
| return nil, err | ||
| } | ||
| } |
This feels like something that should just already be taken care of when builder was constructed.
I did this based on what I saw in qemuiso/cluster.go (line 91 - 101). As far as I understood, NewQemuBuilder only knows host defaults. Is that right? What would be the best approach in this case?
| if qc.flight.opts.Firmware != "" { | ||
| builder.Firmware = qc.flight.opts.Firmware | ||
| } |
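Review bot: builder.Firmware is assigned straight from qc.flight.opts.Firmware with no check, while the Arch override goes through builder.SetArchitecture and can return an error. If only certain firmware values are supported, reject an unknown one here so a bad flag fails before the VM is launched. Both overrides also look like they belong inside ensureBuilderDefaults, which would keep the Arch and Firmware handling in one place instead of repeating it at each call site.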
5523475 to
c6d020a
Compare
c6d020a to
6735d65
Compare
… set UserData.docs. Tag the agreed core, ostree, and rpm-ostree upgrade-rollback tests so we can select them without custom Ignition
Provision SSH keys via systemd tmpfiles.extra credentials passed through QEMU SMBIOS so bootc-base tests can run without Ignition.
6735d65 to
20a2c9d
Compare
20a2c9d to
90e9fcd
Compare
90e9fcd to
6dcbff7
Compare
Adds a bootc-base tag for Kola tests that do not set register.Test.UserData (no test-specific Ignition/Butane).