diff --git a/.cirrus.yml b/.cirrus.yml
index e63ef51cf1a..18d4104ffd3 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -1,76 +1,10 @@ --- -# We use Cirrus for RHEL clones (native) and Fedora (in Vagrant), because -# neither is available on GHA natively, so the only option is VM. -# In GHA, nested virtualization is only supported on macOS instances, which -# are slow and flaky. +# We use Cirrus for RHEL clones because Cirrus can directly run them +# without depending on nested virtualization. # NOTE Cirrus execution environments lack a terminal, needed for # some integration tests. So we use `ssh -tt` command to fake a terminal. -task: - timeout_in: 30m - - env: - DEBIAN_FRONTEND: noninteractive - HOME: /root - # yamllint disable rule:key-duplicates - matrix: - DISTRO: fedora - - name: vagrant DISTRO:$DISTRO - - compute_engine_instance: - image_project: cirrus-images - image: family/docker-kvm - platform: linux - nested_virtualization: true - # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits - cpu: 4 - # Memory limit: `4GB * NCPU` - memory: 16G - - host_info_script: | - uname -a - # ----- - cat /etc/os-release - # ----- - df -T - # ----- - cat /proc/cpuinfo - install_libvirt_vagrant_script: | - curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list - sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list - apt-get update - apt-get install -y libvirt-daemon libvirt-daemon-system vagrant - systemctl enable --now libvirtd - apt-get build-dep -y vagrant ruby-libvirt - apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev - vagrant plugin install vagrant-libvirt - vagrant_cache: - fingerprint_script: cat Vagrantfile.$DISTRO - folder: /root/.vagrant.d/boxes - vagrant_up_script: | - ln -sf Vagrantfile.$DISTRO Vagrantfile - # Retry if it fails 
(download.fedoraproject.org returns 404 sometimes) - vagrant up --no-tty || vagrant up --no-tty - mkdir -p -m 0700 /root/.ssh - vagrant ssh-config >> /root/.ssh/config - guest_info_script: | - ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus && rpm -q container-selinux"' - check_config_script: | - ssh default /vagrant/script/check-config.sh - unit_tests_script: | - ssh default 'sudo -i make -C /vagrant localunittest' - integration_systemd_script: | - ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes" - integration_fs_script: | - ssh -tt default "sudo -i make -C /vagrant localintegration" - integration_systemd_rootless_script: | - ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes" - integration_fs_rootless_script: | - ssh -tt default "sudo -i make -C /vagrant localrootlessintegration" - task: timeout_in: 30m
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 24f7af93219..b1104d58bdf 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -217,10 +217,72 @@ jobs: - name: unit test run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest + fedora: + timeout-minutes: 30 + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + + - uses: lima-vm/lima-actions/setup@v1 + id: lima-actions-setup + + - uses: actions/cache@v4 + with: + path: ~/.cache/lima + key: lima-${{ steps.lima-actions-setup.outputs.version }} + + - name: "Start VM" + # --plain is set to disable file sharing, port forwarding, built-in containerd, etc. for faster start up + # + # CPUs: min(4, host CPU cores) + # RAM: min(4 GiB, half of host memory) + # Disk: 100 GiB + run: limactl start --plain --name=default template://fedora + + - name: "Initialize VM" + run: | + set -eux -o pipefail + limactl cp -r . default:/tmp/runc + lima sudo /tmp/runc/script/setup_host_fedora.sh + + - name: "Show guest info" + run: | + set -eux -o pipefail + lima uname -a + lima systemctl --version + lima df -T + lima cat /etc/os-release + lima go version + lima sestatus + lima rpm -q container-selinux + + - name: "Check config" + run: lima /tmp/runc/script/check-config.sh + + # NOTE the execution environment lacks a terminal, needed for + # some integration tests. So we use `ssh -tt` command to fake a terminal. 
+ - uses: lima-vm/lima-actions/ssh@v1 + + - name: "Run unit tests" + run: ssh -tt lima-default sudo -i make -C /tmp/runc localunittest + + - name: "Run integration tests (systemd driver)" + run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration RUNC_USE_SYSTEMD=yes + + - name: "Run integration tests (fs driver)" + run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration + + - name: "Run integration tests (systemd driver, rootless)" + run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes + + - name: "Run integration tests (fs driver, rootless)" + run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration + all-done: needs: - test - cross-i386 + - fedora runs-on: ubuntu-24.04 steps: - run: echo "All jobs completed"
diff --git a/Vagrantfile.fedora b/Vagrantfile.fedora
deleted file mode 100644
index f0099721521..00000000000
--- a/Vagrantfile.fedora
+++ /dev/null
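Review bot: The `- uses: lima-vm/lima-actions/setup@v1` and `- uses: lima-vm/lima-actions/ssh@v1` steps in the new `fedora` job reference a third-party action by a floating major tag, so whatever that tag is moved to later runs inside this job with the checkout and the job's token; pinning each to a full-length commit SHA with the tag kept as a comment, `- uses: lima-vm/lima-actions/setup@<full-commit-sha>  # v1`, makes the step reproducible and reviewable while Dependabot can still propose bumps. The first-party `actions/checkout@v4` and `actions/cache@v4` carry less risk but are usually pinned the same way for consistency. Separately, nothing in the job fixes the Fedora release that `template://fedora` resolves to, whereas the deleted Vagrantfile.fedora pinned `fedora-41` and its box URL, so the release under test presumably follows whichever lima version the setup step installs; if that drift is intended, a comment on the `limactl start` line saying so would help, otherwise pin the lima version in the setup step or point `limactl start` at an explicit template.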
@@ -1,53 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "fedora-41" - # For URL, check https://www.fedoraproject.org/cloud/download - config.vm.box_url = "https://download.fedoraproject.org/pub/fedora/linux/releases/41/Cloud/x86_64/images/Fedora-Cloud-Base-Vagrant-libvirt-41-1.4.x86_64.vagrant.libvirt.box" - config.vm.provider :virtualbox do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provider :libvirt do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provision "shell", inline: <<-SHELL - set -e -u -o pipefail - DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core" - RPMS="bats git-core glibc-static golang jq libseccomp-devel make" - # Work around dnf mirror failures by retrying a few times. - for i in $(seq 0 2); do - sleep $i - dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break - done - dnf clean all - - # To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp. - mount -o remount,suid /tmp - - # Prevent the "fatal: unsafe repository" git complain during build. - git config --global --add safe.directory /vagrant - - # Add a user for rootless tests - useradd -u2000 -m -d/home/rootless -s/bin/bash rootless - - # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh - ssh-keygen -t ecdsa -N "" -f /root/rootless.key - mkdir -m 0700 -p /home/rootless/.ssh - cp /root/rootless.key /home/rootless/.ssh/id_ecdsa - cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys - chown -R rootless.rootless /home/rootless - - # Delegate cgroup v2 controllers to rootless user via --systemd-cgroup - mkdir -p /etc/systemd/system/user@.service.d - cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF -[Service] -# default: Delegate=pids memory -# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04). 
-Delegate=yes
-EOF
- systemctl daemon-reload
- SHELL
-end
diff --git a/script/setup_host_fedora.sh b/script/setup_host_fedora.sh
new file mode 100755
index 00000000000..c5744324d05
--- /dev/null
+++ b/script/setup_host_fedora.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -eux -o pipefail
+DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core"
+RPMS="bats git-core glibc-static golang jq libseccomp-devel make"
+# Work around dnf mirror failures by retrying a few times.
+for i in $(seq 0 2); do
+ sleep "$i"
+ # shellcheck disable=SC2086
+ dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break
+done
+dnf clean all
+
+# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
+mount -o remount,suid /tmp
+
+# Add a user for rootless tests
+useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+
+# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
+ssh-keygen -t ecdsa -N "" -f /root/rootless.key
+# shellcheck disable=SC2174
+mkdir -m 0700 -p /home/rootless/.ssh
+cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
+cat /root/rootless.key.pub >>/home/rootless/.ssh/authorized_keys
+chown -R rootless.rootless /home/rootless
+
+# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
+mkdir -p /etc/systemd/system/user@.service.d
+cat >/etc/systemd/system/user@.service.d/delegate.conf <= 244 (Fedora >= 32, Ubuntu >= 20.04).
+Delegate=yes
+EOF
+systemctl daemon-reload
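Review bot: The deleted Vagrantfile.fedora ran `git config --global --add safe.directory /vagrant` before the tests, but this script has no equivalent for `/tmp/runc`, which the workflow copies in with `limactl cp -r .` and then builds as root via `sudo -i make`; if the copied tree ends up owned by the unprivileged lima user rather than root, any git call during the build could fail with git's "dubious ownership" error, so either add `git config --global --add safe.directory /tmp/runc` next to the other host setup or leave a comment explaining why it is no longer needed. Also `chown -R rootless.rootless /home/rootless` uses the deprecated dot separator between user and group; `chown -R rootless:rootless /home/rootless` is the portable form. A one-line header comment under the shebang stating that the script is meant to run as root inside the disposable Fedora test VM — it remounts `/tmp`, adds a user and writes a systemd drop-in — would save a reader from running it on a workstation.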