Commit Graph

116 Commits

Author SHA1 Message Date
Kir Kolyshkin c5ca778fa8 ci: temporarily disable criu repo gpg check
This unblocks our CI, which is broken by the repo's expired signing key.

Stolen-from: https://github.com/moby/moby/pull/42935
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 12:50:17 -07:00
Kir Kolyshkin 0d297b7190 ci/gha: test criu-dev with latest go
As commits 120f74060 and a58718013 were added independently,
criu-dev go version was left at 1.16.x. Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 16aedc3130 ci/gha: remove debug info
This was supposed to be added temporarily, but slipped into the final
commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 3fd1851ce9 CI/GHA: switch to OBS criu repo
This will bring criu 3.16, which is available from OBS but not (yet?) PPA.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:21 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00
Sebastiaan van Stijn 2eaeea77c2 Merge pull request #3207 from kolyshkin/update-shfmt
ci/gha: bump shfmt to 3.3.1
2021-09-10 23:36:56 +02:00
Kir Kolyshkin 47abdceef1 ci/gha: update golangci-lint to 1.42.1
v1.42.1 was released tagged a few days ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 49137c2aa0 ci/gha: bump shfmt to 3.3.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 16:37:00 -07:00
Rodrigo Campos 347c371bf4 CI: Mark CGO warnings as errors
Treat warning as errors only in the CI. We can enforce it in the source
code (like setting CFLAGS in libcontainer/nsenter/nsenter.go), but that
can force other downstream to patch the code if thei C compiler produces
warnings. For that reason, we do it only on the CI.

Todays CGO warnings are quite hidden in the CI (only shown for the
compilation step, that is collapsed) and CI is green anyways. With this
patch, CI fails if a warning is introduced.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-31 18:08:29 +02:00
Sebastiaan van Stijn 8e6871a3b1 Merge pull request #3116 from kolyshkin/ci-add-criu-dev
ci/gha: add latest criu-dev test run
2021-08-19 09:46:52 +02:00
Mrunal Patel 9835e9c6b2 Merge pull request #3021 from kolyshkin/go-1.17beta1
ci: add go1.17
2021-08-18 13:32:05 -07:00
Kir Kolyshkin a587180136 ci: add go1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 17:49:44 -07:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Rodrigo Campos 844d6774e0 CI: Validate compilation without buildtags
Today we support the seccomp build tag only that is used by default.
However, we are not testing that compiling without any build tag works.

I found the CI didn't catch this when working on #2682, that the CI was
green but compilation without build tags was broken.

We test compilation without build tags only, compilation with the only
build tag supported is done extensively in other actions.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-16 17:44:54 +02:00
Kir Kolyshkin 120f740601 ci/gha: add latest criu-dev test run
Add testing against criu-dev branch instead of a released version
(happens to be criu v3.15 at the moment), to check how it works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 17:00:58 -07:00
Kir Kolyshkin 6215b2f33f ci/gha: drop Go 1.13
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Akihiro Suda 87bfd20fbd Evaluate Cirrus CI for Vagrant tests
ref: issue 3078

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-18 20:32:40 +09:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
dependabot[bot] 01f5dcaeb7 build(deps): bump tim-actions/get-pr-commits from 1.0.0 to 1.1.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 06:31:30 +00:00
Enrico Weigelt, metux IT consult 1b2abc89ae github: workflows: fix tiny typo
Tiny spelling fix - it's called "docker", not "dockre".

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2021-06-10 13:03:16 +02:00
Kir Kolyshkin 7ca5456299 Enable dependabot
This should enable a bot that auto-creates PRs to update dependencies.

For more info, see
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically

Once enabled, dependabot work should be seen at
https://github.com/opencontainers/runc/network/updates
(as well as new PRs).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-01 17:40:35 -07:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Mrunal Patel 5fe1e98a49 Merge pull request #2945 from kolyshkin/update-sh
ci/gha: bump shfmt and shellcheck
2021-05-14 19:14:30 -04:00
Kir Kolyshkin d519da5eb0 Dockerfile, Vagrantfile.centos7, .github: bats 1.3.0
Bump from bats 1.2.1 to 1.3.0.

