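---
# .cirrus.yml from github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6
#
# We use Cirrus for CentOS (native) and Fedora (in Vagrant), because neither
# CentOS nor Fedora is available on GHA natively, so the only option is VM.
# In GHA, nested virtualization is only supported on macOS instances, which
# are slow and flaky.

# NOTE Cirrus execution environments lack a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.

# Task 1: Fedora guest started by Vagrant/libvirt inside a KVM-capable VM.
# The host-side scripts below call apt-get and systemctl without sudo and
# HOME is /root, so they are presumably executed as root on the CI VM.
task:
  timeout_in: 30m

  env:
    DEBIAN_FRONTEND: noninteractive
    HOME: /root
    # Cirrus expands repeated keys under `matrix` into one task per value,
    # which is why the duplicate-key lint rule is switched off here.
    # yamllint disable rule:key-duplicates
    matrix:
      DISTRO: fedora

  name: vagrant DISTRO:$DISTRO

  compute_engine_instance:
    image_project: cirrus-images
    image: family/docker-kvm
    platform: linux
    nested_virtualization: true
    # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
    cpu: 4
    # Memory limit: `4GB * NCPU`
    memory: 16G

  host_info_script: |
    uname -a
    # -----
    cat /etc/os-release
    # -----
    df -T
    # -----
    cat /proc/cpuinfo
  install_libvirt_vagrant_script: |
    # The HashiCorp repository is restricted to its own keyring via signed-by,
    # so that key cannot vouch for packages from other apt sources. The key
    # itself is fetched over HTTPS in this same step and is not compared with
    # a known fingerprint.
    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
    # deb-src entries are needed by `apt-get build-dep` below.
    sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
    apt-get update
    apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
    systemctl enable --now libvirtd
    apt-get build-dep -y vagrant ruby-libvirt
    apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
    # No plugin version is given, so whatever vagrant-libvirt release is
    # current at run time gets installed.
    vagrant plugin install vagrant-libvirt
  # Downloaded boxes are cached; the cache key is the content of the
  # per-distro Vagrantfile, so a cached box is reused until that file changes.
  vagrant_cache:
    fingerprint_script: cat Vagrantfile.$DISTRO
    folder: /root/.vagrant.d/boxes
  vagrant_up_script: |
    ln -sf Vagrantfile.$DISTRO Vagrantfile
    # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
    vagrant up --no-tty || vagrant up --no-tty
    mkdir -p -m 0700 /root/.ssh
    # Append the connection settings Vagrant generates for the guest; the
    # later steps rely on them to reach it as `ssh default`.
    vagrant ssh-config >> /root/.ssh/config
  guest_info_script: |
    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus && rpm -q container-selinux"'
  check_config_script: |
    ssh default /vagrant/script/check-config.sh
  # The test targets run inside the guest as root (`sudo -i`); the integration
  # ones use `ssh -tt` to get the terminal mentioned in the NOTE at the top.
  unit_tests_script: |
    ssh default 'sudo -i make -C /vagrant localunittest'
  integration_systemd_script: |
    ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
  integration_fs_script: |
    ssh -tt default "sudo -i make -C /vagrant localintegration"
  integration_systemd_rootless_script: |
    ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
  integration_fs_rootless_script: |
    ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"

# Task 2: CentOS images run directly as the CI VM (no nested guest). The
# scripts write to /etc, /usr/local and /root, so they need to run as root.
task:
  timeout_in: 30m

  env:
    HOME: /root
    CIRRUS_WORKING_DIR: /home/runc
    GO_VERSION: "1.21"
    BATS_VERSION: "v1.9.0"
    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
    # Repeated DISTRO keys are the Cirrus matrix syntax: one task per value.
    # yamllint disable rule:key-duplicates
    matrix:
      DISTRO: centos-7
      DISTRO: centos-stream-8
      DISTRO: centos-stream-9

  name: ci / $DISTRO

  compute_engine_instance:
    image_project: centos-cloud
    image: family/$DISTRO
    platform: linux
    cpu: 4
    memory: 8G

  install_dependencies_script: |
    case $DISTRO in
    centos-7)
      # -f: fail on an HTTP error instead of saving the error page as a
      # .repo file that yum would then try to parse.
      (cd /etc/yum.repos.d && curl -fO https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
      # EPEL is needed for jq and fuse-sshfs.
      # NOTE(review): the package is installed straight from a "latest" URL,
      # so the build is not fixed; whether rpm can verify its signature
      # depends on the keys already present on the image -- confirm.
      rpm -q epel-release || rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      # sysctl: raise the user namespace limit (presumably for the rootless
      # tests, which need unprivileged user namespaces).
      echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
      sysctl --system
      ;;
    centos-stream-8)
      yum config-manager --set-enabled powertools # for glibc-static
      ;;
    centos-stream-9)
      dnf config-manager --set-enabled crb # for glibc-static
      dnf -y install epel-release epel-next-release # for fuse-sshfs
      # Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
      # The default (since systemd v252) is "pids memory cpu".
      mkdir -p /etc/systemd/system/user@.service.d
      printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf
      systemctl daemon-reload
      ;;
    esac
    # Work around dnf mirror failures by retrying a few times.
    for i in $(seq 0 2); do
      sleep $i
      yum install -y $RPMS && break
    done
    [ $? -eq 0 ] # fail if yum failed

    # Double check that all rpms were installed (yum from CentOS 7
    # does not exit with an error if some packages were not found).
    # Use --whatprovides since some packages are renamed.
    rpm -q --whatprovides $RPMS
    # install Go
    PREFIX="https://go.dev/dl/"
    # Find out the latest minor release URL.
    # NOTE(review): `eval` executes text built from the remote JSON index as
    # shell code, in a script that runs as root; the only protection is the
    # TLS connection to go.dev. Reading the filename into a variable without
    # eval would remove that exposure.
    eval $(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | "filename=\"" + .filename + "\""')
    # NOTE(review): the archive is streamed into tar with no digest check.
    # The same JSON index lists a sha256 per file, which could be compared
    # before unpacking into /usr/local.
    curl -fsSL "$PREFIX$filename" | tar Cxz /usr/local
    # install bats
    cd /tmp
    git clone https://github.com/bats-core/bats-core
    cd bats-core
    # BATS_VERSION is a tag name; a tag can be moved upstream, a full commit
    # hash cannot. install.sh from this checkout then runs as root.
    git checkout $BATS_VERSION
    ./install.sh /usr/local
    cd -
    # Add a user for rootless tests
    useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
    # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
    # The key has an empty passphrase and the private half exists twice: in
    # /root and in the rootless user's ~/.ssh.
    ssh-keygen -t ecdsa -N "" -f /root/rootless.key
    mkdir -m 0700 -p /home/rootless/.ssh
    cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
    cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
    # user:group with a colon is the portable separator for chown.
    chown -R rootless:rootless /home/rootless
    # set PATH
    echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
    # Setup ssh localhost for terminal emulation (script -e did not work)
    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
    cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
    chmod 400 /root/.ssh/authorized_keys
    ssh-keyscan localhost >> /root/.ssh/known_hosts
    # Host key checking is switched off for the `localhost` host entry only.
    echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
    # prohibit-password: root may log in over ssh with a key, never with a
    # password.
    sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
    systemctl restart sshd
  host_info_script: |
    uname -a
    # -----
    /usr/local/go/bin/go version
    # -----
    systemctl --version
    # -----
    cat /etc/os-release
    # -----
    df -T
    # -----
    sestatus
    # -----
    cat /proc/cpuinfo
  check_config_script: |
    /home/runc/script/check-config.sh
  # Tests are started through `ssh -tt localhost` so that they get a terminal
  # (see the NOTE at the top of the file).
  unit_tests_script: |
    ssh -tt localhost "make -C /home/runc localunittest"
  integration_systemd_script: |
    ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
  integration_fs_script: |
    ssh -tt localhost "make -C /home/runc localintegration"
  integration_systemd_rootless_script: |
    case $DISTRO in
    centos-7|centos-stream-8)
      echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
      ;;
    *)
      ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
      ;;
    esac
  integration_fs_rootless_script: |
    case $DISTRO in
    centos-7)
      # Most probably EPERM on cgroup.procs is caused by some missing kernel
      # patch. The other issue is SELinux, but even with SELinux fixes in
      # https://github.com/opencontainers/runc/pull/4068 it still doesn't work.
      # Does not make sense in trying to fix this since it's an older distro.
      echo "SKIP: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
      ;;
    *)
      ssh -tt localhost "make -C /home/runc localrootlessintegration"
      ;;
    esac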