github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
9bf5aeca77ee115c1001f4abe0001eab4afa8114
containerd/.github/workflows/ci.yml
Sebastiaan van Stijn e9f63f64f5 update go to go1.20.5, go1.19.10 
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-04 11:03:38 +02:00

553 lines
18 KiB
YAML
Raw Blame History

name: CI
on:
# When added to a merge queue.
# See https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue#triggering-merge-group-checks-with-github-actions
merge_group:
pull_request:
branches: ['main', 'release/**']
env:
# Go version we currently use to build containerd across all CI.
# Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
GO_VERSION: "1.20.5"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
#
# golangci-lint
#
linters:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Linters
runs-on: ${{ matrix.os }}
timeout-minutes: 10
strategy:
matrix:
os: [ubuntu-20.04, macos-12, windows-2019]
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- uses: golangci/golangci-lint-action@v3
with:
version: v1.52.2
skip-cache: true
args: --timeout=8m
#
# Project checks
#
project:
name: Project Checks
if: github.repository == 'containerd/containerd'
runs-on: ubuntu-20.04
timeout-minutes: 5
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
with:
path: src/github.com/containerd/containerd
fetch-depth: 100
- uses: containerd/project-checks@v1.1.0
with:
working-directory: src/github.com/containerd/containerd
repo-access-token: ${{ secrets.GITHUB_TOKEN }}
- name: verify go modules and vendor directory
run: |
sudo apt-get install -y jq
make verify-vendor
working-directory: src/github.com/containerd/containerd
#
# Protobuf checks
#
protos:
name: Protobuf
runs-on: ubuntu-20.04
timeout-minutes: 5
defaults:
run:
working-directory: src/github.com/containerd/containerd
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
with:
path: src/github.com/containerd/containerd
- name: Set env
shell: bash
run: |
echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
- name: Install protobuf
run: |
sudo -E PATH=$PATH script/setup/install-protobuf
sudo chmod +x /usr/local/bin/protoc
sudo chmod og+rx /usr/local/include/google /usr/local/include/google/protobuf /usr/local/include/google/protobuf/compiler
sudo chmod -R og+r /usr/local/include/google/protobuf/
protoc --version
- run: script/setup/install-dev-tools
- run: make proto-fmt
- run: make check-protos check-api-descriptors
man:
name: Manpages
runs-on: ubuntu-20.04
timeout-minutes: 5
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- run: go install github.com/cpuguy83/go-md2man/v2@v2.0.2
- run: make man
# Make sure binaries compile with other minor platforms.
# Well-known architectures are covered in release.yml.
crossbuild:
name: Crossbuild Binaries
needs: [project, linters, protos, man]
runs-on: ubuntu-20.04
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
include:
- goos: linux
goarch: arm
goarm: "7"
- goos: linux
goarch: arm
goarm: "5"
- goos: freebsd
goarch: amd64
- goos: freebsd
goarch: arm64
- goos: windows
goarch: arm
goarm: "7"
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- run: |
set -e -x
packages=""
platform="${{matrix.goos}}/${{matrix.goarch}}"
if [ -n "${{matrix.goarm}}" ]; then
platform+="/v${{matrix.goarm}}"
fi
case "${platform}" in
linux/arm/v5)
packages+=" crossbuild-essential-armel"
echo "CGO_ENABLED=1" >> $GITHUB_ENV
echo "CC=arm-linux-gnueabi-gcc" >> $GITHUB_ENV
;;
linux/arm/v7)
packages+=" crossbuild-essential-armhf"
echo "CGO_ENABLED=1" >> $GITHUB_ENV
echo "CC=arm-linux-gnueabihf-gcc" >> $GITHUB_ENV
;;
windows/arm/v7)
echo "CGO_ENABLED=0" >> $GITHUB_ENV
;;
esac
if [ -n "${packages}" ]; then
sudo apt-get update && sudo apt-get install -y ${packages}
fi
name: Install deps
- name: Build
env:
GOOS: ${{matrix.goos}}
GOARCH: ${{matrix.goarch}}
GOARM: ${{matrix.goarm}}
run: |
make build
make binaries
#
# Build containerd binaries
#
binaries:
name: Binaries
runs-on: ${{ matrix.os }}
timeout-minutes: 10
needs: [project, linters, protos, man]
strategy:
matrix:
os: [ubuntu-20.04, macos-12, windows-2019, windows-2022]
go-version: ["1.20.5", "1.19.10"]
