From 3d77fe5a41818127a652b93c60f0b90d8c65d780 Mon Sep 17 00:00:00 2001
From: apostasie
Date: Thu, 5 Dec 2024 13:53:28 -0800
Subject: [PATCH] Custom busybox and registry windows images

Signed-off-by: apostasie
---
 .github/workflows/common.yml | 33 ++
 .../ghcr-image-build-and-publish.yml | 69 ----
 .github/workflows/lint.yml | 78 ----
 .github/workflows/project.yml | 31 --
 .github/workflows/release.yml | 43 --
 .github/workflows/test-canary.yml | 99 -----
 .github/workflows/test-images-build.yml | 236 +++++++++++
 .github/workflows/test-kube.yml | 27 --
 .github/workflows/test.yml | 369 ------------------
 9 files changed, 269 insertions(+), 716 deletions(-)
 create mode 100644 .github/workflows/common.yml
 delete mode 100644 .github/workflows/ghcr-image-build-and-publish.yml
 delete mode 100644 .github/workflows/lint.yml
 delete mode 100644 .github/workflows/project.yml
 delete mode 100644 .github/workflows/release.yml
 delete mode 100644 .github/workflows/test-canary.yml
 create mode 100644 .github/workflows/test-images-build.yml
 delete mode 100644 .github/workflows/test-kube.yml
diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml
new file mode 100644
index 00000000000..ca1254c2d0f
--- /dev/null
+++ b/.github/workflows/common.yml
@@ -0,0 +1,33 @@
+name: common
+
+on:
+  workflow_call:
+    inputs:
+      config-path:
+        required: true
+        type: string
+    outputs:
+      GO_VERSION:
+        description: "The first output string"
+        value: ${{ jobs.environment.outputs.output_go }}
+      REGISTRY_SERVER:
+        description: "The second output string"
+        value: ${{ jobs.environment.outputs.output_registry }}
+jobs:
+  environment:
+    env:
+      GO_VERSION: 1.23.x
+      REGISTRY_SERVER: ghcr.io
+      BUSYBOX_VERSION: 5ad83957fa74aafd061afbfb8da14ce3220659a9
+      REGISTRY_VERSION: v2.8.3
+      CURL_VERSION: 8.11.0_4
+    runs-on: ubuntu-24.04
+    steps:
+      - id: go
+        run: echo "GO_VERSION=$GO_VERSION" >> $GITHUB_OUTPUT
+      - id: registry
+        run: echo "REGISTRY_SERVER=$REGISTRY_SERVER" >> $GITHUB_OUTPUT
+    outputs:
+      output_go: ${{ steps.go.outputs.GO_VERSION }}
+      output_registry: ${{ steps.registry.outputs.REGISTRY_SERVER }}
+
diff --git a/.github/workflows/ghcr-image-build-and-publish.yml b/.github/workflows/ghcr-image-build-and-publish.yml
deleted file mode 100644
index e0b812946a8..00000000000
--- a/.github/workflows/ghcr-image-build-and-publish.yml
+++ /dev/null
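Review bot: The `config-path` input is declared `required: true` but nothing in this workflow reads `inputs.config-path`, so every caller is forced to pass a dummy value (the caller in test-images-build.yml passes `"foopath"`); either drop the `inputs:` block or make it `required: false` until it is consumed. The two output descriptions are copied placeholders; something like `description: "Go toolchain version shared by all jobs"` and `description: "Registry host used for test images"` would tell the caller what they are for. `BUSYBOX_VERSION`, `REGISTRY_VERSION` and `CURL_VERSION` are set in the job `env` but never exported as outputs, so the caller has to re-declare the same pinned values in its own `env:` and the two copies can silently drift. Quoting `"$GITHUB_OUTPUT"` in both `run:` lines is the usual shell hygiene here.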
@@ -1,69 +0,0 @@ -name: image - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -on: - push: - branches: [main] - # Publish semver tags as releases. - tags: ['v*.*.*'] - pull_request: - branches: [main] - paths-ignore: - - '**.md' - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - -jobs: - build: - - runs-on: ubuntu-24.04 - permissions: - contents: read - packages: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4.2.2 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v3.3.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5.6.1 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - uses: docker/build-push-action@v6.10.0 - with: - context: . - platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index 433922ed207..00000000000 --- a/.github/workflows/lint.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -name: lint - -on: - push: - branches: - - main - - 'release/**' - pull_request: - -env: - GO_VERSION: 1.23.x - -jobs: - go: - timeout-minutes: 5 - name: "go | ${{ matrix.goos }} | ${{ matrix.canary }}" - runs-on: "${{ matrix.os }}" - defaults: - run: - shell: bash - strategy: - matrix: - include: - - os: ubuntu-24.04 - goos: linux - - os: ubuntu-24.04 - goos: freebsd - # FIXME: this is currently failing in a non-sensical way, so, running on linux instead... - # - os: windows-2022 - - os: ubuntu-24.04 - goos: windows - - os: ubuntu-24.04 - goos: linux - # This allows the canary script to select any upcoming golang alpha/beta/RC - canary: go-canary - env: - GOOS: "${{ matrix.goos }}" - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: Set GO env - run: | - # If canary is specified, get the latest available golang pre-release instead of the major version - if [ "$canary" != "" ]; then - . ./hack/build-integration-canary.sh - canary::golang::latest - fi - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - check-latest: true - cache: true - - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - args: --verbose - other: - timeout-minutes: 5 - name: yaml | shell | imports order - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - check-latest: true - cache: true - - name: yaml - run: make lint-yaml - - name: shell - run: make lint-shell - - name: go imports ordering - run: | - go install -v github.com/incu6us/goimports-reviser/v3@latest - make lint-imports diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml deleted file mode 100644 index ebeef72caec..00000000000 --- a/.github/workflows/project.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: project - -on: - push: - branches: - - main - - 'release/**' - pull_request: - -jobs: - project: - name: checks - runs-on: ubuntu-24.04 - timeout-minutes: 20 - steps: - - uses: actions/checkout@v4.2.2 - with: - path: src/github.com/containerd/nerdctl - fetch-depth: 100 - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - cache-dependency-path: src/github.com/containerd/nerdctl - - uses: containerd/project-checks@v1.1.0 - with: - working-directory: src/github.com/containerd/nerdctl - repo-access-token: ${{ secrets.GITHUB_TOKEN }} - - run: ./hack/verify-no-patent.sh - working-directory: src/github.com/containerd/nerdctl - - run: ./hack/verify-pkg-isolation.sh - working-directory: src/github.com/containerd/nerdctl diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 4043288037c..00000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -# See https://github.com/containerd/nerdctl/blob/main/MAINTAINERS_GUIDE.md for how to make a release. -name: Release -on: - push: - tags: - - 'v*' - - 'test-action-release-*' -jobs: - release: - runs-on: ubuntu-24.04 - timeout-minutes: 40 - steps: - - uses: actions/checkout@v4.2.2 - - uses: actions/setup-go@v5 - with: - go-version: 1.23.x - - name: "Compile binaries" - run: make artifacts - - name: "SHA256SUMS" - run: | - ( cd _output; sha256sum nerdctl-* ) | tee /tmp/SHA256SUMS - mv /tmp/SHA256SUMS _output/SHA256SUMS - - name: "The sha256sum of the SHA256SUMS file" - run: (cd _output; sha256sum SHA256SUMS) - - name: "Prepare the release note" - run: | - shasha=$(sha256sum _output/SHA256SUMS | awk '{print $1}') - cat <<-EOF | tee /tmp/release-note.txt - $(hack/generate-release-note.sh) - - - - - The binaries were built automatically on GitHub Actions. - The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - - The sha256sum of the SHA256SUMS file itself is \`${shasha}\` . - - - - - Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE]) - EOF - - name: "Create release" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - tag="${GITHUB_REF##*/}" - gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" _output/* diff --git a/.github/workflows/test-canary.yml b/.github/workflows/test-canary.yml deleted file mode 100644 index 152097cd0fc..00000000000 --- a/.github/workflows/test-canary.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -# This pipeline purpose is solely meant to run a subset of our test suites against upcoming or unreleased dependencies versions -name: canary - -on: - push: - branches: - - main - - 'release/**' - pull_request: - paths-ignore: - - '**.md' - -env: - UBUNTU_VERSION: "24.04" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - -jobs: - linux: - runs-on: "ubuntu-24.04" - timeout-minutes: 40 - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: "Prepare integration test environment" - run: | - . ./hack/build-integration-canary.sh - canary::build::integration - - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)" - run: | - sudo systemctl disable --now snapd.service snapd.socket - sudo apt-get purge -y snapd - sudo losetup -Dv - sudo losetup -lv - - name: "Register QEMU (tonistiigi/binfmt)" - run: | - # `--install all` will only install emulation for architectures that cannot be natively executed - # Since some arm64 platforms do provide native fallback execution for 32 bits, - # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`. - # To avoid that, we explicitly list the architectures we do want emulation for. - docker run --privileged --rm tonistiigi/binfmt --install linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7 - - name: "Run unit tests" - run: go test -v ./pkg/... 
- - name: "Run integration tests" - run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false - - name: "Run integration tests (flaky)" - run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true - - windows: - timeout-minutes: 30 - runs-on: windows-latest - defaults: - run: - shell: bash - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: Set GO env - run: | - # Get latest containerd - args=(curl --proto '=https' --tlsv1.2 -fsSL -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28") - [ "${GITHUB_TOKEN:-}" == "" ] && { - >&2 printf "GITHUB_TOKEN is not set - you might face rate limitations with the Github API\n" - } || args+=(-H "Authorization: Bearer $GITHUB_TOKEN") - ctd_v="$("${args[@]}" https://api.github.com/repos/containerd/containerd/tags | jq -rc .[0].name)" - echo "CONTAINERD_VERSION=${ctd_v:1}" >> "$GITHUB_ENV" - - . ./hack/build-integration-canary.sh - canary::golang::latest - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - cache: true - check-latest: true - - run: go install ./cmd/nerdctl - - run: go install -v gotest.tools/gotestsum@v1 - # This here is solely to get the cni install script, which has not been modified in 3+ years. 
- # There is little to no reason to update this to latest containerd - - uses: actions/checkout@v4.2.2 - with: - repository: containerd/containerd - ref: "v1.7.24" - path: containerd - fetch-depth: 1 - - name: "Set up CNI" - working-directory: containerd - run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows - # Windows setup script can only use released versions - - name: "Set up containerd" - env: - ctrdVersion: ${{ env.CONTAINERD_VERSION }} - run: powershell hack/configure-windows-ci.ps1 - - name: "Run integration tests" - run: ./hack/test-integration.sh -test.only-flaky=false - - name: "Run integration tests (flaky)" - run: ./hack/test-integration.sh -test.only-flaky=true diff --git a/.github/workflows/test-images-build.yml b/.github/workflows/test-images-build.yml new file mode 100644 index 00000000000..248d3b75c43 --- /dev/null +++ b/.github/workflows/test-images-build.yml 
@@ -0,0 +1,236 @@
+name: prep
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+
+env:
+  GO_VERSION: 1.23.x
+  REGISTRY: ghcr.io
+  BUSYBOX_VERSION: 5ad83957fa74aafd061afbfb8da14ce3220659a9
+  REGISTRY_VERSION: v2.8.3
+  CURL_VERSION: 8.11.0_4
+
+
+jobs:
+  environment:
+    uses: ./.github/workflows/common.yml
+    secrets: inherit
+    with:
+      config-path: "foopath"
+
+  other:
+    name: testing
+    needs: environment
+    runs-on: ubuntu-24.04
+    steps:
+      - name: runit
+        run: |
+          echo DEBUG
+          echo ${{ needs.environment.outputs.GO_VERSION }}
+          echo ${{ needs.environment.outputs.REGISTRY_SERVER }}
+          echo DONE
+
+
+  build-busybox:
+    name: busybox
+    runs-on: ubuntu-24.04
+    steps:
+      - id: cache-busybox
+        uses: actions/cache@v4
+        with:
+          path: busybox.exe
+          enableCrossOsArchive: true
+          key: cache-busybox-${{ env.BUSYBOX_VERSION }}
+      - uses: actions/checkout@v4
+        if: steps.cache-busybox.outputs.cache-hit != 'true'
+        with:
+          repository: rmyorston/busybox-w32
+          ref: ${{ env.BUSYBOX_VERSION }}
+          fetch-depth: 1
+          path: ./src/busybox-w32
+      - name: ""
+        if: steps.cache-busybox.outputs.cache-hit != 'true'
+        run: |
+          sudo apt-get install gcc-mingw-w64 ncurses-dev
+          cd ./src/busybox-w32
+          make mingw64_defconfig
+          make
+          cd -
+          cp ./src/busybox-w32/busybox.exe .
+
+  build-curl:
+    name: busybox
+    runs-on: ubuntu-24.04
+    steps:
+      - id: cache-curl
+        uses: actions/cache@v4
+        with:
+          path: curl.exe
+          enableCrossOsArchive: true
+          key: cache-curl-${{ env.CURL_VERSION }}
+      - name: ""
+        if: steps.cache-curl.outputs.cache-hit != 'true'
+        run: |
+          curl -fsSLO https://curl.se/windows/dl-${CURL_VERSION}/curl-${CURL_VERSION}-win64-mingw.zip
+          unzip curl-${CURL_VERSION}-win64-mingw.zip
+          cp ./curl-${CURL_VERSION}-win64-mingw/bin/curl.exe .
+
+
+  build-registry:
+    name: registry
+    runs-on: ubuntu-24.04
+    steps:
+      - id: cache-registry
+        uses: actions/cache@v4
+        with:
+          path: build
+          enableCrossOsArchive: true
+          key: cache-registry-${{ env.REGISTRY_VERSION }}
+      - uses: actions/checkout@v4
+        if: steps.cache-registry.outputs.cache-hit != 'true'
+        with:
+          repository: distribution/distribution
+          ref: ${{ env.REGISTRY_VERSION }}
+          path: "${{ github.workspace }}/go/src/github.com/docker/distribution"
+          fetch-depth: 1
+      - uses: actions/setup-go@v5
+        if: steps.cache-registry.outputs.cache-hit != 'true'
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+          cache: true
+      - name: "build"
+        if: steps.cache-registry.outputs.cache-hit != 'true'
+        run: |
+          export GOPATH="${{ github.workspace }}/go"
+          src="${{ github.workspace }}/go/src/github.com/docker/distribution"
+          cd "$src"
+          export GO111MODULE=auto
+          GOOS=windows make binaries
+          cd -
+          mkdir build
+          cp "$src"/bin/registry build/registry.exe
+          cp "$src"/cmd/registry/config-dev.yml build
+
+  image-busybox:
+    name: image-busybox
+    runs-on: windows-2022
+    needs:
+      - build-busybox
+      - build-curl
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/cache/restore@v4
+        id: cache-busybox
+        with:
+          path: busybox.exe
+          enableCrossOsArchive: true
+          key: cache-busybox-${{ env.BUSYBOX_VERSION }}
+          fail-on-cache-miss: true
+      - uses: actions/cache/restore@v4
+        id: cache-curl
+        with:
+          path: curl.exe
+          enableCrossOsArchive: true
+          key: cache-curl-${{ env.CURL_VERSION }}
+          fail-on-cache-miss: true
+      - name: "Prep busybox image"
+        run: |
+          cat < Dockerfile
+          # escape=\`
+          FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
+          RUN mkdir C:\\tmp
+          RUN mkdir C:\\bin
+          COPY busybox.exe C:/bin/
+          COPY curl.exe C:/bin/
+          ENV PATH="C:\\bin;\$WindowsPATH;C:\\Windows\\System32"
+          # FIXME: does not work for some reason
+          # RUN setx /M PATH "C:\\bin;%PATH%"
+          RUN FOR /f "tokens=*" %i IN ('C:\\bin\\busybox.exe --list') DO mklink C:\\bin\\%i.exe C:\\bin\\busybox.exe
+          USER ContainerAdministrator
+          EOF
+      - name: "Build image"
+        run: |
+          docker build --tag dubogus/win-busybox -f Dockerfile .
+          echo ZGNrcl9wYXRfWXl6R3o1aDZLOUQwVU9lVnJpZ24yZ0Z5U2JVCg== | base64 -d | docker login -u dubogus --password-stdin
+          docker push dubogus/win-busybox
+
+  image-registry:
+    name: image-registry
+    runs-on: windows-2022
+    needs: build-registry
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/cache/restore@v4
+        id: cache-registry
+        with:
+          path: build
+          enableCrossOsArchive: true
+          key: cache-registry-${{ env.REGISTRY_VERSION }}
+          fail-on-cache-miss: true
+      - name: "Prep registry image"
+        run: |
+          cat < Dockerfile
+          FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
+          COPY ./build/registry.exe /registry.exe
+          COPY ./build/config-dev.yml /config.yml
+          EXPOSE 5000
+          ENTRYPOINT ["/registry"]
+          CMD ["serve", "/config.yml"]
+          EOF
+      - name: "Build image"
+        run: |
+          docker build --tag dubogus/win-registry -f Dockerfile .
+          echo ZGNrcl9wYXRfWXl6R3o1aDZLOUQwVU9lVnJpZ24yZ0Z5U2JVCg== | base64 -d | docker login -u dubogus --password-stdin
+          docker push dubogus/win-registry
+
+  sanity:
+    timeout-minutes: 30
+    name: windows
+    needs: build-busybox
+    runs-on: windows-2022
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@v4.2.2
+        with:
+          fetch-depth: 1
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+          check-latest: true
+      - run: go install ./cmd/nerdctl
+      - run: go install -v gotest.tools/gotestsum@v1
+      - uses: actions/checkout@v4.2.2
+        with:
+          repository: containerd/containerd
+          ref: v1.7.24
+          path: containerd
+          fetch-depth: 1
+      - name: "Set up CNI"
+        working-directory: containerd
+        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
+      - name: "Set up containerd"
+        env:
+          ctrdVersion: 1.7.24
+        run: powershell hack/configure-windows-ci.ps1
+      - name: "Run integration tests"
+        run: |
+          nerdctl.exe run -q --rm --pull always dubogus/win-busybox ls -lA
+          nerdctl.exe run -q --rm --pull always dubogus/win-busybox echo "\$USERNAME"
+          nerdctl.exe run -q -d --pull always --name sleep dubogus/win-busybox sleep 3600
+          nerdctl.exe ps -a
+          nerdctl.exe top sleep
+          nerdctl.exe top sleep -o pid,user,cmd
diff --git a/.github/workflows/test-kube.yml b/.github/workflows/test-kube.yml
deleted file mode 100644
index 2bd0d00f28c..00000000000
--- a/.github/workflows/test-kube.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# This pipeline purpose is solely meant to run a subset of our test suites against a kubernetes cluster -name: kubernetes - -on: - push: - branches: - - main - - 'release/**' - pull_request: - paths-ignore: - - '**.md' - -jobs: - linux: - runs-on: "ubuntu-24.04" - timeout-minutes: 40 - env: - ROOTFUL: true - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: "Run Kubernetes integration tests" - # See https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization - run: | - ./hack/build-integration-kubernetes.sh - sudo ./_output/nerdctl exec nerdctl-test-control-plane bash -c -- 'export TMPDIR="$HOME"/tmp; mkdir -p "$TMPDIR"; cd /nerdctl-source; /usr/local/go/bin/go test -p 1 ./cmd/nerdctl/... -test.only-kubernetes'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index feba1ca4c26..b6e1f659d41
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
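Review bot: Both "Build image" steps (in `image-busybox` and `image-registry`) commit a live Docker Hub access token to the repository — `echo ZGNrcl9w…== | base64 -d | docker login …` is encoding, not protection, and because the workflow also triggers on `pull_request` any fork PR runs that login and can push arbitrary content to `dubogus/win-busybox` and `dubogus/win-registry`, which the `sanity` job then consumes via `--pull always` by mutable tag. The committed token has to be revoked and reissued, the login should read the value from `${{ secrets.DOCKERHUB_TOKEN }}` (which GitHub withholds from fork PRs), and the push should be gated on `github.event_name != 'pull_request'` so PR runs only build. `sanity` declares `needs: build-busybox` rather than `image-busybox`, so it can run before the new image is pushed and exercise whatever was last on Docker Hub; it should depend on `image-busybox` and ideally pin the image by digest. `build-curl` downloads the curl zip with no integrity check while the busybox and registry sources are pinned to a commit and tag; record the archive's SHA-256 in `env` and verify it with `sha256sum -c` before unzipping (its job `name: busybox` is also a copy-paste slip). The rewritten step below applies identically to the `image-registry` job.
```yaml
      - name: "Build image"
        env:
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          docker build --tag dubogus/win-busybox -f Dockerfile .
          # Secrets are withheld from pull_request runs from forks; only push on trusted events.
          if [ "${GITHUB_EVENT_NAME}" != "pull_request" ]; then
            printf '%s' "${DOCKERHUB_TOKEN}" | docker login -u dubogus --password-stdin
            docker push dubogus/win-busybox
          fi
  # … unchanged: image-registry job, with the same login/push change in its "Build image" step …
```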
@@ -15,348 +15,6 @@ env: LONG_TIMEOUT: 60 jobs: - # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA - build-dependencies: - timeout-minutes: 15 - name: dependencies | ${{ matrix.containerd }} | ${{ matrix.arch }} - runs-on: "${{ matrix.runner }}" - strategy: - fail-fast: false - matrix: - include: - - runner: ubuntu-24.04 - containerd: v1.6.36 - arch: amd64 - - runner: ubuntu-24.04 - containerd: v1.7.24 - arch: amd64 - - runner: ubuntu-24.04 - containerd: v2.0.0 - arch: amd64 - - runner: arm64-8core-32gb - containerd: v2.0.0 - arch: arm64 - env: - CONTAINERD_VERSION: "${{ matrix.containerd }}" - ARCH: "${{ matrix.arch }}" - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: "Expose GitHub Runtime variables for gha" - uses: crazy-max/ghaction-github-runtime@v3 - - name: "Build dependencies for the integration test environment image" - run: | - docker buildx create --name with-gha --use - docker buildx build \ - --output=type=docker \ - --cache-to type=gha,mode=max,scope=${ARCH}-${CONTAINERD_VERSION} \ - --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \ - --target build-dependencies --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} . 
- - test-unit: - # FIXME: - # Supposed to work: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#example-returning-a-json-data-type - # Apparently does not - # timeout-minutes: ${{ fromJSON(env.SHORT_TIMEOUT) }} - timeout-minutes: 10 - name: unit | ${{ matrix.goos }} - runs-on: "${{ matrix.os }}" - defaults: - run: - shell: bash - strategy: - matrix: - include: - - os: windows-2022 - goos: windows - - os: ubuntu-24.04 - goos: linux - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - check-latest: true - cache: true - - if: ${{ matrix.goos=='windows' }} - uses: actions/checkout@v4.2.2 - with: - repository: containerd/containerd - ref: v1.7.24 - path: containerd - fetch-depth: 1 - - if: ${{ matrix.goos=='windows' }} - name: "Set up CNI" - working-directory: containerd - run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows - - name: "Run unit tests" - run: make test-unit - - test-integration: - needs: build-dependencies - timeout-minutes: 30 - name: rootful | ${{ matrix.containerd }} | ${{ matrix.runner }} - runs-on: "${{ matrix.runner }}" - strategy: - fail-fast: false - matrix: - # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2 - include: - - ubuntu: 20.04 - containerd: v1.6.36 - runner: "ubuntu-20.04" - arch: amd64 - - ubuntu: 22.04 - containerd: v1.7.24 - runner: "ubuntu-22.04" - arch: amd64 - - ubuntu: 24.04 - containerd: v2.0.0 - runner: "ubuntu-24.04" - arch: amd64 - - ubuntu: 24.04 - containerd: v2.0.0 - runner: arm64-8core-32gb - arch: arm64 - env: - CONTAINERD_VERSION: "${{ matrix.containerd }}" - ARCH: "${{ matrix.arch }}" - UBUNTU_VERSION: "${{ matrix.ubuntu }}" - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: "Expose GitHub Runtime variables for gha" - uses: crazy-max/ghaction-github-runtime@v3 - - name: "Prepare integration test 
environment" - run: | - docker buildx create --name with-gha --use - docker buildx build \ - --output=type=docker \ - --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \ - -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} . - - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)" - run: | - sudo systemctl disable --now snapd.service snapd.socket - sudo apt-get purge -y snapd - sudo losetup -Dv - sudo losetup -lv - - name: "Register QEMU (tonistiigi/binfmt)" - run: | - # `--install all` will only install emulation for architectures that cannot be natively executed - # Since some arm64 platforms do provide native fallback execution for 32 bits, - # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`. - # To avoid that, we explicitly list the architectures we do want emulation for. - docker run --privileged --rm tonistiigi/binfmt --install linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7 - - name: "Run integration tests" - run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false - - name: "Run integration tests (flaky)" - run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true - - test-integration-ipv6: - needs: build-dependencies - timeout-minutes: 15 - name: ipv6 | ${{ matrix.containerd }} | ${{ matrix.ubuntu }} - runs-on: "ubuntu-${{ matrix.ubuntu }}" - strategy: - fail-fast: false - matrix: - include: - - ubuntu: 24.04 - containerd: v2.0.0 - arch: amd64 - env: - CONTAINERD_VERSION: "${{ matrix.containerd }}" - ARCH: "${{ matrix.arch }}" - UBUNTU_VERSION: "${{ matrix.ubuntu }}" - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: Enable ipv4 and ipv6 forwarding - run: 
| - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - name: "Expose GitHub Runtime variables for gha" - uses: crazy-max/ghaction-github-runtime@v3 - - name: Enable IPv6 for Docker, and configure docker to use containerd for gha - run: | - sudo mkdir -p /etc/docker - echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker - - name: "Prepare integration test environment" - run: | - docker buildx create --name with-gha --use - docker buildx build \ - --output=type=docker \ - --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \ - -t test-integration --target test-integration --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} . - - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)" - run: | - sudo systemctl disable --now snapd.service snapd.socket - sudo apt-get purge -y snapd - sudo losetup -Dv - sudo losetup -lv - - name: "Register QEMU (tonistiigi/binfmt)" - run: | - # `--install all` will only install emulation for architectures that cannot be natively executed - # Since some arm64 platforms do provide native fallback execution for 32 bits, - # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`. - # To avoid that, we explicitly list the architectures we do want emulation for. - docker run --privileged --rm tonistiigi/binfmt --install linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7 - - name: "Run integration tests" - # The nested IPv6 network inside docker and qemu is complex and needs a bunch of sysctl config. - # Therefore, it's hard to debug why the IPv6 tests fail in such an isolation layer. - # On the other side, using the host network is easier at configuration. 
- # Besides, each job is running on a different instance, which means using host network here - # is safe and has no side effects on others. - run: docker run --network host -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-ipv6 - - test-integration-rootless: - needs: build-dependencies - timeout-minutes: 30 - name: "${{ matrix.target }} | ${{ matrix.containerd }} | ${{ matrix.rootlesskit }} | ${{ matrix.ubuntu }}" - runs-on: "ubuntu-${{ matrix.ubuntu }}" - strategy: - fail-fast: false - matrix: - # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2 - include: - - ubuntu: 20.04 - containerd: v1.6.36 - rootlesskit: v1.1.1 # Deprecated - target: rootless - arch: amd64 - - ubuntu: 22.04 - containerd: v1.7.24 - rootlesskit: v2.3.1 - target: rootless - arch: amd64 - - ubuntu: 24.04 - containerd: v2.0.0 - rootlesskit: v2.3.1 - target: rootless - arch: amd64 - - ubuntu: 24.04 - containerd: v1.7.24 - rootlesskit: v2.3.1 - target: rootless-port-slirp4netns - arch: amd64 - env: - CONTAINERD_VERSION: "${{ matrix.containerd }}" - ARCH: "${{ matrix.arch }}" - UBUNTU_VERSION: "${{ matrix.ubuntu }}" - ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}" - TEST_TARGET: "test-integration-${{ matrix.target }}" - steps: - - name: "Set up AppArmor" - if: matrix.ubuntu == '24.04' - run: | - cat <, - include - - /usr/local/bin/rootlesskit flags=(unconfined) { - userns, - - # Site-specific additions and overrides. See local/README for details. - include if exists - } - EOT - sudo systemctl restart apparmor.service - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - name: "Register QEMU (tonistiigi/binfmt)" - run: | - # `--install all` will only install emulation for architectures that cannot be natively executed - # Since some arm64 platforms do provide native fallback execution for 32 bits, - # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`. 
- # To avoid that, we explicitly list the architectures we do want emulation for. - docker run --privileged --rm tonistiigi/binfmt --install linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7 - - name: "Expose GitHub Runtime variables for gha" - uses: crazy-max/ghaction-github-runtime@v3 - - name: "Prepare (network driver=slirp4netns, port driver=builtin)" - run: | - docker buildx create --name with-gha --use - docker buildx build \ - --output=type=docker \ - --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \ - -t ${TEST_TARGET} --target ${TEST_TARGET} --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} --build-arg ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} . - - name: "Disable BuildKit for RootlessKit v1 (workaround for issue #622)" - run: | - # https://github.com/containerd/nerdctl/issues/622 - WORKAROUND_ISSUE_622= - if echo "${ROOTLESSKIT_VERSION}" | grep -q v1; then - WORKAROUND_ISSUE_622=1 - fi - echo "WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622}" >> "$GITHUB_ENV" - - name: "Test (network driver=slirp4netns, port driver=builtin)" - run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false - - name: "Test (network driver=slirp4netns, port driver=builtin) (flaky)" - run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true - - build: - timeout-minutes: 5 - name: "build | ${{ matrix.go-version }}" - runs-on: ubuntu-24.04 - strategy: - matrix: - go-version: ["1.22.x", "1.23.x"] - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - uses: actions/setup-go@v5 - with: - go-version: ${{ matrix.go-version }} - cache: true - check-latest: true - - name: 
"build" - run: GO_VERSION="$(echo ${{ matrix.go-version }} | sed -e s/.x//)" make binaries - - test-integration-docker-compatibility: - timeout-minutes: 30 - name: docker - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - cache: true - check-latest: true - - name: "Register QEMU (tonistiigi/binfmt)" - run: | - # `--install all` will only install emulation for architectures that cannot be natively executed - # Since some arm64 platforms do provide native fallback execution for 32 bits, - # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`. - # To avoid that, we explicitly list the architectures we do want emulation for. - docker run --privileged --rm tonistiigi/binfmt --install linux/amd64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm64 - docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7 - - name: "Prepare integration test environment" - run: | - sudo apt-get install -y expect - go install -v gotest.tools/gotestsum@v1 - - name: "Ensure that the integration test suite is compatible with Docker" - run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker - - name: "Ensure that the IPv6 integration test suite is compatible with Docker" - run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-ipv6 - - name: "Ensure that the integration test suite is compatible with Docker (flaky only)" - run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-flaky - test-integration-windows: timeout-minutes: 30 name: windows 
@@ -392,30 +50,3 @@ jobs: run: ./hack/test-integration.sh -test.only-flaky=false - name: "Run integration tests (flaky)" run: ./hack/test-integration.sh -test.only-flaky=true - - test-integration-freebsd: - timeout-minutes: 30 - name: FreeBSD - # ubuntu-24.04 lacks the vagrant package - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v4.2.2 - with: - fetch-depth: 1 - - uses: actions/cache@v4 - with: - path: /root/.vagrant.d - key: vagrant-${{ matrix.box }} - - name: Set up vagrant - run: | - sudo apt-get update - sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt - sudo systemctl enable --now libvirtd - - name: Boot VM - run: | - ln -sf Vagrantfile.freebsd Vagrantfile - sudo vagrant up --no-tty - - name: test-unit - run: sudo vagrant up --provision-with=test-unit - - name: test-integration - run: sudo vagrant up --provision-with=test-integration