manifests: add passt

manifest-lock.aarch64.json

@@ -990,6 +990,12 @@
     "pam-libs": {
       "evra": "1.5.2-16.fc38.aarch64"
     },
+    "passt": {
+      "evra": "0^20230509.g96f8d55-1.fc38.aarch64"
+    },
+    "passt-selinux": {
+      "evra": "0^20230509.g96f8d55-1.fc38.noarch"
+    },
     "passwd": {
       "evra": "0.80-14.fc38.aarch64"
     },

manifest-lock.ppc64le.json

@@ -990,6 +990,12 @@
     "pam-libs": {
       "evra": "1.5.2-16.fc38.ppc64le"
     },
+    "passt": {
+      "evra": "0^20230509.g96f8d55-1.fc38.ppc64le"
+    },
+    "passt-selinux": {
+      "evra": "0^20230509.g96f8d55-1.fc38.noarch"
+    },
     "passwd": {
       "evra": "0.80-14.fc38.ppc64le"
     },

manifest-lock.s390x.json

@@ -921,6 +921,12 @@
     "pam-libs": {
       "evra": "1.5.2-16.fc38.s390x"
     },
+    "passt": {
+      "evra": "0^20230509.g96f8d55-1.fc38.s390x"
+    },
+    "passt-selinux": {
+      "evra": "0^20230509.g96f8d55-1.fc38.noarch"
+    },
     "passwd": {
       "evra": "0.80-14.fc38.s390x"
     },

manifest-lock.x86_64.json

@@ -996,6 +996,12 @@
     "pam-libs": {
       "evra": "1.5.2-16.fc38.x86_64"
     },
+    "passt": {
+      "evra": "0^20230509.g96f8d55-1.fc38.x86_64"
+    },
+    "passt-selinux": {
+      "evra": "0^20230509.g96f8d55-1.fc38.noarch"
+    },
     "passwd": {
       "evra": "0.80-14.fc38.x86_64"
     },

manifests/user-experience.yaml

@@ -44,6 +44,8 @@ packages:
   - runc
   - skopeo
   - toolbox
+  # passt provides user-mode networking daemons for namespaces
+  - passt
   # nvme-cli for managing nvme disks
   - nvme-cli
   # Used by admins interactively

tests/kola/podman/rootless-pasta-networking

@@ -0,0 +1,53 @@
+#!/bin/bash
+## kola:
+##   description: Verify that rootless pasta networking passt works.
+##   # This test downloads containers and curls from the net.
+##   tags: "platform-independent needs-internet"
+##   # This test doesn't make meaningful changes to the system and
+##   # should be able to be combined with other tests.
+##   exclusive: false
+##   # This test reaches out to the internet and it could take more
+##   # time to pull down the container.
+##   timeoutMin: 3
+
+# See https://github.com/coreos/fedora-coreos-tracker/issues/1436
+
+set -xeuo pipefail
+. $KOLA_EXT_DATA/commonlib.sh
+
+runascoreuserscript='#!/bin/bash
+set -euxo pipefail
+# Just a basic test that uses pasta network and sets the gateway
+podman run -i --net=pasta:-g,8.8.8.8 registry.fedoraproject.org/fedora:38 bash <<"EOF"
+set -euxo pipefail
+# Verify the 8.8.8.8 got set as the gateway. No /sbin/ip so just use /proc/net/route
+cat /proc/net/route | grep 08080808
+# Download something from the internet. Here we use one of the test
+# fixtures from the ignition.resource.remote test.
+result=$(curl https://ignition-test-fixtures.s3.amazonaws.com/resources/anonymous)
+[ "$result" == "kola-anonymous" ] || exit 1
+EOF
+'
+
+runascoreuser() {
+    # NOTE: If we don't use `| cat` the output won't get copied
+    # to our unit and won't show up in the `systemctl status` output
+    # of the ext test.
+    sudo -u core "$@" | cat
+}
+
+main() {
+
+    # Execute script as the core user to exercise rootless podman
+    runascoreuserscriptpath=$(mktemp --suffix=runascoreuser)
+    echo "$runascoreuserscript" > $runascoreuserscriptpath
+    chmod +x $runascoreuserscriptpath
+    chown core $runascoreuserscriptpath
+    if runascoreuser $runascoreuserscriptpath; then
+        ok "Podman with pasta networking succeeded!"
+    else
+        fatal "Podman with pasta networking failed"
+    fi
+}
+
+main