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go-version }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- name: Make
run: |
make build
make binaries
#
# Integration and CRI tests
#
integration-windows:
name: Windows Integration
runs-on: ${{ matrix.os }}
timeout-minutes: 90
needs: [project, linters, protos, man]
env:
GOTEST: gotestsum --
strategy:
fail-fast: false
matrix:
os: [windows-2019, windows-2022]
enable_cri_sandboxes: ["", "sandboxed"]
defaults:
run:
shell: bash
working-directory: src/github.com/containerd/containerd
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
with:
path: src/github.com/containerd/containerd
- uses: actions/checkout@v3
with:
repository: kubernetes-sigs/cri-tools
path: src/github.com/kubernetes-sigs/cri-tools
- name: Set env
run: |
echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
echo "${{ github.workspace }}/src/github.com/containerd/containerd/bin" >> $GITHUB_PATH
echo "${{ github.workspace }}/src/github.com/kubernetes-sigs/cri-tools/build/bin/windows/amd64" >> $GITHUB_PATH
- run: script/setup/install-dev-tools
- name: Binaries
env:
CGO_ENABLED: 1
run: |
set -o xtrace
mingw32-make.exe binaries
cd ../../kubernetes-sigs/cri-tools
make critest
- run: script/setup/install-cni-windows
- env:
TEST_IMAGE_LIST: ${{github.workspace}}/repolist.toml
CRI_TEST_IMAGES: ${{github.workspace}}/cri-test-images.yaml
BUSYBOX_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/busybox:1.29-2"
RESOURCE_CONSUMER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/resource-consumer:1.10"
WEBSERVER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/nginx:1.14-2"
run: |
cat > "${{ env.TEST_IMAGE_LIST }}" << EOF
busybox = "${{ env.BUSYBOX_TESTING_IMAGE_REF }}"
ResourceConsumer = "${{ env.RESOURCE_CONSUMER_TESTING_IMAGE_REF }}"
EOF
cat > "${{ env.CRI_TEST_IMAGES }}" << EOF
defaultTestContainerImage: ${{ env.BUSYBOX_TESTING_IMAGE_REF }}
webServerTestImage: ${{ env.WEBSERVER_TESTING_IMAGE_REF }}
EOF
- name: Get crictl tool
shell: powershell
run: |
# Get critctl tool. Used for cri-integration tests
$CRICTL_DOWNLOAD_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.26.0/crictl-v1.26.0-windows-amd64.tar.gz"
curl.exe -L $CRICTL_DOWNLOAD_URL -o c:\crictl.tar.gz
tar -xvf c:\crictl.tar.gz
mv crictl.exe "${{ github.workspace }}/bin/crictl.exe" # Move crictl somewhere in path
- run: script/setup/install-gotestsum
- run: script/setup/install-teststat
- name: Tests
env:
CGO_ENABLED: 1
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-unit-root.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-unit-root-gotest.json
run: mingw32-make.exe test root-test
- run: if [ -f *-gotest.json ]; then echo '# Root Test' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh ${TESTFILE}
env:
TESTFILE: ${{github.workspace}}/test-unit-root-gotest.json
if: always()
- name: Integration 1
env:
CGO_ENABLED: 1
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json
EXTRA_TESTFLAGS: "-timeout=20m"
run: mingw32-make.exe integration
- run: if [ -f *-gotest.json ]; then echo '# Integration 1' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh ${TESTFILE}
env:
TESTFILE: ${{github.workspace}}/test-integration-serial-gotest.json
if: always()
# Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/1759
- name: Integration 2
env:
TESTFLAGS_PARALLEL: 1
EXTRA_TESTFLAGS: "-short"
CGO_ENABLED: 1
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json
run: mingw32-make.exe integration
- run: if [ -f *-gotest.json ]; then echo '# Integration 2' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh ${TESTFILE}
env:
TESTFILE: ${{github.workspace}}/test-integration-parallel-gotest.json
if: always()
- name: CRI Integration Test
env:
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
TEST_IMAGE_LIST: ${{github.workspace}}/repolist.toml
run: |
make cri-integration
- name: cri-tools critest
env:
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
CRI_TEST_IMAGES: ${{github.workspace}}/cri-test-images.yaml
shell: powershell
run: |
Start-Process -FilePath containerd.exe -NoNewWindow -RedirectStandardError true -PassThru
