Commit Graph

159 Commits

Author SHA1 Message Date
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin adedeb993a ci/gha: add Go 1.23, drop 1.21
- drop Go 1.21;
- add Go 1.23;
- for a few jobs that were using Go 1.21, switch to 1.22;

Also, bump go to 1.22 in go.mod.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin 15ec295bb1 ci/gha: bump golangci-lint to v1.59
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:25:30 -07:00
Kir Kolyshkin 309a6d91a4 ci/gha: add go-fix job
Add a CI job to ensure go fix produces no result. Quoting
`go doc cmd/fix`:

> Fix finds Go programs that use old APIs and rewrites them to use newer
> ones. After you update to a new Go release, fix helps make the
> necessary changes to your programs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-03 10:12:25 -07:00
Kir Kolyshkin a3302f2054 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin 67f6c37bc2 ci/gha: switch to ubuntu 24.04
Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep
ubuntu-20.04 to test cgroup v1 stuff.

Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
after apt install). This can be addressed separately later.

The only kludge we have to add is enable userns for runc binary being
tested (as userns is disabled by apparmor system-wide by default now,
see [1]).

[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 23:43:12 -07:00
Kir Kolyshkin b24fc9d2c4 ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 10:51:43 -07:00
Kir Kolyshkin f452f667c0 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:26:41 -07:00
Kir Kolyshkin d63018c252 ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 6bcc736122 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:25:02 -07:00
Kir Kolyshkin baba55e278 ci/actuated: re-enable CRIU tests
They were failing earlier but are working now.

This includes a fix to criu repo path assignment so it works for actuated case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Akihiro Suda 00238f5d2b CI: add actuated-arm64
See <https://actuated.dev/blog/arm-ci-cncf-ampere>.
Thanks to Alex Ellis, Ampere Computing, and Equinix.

Host information:
* CPU: aarch64 (ARMv8)
* Kernel: 5.10.201
  * Lacks ~CONFIG_CHECKPOINT_RESTORE~, CONFIG_BLK_CGROUP_IOCOST, etc.
* Cgroup: v2
* OS: Ubuntu 22.04
  * Lacks newuidmap, newgidmap, etc. (still apt-gettable)
  * sshd is not running

vmmeter is added from:
https://gist.github.com/alexellis/1f33e581c75e11e161fe613c46180771#file-metering-gha-md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-24 17:22:33 +09:00
Akihiro Suda 30dc98f577 CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:09 +09:00
Kir Kolyshkin 851e3882b7 ci/test: exclude some runc_nodmz jobs
1. Sort the list of matrix excludes in the order of matrix,
   add comments explaining why we disable some jobs.

2. Exclude some jobs:
 - runc_nodmz && go 1.20.x
 - runc_nodmz && -race

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-01 17:06:40 -07:00
Kir Kolyshkin ac31da6b80 ci/cross-i386: pin Go to 1.21.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:55:50 +11:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00
Kir Kolyshkin f944d7b653 ci/gha: fix downloading Release.key
Since today, the URL from download.opensuse.org started returning a
HTTP 302 redirect, so -L option for curl is needed to follow it.

While at it, remove apt-key as per its man page recommendation:

> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive
> name and either "gpg" or "asc" as file extension.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-19 21:12:30 -07:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
dependabot[bot] 2d0cd0b381 build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 04:50:22 +00:00
dependabot[bot] fe6f33b2c0 build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 04:21:42 +00:00
Kir Kolyshkin 17e7e230bd ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:22:23 -07:00
Kir Kolyshkin b22073c5fe ci/gha: add job timeouts
The default timeout is 360 minutes, which is way long for these jobs.
If the CI (or a test) has stuck, we'd better know about it earlier than
in 6 hours.

Set the timeouts for some [relatively] long running jobs conservatively:
 - test and release jobs usually take ~10 minutes;
 - lint job takes 1 minute (but can be a few times slower when we switch
   Go or golangci-lint version);
 - cross-386 job takes about 2 minutes;
 - the rest is seconds (and I am lazy to set timeouts everywhere).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-16 16:08:35 -07:00
Kir Kolyshkin 46d6089fb5 ci/gha: re-enable go caching
Since https://github.com/actions/setup-go/issues/368 is now fixed
(in https://github.com/actions/setup-go/releases/tag/v4.1.0), there
is no need to disable caching when using different distros.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 15:18:21 -07:00
Kir Kolyshkin 5741ea230a ci: add go 1.21, remove go 1.19
Go 1.21 is out, and go 1.19 is no longer supported.

