zishuo/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-09-27 03:46:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

CI: migrate Vagrant + Cirrus to Lima + GHA

Browse Source 
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 135552e5e4)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda
2025-03-06 16:02:35 +09:00
parent c5a654e4e6
commit ffbb1dd913
4 changed files with 99 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
.cirrus.yml
View File

@@ -1,76 +1,10 @@
--- ---
# We use Cirrus for RHEL clones (native) and Fedora (in Vagrant), because # We use Cirrus for RHEL clones because Cirrus can directly run them
# neither is available on GHA natively, so the only option is VM. # without depending on nested virtualization.
# In GHA, nested virtualization is only supported on macOS instances, which
# are slow and flaky.
# NOTE Cirrus execution environments lack a terminal, needed for # NOTE Cirrus execution environments lack a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal. # some integration tests. So we use `ssh -tt` command to fake a terminal.
task:
timeout_in: 30m
env:
DEBIAN_FRONTEND: noninteractive
HOME: /root
# yamllint disable rule:key-duplicates
matrix:
DISTRO: fedora
name: vagrant DISTRO:$DISTRO
compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
nested_virtualization: true
# CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
cpu: 4
# Memory limit: `4GB * NCPU`
memory: 16G
host_info_script: |
uname -a
# -----
cat /etc/os-release
# -----
df -T
# -----
cat /proc/cpuinfo
install_libvirt_vagrant_script: |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
apt-get update
apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
systemctl enable --now libvirtd
apt-get build-dep -y vagrant ruby-libvirt
apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
vagrant plugin install vagrant-libvirt
vagrant_cache:
fingerprint_script: cat Vagrantfile.$DISTRO
folder: /root/.vagrant.d/boxes
vagrant_up_script: |
ln -sf Vagrantfile.$DISTRO Vagrantfile
# Retry if it fails (download.fedoraproject.org returns 404 sometimes)
vagrant up --no-tty || vagrant up --no-tty
mkdir -p -m 0700 /root/.ssh
vagrant ssh-config >> /root/.ssh/config
guest_info_script: |
ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus && rpm -q container-selinux"'
check_config_script: |
ssh default /vagrant/script/check-config.sh
unit_tests_script: |
ssh default 'sudo -i make -C /vagrant localunittest'
integration_systemd_script: |
ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
integration_fs_script: |
ssh -tt default "sudo -i make -C /vagrant localintegration"
integration_systemd_rootless_script: |
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
integration_fs_rootless_script: |
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
task: task:
timeout_in: 30m timeout_in: 30m

62
.github/workflows/test.yml vendored
View File

@@ -213,10 +213,72 @@ jobs:
- name: unit test - name: unit test
run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
fedora:
timeout-minutes: 30
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: lima-vm/lima-actions/setup@v1
id: lima-actions-setup
- uses: actions/cache@v4
with:
path: ~/.cache/lima
key: lima-${{ steps.lima-actions-setup.outputs.version }}
- name: "Start VM"
# --plain is set to disable file sharing, port forwarding, built-in containerd, etc. for faster start up
#
# CPUs: min(4, host CPU cores)
# RAM: min(4 GiB, half of host memory)
# Disk: 100 GiB
run: limactl start --plain --name=default template://fedora
- name: "Initialize VM"
run: |
set -eux -o pipefail
limactl cp -r . default:/tmp/runc
lima sudo /tmp/runc/script/setup_host_fedora.sh
- name: "Show guest info"
run: |
set -eux -o pipefail
lima uname -a
lima systemctl --version
lima df -T
lima cat /etc/os-release
lima go version
lima sestatus
lima rpm -q container-selinux
- name: "Check config"
run: lima /tmp/runc/script/check-config.sh
# NOTE the execution environment lacks a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.
- uses: lima-vm/lima-actions/ssh@v1
- name: "Run unit tests"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localunittest
- name: "Run integration tests (systemd driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
- name: "Run integration tests (systemd driver, rootless)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver, rootless)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration
all-done: all-done:
needs: needs:
- test - test
- cross-i386 - cross-i386
- fedora
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- run: echo "All jobs completed" - run: echo "All jobs completed"

53
Vagrantfile.fedora
View File

@@ -1,53 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "fedora-41"
# For URL, check https://www.fedoraproject.org/cloud/download
config.vm.box_url = "https://download.fedoraproject.org/pub/fedora/linux/releases/41/Cloud/x86_64/images/Fedora-Cloud-Base-Vagrant-libvirt-41-1.4.x86_64.vagrant.libvirt.box"
config.vm.provider :virtualbox do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provider :libvirt do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provision "shell", inline: <<-SHELL
set -e -u -o pipefail
DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core"
RPMS="bats git-core glibc-static golang jq libseccomp-devel make"
# Work around dnf mirror failures by retrying a few times.
for i in $(seq 0 2); do
sleep $i
dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break
done
dnf clean all
# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
mount -o remount,suid /tmp
# Prevent the "fatal: unsafe repository" git complain during build.
git config --global --add safe.directory /vagrant
# Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
mkdir -m 0700 -p /home/rootless/.ssh
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
chown -R rootless.rootless /home/rootless
# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
mkdir -p /etc/systemd/system/user@.service.d
cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
# default: Delegate=pids memory
# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04).
Delegate=yes
EOF
systemctl daemon-reload
SHELL
end

35
script/setup_host_fedora.sh Executable file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
set -eux -o pipefail
DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core"
RPMS="bats git-core glibc-static golang jq libseccomp-devel make"
# Work around dnf mirror failures by retrying a few times.
for i in $(seq 0 2); do
sleep "$i"
# shellcheck disable=SC2086
dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break
done
dnf clean all
# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
mount -o remount,suid /tmp
# Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
# shellcheck disable=SC2174
mkdir -m 0700 -p /home/rootless/.ssh
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
cat /root/rootless.key.pub >>/home/rootless/.ssh/authorized_keys
chown -R rootless.rootless /home/rootless
# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
mkdir -p /etc/systemd/system/user@.service.d
cat >/etc/systemd/system/user@.service.d/delegate.conf <<EOF
[Service]
# default: Delegate=pids memory
# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04).
Delegate=yes
EOF
systemctl daemon-reload