github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
474c79bd52b90cdd93da72bee9ca1d72e839797c
containerd/.github/workflows/ci.yml
Jacob Blain Christen b4376e9865 Update Vagrantfile for testing SELinux 
`vagrant up` will build and install containerd and all dependencies,
setting up proper SELinux contexts on the runc and containerd binaries.
The VM is configured to be SELinux Enforcing by default but this gets
changed during various CI passes via a matrix param to Disabled and
Permissive before running tests. I have an open PR to fix the
container-selinux policy for containerd at
https://github.com/containers/container-selinux/pull/98 which once
accepted we will want to update the CI matrix to use Enforcing mode
instead of Permissive.

All tests currently pass in SELinux permissive mode with containerd
configured with `enable_selinux=true`. To see which tests are failing
with SELinux enforcing and an already spun up VM:
`SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri`
To test SELinux enforcing in a new VM:
`vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri`

The `selinux` shell provisioner, parameterized by the SELINUX envvar,
will configure the system as you would expect, with the side effect that
containerd is configured with `enable_selinux=true` via
`/etc/containerd/config.toml` for Permissive or Enforcing modes and
`enable_selinux=false` when SELINUX=Disabled.

Provided that virtualization is suported, this Vagrantfile and provisioners
make it easy to test containerd/cri for conformance under SELinux on
non-SELinux systems.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-08-10 01:55:44 -07:00

