Commit Graph

38 Commits

Author SHA1 Message Date
Kir Kolyshkin e6a8287c1f ci: shellcheck: update to 0.8.0, fix/suppress new warnings
1. This valid warning is reported by shellcheck v0.8.0:

	In tests/integration/helpers.bash line 38:
	KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
				       ^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"

Fix this.

2. These (invalid) warnings are also reported by the new version:

	In tests/integration/events.bats line 13:
	@test "events --stats" {
	^-- SC2030 (info): Modification of status is local (to subshell caused by @bats test).

	In tests/integration/events.bats line 41:
		[ "$status" -eq 0 ]
		   ^-----^ SC2031 (info): status was modified in a subshell. That change might be lost.

Basically, this is happening because shellcheck do not really track
the call tree and/or local variables. This is a known (and reported)
deficiency, and the alternative to disabling these warnings is moving
the code around, which is worse due to more changes in git history.

So we have to silence/disable these.

3. Update shellcheck to 0.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit be00ae07c3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-27 11:30:24 -07:00
Kir Kolyshkin 91fa032da4 ci: add basic checks for CHANGELOG.md
Perform some basic checks for CHANGELOG.md.

In particular, check for
 - missing periods;
 - extra spaces at EOL;
 - non-ASCII characters.

Fix the issues found.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-08 11:46:47 -07:00
Kir Kolyshkin 3a09da6b5a ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:50:47 -07:00
Kir Kolyshkin bf1cd884d9 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7637defb8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
Kir Kolyshkin 1feafc31f8 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f7d4613492)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:46:59 -07:00
dependabot[bot] eeac4e7721 build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a43485c92c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 16:35:41 -07:00
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Kir Kolyshkin 3d98676626 ci/gha: install latest stable Go version
Jobs verify/compile-buildtags and verify/deps relied on whatever Go
version is available from the Ubuntu-20.04 image, which seems to be
1.15.x).

Job test/cross-i386 was installing whatever Go version is considered to
be the default one by actions/setup-go@v2, which seems to be go 1.15.15
at the moment.

Fix all three jobs to install Go 1.x (which should translate to latest
stable Go version, i.e. 1.17.2 as of now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00
Sebastiaan van Stijn 2eaeea77c2 Merge pull request #3207 from kolyshkin/update-shfmt
ci/gha: bump shfmt to 3.3.1
2021-09-10 23:36:56 +02:00
Kir Kolyshkin 47abdceef1 ci/gha: update golangci-lint to 1.42.1
v1.42.1 was released tagged a few days ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 49137c2aa0 ci/gha: bump shfmt to 3.3.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 16:37:00 -07:00
Rodrigo Campos 347c371bf4 CI: Mark CGO warnings as errors
Treat warning as errors only in the CI. We can enforce it in the source
code (like setting CFLAGS in libcontainer/nsenter/nsenter.go), but that
can force other downstream to patch the code if thei C compiler produces
warnings. For that reason, we do it only on the CI.

Todays CGO warnings are quite hidden in the CI (only shown for the
compilation step, that is collapsed) and CI is green anyways. With this
patch, CI fails if a warning is introduced.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-31 18:08:29 +02:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Rodrigo Campos 844d6774e0 CI: Validate compilation without buildtags
Today we support the seccomp build tag only that is used by default.
However, we are not testing that compiling without any build tag works.

I found the CI didn't catch this when working on #2682, that the CI was
green but compilation without build tags was broken.

We test compilation without build tags only, compilation with the only
build tag supported is done extensively in other actions.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-16 17:44:54 +02:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
dependabot[bot] 01f5dcaeb7 build(deps): bump tim-actions/get-pr-commits from 1.0.0 to 1.1.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 06:31:30 +00:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Kir Kolyshkin af2e03c50f ci/gha: bump shellcheck 0.7.1 -> 0.7.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:11:09 -07:00
Kir Kolyshkin 2d1bb91dca ci/gha: bump shfmt 3.2.0 -> 3.2.4
Changes: https://github.com/mvdan/sh/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:09:52 -07:00
Kir Kolyshkin d748280aa9 make release: build/include libseccomp
libseccomp is LGPL, meaning if we statically link it, we have to include
the source code of the library.

Amend "make release" to download and build libseccomp, build runc
against it, and include its sources into the release directory.

