ci: port CentOS Stream test to GitHub Actions using Lima

Move the CentOS Stream 9 based test from Cirrus CI to GitHub
Actions using Lima VMs. Expand coverage to a matrix of CentOS
Stream 9 and 10 on x86_64.

Extract the common Lima VM setup steps (Lima install, image
caching, KVM enablement, VM start, source copy) into a reusable
composite action at .github/actions/lima-vm-setup.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>

Author: adrianreber

.cirrus.yml

@@ -18,36 +18,6 @@ task:
   build_script: |
     make -C scripts/ci vagrant-fedora-no-vdso
 
-task:
-  name: CentOS Stream 9 based test
-  environment:
-    HOME: "/root"
-    CIRRUS_WORKING_DIR: "/tmp/criu"
-
-  compute_engine_instance:
-    image_project: centos-cloud
-    image: family/centos-stream-9
-    platform: linux
-    cpu: 4
-    memory: 8G
-
-  setup_script: |
-    dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
-    dnf -y install epel-release epel-next-release
-    contrib/dependencies/dnf-packages.sh
-    # The image has a too old version of nettle which does not work with gnutls.
-    # Just upgrade to the latest to make the error go away.
-    dnf -y upgrade nettle nettle-devel
-    systemctl stop sssd
-    # Even with selinux in permissive mode the selinux tests will be executed.
-    # The Cirrus CI user runs as a service from selinux point of view and is
-    # much more restricted than a normal shell (system_u:system_r:unconfined_service_t:s0).
-    # The test case above (vagrant-fedora-no-vdso) should run selinux tests in enforcing mode.
-    setenforce 0
-
-  build_script: |
-    make -C scripts/ci local SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 ZDTM_OPTS="-x zdtm/static/socket-raw"
-
 task:
   name: Vagrant Fedora based test (non-root)
   environment:

.github/actions/lima-vm-setup/action.yml

@@ -0,0 +1,31 @@
+name: 'Lima VM Setup'
+description: 'Install Lima, enable KVM, start a VM and copy the CRIU source into it'
+
+inputs:
+  template:
+    description: 'Lima VM template name (e.g. fedora, centos-stream-9)'
+    required: true
+  cache-key-prefix:
+    description: 'Prefix for the Lima image cache key'
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - name: Install Lima
+    uses: lima-vm/lima-actions/setup@v1
+  - name: Cache Lima images
+    uses: actions/cache@v4
+    with:
+      path: ~/.cache/lima
+      key: ${{ inputs.cache-key-prefix }}-${{ github.sha }}
+      restore-keys: ${{ inputs.cache-key-prefix }}-
+  - name: Start VM
+    shell: bash
+    run: limactl start --plain --name=default --cpus=4 --memory=12 template://${{ inputs.template }}
+  - name: Copy source into VM
+    shell: bash
+    run: |
+      lima sudo mkdir -p /home/criu
+      lima sudo chown "$(lima whoami)" /home/criu
+      limactl copy -r . default:/home/criu

.github/workflows/ci.yml

@@ -62,6 +62,31 @@ jobs:
     - name: Run Arch Linux Test
       run: sudo -E make -C scripts/ci archlinux
 
+  centos-stream-test:
+    name: CentOS Stream ${{ matrix.version }}
+    # aarch64 is not supported by lima-vm/lima-actions
+    # https://github.com/lima-vm/lima-actions/pull/1
+    #needs: [alpine-test]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    strategy:
+      matrix:
+        version: [9, 10]
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ./.github/actions/lima-vm-setup
+      with:
+        template: centos-stream-${{ matrix.version }}
+        cache-key-prefix: lima-centos-stream-${{ matrix.version }}
+    - name: Setup VM
+      run: lima sudo /home/criu/scripts/ci/lima.sh centos-stream-setup
+    - name: Show VM info
+      run: |
+        lima uname -a
+        lima cat /proc/cmdline
+    - name: Run tests
+      run: ssh -tt lima-default sudo -i /home/criu/scripts/ci/lima.sh centos-stream-test
+
   compat-test:
     needs: [alpine-test]
     runs-on: ubuntu-22.04
@@ -138,21 +163,10 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
-    - name: Install Lima
-      uses: lima-vm/lima-actions/setup@v1
-    - name: Cache Lima images
-      uses: actions/cache@v4
+    - uses: ./.github/actions/lima-vm-setup
       with:
-        path: ~/.cache/lima
-        key: lima-fedora-${{ github.sha }}
-        restore-keys: lima-fedora-
-    - name: Start Fedora VM
-      run: limactl start --plain --name=default --cpus=4 --memory=12 template://fedora
-    - name: Copy source into VM
-      run: |
-        lima sudo mkdir -p /home/criu
-        lima sudo chown "$(lima whoami)" /home/criu
-        limactl copy -r . default:/home/criu
+        template: fedora
+        cache-key-prefix: lima-fedora
     - name: Setup VM
       run: lima sudo /home/criu/scripts/ci/lima.sh fedora-rawhide-setup
     - name: Reboot VM to activate new kernel

scripts/ci/lima.sh

@@ -1,18 +1,47 @@
 #!/bin/bash
 
-# This script runs inside a Lima Fedora VM to set up and run
-# the Fedora Rawhide based CI tests with a vanilla kernel.
-# It mirrors the logic from vagrant.sh's setup() and fedora-rawhide().
-#
+# This script runs inside Lima VMs to set up and run CI tests.
+# It is invoked with a command name, e.g.:
+#   lima.sh centos-stream-setup
+#   lima.sh centos-stream-test
 #   lima.sh fedora-rawhide-setup
 #   lima.sh fedora-rawhide-test
 
-
 set -e
 set -x
 
 CRIU_DIR="${CRIU_DIR:-/home/criu}"
 
+centos-stream-setup() {
+	# Enable CRB repository
+	dnf config-manager --set-enabled crb
+	# Install EPEL
+	dnf -y install epel-release
+	# Install build/test dependencies
+	"${CRIU_DIR}"/contrib/dependencies/dnf-packages.sh
+	# Disable sssd to avoid zdtm test failures in pty04
+	systemctl stop sssd || true
+	# Set SELinux to permissive mode; selinux tests still run but
+	# are not blocked by the restricted service context of CI.
+	setenforce 0
+	# The rpc test cases are running as user #1000
+	adduser -u 1000 test
+}
+
+centos-stream-test() {
+	# Increase the max thread limit for the thread-bomb test
+	sysctl -w kernel.threads-max=100000
+
+	# Newer systemd versions limit the number of tasks per user via
+	# cgroup pids controller. Remove the limit for the root user.
+	systemctl set-property user-0.slice TasksMax=infinity
+
+	cd "${CRIU_DIR}"
+	make -C scripts/ci local \
+		SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 \
+		ZDTM_OPTS="-x zdtm/static/socket-raw"
+}
+
 fedora-rawhide-setup() {
 	# Disable sssd to avoid zdtm test failures in pty04 due to sssd socket
 	systemctl mask sssd