Commit Graph

185 Commits

Author SHA1 Message Date
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 01f30162d2 ci/gha: run on main branch
Since we have renamed our default branch, GHA CI is no longer testing
it (see https://github.com/opencontainers/runc/actions).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 11:06:25 -07:00
Kir Kolyshkin a0f8847e2a Drop go 1.16
Require go 1.17 from now on, since go 1.16 is no longer supported.
Drop go1.16 compatibility.

NOTE we also have to install go 1.18 from Vagrantfile, because
Fedora 35 comes with Go 1.16.x which can't be used.

Note the changes to go.mod and vendor are due to
https://go.dev/doc/go1.17#tools

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin 5211cc3f7e Add / switch to Go 1.18
Switch to Go 1.18 as the default Go version.

Support for Go 1.16 is removed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin fcab941e4d ci: switch to golangci-lint 1.45
For release notes, see
https://github.com/golangci/golangci-lint/releases/tag/v1.45.0

Notably, it adds support for Go 1.18.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:16:23 -07:00
Kir Kolyshkin f7637defb8 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:57:35 -08:00
Kir Kolyshkin f7d4613492 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:42:01 -08:00
dependabot[bot] a43485c92c build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 04:20:24 +00:00
Kir Kolyshkin be00ae07c3 ci: shellcheck: update to 0.8.0, fix/suppress new warnings
1. This valid warning is reported by shellcheck v0.8.0:

	In tests/integration/helpers.bash line 38:
	KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
				       ^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"

Fix this.

2. These (invalid) warnings are also reported by the new version:

	In tests/integration/events.bats line 13:
	@test "events --stats" {
	^-- SC2030 (info): Modification of status is local (to subshell caused by @bats test).

	In tests/integration/events.bats line 41:
		[ "$status" -eq 0 ]
		   ^-----^ SC2031 (info): status was modified in a subshell. That change might be lost.

Basically, this is happening because shellcheck do not really track
the call tree and/or local variables. This is a known (and reported)
deficiency, and the alternative to disabling these warnings is moving
the code around, which is worse due to more changes in git history.

So we have to silence/disable these.

3. Update shellcheck to 0.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-10 17:24:04 -08:00
dependabot[bot] 0767b782c4 build(deps): bump tim-actions/get-pr-commits from 1.1.0 to 1.2.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-31 04:15:58 +00:00
Kir Kolyshkin b5cb405629 ci: add go 1.18beta1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-15 17:20:09 -08:00
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Kir Kolyshkin 50105de1d8 Fix failure with rw bind mount of a ro fuse
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] https://github.com/containers/podman/issues/12205

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 13:09:41 -08:00
Kir Kolyshkin 712157f663 Revert "ci: temporarily disable criu repo gpg check"
This was a temporary kludge, which is no longer required.

This reverts commit c5ca778fa8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 13:27:31 -08:00
Kir Kolyshkin 12e99a0f8d Require Go >= 1.16
Go 1.15 is not supported since Go 1.17 release (16 Aug 2021), and some
packages that we use already require Go 1.16+ (notably,
github.com/cilium/ebpf v0.7.0).

Let's require Go 1.16+.

Remove Go version requirement from README when describing dependencies,
since it is no longer needed:

	$ GO=go1.15.15 make vendor
	go1.15.15 mod tidy
	go mod tidy: go.mod file indicates go 1.16, but maximum supported version is 1.15
	make: *** [Makefile:141: vendor] Error 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin 3d98676626 ci/gha: install latest stable Go version
Jobs verify/compile-buildtags and verify/deps relied on whatever Go
version is available from the Ubuntu-20.04 image, which seems to be
1.15.x).

Job test/cross-i386 was installing whatever Go version is considered to
be the default one by actions/setup-go@v2, which seems to be go 1.15.15
at the moment.

Fix all three jobs to install Go 1.x (which should translate to latest
stable Go version, i.e. 1.17.2 as of now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin c5ca778fa8 ci: temporarily disable criu repo gpg check
This unblocks our CI, which is broken by the repo's expired signing key.

Stolen-from: https://github.com/moby/moby/pull/42935
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 12:50:17 -07:00
Kir Kolyshkin 0d297b7190 ci/gha: test criu-dev with latest go
As commits 120f74060 and a58718013 were added independently,
criu-dev go version was left at 1.16.x. Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 16aedc3130 ci/gha: remove debug info
This was supposed to be added temporarily, but slipped into the final
commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 3fd1851ce9 CI/GHA: switch to OBS criu repo
This will bring criu 3.16, which is available from OBS but not (yet?) PPA.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:21 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00
Sebastiaan van Stijn 2eaeea77c2 Merge pull request #3207 from kolyshkin/update-shfmt
ci/gha: bump shfmt to 3.3.1
2021-09-10 23:36:56 +02:00
Kir Kolyshkin 47abdceef1 ci/gha: update golangci-lint to 1.42.1
v1.42.1 was released tagged a few days ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 49137c2aa0 ci/gha: bump shfmt to 3.3.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 16:37:00 -07:00
Rodrigo Campos 347c371bf4 CI: Mark CGO warnings as errors
Treat warning as errors only in the CI. We can enforce it in the source
code (like setting CFLAGS in libcontainer/nsenter/nsenter.go), but that
can force other downstream to patch the code if thei C compiler produces
warnings. For that reason, we do it only on the CI.

