Complete migration from Cirrus CI to GHA (Lima)

.github/workflows/test.yml

@@ -210,8 +210,12 @@ jobs:
         PKG_CONFIG_PATH: /usr/386/lib/pkgconfig
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
 
-  fedora:
-    timeout-minutes: 30
+  lima:
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        template: [almalinux-8, almalinux-9, centos-stream-10, fedora]
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
@@ -230,13 +234,13 @@ jobs:
       # CPUs: min(4, host CPU cores)
       # RAM:  min(4 GiB, half of host memory)
       # Disk: 100 GiB
-      run: limactl start --plain --name=default template://fedora
+      run: limactl start --plain --name=default template:${{ matrix.template }}
 
     - name: "Initialize VM"
       run: |
         set -eux -o pipefail
         limactl cp -r . default:/tmp/runc
-        lima sudo /tmp/runc/script/setup_host_fedora.sh
+        lima sudo /tmp/runc/script/setup_host.sh
 
     - name: "Show guest info"
       run: |
@@ -264,6 +268,8 @@ jobs:
       run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
 
     - name: "Run integration tests (systemd driver, rootless)"
+      # Needs cgroup v2
+      if: ${{ matrix.template != 'almalinux-8' }}
       run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
 
     - name: "Run integration tests (fs driver, rootless)"
@@ -273,7 +279,7 @@ jobs:
     needs:
     - test
     - cross-i386
-    - fedora
+    - lima
     runs-on: ubuntu-24.04
     steps:
     - run: echo "All jobs completed"

README.md

@@ -5,7 +5,6 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/588/badge)](https://bestpractices.coreinfrastructure.org/projects/588)
 [![gha/validate](https://github.com/opencontainers/runc/workflows/validate/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate)
 [![gha/ci](https://github.com/opencontainers/runc/workflows/ci/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Aci)
-[![CirrusCI](https://api.cirrus-ci.com/github/opencontainers/runc.svg)](https://cirrus-ci.com/github/opencontainers/runc)
 
 ## Introduction
 

script/setup_host.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# This script is used for initializing the host environment for CI.
+# Supports Fedora and EL-based distributions.
+set -eux -o pipefail
+
+: "${LIBPATHRS_VERSION:=0.2.4}"
+
+# BATS_VERSION is only consumed for the EL8 platform as its bats package is too old.
+: "${BATS_VERSION:=v1.12.0}"
+
+SCRIPTDIR="$(dirname "${BASH_SOURCE[0]}")"
+
+# PLATFORM_ID is not available on Fedora
+PLATFORM_ID=
+grep -q ^PLATFORM_ID /etc/os-release && PLATFORM_ID="$(grep -oP '^PLATFORM_ID="\K[^"]+' /etc/os-release)"
+
+# Initialize DNF
+DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs)
+case "$PLATFORM_ID" in
+platform:el8)
+	# DNF+=(--exclude="kernel,kernel-core") seems to fail
+	"${DNF[@]}" config-manager --set-enabled powertools # for glibc-static
+	"${DNF[@]}" install epel-release
+	;;
+platform:el9 | platform:el10)
+	DNF+=(--exclude="kernel,kernel-core")
+	"${DNF[@]}" config-manager --set-enabled crb # for glibc-static
+	"${DNF[@]}" install epel-release
+	;;
+*)
+	# Fedora
+	DNF+=(--exclude="kernel,kernel-core")
+	;;
+esac
+
+# Install common packages
+RPMS=(cargo container-selinux fuse-sshfs git-core glibc-static golang iptables jq libseccomp-devel lld make policycoreutils wget)
+# Work around dnf mirror failures by retrying a few times.
+for i in $(seq 0 2); do
+	sleep "$i"
+	"${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break
+done
+# shellcheck disable=SC2181
+[ $? -eq 0 ] # fail if dnf failed
+
+# Install CRIU
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+	# Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545).
+	# Alas we have to disable container-tools for that.
+	"${DNF[@]}" module disable container-tools
+	"${DNF[@]}" copr enable adrian/criu-el8
+fi
+"${DNF[@]}" install criu
+
+# Install BATS
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+	# The packaged version of bats is too old: `BATS_ERROR_SUFFIX: unbound variable`, `bats_require_minimum_version: command not found`
+	(
+		cd /tmp
+		git clone https://github.com/bats-core/bats-core
+		(
+			cd bats-core
+			git checkout "$BATS_VERSION"
+			./install.sh /usr/local
+			cat >>/etc/profile.d/sh.local <<'EOF'
+PATH="/usr/local/bin:$PATH"
+export PATH
+EOF
+			cat >/etc/sudoers.d/local <<'EOF'
+Defaults    secure_path = "/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+EOF
+		)
+		rm -rf bats-core
+	)
+else
+	"${DNF[@]}" install bats
+fi
+
+# Clean up DNF
+dnf clean all
+
+# Install libpathrs
+"$SCRIPTDIR"/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
+
+# Setup rootless user.
+"$SCRIPTDIR"/setup_rootless.sh
+
+# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup
+if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
+	mkdir -p /etc/systemd/system/user@.service.d
+	cat >/etc/systemd/system/user@.service.d/delegate.conf <<'EOF'
+[Service]
+# The default (since systemd v252) is "pids memory cpu".
+Delegate=yes
+EOF
+	systemctl daemon-reload
+fi
+
+# Allow potentially unsafe tests.
+echo 'export RUNC_ALLOW_UNSAFE_TESTS=yes' >>/root/.bashrc