456 lines
13 KiB
YAML
Raw Blame History

name: CI
on:
push:
branches:
- master
- 'release/**'
pull_request:
branches:
- master
- 'release/**'
jobs:
#
# golangci-lint
#
linters:
name: Linters
runs-on: ${{ matrix.os }}
timeout-minutes: 10
strategy:
matrix:
os: [ubuntu-18.04, macos-10.15] # TODO: pass linters on 'windows-2019'
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
- name: Checkout
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Install dev tools
env:
GO111MODULE: off
shell: bash
run: script/setup/install-dev-tools
working-directory: src/github.com/containerd/containerd
- name: Make check
shell: bash
run: make check
working-directory: src/github.com/containerd/containerd
#
# Project checks
#
project:
name: Project Checks
runs-on: ubuntu-18.04
timeout-minutes: 5
steps:
#
# Install Go
#
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
#
# Checkout repos
#
- name: Checkout this repo
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
fetch-depth: 25
- name: Checkout project repo
uses: actions/checkout@v2
with:
repository: containerd/project
path: src/github.com/containerd/project
#
# Go get dependencies
#
- name: Install dependencies
env:
GO111MODULE: off
run: |
go get -u github.com/vbatts/git-validation
go get -u github.com/kunalkushwaha/ltag
go get -u github.com/LK4D4/vndr
#
# DCO / File headers / Vendor directory validation
#
- name: DCO
env:
GITHUB_COMMIT_URL: ${{ github.event.pull_request.commits_url }}
DCO_VERBOSITY: "-q"
DCO_RANGE: ""
working-directory: src/github.com/containerd/containerd
run: |
set -x
if [ -z "${GITHUB_COMMIT_URL}" ]; then
DCO_RANGE=$(jq -r '.after + "..HEAD"' ${GITHUB_EVENT_PATH})
else
DCO_RANGE=$(curl ${GITHUB_COMMIT_URL} | jq -r '.[0].parents[0].sha +".."+ .[-1].sha')
fi
../project/script/validate/dco
- name: Headers
run: ../project/script/validate/fileheader ../project/
working-directory: src/github.com/containerd/containerd
- name: Vendor
run: ../project/script/validate/vendor
working-directory: src/github.com/containerd/containerd
#
# Protobuf checks
#
protos:
name: Protobuf
runs-on: ubuntu-18.04
timeout-minutes: 5
steps:
- name: Set up Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
- name: Checkout
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Install protobuf
env:
GO111MODULE: off
working-directory: src/github.com/containerd/containerd
run: |
sudo env PATH=$PATH GOPATH=$GOPATH script/setup/install-protobuf
sudo chmod +x /usr/local/bin/protoc
sudo chmod og+rx /usr/local/include/google /usr/local/include/google/protobuf /usr/local/include/google/protobuf/compiler
sudo chmod -R og+r /usr/local/include/google/protobuf/
protoc --version
- name: Install dev tools
env:
GO111MODULE: off
run: script/setup/install-dev-tools
working-directory: src/github.com/containerd/containerd
- name: Make
env:
GO111MODULE: off
working-directory: src/github.com/containerd/containerd
run: |
export PATH=$PATH:$(go env GOPATH)/bin
make check-protos check-api-descriptors
man:
name: Manpages
runs-on: ubuntu-18.04
timeout-minutes: 5
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
- name: Checkout
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Install dependencies
run: GO111MODULE=on go get github.com/cpuguy83/go-md2man/v2@v2.0.0
- name: Make
run: make man
working-directory: src/github.com/containerd/containerd
#
# Build containerd binaries
#
binaries:
name: Binaries
runs-on: ${{ matrix.os }}
timeout-minutes: 10
needs: [project, linters, protos, man]
strategy:
matrix:
os: [ubuntu-18.04, macos-10.15, windows-2019]
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
- name: Checkout
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Make
run: |
make build
make binaries
working-directory: src/github.com/containerd/containerd
#
# Integration and CRI tests
#
integration-windows:
name: Windows Integration
runs-on: windows-2019
timeout-minutes: 30
needs: [project, linters, protos, man]
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/src/github.com/containerd/containerd/bin"
- name: Checkout containerd
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Checkout Microsoft/hcsshim
uses: actions/checkout@v2
with:
repository: Microsoft/hcsshim
path: src/github.com/Microsoft/hcsshim
- name: Install Build Deps
shell: bash
run: |
cd src/github.com/containerd/containerd
script/setup/install-dev-tools
- name: Binaries
shell: bash
run: |
set -o xtrace
export CGO_ENABLED=1
cd src/github.com/containerd/containerd
mingw32-make.exe binaries
bindir="$(pwd)"
SHIM_COMMIT=$(grep Microsoft/hcsshim vendor.conf | awk '{print $2}')
cd ../../Microsoft/hcsshim
git fetch --tags origin "${SHIM_COMMIT}"