get-process | sls containerd
start-sleep 5
# This test is exceedingly flaky only on ws2022 so skip for now to keep CI happy.
# Info: https://github.com/containerd/containerd/issues/6652
if( '${{ matrix.os }}' -eq 'windows-2022' )
{
$skip = "-ginkgo.skip=runtime should support exec with tty=true and stdin=true"
}
critest.exe --runtime-endpoint=npipe://.//pipe//containerd-containerd --test-images-file='${{env.CRI_TEST_IMAGES}}' --report-dir='${{github.workspace}}/critestreport' $skip
- uses: actions/upload-artifact@v3
if: always()
with:
name: TestResults ${{ matrix.os }}
path: |
${{github.workspace}}/*-junit.xml
${{github.workspace}}/*-gotest.json
${{github.workspace}}/report/*.log
integration-linux:
name: Linux Integration
runs-on: ubuntu-20.04
timeout-minutes: 40
needs: [project, linters, protos, man]
strategy:
fail-fast: false
matrix:
runtime:
- io.containerd.runc.v2
runc: [runc, crun]
enable_cri_sandboxes: ["", "sandboxed"]
env:
GOTEST: gotestsum --
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- name: Install containerd dependencies
env:
RUNC_FLAVOR: ${{ matrix.runc }}
run: |
sudo apt-get update
sudo apt-get install -y gperf
script/setup/install-seccomp
script/setup/install-runc
script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}')
script/setup/install-critools
script/setup/install-failpoint-binaries
- name: Install criu
run: |
sudo add-apt-repository -y ppa:criu/ppa
sudo apt-get update
sudo apt-get install -y criu
- name: Install containerd
env:
CGO_ENABLED: 1
run: |
make binaries GO_BUILD_FLAGS="-mod=vendor"
sudo -E PATH=$PATH make install
- run: script/setup/install-gotestsum
- run: script/setup/install-teststat
- name: Tests
env:
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-unit-root-junit.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-unit-root-gotest.json
run: |
make test
sudo -E PATH=$PATH make root-test
- run: if [ -f *-gotest.json ]; then echo '# Root Test' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh *-gotest.json
if: always()
- name: Integration 1
env:
TEST_RUNTIME: ${{ matrix.runtime }}
RUNC_FLAVOR: ${{ matrix.runc }}
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json
run: |
extraflags=""
[ "${RUNC_FLAVOR}" == "crun" ] && {
extraflags="EXTRA_TESTFLAGS=-no-criu";
}
sudo -E PATH=$PATH make integration ${extraflags} TESTFLAGS_RACE=-race
- run: if [ -f *-gotest.json ]; then echo '# Integration 1' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh *-gotest.json
if: always()
# Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/1759
- name: Integration 2
env:
TEST_RUNTIME: ${{ matrix.runtime }}
RUNC_FLAVOR: ${{ matrix.runc }}
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json
run: |
extraflags=""
[ "${RUNC_FLAVOR}" == "crun" ] && {
extraflags="EXTRA_TESTFLAGS=-no-criu";
}
sudo -E PATH=$PATH TESTFLAGS_PARALLEL=1 make integration ${extraflags}
- run: if [ -f *-gotest.json ]; then echo '# Integration 2' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh *-gotest.json
if: always()
- name: CRI Integration Test
env:
TEST_RUNTIME: ${{ matrix.runtime }}
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
run: |
CONTAINERD_RUNTIME=$TEST_RUNTIME make cri-integration
- name: cri-tools critest
env:
TEST_RUNTIME: ${{ matrix.runtime }}
ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
run: |
sudo -E PATH=$PATH ./script/critest.sh "${{github.workspace}}/report"
# Log the status of this VM to investigate issues like
# https://github.com/containerd/containerd/issues/4969
- name: Host Status
if: always()
run: |
set -x
mount
df
losetup -l
- uses: actions/upload-artifact@v3
if: always()
with:
name: TestResults ${{ matrix.runtime }} ${{matrix.runc}}
path: |
*-junit.xml
*-gotest.json
${{github.workspace}}/report/*.xml
${{github.workspace}}/report/*.log
tests-mac-os:
name: MacOS unit tests
runs-on: macos-12
timeout-minutes: 10
needs: [project, linters, protos, man]
env:
GOTEST: gotestsum --
steps:
- uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache: false # see actions/setup-go#368
- uses: actions/checkout@v3
- run: script/setup/install-gotestsum
- run: script/setup/install-teststat
- name: Tests
env:
GOTESTSUM_JUNITFILE: "${{ github.workspace }}/macos-test-junit.xml"
GOTESTSUM_JSONFILE: "${{ github.workspace }}/macos-test-gotest.json"
run: make test
- run: if [ -f *-gotest.json ]; then echo '# Unit Tests' >> $GITHUB_STEP_SUMMARY; teststat -markdown *-gotest.json >> $GITHUB_STEP_SUMMARY; fi
if: always()
- run: script/test/test2annotation.sh *-gotest.json
if: always()
- uses: actions/upload-artifact@v3
if: always()
with:
name: TestResults MacOS
path: |
*-junit.xml
*-gotest.json
Reference in New Issue View Git Blame Copy Permalink