Revert /tmp to tmpfs

Podman *really* needs /tmp to be tmpfs, to detect and
handle reboots. Although there are (at this time) no
reboots involved in CI testing, it's still important
for CI hosts to reflect something close to a real-world
environment. And, there is work underway to check /tmp:

  containers/podman#22141

This PR removes special-case Fedora code that was
disabling a tmpfs /tmp mount. History dates back to
PR containers#30 back in 2020.

Some of the image-build code in this repo performs
reboots and relies on persistent tmp files, so you'll
note a flurry of /tmp -> /var/tmp changes.

And, as a drive-by, document the Windows Chocolatey
install command. Link to Best Practices, and explain
why we disregard some of those.

Signed-off-by: Ed Santiago <[email protected]>

.cirrus.yml

@@ -102,7 +102,7 @@ container_images_task: &container_images
         REG_PASSWORD: ENCRYPTED[255ec05057707c20237a6c7d15b213422779c534f74fe019b8ca565f635dba0e11035a034e533a6f39e146e7435d87b5]
     script: ci/make_container_images.sh;
     package_cache: &package_cache
-        folder: "/tmp/automation_images_tmp/.cache/**"
+        folder: "/var/tmp/automation_images_tmp/.cache/**"
         fingerprint_key: "${TARGET_NAME}-cache-version-1"
 
 

IMG_SFX

@@ -1 +1 @@
-20240328t140922z-f39f38d13
+20240401t180450z-f39f38d13

base_images/cloud.yml

@@ -187,23 +187,23 @@ provisioners:  # Debian images come bundled with GCE integrations provisioned
     - type: 'shell'
       inline:
         - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
 
     - type: 'file'
       source: '{{ pwd }}/'
-      destination: '/tmp/automation_images/'
+      destination: '/var/tmp/automation_images/'
 
     - except: ['debian']
       type: 'shell'
       inline:
         - 'set -e'
-        - '/bin/bash /tmp/automation_images/base_images/fedora_base-setup.sh'
+        - '/bin/bash /var/tmp/automation_images/base_images/fedora_base-setup.sh'
 
     - only: ['debian']
       type: 'shell'
       inline:
         - 'set -e'
-        - 'env DEBIAN_FRONTEND=noninteractive /bin/bash /tmp/automation_images/base_images/debian_base-setup.sh'
+        - 'env DEBIAN_FRONTEND=noninteractive /bin/bash /var/tmp/automation_images/base_images/debian_base-setup.sh'
 
 post-processors:
     # Must be double-nested to guarantee execution order

base_images/debian_base-setup.sh

@@ -58,7 +58,7 @@ source "$REPO_DIRPATH/lib.sh"
 # FIXME: 2024-01-02: Bumped the timebomb expiration date because it's
 #        too hard to find out if it's fixed or not
 #        2024-01-25: again, and 02-26 again and 03-20 again
-timebomb 20240330 "workaround for updating debian 12 to 13"
+timebomb 20240410 "workaround for updating debian 12 to 13"
 $SUDO tee /usr/bin/version_find_latest <<"EOF"
 #!/bin/bash
 #
@@ -147,7 +147,7 @@ $SUDO chmod 755 /usr/bin/version_find_latest
 #     https://github.com/containers/podman/issues/19407
 #     https://bugzilla.redhat.com/show_bug.cgi?id=2230127
 # 2024-01-25 dfsg-3 also has the bug
-timebomb 20240330 "prevent us from getting broken tar-1.35+dfsg-3"
+timebomb 20240410 "prevent us from getting broken tar-1.35+dfsg-3"
 $SUDO tee /etc/apt/preferences.d/$(date +%Y%m%d)-tar <<EOF
 Package: tar
 Pin: version 1.35+dfsg-[23]
@@ -158,7 +158,7 @@ EOF
 #    error: file `/boot/grub/x86_64-efi/bli.mod' not found.
 #    BBS Table full.
 # Block it. Previous grub works fine.
-timebomb 20240330 "prevent us from getting broken grub"
+timebomb 20240410 "prevent us from getting broken grub"
 $SUDO tee /etc/apt/preferences.d/$(date +%Y%m%d)-grub <<EOF
 Package: grub*
 Pin: version 2.12-1+b1

base_images/fedora_base-setup.sh

@@ -95,10 +95,4 @@ if ! ((CONTAINER)); then
         /lib/$METADATA_SERVICE_PATH | $SUDO tee -a /etc/$METADATA_SERVICE_PATH
 fi
 