Changes: https://github.com/bats-core/bats-core/releases/tag/v1.3.0

NOTE we're already using bats 1.3.0 on Fedora CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:34:54 -07:00
Kir Kolyshkin af2e03c50f ci/gha: bump shellcheck 0.7.1 -> 0.7.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:11:09 -07:00
Kir Kolyshkin 2d1bb91dca ci/gha: bump shfmt 3.2.0 -> 3.2.4
Changes: https://github.com/mvdan/sh/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:09:52 -07:00
Akihiro Suda ee4612bcdc CI: enable Go 1.13 again
Dockre/Moby still builds runc with Go 1.13, so we should still support
Go 1.13.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-30 19:15:51 +09:00
Akihiro Suda 7e7eb1c39d CI: update Fedora to 34
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-27 23:52:53 +09:00
Kir Kolyshkin d748280aa9 make release: build/include libseccomp
libseccomp is LGPL, meaning if we statically link it, we have to include
the source code of the library.

Amend "make release" to download and build libseccomp, build runc
against it, and include its sources into the release directory.

The only caveat is I found no way to stop go build from using the
stock (distro-provided) libseccomp.a, so the script checks that
the stock libseccomp.a is not available, and aborts otherwise.

While at it:
 - enable shellcheck for script/release.sh
 - remove libseccomp installation from the gha job
 - add dependecies needed for libseccomp build to the gha job

[v2: also include libseccomp .asc file]
[v3: rebase]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:43:02 -07:00
Kir Kolyshkin 3eb46d89d2 ci: make static built binary available
This uploads the results of make release step (static binary and
a source tarball) so that they are available. I am not very sure if
it's of any use, but at least one can download and play with a static
binary from any PR.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:42:34 -07:00
Kir Kolyshkin 2400e5e36e Merge pull request #2860 from kolyshkin/validate-c
fix/simplify scripts/validate-c, fix *.c formatting
2021-03-28 10:17:34 -07:00
Mrunal Patel 3505f15e35 Merge pull request #2834 from AkihiroSuda/cache-vagrant
CI: cache ~/.vagrant.d/boxes
2021-03-26 11:33:33 -07:00
Kir Kolyshkin 522bd64187 Fix checking C code formatting
Apparently, scripts/validate-c is not working in CI (or maybe
maintainers ignored the failures from it) -- current C code
gets some changes if we run indent on it.

This commit fixes this, simplifying things along the way.

 In particular:

1. Remove "validate" make target, add "cfmt" target that just runs
   indent on all *.c files in the repository (NOTE that *.h files
   are not included, as before).

   This may help a contributor to fix their code -- they just need
   to run "make cfmt" now instead of running "make validate" and
   copy-pasting the indent command and options from the hint.

2. Split GHA validate/misc into validate/release and validate/cfmt.
   The latter checks that the sources are not changed after "make cfmt".

3. Adds a few more options to indent. This was mostly motivated by
   trying to save the existing formatting, minimizing the amount of
   changes indent produces.

   The new options are:

   * -il0: sets the offset for goto labels to 0 (currently all labels
     but one are not indented -- let's keep it that way);

   * -ppi2: sets the indentation for nested preprocessor directives
     to 2 spaces (same as it is done in "SYS_memfd_create" defines);

   * -cp1: sets the indentation between #else / #endif and the
     following comment to 1 space.

