Dockerfile.test: add "cri-in-userns" (aka rootless) test stage

The `cri-in-userns` stage is for testing "CRI-in-UserNS", which should be used in conjunction with "Kubelet-in-UserNS": https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless This feature is mostly expected to be used for `kind` and `minikube`. Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/ (Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves) Usage: ``` podman build --target cri-in-userns -t cri-in-userns -f contrib/Dockerfile.test . podman run -it --rm --privileged cri-in-userns ``` The stage is tested on CI with Rootless Podman on Fedora 34 on Vagrant. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-08 18:24:14 +09:00
parent 0573e22e37
commit aefabe5462
5 changed files with 139 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -526,7 +526,7 @@ jobs:
            *-junit.xml

  cgroup2:
-    name: CGroupsV2 and SELinux Integration
+    name: CGroupsV2 - SELinux enforced
    # nested virtualization is only available on macOS hosts
    runs-on: macos-10.15
    timeout-minutes: 45
@@ -580,3 +580,31 @@ jobs:
          path: |
            ${{github.workspace}}/*-junit.xml
            ${{github.workspace}}/critestreport/*
+
+  cgroup2-misc:
+    name: CGroupsV2 - rootless CRI test
+    # nested virtualization is only available on macOS hosts
+    runs-on: macos-10.15
+    timeout-minutes: 45
+    needs: [project, linters, protos, man]
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: "Cache ~/.vagrant.d/boxes"
+        uses: actions/cache@v2
+        with:
+          path: ~/.vagrant.d/boxes
+          key: vagrant-${{ hashFiles('Vagrantfile*') }}
+
+      - name: Vagrant start
+        run: |
+          # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
+          vagrant up || vagrant up
+
+      # slow, so separated from the regular cgroup2 task
+      - name: CRI-in-UserNS test with Rootless Podman
+        run: |
+          vagrant up --provision-with=install-rootless-podman
+          # Execute rootless podman to create the UserNS env
+          vagrant ssh -- podman build --target cri-in-userns -t cri-in-userns -f /vagrant/contrib/Dockerfile.test /vagrant
+          vagrant ssh -- podman run --rm --privileged cri-in-userns