This also fixes cirrus-ci failure.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 12:34:55 -07:00
Kir Kolyshkin 98317c16ed ci: bump golangci-lint, remove fixed exception
The exception was fixed by https://github.com/polyfloyd/go-errorlint/pull/12
which eventually made its way into golangci-lint.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-16 15:02:26 +08:00
Sebastiaan van Stijn 17b335a2ee Merge pull request #3902 from kolyshkin/skip-less
ci/gha: don't skip rootless+systemd on ubuntu 22.04
2023-06-28 15:28:08 +02:00
Kir Kolyshkin 5e53e6592a ci: bump shellcheck to 0.9.0, fix new SC2016 warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-27 08:44:21 -07:00
Kir Kolyshkin c9209fd223 ci/gha: don't skip rootless+systemd on ubuntu 22.04
We used to skip testing rootless integration tests for systemd, because
in case of cgroup v1 it does not support user delegation.

Since we added ubuntu 22.04 to the testing matrix, we can actually test
rootless+systemd there (with the proper systemd setup).

Fixes: 953e1cc485
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-13 18:01:09 -07:00
Kir Kolyshkin 5929b01989 ci/gha: add space-at-eol check, fix existing issues
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:27:27 -07:00
dependabot[bot] 2a3470456e build(deps): bump tim-actions/get-pr-commits from 1.2.0 to 1.3.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-17 05:00:09 +00:00
Kir Kolyshkin 62cc13ea1a gha: disable setup-go cache for golangci job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, and olangci/golangci-lint-action also uses caching.

These two caches clash, resulting in multiple warnings in CI logs.

The official golangci-lint-action solution is to disable caching
for setup-go job (see [1]). Do the same.

[1] https://github.com/golangci/golangci-lint-action/pull/704

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Kir Kolyshkin 083e9789b8 ci/gha: rm actions/cache from validate/deps job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, so it is no longer required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Kir Kolyshkin da5cdfed7c ci/gha: fix cross-i386
As of today, installing fails with

> libc6:i386 : Depends: libgcc-s1:i386 but it is not going to be installed

Add the package explicitly to work around that.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-15 16:19:39 -07:00
Kir Kolyshkin b32655d2bc ci/gha: rm kludges for cross-i386 job
The first kludge is not needed since the switch to Ubuntu 22.04 in
commit 953e1cc48.

The second one is not needed since Go 1.20.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-15 15:13:25 -07:00
Kir Kolyshkin 13091eeefa ci: bump bats 1.8.2 -> 1.9.0
As Fedora 38 uses bats 1.9.0, let's switch to this version in other
places.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-26 18:56:37 -07:00
Aleksa Sarai 22538f896a keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Kir Kolyshkin 953e1cc485 ci/gha: switch to or add ubuntu 22.04
For test jobs, add ubuntu 22.04 into the matrix, so we can test of both
cgroup v1 and v2.

For validate jobs, just switch to ubuntu 22.04

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-10 10:32:02 -07:00
Kir Kolyshkin 9dbb9f90b9 ci: bump bats 1.3.0 -> 1.8.2
This version is already used by Cirrus CI Fedora 37 job, but other CI
jobs are still using 1.3.0.

Bump it everywhere so we can enjoy new version features and fixes.

For one thing, I noticed that new bats is reporting error location
correctly.

We will also be able to use "run !" and "run -N" commands.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-05 15:22:23 -07:00
dependabot[bot] 1034cfa826 build(deps): bump lumaxis/shellcheck-problem-matchers from 1 to 2
Bumps [lumaxis/shellcheck-problem-matchers](https://github.com/lumaxis/shellcheck-problem-matchers) from 1 to 2.
- [Release notes](https://github.com/lumaxis/shellcheck-problem-matchers/releases)
- [Commits](https://github.com/lumaxis/shellcheck-problem-matchers/compare/v1...v2)

---
updated-dependencies:
- dependency-name: lumaxis/shellcheck-problem-matchers
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-04 17:44:14 +00:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Austin Vazquez 5ecd40b9bd Add Go 1.20, require Go 1.19, drop Go 1.18
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2023-02-02 19:56:26 +00:00
Kir Kolyshkin 3fbc5ba7ca ci: add tests/int/get-images.sh check
This is to check that tests/integration/get-images.sh is in sync
with tests/integration/bootstrap-get-images.sh.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-01-24 16:43:12 -08:00
Kir Kolyshkin 56edc41ca6 ci: bump shfmt to 3.5.1, simplify CI setup
1. Bump shfmt to v3.5.1. Release notes:
   https://github.com/mvdan/sh/releases

2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer
   necessary. Therefore, we can use shfmt to find all the files.
   Add .editorconfig to ignore vendor subdirectory.

3. Use shfmt docker image, so that we don't have to install anything
   explicitly. This greatly simplifies the shfmt CI job. Add
   localshfmt target so developers can still use a local shfmt binary
   when necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 11:08:36 -07:00
Kir Kolyshkin 6bf2c3b67e ci/gha: use v3 tag for actions/cache
This tag points to the latest v3 version (currently v3.0.11). Mainly
done to avoid cluttering git history with multiple minor v3 upgrades.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-17 10:05:17 -07:00
dependabot[bot] a04363c1b9 build(deps): bump actions/cache from 3.0.10 to 3.0.11
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.10...v3.0.11)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 04:11:15 +00:00