diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index 39b825c76..000000000 --- a/.cirrus.yml +++ /dev/null 
@@ -1,415 +0,0 @@ ---- - -# Main collection of env. vars to set for all tasks and scripts. -env: - #### - #### Global variables used for all tasks - #### - # Name of the ultimate destination branch for this CI run, PR or post-merge. - DEST_BRANCH: "main" - GOPATH: "/var/tmp/go" - GOSRC: "${GOPATH}/src/github.com/containers/buildah" - GOCACHE: "/tmp/go-build" - # Overrides default location (/tmp/cirrus) for repo clone - CIRRUS_WORKING_DIR: "${GOSRC}" - # Shell used to execute all script commands - CIRRUS_SHELL: "/bin/bash" - # Automation script path relative to $CIRRUS_WORKING_DIR) - SCRIPT_BASE: "./contrib/cirrus" - # No need to go crazy, but grab enough to cover most PRs - CIRRUS_CLONE_DEPTH: 50 - # Unless set by in_podman.sh, default to operating outside of a podman container - IN_PODMAN: 'false' - # root or rootless - PRIV_NAME: root - # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value - RUNTIME_N: "" - - #### - #### Cache-image names to test with - #### - # GCE project where images live - IMAGE_PROJECT: "libpod-218412" - FEDORA_NAME: "fedora-43" - PRIOR_FEDORA_NAME: "fedora-42" - RAWHIDE_NAME: "rawhide" - DEBIAN_NAME: "debian-14" - - # Image identifiers - IMAGE_SUFFIX: "c20260319t182308z-f43f42d14" - FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" - PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" - RAWHIDE_CACHE_IMAGE_NAME: "rawhide-${IMAGE_SUFFIX}" # Used temporarily for rust-podman-sequoia. After that RPM is available in stable Fedora releases, we can stop testing against Rawhide again. 
- DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}" - - IN_PODMAN_IMAGE: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}" - - #### - #### Command variables to help avoid duplication - #### - # Command to prefix every output line with a timestamp - # (can't do inline awk script, Cirrus-CI or YAML mangles quoting) - _TIMESTAMP: 'awk -f ${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/timestamp.awk' - -gcp_credentials: ENCRYPTED[ae0bf7370f0b6e446bc61d0865a2c55d3e166b3fab9466eb0393e38e1c66a31ca4c71ddc7e0139d47d075c36dd6d3fd7] - -# Default timeout for each task -timeout_in: 30m - -# Default VM to use unless set or modified by task -gce_instance: &standardvm - image_project: "${IMAGE_PROJECT}" - zone: "us-central1-c" # Required by Cirrus for the time being - cpu: 2 - memory: "4G" - disk: 200 # Gigabytes, do not set less than 200 per obscure GCE docs re: I/O performance - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - - -# Update metadata on VM images referenced by this repository state -meta_task: - name: "VM img. 
keepalive" - alias: meta - - container: - image: "quay.io/libpod/imgts:latest" - cpu: 1 - memory: "1G" - - env: - # Space-separated list of images used by this repository state - IMGNAMES: |- - ${FEDORA_CACHE_IMAGE_NAME} - ${PRIOR_FEDORA_CACHE_IMAGE_NAME} - ${RAWHIDE_CACHE_IMAGE_NAME} - ${DEBIAN_CACHE_IMAGE_NAME} - build-push-${IMAGE_SUFFIX} - BUILDID: "${CIRRUS_BUILD_ID}" - REPOREF: "${CIRRUS_CHANGE_IN_REPO}" - GCPJSON: ENCRYPTED[d3614d6f5cc0e66be89d4252b3365fd84f14eee0259d4eb47e25fc0bc2842c7937f5ee8c882b7e547b4c5ec4b6733b14] - GCPNAME: ENCRYPTED[8509e6a681b859479ce6aa275bd3c4ac82de5beec6df6057925afc4cd85b7ef2e879066ae8baaa2d453b82958e434578] - GCPPROJECT: ENCRYPTED[cc09b62d0ec6746a3df685e663ad25d9d5af95ef5fd843c96f3d0ec9d7f065dc63216b9c685c9f43a776a1d403991494] - - clone_script: 'true' - script: '/usr/local/bin/entrypoint.sh' - - -smoke_task: - alias: 'smoke' - name: "Smoke Test" - - gce_instance: - memory: "12G" - cpu: 8 - - # Don't bother running on branches (including cron), or for tags. - skip: $CIRRUS_PR == '' - - timeout_in: 10m - - setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' - build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}' - validate_test_script: '${SCRIPT_BASE}/test.sh validate |& ${_TIMESTAMP}' - - binary_artifacts: - path: ./bin/* - -# Check that all included go modules from other sources match -# # what is expected in `vendor/modules.txt` vs `go.mod`. -vendor_task: - name: "Test Vendoring" - alias: vendor - - env: - CIRRUS_WORKING_DIR: "/var/tmp/go/src/github.com/containers/buildah" - GOPATH: "/var/tmp/go" - GOSRC: "/var/tmp/go/src/github.com/containers/buildah" - - # Runs within Cirrus's "community cluster" - container: - image: docker.io/library/golang:1.25 - cpu: 1 - memory: 1 - - timeout_in: 5m - - vendor_script: - - './hack/check_vendor_toolchain.sh Try updating the image used by the vendor_task in .cirrus.yml.' - - 'make vendor' - - './hack/tree_status.sh' - - -# Confirm cross-compile ALL architectures on a Mac OS-X VM. 
-cross_build_task: - name: "Cross Compile" - gce_instance: - cpu: 8 - memory: "24G" - alias: cross_build - skip: >- - $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*' - env: - HOME: /root - script: - - go version - - make -j cross CGO_ENABLED=0 - binary_artifacts: - path: ./bin/* - - -unit_task: - name: 'Unit tests w/ $STORAGE_DRIVER' - gce_instance: - cpu: 4 - alias: unit - skip: ¬_build_docs >- - $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*' || - $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*' - depends_on: &smoke_vendor - - smoke - - vendor - - matrix: - - env: - STORAGE_DRIVER: 'vfs' - - env: - STORAGE_DRIVER: 'overlay' - - setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' - unit_test_script: '${SCRIPT_BASE}/test.sh unit |& ${_TIMESTAMP}' - - always: &standardlogs - audit_log_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh audit' - df_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh df' - journal_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh journal' - podman_system_info_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh podman' - buildah_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh buildah_version' - buildah_info_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh buildah_info' - package_versions_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh packages' - golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang' - -conformance_task: - name: 'Debian Conformance w/ $STORAGE_DRIVER' - alias: conformance - skip: *not_build_docs - depends_on: *smoke_vendor - - gce_instance: - cpu: 4 - image_name: "${DEBIAN_CACHE_IMAGE_NAME}" - - matrix: - - env: - STORAGE_DRIVER: 'vfs' - TMPDIR: '/var/tmp' - - env: - STORAGE_DRIVER: 'overlay' - - setup_script: '${SCRIPT_BASE}/setup.sh conformance |& ${_TIMESTAMP}' - conformance_test_script: '${SCRIPT_BASE}/test.sh conformance |& ${_TIMESTAMP}' - - always: - <<: *standardlogs - -integration_task: - name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" - alias: integration - skip: *not_build_docs - depends_on: *smoke_vendor - - matrix: - # VFS - - env: - 
DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'vfs' - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'vfs' - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${DEBIAN_NAME}" - IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'vfs' - - env: - DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'vfs' - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'vfs' - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - # OVERLAY - - env: - DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${DEBIAN_NAME}" - IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - - env: - DISTRO_NV: "${RAWHIDE_NAME}" - IMAGE_NAME: "${RAWHIDE_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - TEST_BUILD_TAGS: 'containers_image_sequoia' - - env: - DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - - gce_instance: &integration_gce_instance - image_name: "$IMAGE_NAME" - cpu: 8 - memory: "8G" - - # Separate scripts for separate outputs, makes debugging easier. 
- setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' - build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}' - integration_test_script: '${SCRIPT_BASE}/test.sh integration |& ${_TIMESTAMP}' - - binary_artifacts: - path: ./bin/* - - always: - <<: *standardlogs - -integration_rootless_task: - name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" - alias: integration_rootless - skip: *not_build_docs - depends_on: *smoke_vendor - - matrix: - # Running rootless tests on overlay - # OVERLAY - - env: - DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - PRIV_NAME: rootless - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - PRIV_NAME: rootless - BUILDAH_RUNTIME: crun - RUNTIME_N: " using crun" - - env: - DISTRO_NV: "${DEBIAN_NAME}" - IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - PRIV_NAME: rootless - - env: - DISTRO_NV: "${FEDORA_NAME}" - IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - PRIV_NAME: rootless - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - - env: - DISTRO_NV: "${PRIOR_FEDORA_NAME}" - IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - STORAGE_DRIVER: 'overlay' - PRIV_NAME: rootless - BUILDAH_RUNTIME: runc - RUNTIME_N: " using runc" - - gce_instance: - <<: *integration_gce_instance - - # Separate scripts for separate outputs, makes debugging easier. 
- setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' - build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}' - integration_test_script: '${SCRIPT_BASE}/test.sh integration |& ${_TIMESTAMP}' - - binary_artifacts: - path: ./bin/* - - always: - <<: *standardlogs - -in_podman_task: - name: "Containerized Integration" - alias: in_podman - skip: *not_build_docs - depends_on: *smoke_vendor - - gce_instance: - cpu: 8 - memory: "8G" - - env: - # This is key, cause the scripts to re-execute themselves inside a container. - IN_PODMAN: 'true' - BUILDAH_ISOLATION: 'chroot' - STORAGE_DRIVER: 'vfs' - - # Separate scripts for separate outputs, makes debugging easier. - setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' - build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}' - integration_test_script: '${SCRIPT_BASE}/test.sh integration |& ${_TIMESTAMP}' - - binary_artifacts: - path: ./bin/* - - always: - <<: *standardlogs - - -# Status aggregator for all tests. This task simply ensures a defined -# set of tasks all passed, and allows confirming that based on the status -# of this task. -success_task: - # N/B: The prow merge-bot (tide) is sensitized to this exact name, DO NOT CHANGE IT. - # Ref: https://github.com/openshift/release/pull/48909 - name: "Total Success" - alias: success - - depends_on: - - meta - - smoke - - unit - - conformance - - vendor - - cross_build - - integration - - integration_rootless - - in_podman - - container: - image: "quay.io/libpod/alpine:latest" - cpu: 1 - memory: 1 - - env: - CIRRUS_SHELL: direct # execute command directly - - clone_script: mkdir -p $CIRRUS_WORKING_DIR - script: /bin/true diff --git a/.github/filters.yaml b/.github/filters.yaml new file mode 100644 index 000000000..7b82434b5 --- /dev/null +++ b/.github/filters.yaml @@ -0,0 +1,12 @@ +code: + - '**/*.go' + - 'go.mod' + - 'go.sum' + - 'vendor/**' + - 'Makefile' + - '.github/**' + - 'contrib/ci/**' + - 'hack/**' + - 'tests/**' + - '.codespellrc' + - '.golangci.yml' 
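Review bot: A pull request that touches only paths missing from this `code` list skips unit, conformance, integration and in_podman (ci.yml gates them on `needs.path-filter.outputs.code == 'true'`) and still reports "Total Success", because the `success` job counts skipped jobs as passing. An allow-list fails open: any build-relevant path nobody remembered to add here (for example other directories under `contrib/`, or scripts at the repository root; the tree is not visible from this diff) merges without the test suites. Consider inverting the filter so that only known documentation paths are exempt and everything else runs the tests by default, and add a comment above the list such as `# Paths NOT matched here skip the test jobs; when in doubt, add the path.`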
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml deleted file mode 100644 index 47e431e1f..000000000 --- a/.github/workflows/check_cirrus_cron.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -# See also: -# https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml - -on: - # Note: This only applies to the default branch. - schedule: - # N/B: This should correspond to a period slightly after - # the last job finishes running. See job defs. at: - # https://cirrus-ci.com/settings/repository/6706677464432640 - - cron: '03 03 * * 1-5' - # Debug: Allow triggering job manually in github-actions WebUI - workflow_dispatch: {} - -jobs: - # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows - call_cron_failures: - uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main - secrets: - SECRET_CIRRUS_API_KEY: ${{secrets.SECRET_CIRRUS_API_KEY}} - ACTION_MAIL_SERVER: ${{secrets.ACTION_MAIL_SERVER}} - ACTION_MAIL_USERNAME: ${{secrets.ACTION_MAIL_USERNAME}} - ACTION_MAIL_PASSWORD: ${{secrets.ACTION_MAIL_PASSWORD}} - ACTION_MAIL_SENDER: ${{secrets.ACTION_MAIL_SENDER}} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..735a0c8ce --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,205 @@
+name: "ci"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ path-filter:
+ name: path-filter
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ pull-requests: read
+ outputs:
+ code: ${{ steps.filter.outputs.code }}
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - id: filter
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+ with:
+ filters: .github/filters.yaml
+
+ smoke:
+ name: smoke
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-4-16-x86
+ test: smoke
+ distro: fedora-current
+ timeout: 20
+
+ vendor:
+ name: vendor
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-4-16-x86
+ test: vendor
+ distro: fedora-current
+ timeout: 20
+
+ cross:
+ name: cross
+ runs-on: cncf-ubuntu-8-32-x86
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Build all cross targets
+ run: make -j4 cross CGO_ENABLED=0
+
+ unit:
+ needs: [smoke, vendor, path-filter]
+ if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+ name: unit ${{ matrix.storage }}
+ strategy:
+ fail-fast: false
+ matrix:
+ storage: [vfs, overlay]
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-4-16-x86
+ test: unit
+ storage: ${{ matrix.storage }}
+ priv: root
+ distro: fedora-current
+ timeout: 60
+
+ conformance:
+ needs: [smoke, vendor, path-filter]
+ if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+ name: conformance ${{ matrix.storage }}
+ strategy:
+ fail-fast: false
+ matrix:
+ storage: [vfs, overlay]
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-8-32-x86
+ test: conformance
+ storage: ${{ matrix.storage }}
+ priv: root
+ distro: debian-sid
+ timeout: 40
+
+ integration:
+ needs: [smoke, vendor, path-filter]
+ if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+ name: integration ${{ matrix.storage }} ${{ matrix.priv }} ${{ matrix.distro }}
+ strategy:
+ fail-fast: false
+ matrix:
+ distro: [fedora-current, fedora-prior, debian-sid]
+ storage: [vfs, overlay]
+ priv: [root, rootless]
+ exclude:
+ - storage: vfs
+ priv: rootless
+ - distro: debian-sid
+ priv: rootless
+ # Skip rootless+overlay: upstream Cirrus's PASSTHROUGH_ENV_RE drops
+ # STORAGE_DRIVER through SSH re-exec to rootlessuser, so their
+ # "Integration rootless ... w/ overlay" task silently tests vfs.
+ # When we propagate STORAGE_DRIVER properly, we expose a real
+ # rootless+overlay cleanup bug in buildah's storage code
+ # ("replacing mount point .../merged: directory not empty").
+ # Skip these cells until that's fixed upstream.
+ - storage: overlay
+ priv: rootless
+ include:
+ - storage: overlay
+ priv: root
+ distro: fedora-rawhide
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-8-32-x86
+ test: integration
+ storage: ${{ matrix.storage }}
+ priv: ${{ matrix.priv }}
+ distro: ${{ matrix.distro }}
+ timeout: 60
+
+ in_podman:
+ needs: [smoke, vendor, path-filter]
+ if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+ name: in_podman
+ uses: ./.github/workflows/lima.yml
+ with:
+ runner: cncf-ubuntu-8-32-x86
+ test: in_podman
+ storage: vfs
+ priv: root
+ distro: fedora-current
+ timeout: 60
+
+ mac:
+ needs: [smoke, vendor]
+ name: build (darwin)
+ runs-on: macos-15
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Build darwin/arm64
+ run: make bin/buildah.darwin.arm64
+
+ - name: Build darwin/amd64
+ run: make bin/buildah.darwin.amd64
+
+ - name: Upload artifacts
+ if: always()
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: buildah-darwin
+ path: bin/buildah.darwin.*
+ if-no-files-found: error
+
+ success:
+ name: "Total Success"
+ if: always()
+ needs:
+ - path-filter
+ - smoke
+ - vendor
+ - cross
+ - unit
+ - conformance
+ - integration
+ - in_podman
+ - mac
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check all required jobs
+ run: |
+ if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || \
+ [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+ echo "One or more required jobs failed or were cancelled"
+ exit 1
+ fi
+ echo "All required jobs passed or were skipped"
diff --git a/.github/workflows/lima.yml b/.github/workflows/lima.yml
new file mode 100644
index 000000000..ccb06d065
--- /dev/null
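Review bot: The three `exclude` entries in the `integration` matrix together remove every `priv: rootless` cell (vfs+rootless, overlay+rootless, and the now-redundant debian-sid+rootless), so this workflow runs no rootless integration test at all, while the comment only speaks of skipping rootless+overlay. Rootless is the least-privilege mode users are steered toward, and the deleted Cirrus config had a dedicated `integration_rootless_task`, so this is a silent coverage drop behind a green "Total Success". If the comment is right that the old task effectively ran on vfs, removing the `storage: vfs` / `priv: rootless` exclude would keep that coverage. Otherwise reduce the axis to `priv: [root]` and extend the comment with `# NOTE: no rootless cell runs until the overlay cleanup bug is fixed`, so that the gap is explicit.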
+++ b/.github/workflows/lima.yml
@@ -0,0 +1,57 @@
+name: lima
+
+on:
+ workflow_call:
+ inputs:
+ distro:
+ required: true
+ type: string
+ test:
+ required: true
+ type: string
+ priv:
+ required: false
+ type: string
+ storage:
+ required: false
+ type: string
+ runner:
+ required: true
+ type: string
+ timeout:
+ required: false
+ type: number
+
+permissions: {}
+
+jobs:
+ lima:
+ name: ${{ inputs.test }} ${{ inputs.storage || '' }} ${{ inputs.priv || '' }} ${{ inputs.distro }}
+ runs-on: ${{ inputs.runner }}
+ timeout-minutes: ${{ inputs.timeout || 20 }}
+ permissions: {}
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 50
+
+ - name: Fetch base ref for merge-base
+ run: git fetch --depth=50 origin main:refs/remotes/origin/main || true
+
+ - uses: lima-vm/lima-actions/setup@55627e31b78637bf254a8b2a14da8ea7d12564e5 # v1.1.0
+ id: lima
+ with:
+ version: v2.1.1
+
+ - name: Run test on lima
+ run: | # zizmor: ignore[template-injection]
+ ./contrib/ci/ci.sh ${{ inputs.test }} ${{ inputs.storage }} ${{ inputs.priv }} ${{ inputs.distro }}
+
+ - name: Upload journal as artifact
+ if: always()
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: "journal-${{ inputs.test }}-${{ inputs.storage }}-${{ inputs.priv }}-${{ inputs.distro }}.log"
+ path: "./contrib/ci/journal.log"
+ if-no-files-found: ignore
diff --git a/contrib/ci/ci.sh b/contrib/ci/ci.sh
new file mode 100755
index 000000000..f246ca8f9
--- /dev/null
+++ b/contrib/ci/ci.sh
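Review bot: The `Run test on lima` step expands `${{ inputs.* }}` directly into the shell script and silences the linter with `# zizmor: ignore[template-injection]` instead of removing the pattern. Every caller visible in ci.yml passes literals or matrix values, so nothing untrusted reaches it today, but the reusable workflow would become a shell-injection point as soon as a caller forwards event data. Passing the inputs through `env:` and quoting them makes the suppression unnecessary. The `${VAR:+"$VAR"}` form keeps the current behaviour where an empty `storage` or `priv` is dropped from the argument list, which `parse_args` in contrib/ci/lib.sh relies on because it dispatches on the argument count.

```yaml
      - name: Run test on lima
        env:
          TEST: ${{ inputs.test }}
          STORAGE: ${{ inputs.storage }}
          PRIV: ${{ inputs.priv }}
          DISTRO: ${{ inputs.distro }}
        run: |
          ./contrib/ci/ci.sh "$TEST" ${STORAGE:+"$STORAGE"} ${PRIV:+"$PRIV"} "$DISTRO"
```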
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" && pwd )
+
+source "$SCRIPT_DIR/lib.sh"
+
+AUTOMATION_RELEASE="${AUTOMATION_RELEASE:-20260520t200858z}"
+LIMA_VM_NAME=buildah-ci
+
+REPO_DIR="$SCRIPT_DIR/../.."
+
+parse_args "$@"
+
+IMAGE="$DISTRO_NAME.x86_64.qcow2.zst"
+
+IMAGE_URL_BASE="${IMAGE_URL_BASE:-https://objectstorage.us-ashburn-1.oraclecloud.com/n/id0lmbbwgcdv/b/podman-ci-vm-images/o/releases}"
+IMAGE_URL="$IMAGE_URL_BASE/$AUTOMATION_RELEASE/$IMAGE"
+
+trap "limactl delete --force $LIMA_VM_NAME" EXIT
+
+limactl --yes start --plain --name=$LIMA_VM_NAME --cpus $(nproc) --memory 8 --disk 150 --nested-virt \
+ --set ".images=[{\"location\":\"$IMAGE_URL\", \"arch\": \"x86_64\"}]" \
+ "$SCRIPT_DIR/template.lima.yml"
+
+limactl copy "$REPO_DIR" $LIMA_VM_NAME:/var/tmp/buildah
+
+set +e
+
+limactl shell --workdir /var/tmp/buildah $LIMA_VM_NAME ./contrib/ci/runner.sh "${@}"
+rc=$?
+
+limactl shell --workdir /var/tmp/buildah $LIMA_VM_NAME sudo contrib/ci/logcollector.sh journal &> "$SCRIPT_DIR/journal.log"
+
+exit $rc
diff --git a/contrib/ci/lib.sh b/contrib/ci/lib.sh
new file mode 100644
index 000000000..ef33a509a
--- /dev/null
+++ b/contrib/ci/lib.sh
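Review bot: The VM image at `$IMAGE_URL` is downloaded and booted with no integrity check, so the trust root for every CI result is whoever can write to that object-storage bucket, or set `IMAGE_URL_BASE` in the job environment. The workflows pin every action by commit SHA, yet the image that actually runs the tests is pinned only by a release-name path segment. Lima image entries accept a `digest` field, so recording one digest per distro for each `AUTOMATION_RELEASE` and passing it in the `--set` expression, e.g. `{"location":"$IMAGE_URL","arch":"x86_64","digest":"sha256:<PLACEHOLDER_DIGEST>"}`, would make a swapped or corrupted image fail at `limactl start`. As a smaller point, the `trap` string is double-quoted and expands `$LIMA_VM_NAME` at definition time; that is harmless with the constant name here, but single quotes are the safer habit.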
@@ -0,0 +1,70 @@ +OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | tr -d '.')" +OS_RELEASE_ID="$(source /etc/os-release; echo $ID)" +OS_REL_VER="$OS_RELEASE_ID-$OS_RELEASE_VER" + + +function die() { + echo "$1" >&2 + exit 1 +} + +function parse_args() { + TEST= + DISTRO_NAME= + STORAGE_DRIVER=overlay + PRIV=root + case "$#" in + 2) + TEST=$1 + DISTRO_NAME=$2 + ;; + 3) + TEST=$1 + PRIV=$2 + DISTRO_NAME=$3 + ;; + 4) + TEST=$1 + STORAGE_DRIVER=$2 + PRIV=$3 + DISTRO_NAME=$4 + ;; + *) + die "Invalid number of arguments $#, need 2-4" + ;; + esac + + validate_distro "$DISTRO_NAME" + validate_storage "$STORAGE_DRIVER" + validate_priv "$PRIV" +} + +function validate_distro() { + case "$1" in + "fedora-current"|"fedora-prior"|"fedora-rawhide"|"debian-sid") + ;; + *) + die "Unknown DISTRO_NAME '$1' set" + ;; + esac +} + +function validate_storage() { + case "$1" in + "vfs"|"overlay") + ;; + *) + die "Unknown STORAGE_DRIVER '$1' set" + ;; + esac +} + +function validate_priv() { + case "$1" in + "root"|"rootless") + ;; + *) + die "Unknown PRIV '$1' set" + ;; + esac +} diff --git a/contrib/cirrus/logcollector.sh b/contrib/ci/logcollector.sh similarity index 61% rename from contrib/cirrus/logcollector.sh rename to contrib/ci/logcollector.sh index fa13acef6..bd189bca2 100755 --- a/contrib/cirrus/logcollector.sh +++ b/contrib/ci/logcollector.sh @@ -1,10 +1,26 @@ -#!/bin/bash +#!/usr/bin/env bash set -e -source $(dirname $0)/lib.sh +# shellcheck source=contrib/ci/lib.sh +source "$(dirname "$0")/lib.sh" -req_env_vars CI GOSRC OS_RELEASE_ID +showrun() { + echo "+ $(printf " %q" "$@")" + set +e + echo '------------------------------------------------------------' + "$@" + local status=$? + [[ $status -eq 0 ]] || echo "[ rc = $status -- proceeding anyway ]" + echo '------------------------------------------------------------' + set -e +} + +bad_os_id_ver() { + die "Unknown OS '$OS_RELEASE_ID'" +} + +GOSRC="${GOSRC:-$(pwd)}" case $1 in audit) 
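Review bot: `parse_args` validates `DISTRO_NAME`, `STORAGE_DRIVER` and `PRIV` against fixed lists but leaves `TEST` unchecked, although it arrives through the same workflow interpolation and is forwarded to `runner.sh` inside the VM. Whether runner.sh rejects unknown values is not visible in this diff, so rejecting them here keeps all four arguments to one standard and fails before a VM is started. The list below is taken from the `test:` values that ci.yml passes and should be extended if runner.sh accepts more.

```bash
    # … unchanged: validate_distro / validate_storage calls …
    validate_priv "$PRIV"
    validate_test "$TEST"
}

function validate_test() {
    case "$1" in
        "smoke"|"vendor"|"unit"|"conformance"|"integration"|"in_podman")
            ;;
        *)
            die "Unknown TEST '$1' set"
            ;;
    esac
}
```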
@@ -17,11 +33,10 @@ case $1 in df) showrun df -lhTx tmpfs ;; journal) showrun journalctl -b ;; podman) showrun podman system info ;; - buildah_version) showrun $GOSRC/bin/buildah version;; - buildah_info) showrun $GOSRC/bin/buildah info;; - golang) showrun go version;; + buildah_version) showrun "$GOSRC/bin/buildah" version ;; + buildah_info) showrun "$GOSRC/bin/buildah" info ;; + golang) showrun go version ;; packages) - # These names are common to Fedora and Debian PKG_NAMES=(\ buildah conmon @@ -48,8 +63,7 @@ case $1 in ;; *) bad_os_id_ver ;; esac - # Any not-present packages will be listed as such - $PKG_LST_CMD ${PKG_NAMES[@]} | sort -u + $PKG_LST_CMD "${PKG_NAMES[@]}" | sort -u ;; - *) die "Warning, $(basename $0) doesn't know how to handle the parameter '$1'" + *) die "Warning, $(basename "$0") doesn't know how to handle the parameter '$1'" esac diff --git a/contrib/ci/runner.sh b/contrib/ci/runner.sh new file mode 100755 index 000000000..17c6614fa --- /dev/null +++ b/contrib/ci/runner.sh @@ -0,0 +1,113 @@ +#!/usr/bin/env bash + +set -eo pipefail + +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" && pwd ) + +source "$SCRIPT_DIR/lib.sh" + +parse_args "$@" + +export PRIV_NAME="$PRIV" +export STORAGE_DRIVER + +PRESERVE_ENVS="STORAGE_DRIVER,PRIV_NAME,BUILDAH_RUNTIME,IN_PODMAN,IN_PODMAN_NAME,IN_PODMAN_IMAGE,TEST_BUILD_TAGS,GOPATH,GOCACHE,GOSRC,GITVALIDATE_EPOCH,CI_USE_REGISTRY_CACHE,TMPDIR" + +LCR=/var/cache/local-registry/local-cache-registry +if [[ -x $LCR ]]; then + while read new_image; do + $LCR cache "$new_image" + done < <(grep '^[^#]' tests/NEW-IMAGES 2>/dev/null || true) + export CI_USE_REGISTRY_CACHE=1 +fi +SUDO="" +if [[ "$PRIV" == "root" ]]; then + SUDO="sudo --preserve-env=$PRESERVE_ENVS" +fi + +conf=/etc/containers/storage.conf +if [[ ! -e $conf ]]; then + sudo tee $conf <", "arch": "x86_64"}]' +images: 
diff --git a/contrib/cirrus/bors-ng.png b/contrib/cirrus/bors-ng.png deleted file mode 100644 index 9148d1695..000000000 Binary files a/contrib/cirrus/bors-ng.png and /dev/null differ diff --git a/contrib/cirrus/build.sh b/contrib/cirrus/build.sh deleted file mode 100755 index 5a809eeb1..000000000 --- a/contrib/cirrus/build.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source $(dirname $0)/lib.sh - -req_env_vars IN_PODMAN IN_PODMAN_NAME GOSRC - -remove_packaged_buildah_files - -go version && go env - -cd "$GOSRC" -if [[ "$IN_PODMAN" == "true" ]] -then - in_podman --rm $IN_PODMAN_NAME $0 -else - echo "Compiling buildah (\$GOSRC=$GOSRC)" - showrun make clean all EXTRA_BUILD_TAGS="$TEST_BUILD_TAGS" - - echo "Installing buildah" - mkdir -p bin - showrun make install PREFIX=/usr - showrun ./bin/buildah info -fi diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh deleted file mode 100755 index bdbf02404..000000000 --- a/contrib/cirrus/lib.sh +++ /dev/null 
@@ -1,357 +0,0 @@ - - -# Library of common, shared utility functions. This file is intended -# to be sourced by other scripts, not called directly. - -# BEGIN Global export of all variables -set -a - -# Due to differences across platforms and runtime execution environments, -# handling of the (otherwise) default shell setup is non-uniform. Rather -# than attempt to workaround differences, simply force-load/set required -# items every time this library is utilized. -USER="$(whoami)" -HOME="$(getent passwd $USER | cut -d : -f 6)" -# Some platforms set and make this read-only -[[ -n "$UID" ]] || \ - UID=$(getent passwd $USER | cut -d : -f 3) - -# Automation library installed at image-build time, -# defining $AUTOMATION_LIB_PATH in this file. -if [[ -r "/etc/automation_environment" ]]; then - source /etc/automation_environment -fi -# shellcheck disable=SC2154 -if [[ -n "$AUTOMATION_LIB_PATH" ]]; then - # shellcheck source=/usr/share/automation/lib/common_lib.sh - source $AUTOMATION_LIB_PATH/common_lib.sh -else - ( - echo "WARNING: It does not appear that containers/automation was installed." - echo " Functionality of most of this library will be negatively impacted" - echo " This ${BASH_SOURCE[0]} was loaded by ${BASH_SOURCE[1]}" - ) > /dev/stderr -fi - -# Required for proper GPG functioning under automation -GPG_TTY="${GPG_TTY:-/dev/null}" - -# Essential default paths, many are overridden when executing under Cirrus-CI -# others are duplicated here, to assist in debugging. 
-GOPATH="${GOPATH:-/var/tmp/go}" -if type -P go &> /dev/null -then - # required for go 1.12+ - GOCACHE="${GOCACHE:-$HOME/.cache/go-build}" - eval "$(go env)" - # Ensure compiled tooling is reachable - PATH="$PATH:$GOPATH/bin" -fi -CIRRUS_WORKING_DIR="${CIRRUS_WORKING_DIR:-$GOPATH/src/github.com/containers/buildah}" -GOSRC="${GOSRC:-$CIRRUS_WORKING_DIR}" -PATH="$GOSRC/tests/tools/build:$HOME/bin:$GOPATH/bin:/usr/local/bin:/usr/lib/cri-o-runc/sbin:$PATH" -SCRIPT_BASE=${SCRIPT_BASE:-./contrib/cirrus} - -cd $GOSRC -if type -P git &> /dev/null -then - CIRRUS_CHANGE_IN_REPO=${CIRRUS_CHANGE_IN_REPO:-$(git show-ref --hash=8 HEAD || date +%s)} -else # pick something unique and obviously not from Cirrus - CIRRUS_CHANGE_IN_REPO=${CIRRUS_CHANGE_IN_REPO:-unknown$(date +%s)} -fi - -export CI="${CI:-false}" -CIRRUS_CI="${CIRRUS_CI:-false}" -CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}" -CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-buildah} -CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%d)} # difficult to reliably discover -CIRRUS_BUILD_ID=${CIRRUS_BUILD_ID:-unknown$(date +%s)} # must be short and unique enough -CIRRUS_TASK_ID=${CIRRUS_BUILD_ID:-unknown$(date +%d)} # to prevent state thrashing when - # debugging with `hack/get_ci_vm.sh` - -# All CI jobs use a local registry -export CI_USE_REGISTRY_CACHE=true - -# Regex defining all CI-related env. vars. necessary for all possible -# testing operations on all platforms and versions. This is necessary -# to avoid needlessly passing through global/system values across -# contexts, such as host->container or root->rootless user -# -# List of envariables which must be EXACT matches -# N/B: Don't include BUILDAH_ISOLATION, STORAGE_DRIVER, or CGROUP_MANAGER -# here because they will negatively affect execution of the rootless -# integration tests. 
-PASSTHROUGH_ENV_EXACT='BUILDAH_RUNTIME|DEST_BRANCH|DISTRO_NV|GOPATH|GOSRC|ROOTLESS_USER|SCRIPT_BASE|IN_PODMAN_IMAGE' - -# List of envariable patterns which must match AT THE BEGINNING of the name. -PASSTHROUGH_ENV_ATSTART='CI|TEST' - -# List of envariable patterns which can match ANYWHERE in the name -PASSTHROUGH_ENV_ANYWHERE='_NAME|_FQIN' - -# Combine into one -PASSTHROUGH_ENV_RE="(^($PASSTHROUGH_ENV_EXACT)\$)|(^($PASSTHROUGH_ENV_ATSTART))|($PASSTHROUGH_ENV_ANYWHERE)" - -# Unsafe env. vars for display -SECRET_ENV_RE='ACCOUNT|GC[EP]..|SSH|PASSWORD|SECRET|TOKEN' - -# FQINs needed for testing -REGISTRY_FQIN=${REGISTRY_FQIN:-quay.io/libpod/registry:2.8.2} -ALPINE_FQIN=${ALPINE_FQIN:-quay.io/libpod/alpine} - -# for in-container testing -IN_PODMAN_NAME="in_podman_$CIRRUS_TASK_ID" -IN_PODMAN="${IN_PODMAN:-false}" - -# rootless_user -ROOTLESS_USER="rootlessuser" - -# Downloaded, but not installed packages. -PACKAGE_DOWNLOAD_DIR=/var/cache/download - -lilto() { err_retry 8 1000 "" "$@"; } # just over 4 minutes max -bigto() { err_retry 7 5670 "" "$@"; } # 12 minutes max - -# Working with apt under automation is a PITA, make it easy -# Avoid some ways of getting stuck waiting for user input -export DEBIAN_FRONTEND=noninteractive -# Short-cut for frequently used base command -export APTGET='apt-get -qq --yes' -# Short timeout for quick-running packaging command -SHORT_APTGET="lilto $APTGET" -SHORT_DNFY="lilto dnf -y" -# Longer timeout for long-running packaging command -LONG_APTGET="bigto $APTGET" -LONG_DNFY="bigto dnf -y" - -# Allow easy substitution for debugging if needed -CONTAINER_RUNTIME="showrun ${CONTAINER_RUNTIME:-podman}" - -# END Global export of all variables -set +a - -bad_os_id_ver() { - die "Unknown/Unsupported distro. $OS_RELEASE_ID and/or version $OS_RELEASE_VER for $(basename $0)" -} - -# Remove all files provided by the distro version of buildah. 
-# All VM cache-images used for testing include the distro buildah because it -# simplifies installing necessary dependencies which can change over time. -# For general CI testing however, calling this function makes sure the system -# can only run the compiled source version. -remove_packaged_buildah_files() { - warn "Removing packaged buildah files to prevent conflicts with source build and testing." - req_env_vars OS_RELEASE_ID - - if [[ "$OS_RELEASE_ID" =~ "debian" ]] - then - LISTING_CMD="dpkg-query -L buildah" - else - LISTING_CMD='rpm -ql buildah' - fi - - # yum/dnf/dpkg may list system directories, only remove files - $LISTING_CMD | while read fullpath - do - # Sub-directories may contain unrelated/valuable stuff - if [[ -d "$fullpath" ]]; then continue; fi - - rm -vf "$fullpath" - done - - if [[ -z "$CONTAINER" ]]; then - # Be super extra sure and careful vs performant and completely safe - sync && echo 3 > /proc/sys/vm/drop_caches - fi -} - -# Return a list of environment variables that should be passed through -# to lower levels (tests in containers, or via ssh to rootless). -# We return the variable names only, not their values. It is up to our -# caller to reference values. -passthrough_envars(){ - warn "Will pass env. vars. matching the following regex: - $PASSTHROUGH_ENV_RE" - compgen -A variable | \ - grep -Ev "$SECRET_ENV_RE" | \ - grep -Ev "^PASSTHROUGH_" | \ - grep -E "$PASSTHROUGH_ENV_RE" -} - -in_podman() { - req_env_vars IN_PODMAN_NAME GOSRC GOPATH SECRET_ENV_RE HOME - [[ -n "$@" ]] || \ - die "Must specify FQIN and command with arguments to execute" - - # Line-separated arguments which include shell-escaped special characters - declare -a envargs - while read -r var; do - # Pass "-e VAR" on the command line, not "-e VAR=value". Podman can - # do a much better job of transmitting the value than we can, - # especially when value includes spaces. 
- envargs+=("-e" "$var") - done <<<"$(passthrough_envars)" - - showrun podman run -i --name="$IN_PODMAN_NAME" \ - --net=host \ - --privileged \ - --cgroupns=host \ - "${envargs[@]}" \ - -e BUILDAH_ISOLATION \ - -e STORAGE_DRIVER \ - -e "IN_PODMAN=false" \ - -e "CONTAINER=podman" \ - -e "CGROUP_MANAGER=cgroupfs" \ - -v "$HOME/auth:$HOME/auth:ro" \ - -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ - --device /dev/fuse:rwm \ - -v "$GOSRC:$GOSRC:z" \ - --workdir "$GOSRC" \ - "$@" -} - -verify_local_registry(){ - # On the unexpected/rare chance of a name-clash - local CUSTOM_FQIN=localhost:5000/my-alpine-$RANDOM - echo "Verifying local 'registry' container is operational" - showrun podman version - showrun podman info - showrun podman ps --all - showrun podman images - showrun ls -alF $HOME/auth - showrun podman pull $ALPINE_FQIN - showrun podman login --tls-verify=false localhost:5000 --username testuser --password testpassword - showrun podman tag $ALPINE_FQIN $CUSTOM_FQIN - showrun podman push --tls-verify=false --creds=testuser:testpassword $CUSTOM_FQIN - showrun podman ps --all - showrun podman images - showrun podman rmi $ALPINE_FQIN - showrun podman rmi $CUSTOM_FQIN - showrun podman pull --tls-verify=false --creds=testuser:testpassword $CUSTOM_FQIN - showrun podman ps --all - showrun podman images - echo "Success, local registry is working, cleaning up." - showrun podman rmi $CUSTOM_FQIN -} - -execute_local_registry() { - if nc -4 -z 127.0.0.1 5000 - then - warn "Found listener on localhost:5000, NOT starting up local registry server." 
- verify_local_registry - return 0 - fi - req_env_vars CONTAINER_RUNTIME GOSRC - local authdirpath=$HOME/auth - cd $GOSRC - - echo "Creating a self signed certificate and get it in the right places" - mkdir -p $authdirpath - openssl req \ - -newkey rsa:4096 -nodes -sha256 -x509 -days 2 \ - -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=registry host certificate" \ - -addext subjectAltName=DNS:localhost \ - -keyout $authdirpath/domain.key \ - -out $authdirpath/domain.crt - - cp $authdirpath/domain.crt $authdirpath/domain.cert - - echo "Creating http credentials file" - showrun htpasswd -Bbn testuser testpassword > $authdirpath/htpasswd - - echo "Starting up the local 'registry' container" - showrun podman run -d -p 5000:5000 --name registry \ - -v $authdirpath:$authdirpath:Z \ - -e "REGISTRY_AUTH=htpasswd" \ - -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ - -e REGISTRY_AUTH_HTPASSWD_PATH=$authdirpath/htpasswd \ - -e REGISTRY_HTTP_TLS_CERTIFICATE=$authdirpath/domain.crt \ - -e REGISTRY_HTTP_TLS_KEY=$authdirpath/domain.key \ - $REGISTRY_FQIN - - verify_local_registry -} - -setup_rootless() { - req_env_vars GOPATH GOSRC SECRET_ENV_RE - - local rootless_uid - local rootless_gid - local env_var_val - local akfilepath - local sshcmd - - # Only do this once; established by setup_environment.sh - # shellcheck disable=SC2154 - if passwd --status $ROOTLESS_USER - then - if [[ $PRIV_NAME = "rootless" ]]; then - msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code" - chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC" - return 0 - fi - fi - msg "************************************************************" - msg "Setting up rootless user '$ROOTLESS_USER'" - msg "************************************************************" - cd $GOSRC || exit 1 - # Guarantee independence from specific values - rootless_uid=$((RANDOM+1000)) - rootless_gid=$((RANDOM+1000)) - rootless_supplemental_gid1=$((rootless_gid+1)) - 
rootless_supplemental_gid2=$((rootless_supplemental_gid1+1)) - rootless_supplemental_gid3=$((rootless_supplemental_gid2+1)) - msg "creating $rootless_uid:$rootless_gid,$rootless_supplemental_gid1,$rootless_supplemental_gid2,$rootless_supplemental_gid3 $ROOTLESS_USER user" - groupadd -g $rootless_gid $ROOTLESS_USER - groupadd -g $rootless_supplemental_gid1 ${ROOTLESS_USER}sg1 - groupadd -g $rootless_supplemental_gid2 ${ROOTLESS_USER}sg2 - groupadd -g $rootless_supplemental_gid3 ${ROOTLESS_USER}sg3 - useradd -g $rootless_gid -G ${ROOTLESS_USER}sg1,${ROOTLESS_USER}sg2,${ROOTLESS_USER}sg3 -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER - rootless_supplemental_gid4=$(awk 'BEGIN{FS=":"}/^rootlessuser:/{print $2+$3}' /etc/subgid) - groupadd -g $rootless_supplemental_gid4 ${ROOTLESS_USER}sg4 - usermod -G ${ROOTLESS_USER}sg1,${ROOTLESS_USER}sg2,${ROOTLESS_USER}sg3,${ROOTLESS_USER}sg4 $ROOTLESS_USER - msg "running id for $ROOTLESS_USER" - id $ROOTLESS_USER - - # We also set up rootless user for image-scp tests (running as root) - if [[ $PRIV_NAME = "rootless" ]]; then - chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC" - fi - echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless - - mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh" - - msg "Creating ssh key pairs" - [[ -r "$HOME/.ssh/id_rsa" ]] || \ - ssh-keygen -t rsa -P "" -f "$HOME/.ssh/id_rsa" - ssh-keygen -t ed25519 -P "" -f "/home/$ROOTLESS_USER/.ssh/id_ed25519" - ssh-keygen -t rsa -P "" -f "/home/$ROOTLESS_USER/.ssh/id_rsa" - - msg "Setup authorized_keys" - cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> $HOME/.ssh/authorized_keys - cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> /home/$ROOTLESS_USER/.ssh/authorized_keys - - msg "Ensure the ssh daemon is up and running within 5 minutes" - systemctl start sshd - lilto systemctl is-active sshd - - msg "Configure ssh file permissions" - chmod -R 700 "$HOME/.ssh" - chmod -R 700 "/home/$ROOTLESS_USER/.ssh" - chown 
-R $ROOTLESS_USER:$ROOTLESS_USER "/home/$ROOTLESS_USER/.ssh" - - msg " setup known_hosts for $USER" - ssh-keyscan localhost > /root/.ssh/known_hosts - - msg " setup known_hosts for $ROOTLESS_USER" - install -Z -m 700 -o $ROOTLESS_USER -g $ROOTLESS_USER \ - /root/.ssh/known_hosts /home/$ROOTLESS_USER/.ssh/known_hosts - - msg "Setting up pass-through env. vars for $ROOTLESS_USER" - while read -r env_var; do - # N/B: Some values contain spaces and other potential nasty-bits - # (i.e. $CIRRUS_COMMIT_MESSAGE). The %q conversion ensures proper - # bash-style escaping. - printf -- "export %s=%q\n" "${env_var}" "${!env_var}" | tee -a /home/$ROOTLESS_USER/ci_environment - done <<<"$(passthrough_envars)" -} diff --git a/contrib/cirrus/setup.sh b/contrib/cirrus/setup.sh deleted file mode 100755 index 959a18182..000000000 --- a/contrib/cirrus/setup.sh +++ /dev/null 
@@ -1,120 +0,0 @@ -#!/usr/bin/env bash - -set -e - -# N/B: In most (but not all) cases, these packages will already be installed -# in the VM image at build-time (from libpod repo.). Running package install -# again here, ensures that all cases are covered, and there is never any -# expectation mismatch. -source $(dirname $0)/lib.sh - -req_env_vars OS_RELEASE_ID OS_RELEASE_VER GOSRC IN_PODMAN_IMAGE CIRRUS_CHANGE_TITLE - -msg "Running df." -df -hT - -msg "Disabling git repository owner-check system-wide." -# Newer versions of git bark if repo. files are unexpectedly owned. -# This mainly affects rootless and containerized testing. But -# the testing environment is disposable, so we don't care.= -git config --system --add safe.directory $GOSRC - -# Support optional/draft testing using latest/greatest -# podman-next COPR packages. This requires a draft PR -# to ensure changes also pass CI w/o package updates. -if [[ "$OS_RELEASE_ID" =~ "fedora" ]] && \ - [[ "$CIRRUS_CHANGE_TITLE" =~ CI:NEXT ]] -then - # shellcheck disable=SC2154 - if [[ "$CIRRUS_PR_DRAFT" != "true" ]]; then - die "Magic 'CI:NEXT' string can only be used on DRAFT PRs" - fi - - showrun dnf copr enable rhcontainerbot/podman-next -y - showrun dnf upgrade -y -fi - -msg "Setting up $OS_RELEASE_ID $OS_RELEASE_VER" -cd $GOSRC -case "$OS_RELEASE_ID" in - fedora) - warn "Hard-coding podman to use crun" - cat > /etc/containers/containers.conf < /sys/block/sda/queue/scheduler - warn "I/O scheduler: $(cat /sys/block/sda/queue/scheduler)" -fi - -execute_local_registry # checks for existing port 5000 listener - -if [[ "$IN_PODMAN" == "true" ]] -then - req_env_vars IN_PODMAN_IMAGE IN_PODMAN_NAME - echo "Setting up image to use for \$IN_PODMAN=true testing" - cd $GOSRC - in_podman $IN_PODMAN_IMAGE $0 - showrun podman commit $IN_PODMAN_NAME $IN_PODMAN_NAME - showrun podman rm -f $IN_PODMAN_NAME -fi diff --git a/contrib/cirrus/test.sh b/contrib/cirrus/test.sh deleted file mode 100755 index 1f4fff42f..000000000 
--- a/contrib/cirrus/test.sh
+++ /dev/null
@@ -1,96 +0,0 @@ -#!/usr/bin/env bash - -set -e - -source $(dirname $0)/lib.sh - -req_env_vars IN_PODMAN IN_PODMAN_NAME GOSRC 1 - -# shellcheck disable=SC2154 -if [[ "$PRIV_NAME" == "rootless" ]] && [[ "$UID" -eq 0 ]]; then - # Remove /var/lib/cni, it is not required for rootless cni. - # We have to test that it works without this directory. - # https://github.com/containers/podman/issues/10857 - rm -rf /var/lib/cni - - # change permission of go src and cache directory - # so rootless user can access it - chown -R $ROOTLESS_USER:root /var/tmp/go - chmod -R g+rwx /var/tmp/go - - req_env_vars ROOTLESS_USER - msg "Re-executing test through ssh as user '$ROOTLESS_USER'" - msg "************************************************************" - set -x - exec ssh $ROOTLESS_USER@localhost \ - -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ - -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/test.sh $1 - # Does not return! -elif [[ "$UID" -ne 0 ]]; then - # Load important env. vars written during setup.sh (run as root) - # call to setup_rootless() - source /home/$ROOTLESS_USER/ci_environment -fi -# else: not running rootless, do nothing special - -msg "Test-time env. var. 
definitions (filtered):" -show_env_vars - -if [[ "$IN_PODMAN" == "true" ]] -then - cd $GOSRC - # Host build environment != container environment - showrun make clean - in_podman --rm $IN_PODMAN_NAME:latest $0 $1 -else - cd $GOSRC - - showrun make - showrun make install.tools - - case $1 in - validate) - showrun ooe.sh git remote add upstream "$CIRRUS_REPO_CLONE_URL" - showrun ooe.sh git remote update - if [[ -n "$CIRRUS_PR" ]]; then - echo "Validating a PR" - export GITVALIDATE_EPOCH="$CIRRUS_BASE_SHA" - elif [[ -n "$CIRRUS_TAG" ]]; then - echo "Refusing to validating a Tag" - return 0 - else - echo "Validating a Branch" - export GITVALIDATE_EPOCH="$CIRRUS_LAST_GREEN_CHANGE" - fi - echo "Linting & Validating from ${GITVALIDATE_EPOCH:-default EPOCH}" - showrun make lint LINTFLAGS="--timeout=20m --color=always -j1" - showrun make validate - ;; - unit) - race= - if [[ -z "$CIRRUS_PR" ]]; then - # If not running on a PR then run unit tests - # with appropriate `-race` flags. - race="-race" - fi - showrun make test-unit RACEFLAGS=$race - ;; - conformance) - # Typically it's undesirable to install packages at runtime. - # This test compares images built with the "latest" version - # of docker, against images built with buildah. Runtime installs - # are required to ensure the latest docker version is used. - [[ "$OS_RELEASE_ID" == "debian" ]] || \ - bad_os_id_ver - - systemctl enable --now docker - showrun make test-conformance - ;; - integration) - showrun make test-integration - ;; - *) - die "First parameter to $(basename $0) not supported: '$1'" - ;; - esac -fi diff --git a/contrib/cirrus/timestamp.awk b/contrib/cirrus/timestamp.awk deleted file mode 100644 index 95b312e51..000000000 --- a/contrib/cirrus/timestamp.awk +++ /dev/null 
@@ -1,20 +0,0 @@
-
-
-# This script is intended to be piped into by automation, in order to
-# mark output lines with timing information. For example:
-# /path/to/command |& awk --file timestamp.awk
-
-BEGIN {
- STARTTIME=systime()
- printf "[%s] START", strftime("%T")
- printf " - All [+xxxx] lines that follow are relative to right now.\n"
-}
-
-{
- printf "[%+05ds] %s\n", systime()-STARTTIME, $0
-}
-
-END {
- printf "[%s] END", strftime("%T")
- printf " - [%+05ds] total duration since START\n", systime()-STARTTIME
-}
diff --git a/hack/get_ci_vm.sh b/hack/get_ci_vm.sh
deleted file mode 100755
index 28b3b7e89..000000000
--- a/hack/get_ci_vm.sh
+++ /dev/null
@@ -1,64 +0,0 @@ -#!/usr/bin/env bash - -# -# For help and usage information, simply execute the script w/o any arguments. -# -# This script is intended to be run by Red Hat buildah developers who need -# to debug problems specifically related to Cirrus-CI automated testing. -# It requires that you have been granted prior access to create VMs in -# google-cloud. For non-Red Hat contributors, VMs are available as-needed, -# with supervision upon request. - -set -e - -SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}") -SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH") -REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../") - -# Help detect if we were called by get_ci_vm container -GET_CI_VM="${GET_CI_VM:-0}" -in_get_ci_vm() { - if ((GET_CI_VM==0)); then - echo "Error: $1 is not intended for use in this context" - exit 2 - fi -} - -# get_ci_vm APIv1 container entrypoint calls into this script -# to obtain required repo. specific configuration options. -if [[ "$1" == "--config" ]]; then - in_get_ci_vm "$1" - cat < /dev/stderr - source ./contrib/cirrus/lib.sh - echo "+ Running environment setup" > /dev/stderr - ./contrib/cirrus/setup.sh -else - # Create and access VM for specified Cirrus-CI task - mkdir -p $HOME/.config/gcloud/ssh - podman run -it --rm \ - --tz=local \ - -e NAME="$USER" \ - -e SRCDIR=/src \ - -e GCLOUD_ZONE="$GCLOUD_ZONE" \ - -e A_DEBUG="${A_DEBUG:-0}" \ - -v $REPO_DIRPATH:/src:O \ - -v $HOME/.config/gcloud:/root/.config/gcloud:z \ - -v $HOME/.config/gcloud/ssh:/root/.ssh:z \ - quay.io/libpod/get_ci_vm:latest "$@" -fi