Merge pull request #3101 from AkihiroSuda/cirrus-10

[1.0] Use Cirrus CI for Vagrant tests

.cirrus.yml

@@ -0,0 +1,157 @@
+---
+# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS
+# instances of GHA are too slow and flaky, and Linux instances of GHA do not
+# support KVM.
+
+# NOTE Cirrus execution environments lack a terminal, needed for
+# some integration tests. So we use `ssh -tt` command to fake a terminal.
+
+task:
+  timeout_in: 30m
+
+  env:
+    DEBIAN_FRONTEND: noninteractive
+    HOME: /root
+    # yamllint disable rule:key-duplicates
+    matrix:
+      DISTRO: fedora34
+
+  name: vagrant DISTRO:$DISTRO
+
+  compute_engine_instance:
+    image_project: cirrus-images
+    image: family/docker-kvm
+    platform: linux
+    nested_virtualization: true
+    # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
+    cpu: 8
+    # Memory limit: `4GB * NCPU`
+    memory: 32G
+
+  host_info_script: |
+    uname -a
+    echo "-----"
+    cat /etc/os-release
+    echo "-----"
+    cat /proc/cpuinfo
+    echo "-----"
+    df -T
+  install_libvirt_vagrant_script: |
+    apt-get update
+    apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt
+    systemctl enable --now libvirtd
+  vagrant_cache:
+    fingerprint_script: uname -s ; cat Vagrantfile.$DISTRO
+    folder: /root/.vagrant.d
+  vagrant_up_script: |
+    ln -sf Vagrantfile.$DISTRO Vagrantfile
+    # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
+    vagrant up || vagrant up
+    mkdir -p -m 0700 /root/.ssh
+    vagrant ssh-config >> /root/.ssh/config
+  guest_info_script: |
+    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release"'
+  unit_tests_script: |
+    ssh default 'sudo -i make -C /vagrant localunittest'
+  integration_systemd_script: |
+    ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
+  integration_fs_script: |
+    ssh -tt default "sudo -i make -C /vagrant localintegration"
+  integration_systemd_rootless_script: |
+    if [ $DISTRO == centos7 ]; then
+      echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
+    else
+      ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
+    fi
+  integration_fs_rootless_script: |
+    if [ $DISTRO == centos7 ]; then
+      echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
+    else
+      ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
+    fi
+
+task:
+  timeout_in: 30m
+
+  env:
+    HOME: /root
+    CIRRUS_WORKING_DIR: /home/runc
+    GO_VERSION: "1.16.6"
+    BATS_VERSION: "v1.3.0"
+    # yamllint disable rule:key-duplicates
+    matrix:
+      DISTRO: centos-7
+      DISTRO: centos-stream-8
+
+  name: ci / $DISTRO
+
+  compute_engine_instance:
+    image_project: centos-cloud
+    image: family/$DISTRO
+    platform: linux
+    cpu: 4
+    memory: 8G
+
+  install_dependencies_script: |
+    yum install -y -q epel-release
+    case $DISTRO in
+    centos-7)
+      (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
+      # sysctl
+      echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
+      sysctl --system
+      ;;
+    centos-stream-8)
+      yum install -y -q dnf-plugins-core
+      yum config-manager --set-enabled powertools
+      ;;
+    esac
+    yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
+    # install Go
+    curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
+    # install bats
+    cd /tmp
+    git clone https://github.com/bats-core/bats-core
+    cd bats-core
+    git checkout $BATS_VERSION
+    ./install.sh /usr/local
+    cd -
+    # Add a user for rootless tests
+    useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+    # set PATH
+    echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
+    # Setup ssh localhost for terminal emulation (script -e did not work)
+    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+    cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
+    chmod 400 /root/.ssh/authorized_keys
+    ssh-keyscan localhost >> /root/.ssh/known_hosts
+    echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
+    sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
+    systemctl restart sshd
+  host_info_script: |
+    uname -a
+    echo "-----"
+    cat /etc/os-release
+    echo "-----"
+    cat /proc/cpuinfo
+    echo "-----"
+    df -T
+    echo "-----"
+    systemctl --version
+  unit_tests_script: |
+    ssh -tt localhost "make -C /home/runc localunittest"
+  integration_systemd_script: |
+    ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
+  integration_fs_script: |
+    ssh -tt localhost "make -C /home/runc localintegration"
+  integration_systemd_rootless_script: |
+    echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
+  integration_fs_rootless_script: |
+    case $DISTRO in
+    centos-7)
+      echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
+        ;;
+    centos-stream-8)
+      ssh -tt localhost "make -C /home/runc localrootlessintegration"
+      ;;
+    esac

