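# CI workflow for rootlesskit (.github/workflows/main.yaml).
#
# Jobs:
#   test-unit               – builds the unit-test image and runs it.
#   test-cross              – cross-compiles binaries into /tmp/artifact.
#   test-integration        – integration tests plus iperf3 network/port
#                             benchmarks for every network/port driver.
#   test-integration-docker – runs the Docker integration suite against a
#                             matrix of Docker versions.
#
# NOTE(review): third-party actions are referenced by a mutable tag
# (actions/checkout@v4); pinning to a full commit SHA would protect the
# workflow against a rewritten tag.
name: Main
on: [push, pull_request]  # yamllint disable-line rule:truthy

# Least privilege for GITHUB_TOKEN: no step here pushes, publishes or
# comments, so a read-only token is sufficient for checkout.
permissions:
  contents: read

jobs:
  test-unit:
    name: "Unit test"
    runs-on: ubuntu-24.04
    steps:
      - name: "Check out"
        uses: actions/checkout@v4
      - name: "Build unit test image"
        run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-unit --target test-unit .
      # --privileged: presumably needed so the tests can create user/mount
      # namespaces inside the container — confirm against the test scripts.
      - name: "Unit test"
        run: docker run --rm --privileged rootlesskit:test-unit

  test-cross:
    name: "Cross compilation test"
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: "Build binaries"
        run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .

  test-integration:
    name: "Integration test"
    runs-on: ubuntu-24.04
    steps:
      # Ubuntu 24.04 restricts unprivileged user namespaces via AppArmor;
      # this profile unconfines the rootlesskit binary path used by the tests.
      - name: "Set up AppArmor"
        run: |
          cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
          abi <abi/4.0>,
          include <tunables/global>

          /home/user/bin/rootlesskit flags=(unconfined) {
            userns,
          }
          EOT
          sudo systemctl restart apparmor.service
      - name: "Check out"
        uses: actions/checkout@v4
      - name: "Build integration test image"
        run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration --target test-integration .
      - name: "Integration test: exit-code"
        run: docker run --rm --privileged rootlesskit:test-integration ./integration-exit-code.sh
      - name: "Integration test: propagation"
        run: docker run --rm --privileged rootlesskit:test-integration ./integration-propagation.sh
      - name: "Integration test: propagation (with `mount --make-rshared /`)"
        run: docker run --rm --privileged rootlesskit:test-integration sh -exc "sudo mount --make-rshared / && ./integration-propagation.sh"
      - name: "Integration test: restart"
        run: docker run --rm --privileged rootlesskit:test-integration ./integration-restart.sh
      - name: "Integration test: port"
        # NOTE: "--net=host" is a bad hack to enable IPv6
        run: docker run --rm --net=host --privileged rootlesskit:test-integration ./integration-port.sh
      - name: "Integration test: IPv6 routing"
        run: docker run --rm --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 rootlesskit:test-integration ./integration-ipv6.sh
      - name: "Integration test: systemd socket activation"
        run: docker run --rm --net=none --privileged rootlesskit:test-integration ./integration-systemd-socket.sh
      # Each network driver is exercised twice: with the default netns
      # handling and with --detach-netns.
      - name: "Integration test: Network (network driver=slirp4netns)"
        run: |
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh slirp4netns
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh slirp4netns --detach-netns
      - name: "Integration test: Network (network driver=vpnkit)"
        run: |
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh vpnkit
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh vpnkit --detach-netns
      - name: "Integration test: Network (network driver=lxc-user-nic)"
        run: |
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh lxc-user-nic
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh lxc-user-nic --detach-netns
      - name: "Integration test: Network (network driver=pasta)"
        run: |
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta
          docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta --detach-netns
      # ===== Benchmark: Network (MTU=1500) =====
      # The unprivileged drivers (slirp4netns, vpnkit, pasta) run without
      # --privileged: only /dev/net/tun plus relaxed seccomp/AppArmor.
      # lxc-user-nic and the rootful veth baseline still need --privileged.
      - name: "Benchmark: Network (MTU=1500, network driver=slirp4netns)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500
      - name: "Benchmark: Network (MTU=1500, network driver=slirp4netns with sandbox and seccomp)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto
      - name: "Benchmark: Network (MTU=1500, network driver=slirp4netns with sandbox and seccomp) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --detach-netns
      # NOTE: MTU greater than 16424 is known not to work for VPNKit.
      # Also, MTU greater than 4K might not be effective for VPNKit: https://twitter.com/mugofsoup/status/1017665057738641408
      - name: "Benchmark: Network (MTU=1500, network driver=vpnkit)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh vpnkit 1500
      - name: "Benchmark: Network (MTU=1500, network driver=vpnkit) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh vpnkit 1500 --detach-netns
      - name: "Benchmark: Network (MTU=1500, network driver=pasta)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 1500
      - name: "Benchmark: Network (MTU=1500, network driver=pasta) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 1500 --detach-netns
      - name: "Benchmark: Network (MTU=1500, network driver=lxc-user-nic)"
        run: |
          docker run --rm --privileged \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 1500
      - name: "Benchmark: Network (MTU=1500, network driver=lxc-user-nic) with detach-netns"
        run: |
          docker run --rm --privileged \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 1500 --detach-netns
      - name: "Benchmark: Network (MTU=1500, rootful veth for comparison)"
        run: |
          docker run --rm --privileged \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh rootful_veth 1500
      # ===== Benchmark: Network (MTU=65520) =====
      # vpnkit is skipped here (see the MTU note above).
      - name: "Benchmark: Network (MTU=65520, network driver=slirp4netns)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 65520
      - name: "Benchmark: Network (MTU=65520, network driver=slirp4netns with sandbox and seccomp)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto
      - name: "Benchmark: Network (MTU=65520, network driver=pasta)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 65520
      - name: "Benchmark: Network (MTU=65520, network driver=lxc-user-nic)"
        run: |
          docker run --rm --privileged \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 65520
      - name: "Benchmark: Network (MTU=65520, rootful veth for comparison)"
        run: |
          docker run --rm --privileged \
            rootlesskit:test-integration ./benchmark-iperf3-net.sh rootful_veth 65520
      # ===== Benchmark: TCP Ports =====
      - name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=slirp4netns)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh slirp4netns
      - name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=slirp4netns) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh slirp4netns --detach-netns
      - name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=builtin)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh builtin
      - name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=builtin) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh builtin --detach-netns
      - name: "Benchmark: TCP Ports (network driver=pasta, port driver=implicit)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh implicit --net=pasta
      - name: "Benchmark: TCP Ports (network driver=pasta, port driver=implicit) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port.sh implicit --net=pasta --detach-netns
      # ===== Benchmark: UDP Ports =====
      - name: "Benchmark: UDP Ports (port driver=slirp4netns)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns
      - name: "Benchmark: UDP Ports (port driver=slirp4netns) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns --detach-netns
      - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta
      - name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta --detach-netns
      - name: "Benchmark: UDP Ports (port driver=builtin)"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin
      - name: "Benchmark: UDP Ports (port driver=builtin) with detach-netns"
        run: |
          docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \
            rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin --detach-netns

  test-integration-docker:
    name: "Integration test (Docker)"
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        # The design of the proxy was changed in Docker v28.
        # rootlesskit-docker-proxy is no longer used since Docker v28.
        # Quoted so a future two-part version (e.g. 28.1) is not parsed
        # as a float and silently mangled.
        docker_version: ["27.5.1", "28.0.1"]
    steps:
      - name: "Set up AppArmor"
        run: |
          cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
          abi <abi/4.0>,
          include <tunables/global>

          /home/user/bin/rootlesskit flags=(unconfined) {
            userns,
          }
          EOT
          sudo systemctl restart apparmor.service
      - name: "Check out"
        uses: actions/checkout@v4
      - name: "Build integration test image"
        # DOCKER_VERSION is passed by name; its value comes from the step env.
        run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker --build-arg DOCKER_VERSION .
        env:
          DOCKER_VERSION: ${{ matrix.docker_version }}
      - name: "Create a custom network to avoid IP confusion"
        run: docker network create custom
      # Each case starts a detached dockerd-in-docker container named "test",
      # waits briefly for the daemon, runs the suite via exec, then removes it.
      # NOTE(review): the fixed `sleep 2` is a readiness race; if these steps
      # flake, poll `docker exec test docker info` until it succeeds instead.
      - name: "Docker Integration test: net=slirp4netns, port-driver=builtin"
        run: |
          docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker
          sleep 2
          docker exec test docker info
          docker exec test ./integration-docker.sh
          docker rm -f test
      - name: "Docker Integration test: net=slirp4netns, port-driver=slirp4netns"
        run: |
          docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns rootlesskit:test-integration-docker
          sleep 2
          docker exec test docker info
          docker exec test ./integration-docker.sh
          docker rm -f test
      - name: "Docker Integration test: net=vpnkit, port-driver=builtin"
        run: |
          docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=vpnkit -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker
          sleep 2
          docker exec test docker info
          docker exec test ./integration-docker.sh
          docker rm -f test
      - name: "Docker Integration test: net=pasta, port-driver=implicit"
        run: |
          docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit rootlesskit:test-integration-docker
          sleep 2
          docker exec test docker info
          docker exec test ./integration-docker.sh
          docker rm -f test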