
Text file src/github.com/opencontainers/runc/.cirrus.yml

Documentation: github.com/opencontainers/runc

     1---
     2# We use Cirrus for CentOS (native) and Fedora (in Vagrant), because neither
     3# CentOS nor Fedora is available on GHA natively, so the only option is VM.
     4# In GHA, nested virtualization is only supported on macOS instances, which
     5# are slow and flaky.
     6
     7# NOTE Cirrus execution environments lack a terminal, needed for
     8# some integration tests. So we use `ssh -tt` command to fake a terminal.
     9
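    # Fedora run: boots a Fedora guest with Vagrant/libvirt on a compute-engine
    # instance with nested virtualization, then drives the runc make targets
    # inside the guest over ssh.
    task:
      timeout_in: 30m

      env:
        DEBIAN_FRONTEND: noninteractive
        HOME: /root
        # yamllint disable rule:key-duplicates
        matrix:
          DISTRO: fedora

      name: vagrant DISTRO:$DISTRO

      compute_engine_instance:
        image_project: cirrus-images
        image: family/docker-kvm
        platform: linux
        nested_virtualization: true
        # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
        cpu: 4
        # Memory limit: `4GB * NCPU`
        memory: 16G

      host_info_script: |
        uname -a
        # -----
        cat /etc/os-release
        # -----
        df -T
        # -----
        cat /proc/cpuinfo
      install_libvirt_vagrant_script: |
        # Add the HashiCorp apt repository. Packages from it are accepted only if
        # signed by the key stored in the keyring named in signed-by.
        # NOTE(review): that key is downloaded at run time and is not compared
        # with a known fingerprint before it is trusted.
        curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
        echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
        # Enable the deb-src entries; `apt-get build-dep` below needs them.
        sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
        apt-get update
        apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
        systemctl enable --now libvirtd
        apt-get build-dep -y vagrant ruby-libvirt
        apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
        # NOTE(review): no plugin version is given, so every run installs whatever
        # vagrant-libvirt release is current at that moment.
        vagrant plugin install vagrant-libvirt
      vagrant_cache:
        # The cache key is the content of the selected Vagrantfile.
        fingerprint_script: cat "Vagrantfile.$DISTRO"
        folder: /root/.vagrant.d/boxes
      vagrant_up_script: |
        ln -sf "Vagrantfile.$DISTRO" Vagrantfile
        # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
        vagrant up --no-tty || vagrant up --no-tty
        # Append the guest's ssh settings to root's ssh config for the
        # `ssh default` calls in the scripts below.
        mkdir -p -m 0700 /root/.ssh
        vagrant ssh-config >> /root/.ssh/config
      guest_info_script: |
        ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"'
      check_config_script: |
        ssh default /vagrant/script/check-config.sh
      unit_tests_script: |
        ssh default 'sudo -i make -C /vagrant localunittest'
      # The integration scripts use `ssh -tt` to force a terminal (see the note
      # at the top of the file).
      integration_systemd_script: |
        ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
      integration_fs_script: |
        ssh -tt default "sudo -i make -C /vagrant localintegration"
      integration_systemd_rootless_script: |
        ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
      integration_fs_rootless_script: |
        ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"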
    73
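    # CentOS run: one instance per DISTRO matrix entry. Dependencies are installed
    # on the instance itself and the make targets are started through
    # `ssh -tt localhost`, which supplies the terminal the tests need.
    task:
      timeout_in: 30m

      env:
        HOME: /root
        CIRRUS_WORKING_DIR: /home/runc
        GO_VERSION: "1.20"
        BATS_VERSION: "v1.9.0"
        RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
        # yamllint disable rule:key-duplicates
        matrix:
          DISTRO: centos-7
          DISTRO: centos-stream-8
          DISTRO: centos-stream-9

      name: ci / $DISTRO

      compute_engine_instance:
        image_project: centos-cloud
        image: family/$DISTRO
        platform: linux
        cpu: 4
        memory: 8G

      install_dependencies_script: |
        case $DISTRO in
        centos-7)
          # NOTE(review): the COPR repo file and the EPEL release RPM are fetched
          # by URL at run time; their integrity rests on TLS plus whatever
          # signature checking rpm and the repo files apply.
          # -f makes curl fail on an HTTP error instead of saving the error page
          # as a repo file.
          (cd /etc/yum.repos.d && curl -fsSLO https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
          # EPEL is needed for jq and fuse-sshfs.
          rpm -q epel-release || rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
          # sysctl
          echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
          sysctl --system
          ;;
        centos-stream-8)
          yum config-manager --set-enabled powertools # for glibc-static
          ;;
        centos-stream-9)
          dnf config-manager --set-enabled crb # for glibc-static
          dnf -y install epel-release epel-next-release # for fuse-sshfs
          # Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
          # The default (since systemd v252) is "pids memory cpu".
          mkdir -p /etc/systemd/system/user@.service.d
          printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf
          systemctl daemon-reload
          ;;
        esac
        # Work around dnf mirror failures by retrying a few times.
        # $RPMS is left unquoted on purpose: it must split into package names.
        for i in $(seq 0 2); do
          sleep "$i"
          yum install -y $RPMS && break
        done
        [ $? -eq 0 ] # fail if yum failed

        # Double check that all rpms were installed (yum from CentOS 7
        # does not exit with an error if some packages were not found).
        # Use --whatprovides since some packages are renamed.
        rpm -q --whatprovides $RPMS
        # install Go
        PREFIX="https://go.dev/dl/"
        # Find out the latest minor release URL. jq prints the bare file name and
        # the shell stores it as data; nothing from the HTTP response is passed
        # to eval, so the response cannot be executed as shell code. If several
        # releases match, the first one listed is used.
        filename=$(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '[.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | .filename] | .[0] // empty')
        [ -n "$filename" ] # fail if no matching Go release was found
        # NOTE(review): the archive is unpacked straight from the download, with
        # no checksum comparison; consider verifying it before extraction.
        curl -fsSL "$PREFIX$filename" | tar Cxz /usr/local
        # install bats
        # NOTE(review): $BATS_VERSION names a tag, and a tag can be moved
        # upstream; a commit hash would pin the exact code install.sh runs.
        cd /tmp
        git clone https://github.com/bats-core/bats-core
        cd bats-core
        git checkout "$BATS_VERSION"
        ./install.sh /usr/local
        cd -
        # Add a user for rootless tests
        useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
        # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
        # The key has an empty passphrase and exists only for these tests.
        ssh-keygen -t ecdsa -N "" -f /root/rootless.key
        mkdir -m 0700 -p /home/rootless/.ssh
        cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
        cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
        # user:group with a colon; the dot form is a deprecated spelling.
        chown -R rootless:rootless /home/rootless
        # set PATH
        echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
        # Setup ssh localhost for terminal emulation (script -e did not work)
        ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
        cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
        chmod 400 /root/.ssh/authorized_keys
        ssh-keyscan localhost >> /root/.ssh/known_hosts
        # Host-key checking is relaxed inside the `Host localhost` block only, so
        # it does not apply to any other destination.
        printf 'Host localhost\n\tStrictHostKeyChecking no\n\tIdentityFile /root/.ssh/id_ed25519\n\n' >> /root/.ssh/config
        # Root may log in over ssh with a key, never with a password.
        sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
        systemctl restart sshd
      host_info_script: |
        uname -a
        # -----
        /usr/local/go/bin/go version
        # -----
        systemctl --version
        # -----
        cat /etc/os-release
        # -----
        df -T
        # -----
        cat /proc/cpuinfo
      check_config_script: |
        /home/runc/script/check-config.sh
      unit_tests_script: |
        ssh -tt localhost "make -C /home/runc localunittest"
      integration_systemd_script: |
        ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
      integration_fs_script: |
        ssh -tt localhost "make -C /home/runc localintegration"
      integration_systemd_rootless_script: |
        case $DISTRO in
        centos-7|centos-stream-8)
          echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
          ;;
        *)
          ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
          ;;
        esac
      integration_fs_rootless_script: |
        case $DISTRO in
        centos-7)
          echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
          ;;
        *)
          ssh -tt localhost "make -C /home/runc localrootlessintegration"
          ;;
        esac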