.github/workflows/test.yml

@@ -1,8 +1,5 @@
 # NOTE Github Actions execution environments lack a terminal, needed for
-# some integration tests. Two ways to get a terminal are used below:
-#
-# 1. script utility -- for "local" integration tests;
-# 2. ssh -tt -- for Vagrant VMs (script is buggy on CentOS 7).
+# some integration tests. So we use `script` command to fake a terminal.
 
 name: ci
 on:
@@ -73,88 +70,6 @@ jobs:
       if: matrix.rootless != 'rootless'
       run: sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
 
-
-  # cgroup v2 unified hierarchy + very recent kernel (openat2)
-  fedora:
-    # nested virtualization is only available on macOS hosts
-    runs-on: macos-10.15
-    timeout-minutes: 30
-    # only run it if others have passed
-    needs: [test]
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.fedora34"
-        uses: actions/cache@v2
-        with:
-          path: ~/.vagrant.d/boxes
-          key: vagrant-${{ hashFiles('Vagrantfile.fedora34') }}
-
-      - name: prepare vagrant
-        run: |
-          ln -sf Vagrantfile.fedora34 Vagrantfile
-          # Retry if it fails (download.fedoraproject.org returns 404 sometimes)
-          vagrant up || vagrant up
-          vagrant ssh-config >> ~/.ssh/config
-
-      - name: system info
-        run: ssh default 'sh -exc "uname -a && systemctl --version && df -T"'
-
-      - name: unit tests
-        run: ssh default 'cd /vagrant && sudo make localunittest'
-
-      - name: cgroupv2 with systemd
-        run: ssh -tt default "sudo make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
-
-      - name: cgroupv2 with fs2
-        run: ssh -tt default "sudo make -C /vagrant localintegration"
-
-      - name: cgroupv2 with systemd (rootless)
-        run: ssh -tt default "sudo make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
-
-      - name: cgroupv2 with fs2 (rootless)
-        run: ssh -tt default "sudo make -C /vagrant localrootlessintegration"
-
-
-  # kernel 3.10 (frankenized), systemd 219
-  centos7:
-    # nested virtualization is only available on macOS hosts
-    runs-on: macos-10.15
-    timeout-minutes: 15
-    # only run it if others have passed
-    needs: [test]
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.centos7"
-        uses: actions/cache@v2
-        with:
-          path: ~/.vagrant.d/boxes
-          key: vagrant-${{ hashFiles('Vagrantfile.centos7') }}
-
-      - name: prepare vagrant
-        run: |
-          ln -sf Vagrantfile.centos7 Vagrantfile
-          vagrant up
-          vagrant ssh-config >> ~/.ssh/config
-
-      - name: system info
-        run: ssh default 'rpm -q centos-release kernel systemd'
-
-      - name: unit tests
-        run: ssh default 'sudo -i make -C /vagrant localunittest'
-
-      - name: integration tests (fs cgroup driver)
-        run: ssh -tt default "sudo -i make -C /vagrant localintegration"
-
-      - name: integration tests (systemd cgroup driver)
-        run: ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=1"
-
-      - name: rootless integration
-      # FIXME: rootless is skipped because of EPERM on writing cgroup.procs
-        if: false
-        run: ssh default "sudo -i make -C /vagrant localrootlessintegration"
-
   # We need to continue support for 32-bit ARM.
   # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
   # We are not interested in providing official support for i386.

tests/integration/update.bats

@@ -537,7 +537,7 @@ EOF
 	root_period=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us")
 	root_runtime=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_runtime_us")
 	# the following IFS magic sets dirs=("runc-cgroups-integration-test" "test-cgroup")
-	IFS='/' read -r -a dirs <<<"$REL_CGROUPS_PATH"
+	IFS='/' read -r -a dirs <<<"${REL_CGROUPS_PATH#/}"
 	for ((i = 0; i < ${#dirs[@]}; i++)); do
 		local target="$CGROUP_CPU_BASE_PATH"
 		for ((j = 0; j <= i; j++)); do

tests/rootless.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 # Copyright (C) 2017 SUSE LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -114,6 +114,15 @@ function enable_cgroup() {
 		# necessary, and might actually be a bug in our impl of cgroup
 		# handling.
 		[[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems}
+		# The following is required by "update rt period and runtime".
+		if [[ "$cg" == "cpu" ]]; then
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us"
+			fi
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us"
+			fi
+		fi
 	done
 	# cgroup v2
 	if [[ -e "$CGROUP_MOUNT/cgroup.controllers" ]]; then