[1.3] CI: migrate Vagrant + Cirrus to Lima + GHA

.cirrus.yml

@@ -1,76 +1,10 @@
 ---
-# We use Cirrus for RHEL clones (native) and Fedora (in Vagrant), because
-# neither is available on GHA natively, so the only option is VM.
-# In GHA, nested virtualization is only supported on macOS instances, which
-# are slow and flaky.
+# We use Cirrus for RHEL clones because Cirrus can directly run them
+# without depending on nested virtualization.
 
 # NOTE Cirrus execution environments lack a terminal, needed for
 # some integration tests. So we use `ssh -tt` command to fake a terminal.
 
-task:
-  timeout_in: 30m
-
-  env:
-    DEBIAN_FRONTEND: noninteractive
-    HOME: /root
-    # yamllint disable rule:key-duplicates
-    matrix:
-      DISTRO: fedora
-
-  name: vagrant DISTRO:$DISTRO
-
-  compute_engine_instance:
-    image_project: cirrus-images
-    image: family/docker-kvm
-    platform: linux
-    nested_virtualization: true
-    # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
-    cpu: 4
-    # Memory limit: `4GB * NCPU`
-    memory: 16G
-
-  host_info_script: |
-    uname -a
-    # -----
-    cat /etc/os-release
-    # -----
-    df -T
-    # -----
-    cat /proc/cpuinfo
-  install_libvirt_vagrant_script: |
-    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
-    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-    sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
-    apt-get update
-    apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
-    systemctl enable --now libvirtd
-    apt-get build-dep -y vagrant ruby-libvirt
-    apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
-    vagrant plugin install vagrant-libvirt
-  vagrant_cache:
-    fingerprint_script: cat Vagrantfile.$DISTRO
-    folder: /root/.vagrant.d/boxes
-  vagrant_up_script: |
-    ln -sf Vagrantfile.$DISTRO Vagrantfile
-    # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
-    vagrant up --no-tty || vagrant up --no-tty
-    mkdir -p -m 0700 /root/.ssh
-    vagrant ssh-config >> /root/.ssh/config
-  guest_info_script: |
-    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus && rpm -q container-selinux"'
-  check_config_script: |
-    ssh default /vagrant/script/check-config.sh
-  unit_tests_script: |
-    ssh default 'sudo -i make -C /vagrant localunittest'
-  integration_systemd_script: |
-    ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
-  integration_fs_script: |
-    ssh -tt default "sudo -i make -C /vagrant localintegration"
-  integration_systemd_rootless_script: |
-    ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
-  integration_fs_rootless_script: |
-    ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
-
 task:
   timeout_in: 30m
 

.github/workflows/test.yml

@@ -213,10 +213,72 @@ jobs:
     - name: unit test
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
 
+  fedora:
+    timeout-minutes: 30
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: lima-vm/lima-actions/setup@v1
+      id: lima-actions-setup
+
+    - uses: actions/cache@v4
+      with:
+        path: ~/.cache/lima
+        key: lima-${{ steps.lima-actions-setup.outputs.version }}
+
+    - name: "Start VM"
+      # --plain is set to disable file sharing, port forwarding, built-in containerd, etc. for faster start up
+      #
+      # CPUs: min(4, host CPU cores)
+      # RAM:  min(4 GiB, half of host memory)
+      # Disk: 100 GiB
+      run: limactl start --plain --name=default template://fedora
+
+    - name: "Initialize VM"
+      run: |
+        set -eux -o pipefail
+        limactl cp -r . default:/tmp/runc
+        lima sudo /tmp/runc/script/setup_host_fedora.sh
+
+    - name: "Show guest info"
+      run: |
+        set -eux -o pipefail
+        lima uname -a
+        lima systemctl --version
+        lima df -T
+        lima cat /etc/os-release
+        lima go version
+        lima sestatus
+        lima rpm -q container-selinux
+
+    - name: "Check config"
+      run: lima /tmp/runc/script/check-config.sh
+
+    # NOTE the execution environment lacks a terminal, needed for
+    # some integration tests. So we use `ssh -tt` command to fake a terminal.
+    - uses: lima-vm/lima-actions/ssh@v1
+
+    - name: "Run unit tests"
+      run: ssh -tt lima-default sudo -i make -C /tmp/runc localunittest
+
+    - name: "Run integration tests (systemd driver)"
+      run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration RUNC_USE_SYSTEMD=yes
+
+    - name: "Run integration tests (fs driver)"
+      run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
+
+    - name: "Run integration tests (systemd driver, rootless)"
+      run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
+
+    - name: "Run integration tests (fs driver, rootless)"
+      run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration
+
   all-done:
     needs:
     - test
     - cross-i386
+    - fedora
     runs-on: ubuntu-24.04
     steps:
     - run: echo "All jobs completed"

script/setup_host_fedora.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -eux -o pipefail
+DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core"
+RPMS="bats git-core glibc-static golang jq libseccomp-devel make"
+# Work around dnf mirror failures by retrying a few times.
+for i in $(seq 0 2); do
+	sleep "$i"
+	# shellcheck disable=SC2086
+	dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break
+done
+dnf clean all
+
+# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
+mount -o remount,suid /tmp
+
+# Add a user for rootless tests
+useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+
+# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
+ssh-keygen -t ecdsa -N "" -f /root/rootless.key
+# shellcheck disable=SC2174
+mkdir -m 0700 -p /home/rootless/.ssh
+cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
+cat /root/rootless.key.pub >>/home/rootless/.ssh/authorized_keys
+chown -R rootless.rootless /home/rootless
+
+# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
+mkdir -p /etc/systemd/system/user@.service.d
+cat >/etc/systemd/system/user@.service.d/delegate.conf <<EOF
+[Service]
+# default: Delegate=pids memory
+# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04).
+Delegate=yes
+EOF
+systemctl daemon-reload