The only caveat is I found no way to stop go build from using the
stock (distro-provided) libseccomp.a, so the script checks that
the stock libseccomp.a is not available, and aborts otherwise.

While at it:
 - enable shellcheck for script/release.sh
 - remove libseccomp installation from the gha job
 - add dependecies needed for libseccomp build to the gha job

[v2: also include libseccomp .asc file]
[v3: rebase]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:43:02 -07:00
Kir Kolyshkin 3eb46d89d2 ci: make static built binary available
This uploads the results of make release step (static binary and
a source tarball) so that they are available. I am not very sure if
it's of any use, but at least one can download and play with a static
binary from any PR.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:42:34 -07:00
Kir Kolyshkin 522bd64187 Fix checking C code formatting
Apparently, scripts/validate-c is not working in CI (or maybe
maintainers ignored the failures from it) -- current C code
gets some changes if we run indent on it.

This commit fixes this, simplifying things along the way.

 In particular:

1. Remove "validate" make target, add "cfmt" target that just runs
   indent on all *.c files in the repository (NOTE that *.h files
   are not included, as before).

   This may help a contributor to fix their code -- they just need
   to run "make cfmt" now instead of running "make validate" and
   copy-pasting the indent command and options from the hint.

2. Split GHA validate/misc into validate/release and validate/cfmt.
   The latter checks that the sources are not changed after "make cfmt".

3. Adds a few more options to indent. This was mostly motivated by
   trying to save the existing formatting, minimizing the amount of
   changes indent produces.

   The new options are:

   * -il0: sets the offset for goto labels to 0 (currently all labels
     but one are not indented -- let's keep it that way);

   * -ppi2: sets the indentation for nested preprocessor directives
     to 2 spaces (same as it is done in "SYS_memfd_create" defines);

   * -cp1: sets the indentation between #else / #endif and the
     following comment to 1 space.

4. Reformat the code using the new indent options.

5. Remove the now-unused script/{.validate,validate-c}.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:56:09 -07:00
Kir Kolyshkin e618a6d5ee curl: add --retry 5
Sometimes github gives up 5xx errors, for example:

> panic: getImages error exit status 1 (output: curl: (22) The requested URL returned error: 502
> Failed to get https://github.com/docker-library/busybox/raw/dist-i386/stable/glibc/busybox.tar.xz

This is unfortunate but temporary, and adding --retry should handle
at least some cases, improving CI stability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-04 15:37:59 -08:00
Kir Kolyshkin dc0257926a ci/gha: bump golangci-lint to v1.36
Changes: https://github.com/golangci/golangci-lint/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-01 14:24:15 -08:00
Aleksa Sarai 7a8d7162f9 seccomp: prepend -ENOSYS stub to all filters
Having -EPERM is the default was a fairly significant mistake from a
future-proofing standpoint in that it makes any new syscall return a
non-ignorable error (from glibc's point of view). We need to correct
this now because faccessat2(2) is something glibc critically needs to
have support for, but they're blocked on container runtimes because we
return -EPERM unconditionally (leading to confusion in glibc). This is
also a problem we're probably going to keep running into in the future.

Unfortunately there are several issues which stop us from having a clean
solution to this problem:

 1. libseccomp has several limitations which require us to emulate
    behaviour we want:

    a. We cannot do logic based on syscall number, meaning we cannot
       specify a "largest known syscall number";
    b. libseccomp doesn't know in which kernel version a syscall was
       added, and has no API for "minimum kernel version" so we cannot
       simply ask libseccomp to generate sane -ENOSYS rules for us.
    c. Additional seccomp rules for the same syscall are not treated as
       distinct rules -- if rules overlap, seccomp will merge them. This
       means we cannot add per-syscall -EPERM fallbacks;
    d. There is no inverse operation for SCMP_CMP_MASKED_EQ;
    e. libseccomp does not allow you to specify multiple rules for a
       single argument, making it impossible to invert OR rules for
       arguments.

 2. The runtime-spec does not have any way of specifying:

    a. The errno for the default action;
    b. The minimum kernel version or "newest syscall at time of profile
       creation"; nor
    c. Which syscalls were intentionally excluded from the allow list
       (weird syscalls that are no longer used were excluded entirely,
       but Docker et al expect those syscalls to get EPERM not ENOSYS).

