Experimental: add a proxy to increase CI resiliency to third party services failures

.github/workflows/proxy_cache/Caddyfile.conf

@@ -0,0 +1,164 @@
+# Caddy global config
+{
+    https_port 443
+    http_port 80
+
+    default_sni localhost
+    admin :2024
+    storage file_system {
+        root "{$HOME}/proxy/certs"
+    }
+    skip_install_trust
+    auto_https ignore_loaded_certs
+    order cache before rewrite
+
+    acme_ca internal
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    cache {
+        log_level "warn"
+
+        cache_keys {
+            disable_body
+        }
+
+        key {
+            disable_body
+        }
+
+        stale 31536000s
+        ttl 31536000s
+
+        nuts {
+            configuration {
+                Dir "{$HOME}/proxy/cache"
+                EntryIdxMode 1
+                RWMode 0
+                SegmentSize 1024
+                NodeNum 42
+                SyncEnable true
+                StartFileLoadingMode 1
+            }
+        }
+    }
+
+    servers {
+        metrics
+    }
+}
+
+https://index.docker.io {
+    tls internal
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy https://index.docker.io {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+        # Be sure to back out if Docker Hub gives us the 429 treatment
+        unhealthy_status 429
+    }
+}
+
+https://registry-1.docker.io {
+    tls internal
+
+    # Not enabling cache for Hub - doing this would require to be path specific
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy https://registry-1.docker.io {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+        # Be sure to back out if Docker Hub gives us the 429 treatment
+        unhealthy_status 429
+    }
+}
+
+http://deb.debian.org {
+    cache
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy http://deb.debian.org {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+    }
+}
+
+https://deb.debian.org {
+    tls internal
+
+    cache
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy http://deb.debian.org {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+    }
+}
+
+http://ports.ubuntu.com {
+    cache
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy http://ports.ubuntu.com {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+    }
+}
+
+https://ports.ubuntu.com {
+    tls internal
+
+    cache
+
+    log {
+        output stdout
+        format json
+        level "info"
+    }
+
+    reverse_proxy http://ports.ubuntu.com {
+        # Try up to 5 times
+        lb_retries 5
+        # Wait one second between each try
+        lb_try_interval 1s
+    }
+}

.github/workflows/proxy_cache/Dockerfile

@@ -0,0 +1,5 @@
+FROM golang:bookworm
+RUN go install github.com/caddyserver/xcaddy/cmd/xcaddy@v0.4.2
+RUN "$(go env GOPATH)"/bin/xcaddy build --with github.com/caddyserver/cache-handler --with github.com/darkweak/storages/nuts/caddy
+COPY ./Caddyfile.conf /config/Caddyfile.conf
+CMD ["./caddy", "run", "--config", "/config/Caddyfile.conf", "--adapter", "caddyfile"]

.github/workflows/proxy_cache/setup.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2034,SC2015
+set -o errexit -o errtrace -o functrace -o nounset -o pipefail
+root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)"
+readonly root
+
+# Cleanup for repeat local development
+docker rmi -f caddy
+docker rm -f proxy
+# Build the caddy image
+docker build -t caddy -f "$root"/Dockerfile "$root"
+# Run it, exposing 80 and 443 (+2024 for the admin / trust)
+docker run -d --restart always --name proxy -p 80:80 -p 443:443 -p 2024:2024 caddy
+# Copy caddy here and trust the generated certificate
+docker cp proxy:/go/caddy .
+./caddy trust --address localhost:2024
+# Point docker registry to our proxy
+echo "127.0.0.1 registry-1.docker.io" | sudo tee -a /etc/hosts >/dev/null
+echo "127.0.0.1 ports.ubuntu.com" | sudo tee -a /etc/hosts >/dev/null
+echo "127.0.0.1 deb.debian.org" | sudo tee -a /etc/hosts >/dev/null
+# Restart docker to take into account the newly trusted certificate
+sudo systemctl restart docker

.github/workflows/test.yml

@@ -77,8 +77,10 @@ jobs:
       - uses: actions/checkout@v4.2.1
         with:
           fetch-depth: 1
+      - name: "Setup proxy"
+        run: ./.github/workflows/proxy_cache/setup.sh
       - name: "Prepare integration test environment"
-        run: docker build -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
+        run: docker build --network host --add-host=ports.ubuntu.com:127.0.0.1 --add-host=deb.debian.org:127.0.0.1 -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
       - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
         run: |
           sudo systemctl disable --now snapd.service snapd.socket
@@ -128,8 +130,10 @@ jobs:
           sudo mkdir -p /etc/docker
           echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
           sudo systemctl restart docker
+      - name: "Setup proxy"
+        run: ./.github/workflows/proxy_cache/setup.sh
       - name: "Prepare integration test environment"
-        run: docker build -t test-integration-ipv6 --target test-integration-ipv6 --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
+        run: docker build --network host --add-host=ports.ubuntu.com:127.0.0.1 --add-host=deb.debian.org:127.0.0.1 -t test-integration-ipv6 --target test-integration-ipv6 --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
       - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
         run: |
           sudo systemctl disable --now snapd.service snapd.socket
@@ -215,8 +219,10 @@ jobs:
           docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
           docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
           docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
+      - name: "Setup proxy"
+        run: ./.github/workflows/proxy_cache/setup.sh
       - name: "Prepare (network driver=slirp4netns, port driver=builtin)"
-        run: docker build -t ${TEST_TARGET} --target ${TEST_TARGET} --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} --build-arg ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} .
+        run: docker build --network host --add-host=ports.ubuntu.com:127.0.0.1 --add-host=deb.debian.org:127.0.0.1 -t ${TEST_TARGET} --target ${TEST_TARGET} --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} --build-arg ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} .
       - name: "Disable BuildKit for RootlessKit v1 (workaround for issue #622)"
         run: |
           # https://github.com/containerd/nerdctl/issues/622