diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index 7ec3b1d6374..00000000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -# We use Cirrus for RHEL clones because Cirrus can directly run them -# without depending on nested virtualization. - -# NOTE Cirrus execution environments lack a terminal, needed for -# some integration tests. So we use `ssh -tt` command to fake a terminal. - -task: - timeout_in: 30m - - env: - HOME: /root - CIRRUS_WORKING_DIR: /home/runc - GO_VER_PREFIX: "1.25." - BATS_VERSION: "v1.12.0" - LIBPATHRS_VERSION: "0.2.4" - RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils cargo lld wget - # yamllint disable rule:key-duplicates - matrix: - - DISTRO: almalinux-8 - IMAGE_PROJECT: almalinux-cloud - - DISTRO: almalinux-9 - IMAGE_PROJECT: almalinux-cloud - - DISTRO: centos-stream-10 - IMAGE_PROJECT: centos-cloud - - name: ci / $DISTRO - - compute_engine_instance: - image_project: $IMAGE_PROJECT - image: family/$DISTRO - platform: linux - cpu: 4 - memory: 8G - - install_dependencies_script: | - case $DISTRO in - *-8) - dnf config-manager --set-enabled powertools # for glibc-static - ;; - *-9|*-10) - dnf config-manager --set-enabled crb # for glibc-static - dnf -y install epel-release # for fuse-sshfs - # Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup. - # The default (since systemd v252) is "pids memory cpu". - mkdir -p /etc/systemd/system/user@.service.d - printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf - systemctl daemon-reload - ;; - esac - # Work around dnf mirror failures by retrying a few times. - for i in $(seq 0 2); do - sleep $i - dnf install -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs $RPMS && break - done - [ $? -eq 0 ] # fail if dnf failed - - case $DISTRO in - *-8) - # Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545). - # Alas we have to disable container-tools for that. 
- dnf -y module disable container-tools - dnf -y copr enable adrian/criu-el8 - dnf -y install criu - esac - - # Install libpathrs. - /home/runc/script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr - - # Install Go. - URL_PREFIX="https://go.dev/dl/" - # Find out the latest minor release URL. - filename=$(curl -fsSL "${URL_PREFIX}?mode=json&include=all" | jq -r --arg Ver "go$GO_VER_PREFIX" '. | map(select(.version | contains($Ver))) | first | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | .filename') - curl -fsSL "$URL_PREFIX$filename" | tar Cxz /usr/local - # install bats - cd /tmp - git clone https://github.com/bats-core/bats-core - cd bats-core - git checkout $BATS_VERSION - ./install.sh /usr/local - cd - - # Setup rootless tests. - /home/runc/script/setup_rootless.sh - # set PATH - echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc - # Allow potentially unsafe tests. - echo 'export RUNC_ALLOW_UNSAFE_TESTS=yes' >> /root/.bashrc - # Setup ssh localhost for terminal emulation (script -e did not work) - ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N "" - cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys - chmod 400 /root/.ssh/authorized_keys - ssh-keyscan localhost >> /root/.ssh/known_hosts - echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config - sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config - systemctl restart sshd - host_info_script: | - uname -a - # ----- - /usr/local/go/bin/go version - # ----- - systemctl --version - # ----- - cat /etc/os-release - # ----- - df -T - # ----- - sestatus - # ----- - cat /proc/cpuinfo - check_config_script: | - /home/runc/script/check-config.sh - unit_tests_script: | - ssh -tt localhost "make -C /home/runc localunittest" - integration_systemd_script: | - ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes" - integration_fs_script: | - ssh 
-tt localhost "make -C /home/runc localintegration" - integration_systemd_rootless_script: | - case $DISTRO in - *-8) - echo "SKIP: integration_systemd_rootless_script requires cgroup v2" - ;; - *) - ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes" - esac - integration_fs_rootless_script: | - ssh -tt localhost "make -C /home/runc localrootlessintegration" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c8e87d061d1..03d32da8b71 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -210,8 +210,12 @@ jobs: PKG_CONFIG_PATH: /usr/386/lib/pkgconfig run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest - fedora: - timeout-minutes: 30 + lima: + timeout-minutes: 60 + strategy: + fail-fast: false + matrix: + template: [almalinux-8, almalinux-9, centos-stream-10, fedora] runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 @@ -230,13 +234,13 @@ jobs: # CPUs: min(4, host CPU cores) # RAM: min(4 GiB, half of host memory) # Disk: 100 GiB - run: limactl start --plain --name=default template://fedora + run: limactl start --plain --name=default template:${{ matrix.template }} - name: "Initialize VM" run: | set -eux -o pipefail limactl cp -r . default:/tmp/runc - lima sudo /tmp/runc/script/setup_host_fedora.sh + lima sudo /tmp/runc/script/setup_host.sh - name: "Show guest info" run: | @@ -264,6 +268,8 @@ jobs: run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration - name: "Run integration tests (systemd driver, rootless)" + # Needs cgroup v2 + if: ${{ matrix.template != 'almalinux-8' }} run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes - name: "Run integration tests (fs driver, rootless)" @@ -273,7 +279,7 @@ jobs: needs: - test - cross-i386 - - fedora + - lima runs-on: ubuntu-24.04 steps: - run: echo "All jobs completed" diff --git a/README.md b/README.md index 5d643b179bb..e87c7d78b0c 100644 --- a/README.md +++ b/README.md 
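Review bot: In the hunk at -230, the new `limactl start` line expands `${{ matrix.template }}` directly into the `run:` text, so the value is pasted into the script before the shell parses it. The matrix values are fixed strings defined in this same file, so nothing untrusted reaches the command today, but the pattern stops being safe once the template name comes from a workflow input or a caller. Passing it through the environment keeps the value as data: add `env:` with `TEMPLATE: ${{ matrix.template }}` to the step and change the command to `run: limactl start --plain --name=default "template:$TEMPLATE"`. The step's remaining keys lie outside the hunk.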
@@ -5,7 +5,6 @@ [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/588/badge)](https://bestpractices.coreinfrastructure.org/projects/588) [![gha/validate](https://github.com/opencontainers/runc/workflows/validate/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate) [![gha/ci](https://github.com/opencontainers/runc/workflows/ci/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Aci) -[![CirrusCI](https://api.cirrus-ci.com/github/opencontainers/runc.svg)](https://cirrus-ci.com/github/opencontainers/runc) ## Introduction diff --git a/script/setup_host.sh b/script/setup_host.sh new file mode 100755 index 00000000000..e424262630d --- /dev/null +++ b/script/setup_host.sh 
@@ -0,0 +1,100 @@
+#!/bin/bash
+# This script is used for initializing the host environment for CI.
+# Supports Fedora and EL-based distributions.
+set -eux -o pipefail
+
+: "${LIBPATHRS_VERSION:=0.2.4}"
+
+# BATS_VERSION is only consumed for the EL8 platform as its bats package is too old.
+: "${BATS_VERSION:=v1.12.0}"
+
+SCRIPTDIR="$(dirname "${BASH_SOURCE[0]}")"
+
+# PLATFORM_ID is not available on Fedora
+PLATFORM_ID=
+grep -q ^PLATFORM_ID /etc/os-release && PLATFORM_ID="$(grep -oP '^PLATFORM_ID="\K[^"]+' /etc/os-release)"
+
+# Initialize DNF
+DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs)
+case "$PLATFORM_ID" in
+platform:el8)
+ # DNF+=(--exclude="kernel,kernel-core") seems to fail
+ "${DNF[@]}" config-manager --set-enabled powertools # for glibc-static
+ "${DNF[@]}" install epel-release
+ ;;
+platform:el9 | platform:el10)
+ DNF+=(--exclude="kernel,kernel-core")
+ "${DNF[@]}" config-manager --set-enabled crb # for glibc-static
+ "${DNF[@]}" install epel-release
+ ;;
+*)
+ # Fedora
+ DNF+=(--exclude="kernel,kernel-core")
+ ;;
+esac
+
+# Install common packages
+RPMS=(cargo container-selinux fuse-sshfs git-core glibc-static golang iptables jq libseccomp-devel lld make policycoreutils wget)
+# Work around dnf mirror failures by retrying a few times.
+for i in $(seq 0 2); do
+ sleep "$i"
+ "${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break
+done
+# shellcheck disable=SC2181
+[ $? -eq 0 ] # fail if dnf failed
+
+# Install CRIU
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+ # Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545).
+ # Alas we have to disable container-tools for that.
+ "${DNF[@]}" module disable container-tools
+ "${DNF[@]}" copr enable adrian/criu-el8
+fi
+"${DNF[@]}" install criu
+
+# Install BATS
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+ # The packaged version of bats is too old: `BATS_ERROR_SUFFIX: unbound variable`, `bats_require_minimum_version: command not found`
+ (
+ cd /tmp
+ git clone https://github.com/bats-core/bats-core
+ (
+ cd bats-core
+ git checkout "$BATS_VERSION"
+ ./install.sh /usr/local
+ cat >>/etc/profile.d/sh.local <<'EOF'
+PATH="/usr/local/bin:$PATH"
+export PATH
+EOF
+ cat >/etc/sudoers.d/local <<'EOF'
+Defaults secure_path = "/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+EOF
+ )
+ rm -rf bats-core
+ )
+else
+ "${DNF[@]}" install bats
+fi
+
+# Clean up DNF
+dnf clean all
+
+# Install libpathrs
+"$SCRIPTDIR"/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
+
+# Setup rootless user.
+"$SCRIPTDIR"/setup_rootless.sh
+
+# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup
+if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
+ mkdir -p /etc/systemd/system/user@.service.d
+ cat >/etc/systemd/system/user@.service.d/delegate.conf <<'EOF'
+[Service]
+# The default (since systemd v252) is "pids memory cpu".
+Delegate=yes
+EOF
+ systemctl daemon-reload
+fi
+
+# Allow potentially unsafe tests.
+echo 'export RUNC_ALLOW_UNSAFE_TESTS=yes' >>/root/.bashrc
diff --git a/script/setup_host_fedora.sh b/script/setup_host_fedora.sh
deleted file mode 100755
index 20ffa56dbb8..00000000000
--- a/script/setup_host_fedora.sh
+++ /dev/null
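Review bot: In the EL8 branch of the BATS install, the script clones bats-core, checks out the tag named by `$BATS_VERSION` and runs `./install.sh /usr/local` with nothing tying the checkout to known content. The workflow invokes this script through `lima sudo`, so the installer runs as root, and the same branch then puts `/usr/local/bin` first in sudo's `secure_path`; a tag that is moved upstream would therefore change what later `sudo` commands execute. Recording the full commit id beside the tag and checking it before the installer runs closes the gap: add `: "${BATS_COMMIT:=<full commit id of the pinned tag>}"` next to the other defaults and `[ "$(git rev-parse HEAD)" = "$BATS_COMMIT" ]` directly after `git checkout "$BATS_VERSION"`, which stops the script under `set -e` on a mismatch. The removed `.cirrus.yml` used the same tag checkout, so this is carried over rather than introduced here.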
@@ -1,38 +0,0 @@ -#!/bin/bash -set -eux -o pipefail -DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude="kernel,kernel-core") -RPMS=(bats git-core glibc-static golang jq libseccomp-devel cargo lld make wget) -# Work around dnf mirror failures by retrying a few times. -for i in $(seq 0 2); do - sleep "$i" - "${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break -done - -# criu-4.1-1 has a known bug (https://github.com/checkpoint-restore/criu/issues/2650) -# which is fixed in criu-4.1-2 (currently in updates-testing). TODO: remove this later. -if [[ $(rpm -q criu) == "criu-4.1-1.fc"* ]]; then - "${DNF[@]}" --enablerepo=updates-testing update criu -fi - -dnf clean all - -SCRIPTDIR="$(dirname "${BASH_SOURCE[0]}")" - -LIBPATHRS_VERSION="0.2.4" -"$SCRIPTDIR"/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr - -# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp. -mount -o remount,suid /tmp - -# Setup rootless user. -"$SCRIPTDIR"/setup_rootless.sh - -# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup -mkdir -p /etc/systemd/system/user@.service.d -cat >/etc/systemd/system/user@.service.d/delegate.conf <= 244 (Fedora >= 32, Ubuntu >= 20.04). -Delegate=yes -EOF -systemctl daemon-reload