 3. Certain syscalls should not return -ENOSYS (especially only for
    certain argument combinations) because this could also trigger glibc
    confusion. This means we have to return -EPERM for certain syscalls
    but not as a global default.

 4. There is not an obvious (and reasonable) upper limit to syscall
    numbers, so we cannot create a set of rules for each syscall above
    the largest syscall number in libseccomp. This means we must handle
    inverse rules as described below.

 5. Any syscall can be specified multiple times, which can make
    generation of hotfix rules much harder.

As a result, we have to work around all of these things by coming up
with a heuristic to stop the bleeding. In the future we could hopefully
improve the situation in the runtime-spec and libseccomp.

The solution applied here is to prepend a "stub" filter which returns
-ENOSYS if the requested syscall has a larger syscall number than any
syscall mentioned in the filter. The reason for this specific rule is
that syscall numbers are (roughly) allocated sequentially and thus newer
syscalls will (usually) have a larger syscall number -- thus causing our
filters to produce -ENOSYS if the filter was written before the syscall
existed.

Sadly this is not a perfect solution because syscalls can be added
out-of-order and the syscall table can contain holes for several
releases. Unfortuntely we do not have a nicer solution at the moment
because there is no library which provides information about which Linux
version a syscall was introduced in. Until that exists, this workaround
will have to be good enough.

The above behaviour only happens if the default action is a blocking
action (in other words it is not SCMP_ACT_LOG or SCMP_ACT_ALLOW). If the
default action is permissive then we don't do any patching.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-01-28 23:11:22 +11:00
Akihiro Suda 066ac1823e Merge pull request #2743 from kolyshkin/speedup-runcimage
gha: cache docker layers to speed up make runcimage
2021-01-22 13:15:40 +09:00
Kir Kolyshkin 1f4a3b1e9f gha: don't check commits on push
This check (for commit subject being short) only make sense for pull
requests, and it fails on pushes to master (i.e. on merges).

Make sure it's only run for pull requests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-15 14:31:10 -08:00
Kir Kolyshkin 4a30ada494 gha: cache docker layers to speed up make runcimage
It currently takes close to 2 minutes to build docker image
(which is currently only used for cross compilation).

Let's see if caching docker layers will help.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-15 12:39:31 -08:00
Kir Kolyshkin e431fe60f8 ci: move misc validate tasks from travis to gha
Note that `make ci` in Travis included `make test`, but we're already
doing that elsewhere (see .github/workflows/test.yml).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-05 21:01:32 -08:00
Kir Kolyshkin 7ecba232e9 ci: move cross compile check from travis to gha
In here we have to use Docker, as Ubuntu does not support
all the architectures we're compile-testing here.

Since this is the only step that is using Docker,
there is no sense to separate `make runcimage` from
the rest of it. In case we'll have to use Docker image
more, it will make sense to do so.

While at it, ditch script/tmpmount (added by commit 1735ad788f),
because
 - it required root (because mount);
 - it is probably no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-05 20:45:28 -08:00
Kir Kolyshkin 8ccd39a91b ci: move commit length check from travis to gha
Using https://github.com/tim-actions/commit-message-checker-with-regex

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-05 20:44:55 -08:00
Kir Kolyshkin 5d1b0268dd .github/workflows/validate: nits
1. Use ubuntu-20.04 instead of ubuntu-latest to fix warnings like

> Ubuntu-latest workflows will use Ubuntu-20.04 soon. For more details,
> see https://github.com/actions/virtual-environments/issues/1816

2. Minor formatting fixes, remove redundant name: etc.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-12-01 17:24:18 -08:00
Kir Kolyshkin c6ed18542d ci: add shellcheck to github actions
Note that

1. No golang caching is required, since we do not build any go code,
   and it does not look like it make sense to cache a single binary
   we donwload from github.

2. Use a problem matcher, so the PRs will be annotated with
   shellcheck warnings.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-20 10:35:56 -08:00
Kir Kolyshkin 33bda24ac3 ci: move verify-deps from travis to github actions
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-20 10:35:56 -08:00
Kir Kolyshkin c60f23b335 ci: add shfmt to github actions
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-20 10:35:56 -08:00
Kir Kolyshkin 717a73b397 ci: renamed golangci-lint to validate
...so we can add more validation-type jobs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-11-20 10:35:56 -08:00