git checkout "${SHIM_COMMIT}"
GO111MODULE=on go build -mod=vendor -o "${bindir}/containerd-shim-runhcs-v1.exe" ./cmd/containerd-shim-runhcs-v1
- name: Integration 1
shell: bash
run: |
cd src/github.com/containerd/containerd
export CGO_ENABLED=1
mingw32-make.exe integration
# Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/175
- name: Integration 2
shell: bash
run: |
cd src/github.com/containerd/containerd
export TESTFLAGS_PARALLEL=1
export CGO_ENABLED=1
mingw32-make.exe integration
integration-linux:
name: Linux Integration
runs-on: ubuntu-18.04
timeout-minutes: 15
needs: [project, linters, protos, man]
strategy:
matrix:
runtime: [io.containerd.runtime.v1.linux, io.containerd.runc.v1, io.containerd.runc.v2]
runc: [runc, crun]
exclude:
- runtime: io.containerd.runc.v1
runc: crun
- runtime: io.containerd.runtime.v1.linux
runc: crun
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: '1.13.15'
- name: Setup gosu
shell: bash
run: |
GOSU=/usr/local/bin/gosu
arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"
sudo wget -O ${GOSU} "https://github.com/tianon/gosu/releases/download/1.12/gosu-$arch"
sudo chmod +x ${GOSU}
sudo chown root ${GOSU}
sudo chmod +s ${GOSU}
- name: Set env
shell: bash
run: |
echo "::set-env name=GOPATH::${{ github.workspace }}"
echo "::add-path::${{ github.workspace }}/bin"
- name: Checkout containerd
uses: actions/checkout@v2
with:
path: src/github.com/containerd/containerd
- name: Install containerd dependencies
env:
RUNC_FLAVOR: ${{ matrix.runc }}
run: |
sudo PATH=$PATH script/setup/install-seccomp
gosu root script/setup/install-runc
script/setup/install-cni
script/setup/install-critools
working-directory: src/github.com/containerd/containerd
- name: Install criu
run: |
sudo apt-get install -y \
libprotobuf-dev \
libprotobuf-c-dev \
protobuf-c-compiler \
protobuf-compiler \
python-protobuf \
libnl-3-dev \
libnet-dev \
libcap-dev \
python-future
wget https://github.com/checkpoint-restore/criu/archive/v3.13.tar.gz -O criu.tar.gz
tar -zxf criu.tar.gz
cd criu-3.13
sudo make install-criu
- name: Install containerd
env:
CGO_ENABLED: 1
run: |
make binaries
sudo make install
working-directory: src/github.com/containerd/containerd
- name: Integration 1
env:
GOPROXY: direct
TEST_RUNTIME: ${{ matrix.runtime }}
RUNC_FLAVOR: ${{ matrix.runc }}
run: |
sudo GOPATH=$GOPATH GOPROXY=$GOPROXY TEST_RUNTIME=$TEST_RUNTIME RUNC_FLAVOR=$RUNC_FLAVOR make integration EXTRA_TESTFLAGS=-no-criu TESTFLAGS_RACE=-race
working-directory: src/github.com/containerd/containerd
# Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/1759
- name: Integration 2
env:
GOPROXY: direct
TEST_RUNTIME: ${{ matrix.runtime }}
RUNC_FLAVOR: ${{ matrix.runc }}
run: |
sudo GOPATH=$GOPATH GOPROXY=$GOPROXY TEST_RUNTIME=$TEST_RUNTIME RUNC_FLAVOR=$RUNC_FLAVOR TESTFLAGS_PARALLEL=1 make integration EXTRA_TESTFLAGS=-no-criu
working-directory: src/github.com/containerd/containerd
- name: CRI test
env:
TEST_RUNTIME: ${{ matrix.runtime }}
run: |
BDIR="$(mktemp -d -p $PWD)"
mkdir -p ${BDIR}/{root,state}
cat > ${BDIR}/config.toml <<EOF
[plugins.cri.containerd.default_runtime]
runtime_type = \"${TEST_RUNTIME}\"
EOF
ls /etc/cni/net.d
sudo PATH=$PATH BDIR=$BDIR /usr/local/bin/containerd -a ${BDIR}/c.sock -root ${BDIR}/root -state ${BDIR}/state -log-level debug &> ${BDIR}/containerd-cri.log &
sudo PATH=$PATH BDIR=$BDIR /usr/local/bin/ctr -a ${BDIR}/c.sock version
sudo PATH=$PATH BDIR=$BDIR GOPATH=$GOPATH critest --runtime-endpoint=unix:///${BDIR}/c.sock --parallel=8
TEST_RC=$?
test $TEST_RC -ne 0 && cat ${BDIR}/containerd-cri.log
sudo pkill containerd
sudo BDIR=$BDIR rm -rf ${BDIR}
test $TEST_RC -eq 0 || /bin/false
cgroup2:
name: CGroupsV2 and SELinux Integration
# nested virtualization is only available on macOS hosts
runs-on: macos-10.15
timeout-minutes: 40
needs: [project, linters, protos, man]
strategy:
matrix:
runc: [runc, crun]
steps:
- name: Checkout containerd
uses: actions/checkout@v2
- name: Start vagrant
run: vagrant up
- name: Integration
env:
RUNC_FLAVOR: ${{ matrix.runc }}
# SELinux: replace Permissive with Enforcing after https://github.com/containers/container-selinux/pull/98
# is merged and the package becomes generally available.
SELINUX: Permissive
run: vagrant up --provision-with=selinux,install-runc,test-integration
- name: CRI test
env:
RUNC_FLAVOR: ${{ matrix.runc }}
# SELinux: replace Permissive with Enforcing after https://github.com/containers/container-selinux/pull/98
# is merged and the package becomes generally available.
SELINUX: Permissive
run: vagrant up --provision-with=selinux,install-runc,test-cri
Reference in New Issue View Git Blame Copy Permalink