Todays CGO warnings are quite hidden in the CI (only shown for the
compilation step, that is collapsed) and CI is green anyways. With this
patch, CI fails if a warning is introduced.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-31 18:08:29 +02:00
Sebastiaan van Stijn 8e6871a3b1 Merge pull request #3116 from kolyshkin/ci-add-criu-dev
ci/gha: add latest criu-dev test run
2021-08-19 09:46:52 +02:00
Mrunal Patel 9835e9c6b2 Merge pull request #3021 from kolyshkin/go-1.17beta1
ci: add go1.17
2021-08-18 13:32:05 -07:00
Kir Kolyshkin a587180136 ci: add go1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 17:49:44 -07:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Rodrigo Campos 844d6774e0 CI: Validate compilation without buildtags
Today we support the seccomp build tag only that is used by default.
However, we are not testing that compiling without any build tag works.

I found the CI didn't catch this when working on #2682, that the CI was
green but compilation without build tags was broken.

We test compilation without build tags only, compilation with the only
build tag supported is done extensively in other actions.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-16 17:44:54 +02:00
Kir Kolyshkin 120f740601 ci/gha: add latest criu-dev test run
Add testing against criu-dev branch instead of a released version
(happens to be criu v3.15 at the moment), to check how it works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 17:00:58 -07:00
Kir Kolyshkin 6215b2f33f ci/gha: drop Go 1.13
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Akihiro Suda 87bfd20fbd Evaluate Cirrus CI for Vagrant tests
ref: issue 3078

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-18 20:32:40 +09:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
dependabot[bot] 01f5dcaeb7 build(deps): bump tim-actions/get-pr-commits from 1.0.0 to 1.1.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 06:31:30 +00:00
Enrico Weigelt, metux IT consult 1b2abc89ae github: workflows: fix tiny typo
Tiny spelling fix - it's called "docker", not "dockre".

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2021-06-10 13:03:16 +02:00
Kir Kolyshkin 7ca5456299 Enable dependabot
This should enable a bot that auto-creates PRs to update dependencies.

For more info, see
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically

Once enabled, dependabot work should be seen at
https://github.com/opencontainers/runc/network/updates
(as well as new PRs).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-01 17:40:35 -07:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Mrunal Patel 5fe1e98a49 Merge pull request #2945 from kolyshkin/update-sh
ci/gha: bump shfmt and shellcheck
2021-05-14 19:14:30 -04:00
Kir Kolyshkin d519da5eb0 Dockerfile, Vagrantfile.centos7, .github: bats 1.3.0
Bump from bats 1.2.1 to 1.3.0.

Changes: https://github.com/bats-core/bats-core/releases/tag/v1.3.0

NOTE we're already using bats 1.3.0 on Fedora CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:34:54 -07:00
Kir Kolyshkin af2e03c50f ci/gha: bump shellcheck 0.7.1 -> 0.7.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:11:09 -07:00
Kir Kolyshkin 2d1bb91dca ci/gha: bump shfmt 3.2.0 -> 3.2.4
Changes: https://github.com/mvdan/sh/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:09:52 -07:00
Akihiro Suda ee4612bcdc CI: enable Go 1.13 again
Dockre/Moby still builds runc with Go 1.13, so we should still support
Go 1.13.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-30 19:15:51 +09:00
Akihiro Suda 7e7eb1c39d CI: update Fedora to 34
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-27 23:52:53 +09:00
Kir Kolyshkin d748280aa9 make release: build/include libseccomp
libseccomp is LGPL, meaning if we statically link it, we have to include
the source code of the library.

Amend "make release" to download and build libseccomp, build runc
against it, and include its sources into the release directory.

The only caveat is I found no way to stop go build from using the
stock (distro-provided) libseccomp.a, so the script checks that
the stock libseccomp.a is not available, and aborts otherwise.

While at it:
 - enable shellcheck for script/release.sh
 - remove libseccomp installation from the gha job
 - add dependecies needed for libseccomp build to the gha job

[v2: also include libseccomp .asc file]
[v3: rebase]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:43:02 -07:00
Kir Kolyshkin 3eb46d89d2 ci: make static built binary available
This uploads the results of make release step (static binary and
a source tarball) so that they are available. I am not very sure if
it's of any use, but at least one can download and play with a static
binary from any PR.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:42:34 -07:00