4. Reformat the code using the new indent options.

5. Remove the now-unused script/{.validate,validate-c}.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:56:09 -07:00
Akihiro Suda 74299a1cfb CI: cache ~/.vagrant.d/boxes
For deflaking CI failures during `vagrant up`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-05 13:21:28 +09:00
Kir Kolyshkin e618a6d5ee curl: add --retry 5
Sometimes github gives up 5xx errors, for example:

> panic: getImages error exit status 1 (output: curl: (22) The requested URL returned error: 502
> Failed to get https://github.com/docker-library/busybox/raw/dist-i386/stable/glibc/busybox.tar.xz

This is unfortunate but temporary, and adding --retry should handle
at least some cases, improving CI stability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-04 15:37:59 -08:00
Kir Kolyshkin 1820c42547 Merge pull request #2768 from kolyshkin/unit-386
ci/gha: add i386 unit test
2021-02-25 18:23:36 -08:00
Mrunal Patel d11985a586 Merge pull request #2799 from kolyshkin/race1
Fix data races, enable testing with -race
2021-02-24 16:37:34 -08:00
Kir Kolyshkin 91f0ae1884 ci/gha: bump go 1.16-rc1 -> 1.16.x
As the final go 1.16 is released, rc1 is no longer available.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-16 12:30:05 -08:00
Kir Kolyshkin d73b4443ef ci: enable -race from matrix
Add a new test matrix dimension so all tests are run twice,
with and without race detector.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-08 16:01:14 -08:00
Kir Kolyshkin 51ec5db1f1 ci: add i386 unit test run
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-05 11:54:14 -08:00
Aleksa Sarai b4cb54c2ea merge branch 'pr-2782'
Kir Kolyshkin (2):
  ci/gha: bump golangci-lint to v1.36
  .golangci.yml: add

LGTMs: @AkihiroSuda @cyphar
Closes #2782
2021-02-05 17:46:52 +11:00
Akihiro Suda 9f1e43ea69 Merge pull request #2741 from kolyshkin/test-images 2021-02-05 15:30:43 +09:00
Kir Kolyshkin a9e99b6da3 ci/gha/fedora: retry vagrant up
download.fedoraproject.org gives HTTP 404 at times,
breaking the CI. Let's give it another chance.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-03 10:56:00 -08:00
Kir Kolyshkin 5ab0588432 ci: untangle getting test images
This simplifies and optimizes getting container images used for tests.

Currently, we have three different ways of getting images:

1. (for hello-world) the image is in this repo under tests/integration/testdata.

2. (for busybox) download it from github (the repo that is used for
   preparing official Docker image) using curl.

3. (for debian) download from Docker hub, using skopeo and umoci.

To further complicate things, we have to do this downloading in multiple
scenarios (at least 4): locally, in github CI, from Dockefile, inside a
Vagrant VM. For each scenario, we have to install skopeo and umoci, and
those two are not yet universally available for all the distros that we
use.

Yet another complication is those images are used for tests/integration
(bats-driven tests) as well as for libcontainer/integration (go tests).
The tests in libcontainer/integration rely on busybox being available
from /busybox, and the bats tests just download the images to a
temporary location during every run.

It is also hard to support CI for other architectures, because all
the machinery for preparing images is so complicated.

This commit is an attempt to simplify and optimize getting images,
mostly by getting rid of skopeo and umoci dependencies, but also
by moving the download logic into one small shell script, which
is used from all the places.

Benefits:

 - images (if not present) are only downloaded once;
 - same images are used for both kind of tests (go and bats);
 - same images are used for local and inside-docker tests
   (because source directory is mounted into container);
 - the download logic is located within 1 simple shell script.

