diff --git a/.cirrus.yml b/.cirrus.yml
new file mode 100644
index 00000000000..74b7deae4eb
--- /dev/null
+++ b/.cirrus.yml
@@ -0,0 +1,157 @@ +--- +# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS +# instances of GHA are too slow and flaky, and Linux instances of GHA do not +# support KVM. + +# NOTE Cirrus execution environments lack a terminal, needed for +# some integration tests. So we use `ssh -tt` command to fake a terminal. + +task: + timeout_in: 30m + + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + # yamllint disable rule:key-duplicates + matrix: + DISTRO: fedora34 + + name: vagrant DISTRO:$DISTRO + + compute_engine_instance: + image_project: cirrus-images + image: family/docker-kvm + platform: linux + nested_virtualization: true + # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits + cpu: 8 + # Memory limit: `4GB * NCPU` + memory: 32G + + host_info_script: | + uname -a + echo "-----" + cat /etc/os-release + echo "-----" + cat /proc/cpuinfo + echo "-----" + df -T + install_libvirt_vagrant_script: | + apt-get update + apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt + systemctl enable --now libvirtd + vagrant_cache: + fingerprint_script: uname -s ; cat Vagrantfile.$DISTRO + folder: /root/.vagrant.d + vagrant_up_script: | + ln -sf Vagrantfile.$DISTRO Vagrantfile + # Retry if it fails (download.fedoraproject.org returns 404 sometimes) + vagrant up || vagrant up + mkdir -p -m 0700 /root/.ssh + vagrant ssh-config >> /root/.ssh/config + guest_info_script: | + ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release"' + unit_tests_script: | + ssh default 'sudo -i make -C /vagrant localunittest' + integration_systemd_script: | + ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes" + integration_fs_script: | + ssh -tt default "sudo -i make -C /vagrant localintegration" + integration_systemd_rootless_script: | + if [ $DISTRO == centos7 ]; then + echo "SKIP: integration_systemd_rootless_script requires cgroup v2" + else + ssh -tt default "sudo 
-i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes" + fi + integration_fs_rootless_script: | + if [ $DISTRO == centos7 ]; then + echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs" + else + ssh -tt default "sudo -i make -C /vagrant localrootlessintegration" + fi + +task: + timeout_in: 30m + + env: + HOME: /root + CIRRUS_WORKING_DIR: /home/runc + GO_VERSION: "1.16.6" + BATS_VERSION: "v1.3.0" + # yamllint disable rule:key-duplicates + matrix: + DISTRO: centos-7 + DISTRO: centos-stream-8 + + name: ci / $DISTRO + + compute_engine_instance: + image_project: centos-cloud + image: family/$DISTRO + platform: linux + cpu: 4 + memory: 8G + + install_dependencies_script: | + yum install -y -q epel-release + case $DISTRO in + centos-7) + (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo) + # sysctl + echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf + sysctl --system + ;; + centos-stream-8) + yum install -y -q dnf-plugins-core + yum config-manager --set-enabled powertools + ;; + esac + yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu + # install Go + curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local + # install bats + cd /tmp + git clone https://github.com/bats-core/bats-core + cd bats-core + git checkout $BATS_VERSION + ./install.sh /usr/local + cd - + # Add a user for rootless tests + useradd -u2000 -m -d/home/rootless -s/bin/bash rootless + # set PATH + echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc + # Setup ssh localhost for terminal emulation (script -e did not work) + ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N "" + cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys + chmod 400 /root/.ssh/authorized_keys + ssh-keyscan localhost >> /root/.ssh/known_hosts + echo -e "Host 
localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config + sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config + systemctl restart sshd + host_info_script: | + uname -a + echo "-----" + cat /etc/os-release + echo "-----" + cat /proc/cpuinfo + echo "-----" + df -T + echo "-----" + systemctl --version + unit_tests_script: | + ssh -tt localhost "make -C /home/runc localunittest" + integration_systemd_script: | + ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes" + integration_fs_script: | + ssh -tt localhost "make -C /home/runc localintegration" + integration_systemd_rootless_script: | + echo "SKIP: integration_systemd_rootless_script requires cgroup v2" + integration_fs_rootless_script: | + case $DISTRO in + centos-7) + echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs" + ;; + centos-stream-8) + ssh -tt localhost "make -C /home/runc localrootlessintegration" + ;; + esac diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b5ddc2e1b4b..439513b8939 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,8 +1,5 @@ # NOTE Github Actions execution environments lack a terminal, needed for -# some integration tests. Two ways to get a terminal are used below: -# -# 1. script utility -- for "local" integration tests; -# 2. ssh -tt -- for Vagrant VMs (script is buggy on CentOS 7). +# some integration tests. So we use `script` command to fake a terminal. name: ci on: 
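Review bot: The `# install Go` step in the second task's `install_dependencies_script` unpacks the downloaded tarball into /usr/local as root with no integrity check, so the toolchain that builds and tests runc is whatever the URL returns at that moment. Pin a digest next to `GO_VERSION` and verify the archive before extracting, as in the excerpt below. `git checkout $BATS_VERSION` has the same weakness in a milder form because it resolves a tag, which can be moved, rather than a commit id; and the COPR `curl -O` has no `-f`, so an HTTP error body would be saved as a .repo file. The ssh config written for localhost also sets `StrictHostKeyChecking no` immediately after `ssh-keyscan` has filled known_hosts, which makes the keyscan line pointless.

```yaml
  env:
    # … unchanged: HOME, CIRRUS_WORKING_DIR, GO_VERSION, BATS_VERSION …
    # placeholder: take the digest for this GO_VERSION from the Go downloads page
    GO_SHA256: "<sha256-of-go-tarball>"

  install_dependencies_script: |
    # … unchanged: yum repositories and packages …
    # install Go
    curl -fsSLo /tmp/go.tgz "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz"
    echo "${GO_SHA256}  /tmp/go.tgz" | sha256sum -c -
    tar -C /usr/local -xzf /tmp/go.tgz
    # … unchanged: bats install, rootless user, PATH, ssh setup …
```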
@@ -73,88 +70,6 @@ jobs: if: matrix.rootless != 'rootless' run: sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration' - - # cgroup v2 unified hierarchy + very recent kernel (openat2) - fedora: - # nested virtualization is only available on macOS hosts - runs-on: macos-10.15 - timeout-minutes: 30 - # only run it if others have passed - needs: [test] - steps: - - uses: actions/checkout@v2 - - - name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.fedora34" - uses: actions/cache@v2 - with: - path: ~/.vagrant.d/boxes - key: vagrant-${{ hashFiles('Vagrantfile.fedora34') }} - - - name: prepare vagrant - run: | - ln -sf Vagrantfile.fedora34 Vagrantfile - # Retry if it fails (download.fedoraproject.org returns 404 sometimes) - vagrant up || vagrant up - vagrant ssh-config >> ~/.ssh/config - - - name: system info - run: ssh default 'sh -exc "uname -a && systemctl --version && df -T"' - - - name: unit tests - run: ssh default 'cd /vagrant && sudo make localunittest' - - - name: cgroupv2 with systemd - run: ssh -tt default "sudo make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes" - - - name: cgroupv2 with fs2 - run: ssh -tt default "sudo make -C /vagrant localintegration" - - - name: cgroupv2 with systemd (rootless) - run: ssh -tt default "sudo make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes" - - - name: cgroupv2 with fs2 (rootless) - run: ssh -tt default "sudo make -C /vagrant localrootlessintegration" - - - # kernel 3.10 (frankenized), systemd 219 - centos7: - # nested virtualization is only available on macOS hosts - runs-on: macos-10.15 - timeout-minutes: 15 - # only run it if others have passed - needs: [test] - steps: - - uses: actions/checkout@v2 - - - name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.centos7" - uses: actions/cache@v2 - with: - path: ~/.vagrant.d/boxes - key: vagrant-${{ hashFiles('Vagrantfile.centos7') }} - - - name: prepare vagrant - run: | - ln -sf Vagrantfile.centos7 
Vagrantfile - vagrant up - vagrant ssh-config >> ~/.ssh/config - - - name: system info - run: ssh default 'rpm -q centos-release kernel systemd' - - - name: unit tests - run: ssh default 'sudo -i make -C /vagrant localunittest' - - - name: integration tests (fs cgroup driver) - run: ssh -tt default "sudo -i make -C /vagrant localintegration" - - - name: integration tests (systemd cgroup driver) - run: ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=1" - - - name: rootless integration - # FIXME: rootless is skipped because of EPERM on writing cgroup.procs - if: false - run: ssh default "sudo -i make -C /vagrant localrootlessintegration" - # We need to continue support for 32-bit ARM. # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff. # We are not interested in providing official support for i386. diff --git a/Vagrantfile.centos7 b/Vagrantfile.centos7 deleted file mode 100644 index b8ae1db42ad..00000000000 --- a/Vagrantfile.centos7 +++ /dev/null 
@@ -1,52 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "centos/7" - config.vm.provider :virtualbox do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provider :libvirt do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provision "shell", inline: <<-SHELL - set -e -u -o pipefail - - # configuration - GO_VERSION="1.16.4" - BATS_VERSION="v1.3.0" - - # install yum packages - yum install -y -q epel-release - (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo) - yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu - yum clean all - - # install Go - curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local - - # install bats - git clone https://github.com/bats-core/bats-core - cd bats-core - git checkout $BATS_VERSION - ./install.sh /usr/local - cd .. - rm -rf bats-core - - # set PATH (NOTE: sudo without -i ignores this PATH) - cat >> /etc/profile.d/sh.local < /etc/sysctl.d/userns.conf - sysctl --system - - # Add a user for rootless tests - useradd -u2000 -m -d/home/rootless -s/bin/bash rootless - SHELL -end diff --git a/tests/integration/update.bats b/tests/integration/update.bats index d51e93d0d47..2004d9efc2e 100644 --- a/tests/integration/update.bats +++ b/tests/integration/update.bats @@ -537,7 +537,7 @@ EOF root_period=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us") root_runtime=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_runtime_us") # the following IFS magic sets dirs=("runc-cgroups-integration-test" "test-cgroup") - IFS='/' read -r -a dirs <<<"$REL_CGROUPS_PATH" + IFS='/' read -r -a dirs <<<"${REL_CGROUPS_PATH#/}" for ((i = 0; i < ${#dirs[@]}; i++)); do local target="$CGROUP_CPU_BASE_PATH" for ((j = 0; j <= i; j++)); do diff --git a/tests/rootless.sh b/tests/rootless.sh index bacea49d649..952a6dd8d9e 100755 --- a/tests/rootless.sh +++ b/tests/rootless.sh 
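Review bot: The comment above the changed `read` in tests/integration/update.bats still only says what `dirs` ends up as and not why the leading slash is stripped, so the `#/` will read as noise to the next editor. A line such as `# strip a leading "/" first, otherwise dirs[0] would be the empty string` above it would record the reason. Note also that `${REL_CGROUPS_PATH#/}` removes exactly one slash; if the variable can ever carry a doubled or trailing slash (not visible in this hunk), empty elements would still appear. The enclosing test starts and ends outside the hunk.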
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # Copyright (C) 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -114,6 +114,15 @@ function enable_cgroup() { # necessary, and might actually be a bug in our impl of cgroup # handling. [[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems} + # The following is required by "update rt period and runtime". + if [[ "$cg" == "cpu" ]]; then + if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" ]]; then + chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" + fi + if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" ]]; then + chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" + fi + fi done # cgroup v2 if [[ -e "$CGROUP_MOUNT/cgroup.controllers" ]]; then
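Review bot: `#!/bin/bash -x` at the top of tests/rootless.sh looks like a debugging aid left in. It enables xtrace on every run that goes through the shebang, which writes each expanded command, variable values included, into the CI log, and it has no effect when the script is started as `bash tests/rootless.sh`. If tracing is wanted, an explicit opt-in is less surprising: keep `#!/bin/bash` and add something like `[[ -n "${ROOTLESS_TRACE:-}" ]] && set -x` near the top (the variable name is only an example).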
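Review bot: The two `if [[ -e … ]]; then chown …; fi` blocks added to `enable_cgroup` differ only in the file name, so they can drift apart on the next edit. A loop keeps them together: `for f in cpu.rt_period_us cpu.rt_runtime_us; do`, then `if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/$f" ]]; then chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/$f"; fi`, then `done`. The new comment could also say that this hands the unprivileged `rootless` user write access to the real-time budget files of that cgroup and is meant for the test cgroup only. The function body starts and ends outside the hunk.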