-if [[ "$OS_RELEASE_ID" == "fedora" ]] && ((OS_RELEASE_VER>=33)); then
-    # Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783509
-    echo "Disabling automatic /tmp (tmpfs) mount"
-    $SUDO systemctl mask tmp.mount
-fi
-
 finalize

cache_images/cloud.yml

@@ -183,30 +183,30 @@ provisioners:
     - type: 'shell'
       inline:
         - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
 
     - type: 'file'
       source: '{{ pwd }}/'
-      destination: "/tmp/automation_images"
+      destination: "/var/tmp/automation_images"
 
     - only: ['rawhide']
       type: 'shell'
       expect_disconnect: true  # VM will be rebooted at end of script
       inline:
         - 'set -e'
-        - '/bin/bash /tmp/automation_images/cache_images/rawhide_setup.sh'
+        - '/bin/bash /var/tmp/automation_images/cache_images/rawhide_setup.sh'
 
     - except: ['debian']
       type: 'shell'
       inline:
         - 'set -e'
-        - '/bin/bash /tmp/automation_images/cache_images/fedora_setup.sh'
+        - '/bin/bash /var/tmp/automation_images/cache_images/fedora_setup.sh'
 
     - only: ['debian']
       type: 'shell'
       inline:
         - 'set -e'
-        - 'env DEBIAN_FRONTEND=noninteractive /bin/bash /tmp/automation_images/cache_images/debian_setup.sh'
+        - 'env DEBIAN_FRONTEND=noninteractive /bin/bash /var/tmp/automation_images/cache_images/debian_setup.sh'
 
 post-processors:
     # This is critical for human-interaction.  Copntents will be used

cache_images/fedora_packaging.sh

@@ -194,7 +194,7 @@ msg "Installing general build/test dependencies"
 bigto $SUDO dnf install -y "${INSTALL_PACKAGES[@]}"
 
 # 2024-03-28 pasta 03-26 stable on some, but we want it in all
-timebomb 20240330 "pasta not yet in stable for all arches"
+timebomb 20240410 "pasta not yet in stable for all arches"
 if [[ "$OS_RELEASE_VER" -le 41 ]]; then
     arch=$(uname -m)
     n=passt

ci/Containerfile

@@ -8,7 +8,7 @@ FROM registry.fedoraproject.org/fedora:${FEDORA_RELEASE}
 ARG PACKER_VERSION
 MAINTAINER https://github.com/containers/automation_images/ci
 
-ENV CIRRUS_WORKING_DIR=/tmp/automation_images \
+ENV CIRRUS_WORKING_DIR=/var/tmp/automation_images \
     PACKER_INSTALL_DIR=/usr/local/bin \
     PACKER_VERSION=$PACKER_VERSION \
     CONTAINER=1

image_builder/gce.yml

@@ -45,16 +45,16 @@ provisioners:
     - type: 'shell'
       inline:
         - 'set -e'
-        - 'mkdir -p /tmp/automation_images'
+        - 'mkdir -p /var/tmp/automation_images'
 
     - type: 'file'
       source: '{{ pwd }}/'
-      destination: '/tmp/automation_images/'
+      destination: '/var/tmp/automation_images/'
 
     - type: 'shell'
       inline:
         - 'set -e'
-        - '/bin/bash /tmp/automation_images/image_builder/setup.sh'
+        - '/bin/bash /var/tmp/automation_images/image_builder/setup.sh'
 
 post-processors:
     # Must be double-nested to guarantee execution order

lib.sh

@@ -300,7 +300,7 @@ common_finalize() {
     $SUDO rm -rf /var/lib/cloud/instanc*
     $SUDO rm -rf /root/.ssh/*
     $SUDO rm -rf /etc/ssh/*key*
-    $SUDO rm -rf /tmp/*
+    $SUDO rm -rf /tmp/* /var/tmp/automation_images
     $SUDO rm -rf /tmp/.??*
     echo -n "" | $SUDO tee /etc/machine-id
     $SUDO sync

win_images/win-lib.ps1

@@ -35,7 +35,11 @@ function retryInstall {
                 $pkg = @("--version", $Matches.2, $Matches.1)
             }
 
-            choco install -y --allow-downgrade --execution-timeout=300 $pkg
+            # Chocolatey best practices as of 2024-04:
+            #   https://docs.chocolatey.org/en-us/choco/commands/#scripting-integration-best-practices-style-guide
+            # Some of those are suboptimal, e.g., using "upgrade" to mean "install",
+            # hardcoding a specific API URL. We choose to reject those.
+            choco install $pkg -y --allow-downgrade --execution-timeout=300
             if ($LASTEXITCODE -eq 0) {
                 break
             }