[v2: fix eval; more doc to get-images; print URL if curl failed]
[v3: use "slim" debian, twice as small]
[v4: fix not using $image in setup_bundle]
[v5: don't remove TESTDATA from helpers.bash]
[v6: add i386 support]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-02 16:03:29 -08:00
Kir Kolyshkin dc0257926a ci/gha: bump golangci-lint to v1.36
Changes: https://github.com/golangci/golangci-lint/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-01 14:24:15 -08:00
Aleksa Sarai a4f2b2b0a8 merge branch 'pr-2769'
Kir Kolyshkin (2):
  ci: test with golang 1.16-rc1
  tests/int/spec.bats: fix for go 1.16

LGTMs: @AkihiroSuda @cyphar
Closes #2769
2021-02-01 11:05:49 +11:00
Kir Kolyshkin b1195b7667 ci: test with golang 1.16-rc1
Courtesy of https://github.com/actions/setup-go/issues/92

[v2: update from beta1 to rc1]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-28 13:14:34 -08:00
Aleksa Sarai 7a8d7162f9 seccomp: prepend -ENOSYS stub to all filters
Having -EPERM is the default was a fairly significant mistake from a
future-proofing standpoint in that it makes any new syscall return a
non-ignorable error (from glibc's point of view). We need to correct
this now because faccessat2(2) is something glibc critically needs to
have support for, but they're blocked on container runtimes because we
return -EPERM unconditionally (leading to confusion in glibc). This is
also a problem we're probably going to keep running into in the future.

Unfortunately there are several issues which stop us from having a clean
solution to this problem:

 1. libseccomp has several limitations which require us to emulate
    behaviour we want:

    a. We cannot do logic based on syscall number, meaning we cannot
       specify a "largest known syscall number";
    b. libseccomp doesn't know in which kernel version a syscall was
       added, and has no API for "minimum kernel version" so we cannot
       simply ask libseccomp to generate sane -ENOSYS rules for us.
    c. Additional seccomp rules for the same syscall are not treated as
       distinct rules -- if rules overlap, seccomp will merge them. This
       means we cannot add per-syscall -EPERM fallbacks;
    d. There is no inverse operation for SCMP_CMP_MASKED_EQ;
    e. libseccomp does not allow you to specify multiple rules for a
       single argument, making it impossible to invert OR rules for
       arguments.

 2. The runtime-spec does not have any way of specifying:

    a. The errno for the default action;
    b. The minimum kernel version or "newest syscall at time of profile
       creation"; nor
    c. Which syscalls were intentionally excluded from the allow list
       (weird syscalls that are no longer used were excluded entirely,
       but Docker et al expect those syscalls to get EPERM not ENOSYS).

 3. Certain syscalls should not return -ENOSYS (especially only for
    certain argument combinations) because this could also trigger glibc
    confusion. This means we have to return -EPERM for certain syscalls
    but not as a global default.

 4. There is not an obvious (and reasonable) upper limit to syscall
    numbers, so we cannot create a set of rules for each syscall above
    the largest syscall number in libseccomp. This means we must handle
    inverse rules as described below.

 5. Any syscall can be specified multiple times, which can make
    generation of hotfix rules much harder.

As a result, we have to work around all of these things by coming up
with a heuristic to stop the bleeding. In the future we could hopefully
improve the situation in the runtime-spec and libseccomp.

The solution applied here is to prepend a "stub" filter which returns
-ENOSYS if the requested syscall has a larger syscall number than any
syscall mentioned in the filter. The reason for this specific rule is
that syscall numbers are (roughly) allocated sequentially and thus newer
syscalls will (usually) have a larger syscall number -- thus causing our
filters to produce -ENOSYS if the filter was written before the syscall
existed.

Sadly this is not a perfect solution because syscalls can be added
out-of-order and the syscall table can contain holes for several
releases. Unfortuntely we do not have a nicer solution at the moment
because there is no library which provides information about which Linux
version a syscall was introduced in. Until that exists, this workaround
will have to be good enough.

The above behaviour only happens if the default action is a blocking
action (in other words it is not SCMP_ACT_LOG or SCMP_ACT_ALLOW). If the
default action is permissive then we don't do any patching.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-01-28 23:11:22 +11:00
Akihiro Suda 066ac1823e Merge pull request #2743 from kolyshkin/speedup-runcimage
gha: cache docker layers to speed up make runcimage
2021-01-22 13:15:40 +09:00