CI was timing out after 15 minutes on the crun tests; extending
the timeout to 20 minutes (we can make it shorter again if we know
the exact time it takes to run)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Noticed this in the CI output:
Requested golangci-lint 'v1.29', using 'v1.29.0', calculation took 7969ms
Installing golangci-lint v1.29.0...
Downloading https://github.com/golangci/golangci-lint/releases/download/v1.29.0/golangci-lint-1.29.0-darwin-amd64.tar.gz ...
Using nearly 8 seconds to convert v1.29 to v1.29.0 seems a bit long,
so hard-coding to the full version to speedup CI somewhat.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With container-selinux policy updated to 2.145+ (the default for Fedora 32+) we
can enable SELinux=Enforcing mode in the CI workflow and pass all integration
and CRI tests except one, see https://github.com/containerd/containerd/issues/4460,
which has been marked as skipped.
Tested locally with:
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
These checks had to be disabled to get the CRI merge completed.
Now these should be added back.
After CRI merge, more time for lint is needed on mac.
Signed-off-by: Derek McGowan <derek@mcg.dev>
`vagrant up` will build and install containerd and all dependencies,
setting up proper SELinux contexts on the runc and containerd binaries.
The VM is configured to be SELinux Enforcing by default but this gets
changed during various CI passes via a matrix param to Disabled and
Permissive before running tests. I have an open PR to fix the
container-selinux policy for containerd at
https://github.com/containers/container-selinux/pull/98 which once
accepted we will want to update the CI matrix to use Enforcing mode
instead of Permissive.
All tests currently pass in SELinux permissive mode with containerd
configured with `enable_selinux=true`. To see which tests are failing
with SELinux enforcing and an already spun up VM:
`SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri`
To test SELinux enforcing in a new VM:
`vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri`
The `selinux` shell provisioner, parameterized by the SELINUX envvar,
will configure the system as you would expect, with the side effect that
containerd is configured with `enable_selinux=true` via
`/etc/containerd/config.toml` for Permissive or Enforcing modes and
`enable_selinux=false` when SELINUX=Disabled.
Provided that virtualization is suported, this Vagrantfile and provisioners
make it easy to test containerd/cri for conformance under SELinux on
non-SELinux systems.
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Recent changes removed the need for libseccomp-dev when building
containerd. The btrfs tools package is already installed on GH Actions
runners and was already a no-op so the whole step can be removed.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This will ensure that we can always get the current Windows OS build
version, without being put into Windows 8 compatibility mode.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
We are going to deprecate shim v1 (#4365), but it is still early to
disable the tests for them
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
GH runners now have a systemd-run containerd running on the standard
socket, impacting the CRI test's expectation of our CI-built containerd
running there.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
The previous names were confusing because v1 may look like shim API v1 (io.containerd.runtime.v1.linux").
Also, v2 may look like cgroup v2.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- always apt-get update before installing packages
- move to tagged official create_release action
The official GH create_release action now has support for body text from
file.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
[BeforeEach] [k8s.io] Security Context
/home/runner/work/containerd/containerd/src/github.com/kubernetes-sigs/cri-tools/pkg/framework/framework.go:50
W0624 12:26:28.532644 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".
W0624 12:26:28.532700 30569 util_unix.go:103] Using "/var/run/containerd/containerd.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/containerd/containerd.sock".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Remove dependency on libcontainer/system
- Get rid of socat for port forwarding
- Roll docker/distribution back to latest (v2.7.1) release
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
- vendor: kubernetes v1.18.2
Fix client watch reestablishment handling of client-side timeouts
- Add config flag to default empty seccomp profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
set working-dir for <<Setup gosu>> step
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
fix job permissions
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
Integration tests were running with latest Go release rather than the
version used everywhere else. Also, we don't need to install protoc from
tarball and also apt-get the package for Ubuntu when used as a
dependency for criu build.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Also few changes to names of workflow jobs. Integration tests can get
canceled without full completing at 10 minutes. Make sure we only use
checkout v2 action.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
