mirror of https://gitee.com/openkylin/runc.git
199 lines
7.4 KiB
YAML
199 lines
7.4 KiB
YAML
---
|
|
# We use Cirrus for CentOS (native) and Fedora (in Vagrant), because neither
|
|
# CentOS nor Fedora is available on GHA natively, so the only option is VM.
|
|
# In GHA, nested virtualization is only supported on macOS instances, which
|
|
# are slow and flaky.
|
|
|
|
# NOTE Cirrus execution environments lack a terminal, needed for
|
|
# some integration tests. So we use `ssh -tt` command to fake a terminal.
|
|
|
|
task:
|
|
timeout_in: 30m
|
|
|
|
env:
|
|
DEBIAN_FRONTEND: noninteractive
|
|
HOME: /root
|
|
# yamllint disable rule:key-duplicates
|
|
matrix:
|
|
DISTRO: fedora
|
|
|
|
name: vagrant DISTRO:$DISTRO
|
|
|
|
compute_engine_instance:
|
|
image_project: cirrus-images
|
|
image: family/docker-kvm
|
|
platform: linux
|
|
nested_virtualization: true
|
|
# CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
|
|
cpu: 4
|
|
# Memory limit: `4GB * NCPU`
|
|
memory: 16G
|
|
|
|
host_info_script: |
|
|
uname -a
|
|
# -----
|
|
cat /etc/os-release
|
|
# -----
|
|
df -T
|
|
# -----
|
|
cat /proc/cpuinfo
|
|
install_libvirt_vagrant_script: |
|
|
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
|
|
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
|
|
sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
|
|
apt-get update
|
|
apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
|
|
systemctl enable --now libvirtd
|
|
apt-get build-dep -y vagrant ruby-libvirt
|
|
apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
|
|
vagrant plugin install vagrant-libvirt
|
|
vagrant_cache:
|
|
fingerprint_script: cat Vagrantfile.$DISTRO
|
|
folder: /root/.vagrant.d/boxes
|
|
vagrant_up_script: |
|
|
ln -sf Vagrantfile.$DISTRO Vagrantfile
|
|
# Retry if it fails (download.fedoraproject.org returns 404 sometimes)
|
|
vagrant up --no-tty || vagrant up --no-tty
|
|
mkdir -p -m 0700 /root/.ssh
|
|
vagrant ssh-config >> /root/.ssh/config
|
|
guest_info_script: |
|
|
ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"'
|
|
check_config_script: |
|
|
ssh default /vagrant/script/check-config.sh
|
|
unit_tests_script: |
|
|
ssh default 'sudo -i make -C /vagrant localunittest'
|
|
integration_systemd_script: |
|
|
ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
|
|
integration_fs_script: |
|
|
ssh -tt default "sudo -i make -C /vagrant localintegration"
|
|
integration_systemd_rootless_script: |
|
|
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
|
|
integration_fs_rootless_script: |
|
|
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
|
|
|
|
task:
|
|
timeout_in: 30m
|
|
|
|
env:
|
|
HOME: /root
|
|
CIRRUS_WORKING_DIR: /home/runc
|
|
GO_VERSION: "1.20"
|
|
BATS_VERSION: "v1.9.0"
|
|
RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
|
|
# yamllint disable rule:key-duplicates
|
|
matrix:
|
|
DISTRO: centos-7
|
|
DISTRO: centos-stream-8
|
|
DISTRO: centos-stream-9
|
|
|
|
name: ci / $DISTRO
|
|
|
|
compute_engine_instance:
|
|
image_project: centos-cloud
|
|
image: family/$DISTRO
|
|
platform: linux
|
|
cpu: 4
|
|
memory: 8G
|
|
|
|
install_dependencies_script: |
|
|
case $DISTRO in
|
|
centos-7)
|
|
(cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
|
|
# EPEL is needed for jq and fuse-sshfs.
|
|
rpm -q epel-release || rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
|
|
# sysctl
|
|
echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
|
|
sysctl --system
|
|
;;
|
|
centos-stream-8)
|
|
yum config-manager --set-enabled powertools # for glibc-static
|
|
;;
|
|
centos-stream-9)
|
|
dnf config-manager --set-enabled crb # for glibc-static
|
|
dnf -y install epel-release epel-next-release # for fuse-sshfs
|
|
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
|
|
# The default (since systemd v252) is "pids memory cpu".
|
|
mkdir -p /etc/systemd/system/user@.service.d
|
|
printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf
|
|
systemctl daemon-reload
|
|
;;
|
|
esac
|
|
# Work around dnf mirror failures by retrying a few times.
|
|
for i in $(seq 0 2); do
|
|
sleep $i
|
|
yum install -y $RPMS && break
|
|
done
|
|
[ $? -eq 0 ] # fail if yum failed
|
|
|
|
# Double check that all rpms were installed (yum from CentOS 7
|
|
# does not exit with an error if some packages were not found).
|
|
# Use --whatprovides since some packages are renamed.
|
|
rpm -q --whatprovides $RPMS
|
|
# install Go
|
|
PREFIX="https://go.dev/dl/"
|
|
# Find out the latest minor release URL.
|
|
eval $(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | "filename=\"" + .filename + "\""')
|
|
curl -fsSL "$PREFIX$filename" | tar Cxz /usr/local
|
|
# install bats
|
|
cd /tmp
|
|
git clone https://github.com/bats-core/bats-core
|
|
cd bats-core
|
|
git checkout $BATS_VERSION
|
|
./install.sh /usr/local
|
|
cd -
|
|
# Add a user for rootless tests
|
|
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
|
|
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
|
|
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
|
|
mkdir -m 0700 -p /home/rootless/.ssh
|
|
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
|
|
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
|
|
chown -R rootless.rootless /home/rootless
|
|
# set PATH
|
|
echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
|
|
# Setup ssh localhost for terminal emulation (script -e did not work)
|
|
ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
|
|
cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
|
|
chmod 400 /root/.ssh/authorized_keys
|
|
ssh-keyscan localhost >> /root/.ssh/known_hosts
|
|
echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
|
|
sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
|
|
systemctl restart sshd
|
|
host_info_script: |
|
|
uname -a
|
|
# -----
|
|
/usr/local/go/bin/go version
|
|
# -----
|
|
systemctl --version
|
|
# -----
|
|
cat /etc/os-release
|
|
# -----
|
|
df -T
|
|
# -----
|
|
cat /proc/cpuinfo
|
|
check_config_script: |
|
|
/home/runc/script/check-config.sh
|
|
unit_tests_script: |
|
|
ssh -tt localhost "make -C /home/runc localunittest"
|
|
integration_systemd_script: |
|
|
ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
|
|
integration_fs_script: |
|
|
ssh -tt localhost "make -C /home/runc localintegration"
|
|
integration_systemd_rootless_script: |
|
|
case $DISTRO in
|
|
centos-7|centos-stream-8)
|
|
echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
|
|
;;
|
|
*)
|
|
ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
|
|
esac
|
|
integration_fs_rootless_script: |
|
|
case $DISTRO in
|
|
centos-7)
|
|
echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
|
|
;;
|
|
*)
|
|
ssh -tt localhost "make -C /home/runc localrootlessintegration"
|
|
;;
|
|
esac
|