Merge pull request #3104 from adrianreber/2021-07-20-vagrant

Do not use Vagrant for CentOS 7/8 Signed-off-by: Sascha Grunert <[email protected]>
opencontainers · Jul 27, 2021 · cf51093 · cf51093
2 parents 713748d + 9f656db
commit cf51093
Show file tree

Hide file tree

Showing 17 changed files with 344 additions and 173 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -1,29 +1,33 @@
 ---
-# We use Cirrus for Vagrant tests, because macOS instances of GHA
-# are too slow and flaky, and Linux instances of GHA do not support KVM.
+# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS
+# instances of GHA are too slow and flaky, and Linux instances of GHA do not
+# support KVM.
 
 # NOTE Cirrus execution environments lack a terminal, needed for
 # some integration tests. So we use `ssh -tt` command to fake a terminal.
 
-compute_engine_instance:
-  image_project: cirrus-images
-  image: family/docker-kvm
-  platform: linux
-  nested_virtualization: true
-  # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
-  cpu: 8
-  # Memory limit: `4GB * NCPU`
-  memory: 32G
-
-vagrant_task:
+task:
   timeout_in: 30m
+
   env:
     DEBIAN_FRONTEND: noninteractive
     HOME: /root
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: fedora34
-      DISTRO: centos7
+
+  name: vagrant DISTRO:$DISTRO
+
+  compute_engine_instance:
+    image_project: cirrus-images
+    image: family/docker-kvm
+    platform: linux
+    nested_virtualization: true
+    # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
+    cpu: 8
+    # Memory limit: `4GB * NCPU`
+    memory: 32G
+
   host_info_script: |
     uname -a
     echo "-----"
@@ -65,3 +69,89 @@ vagrant_task:
     else
       ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
     fi
+
+task:
+  timeout_in: 30m
+
+  env:
+    HOME: /root
+    CIRRUS_WORKING_DIR: /home/runc
+    GO_VERSION: "1.16.6"
+    BATS_VERSION: "v1.3.0"
+    # yamllint disable rule:key-duplicates
+    matrix:
+      DISTRO: centos-7
+      DISTRO: centos-stream-8
+
+  name: ci / $DISTRO
+
+  compute_engine_instance:
+    image_project: centos-cloud
+    image: family/$DISTRO
+    platform: linux
+    cpu: 4
+    memory: 8G
+
+  install_dependencies_script: |
+    yum install -y -q epel-release
+    case $DISTRO in
+    centos-7)
+      (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
+      # sysctl
+      echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
+      sysctl --system
+      ;;
+    centos-stream-8)
+      yum install -y -q dnf-plugins-core
+      yum config-manager --set-enabled powertools
+      ;;
+    esac
+    yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
+    # install Go
+    curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
+    # install bats
+    cd /tmp
+    git clone https://github.com/bats-core/bats-core
+    cd bats-core
+    git checkout $BATS_VERSION
+    ./install.sh /usr/local
+    cd -
+    # Add a user for rootless tests
+    useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+    # set PATH
+    echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
+    # Setup ssh localhost for terminal emulation (script -e did not work)
+    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+    cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
+    chmod 400 /root/.ssh/authorized_keys
+    ssh-keyscan localhost >> /root/.ssh/known_hosts
+    echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
+    sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
+    systemctl restart sshd
+  host_info_script: |
+    uname -a
+    echo "-----"
+    cat /etc/os-release
+    echo "-----"
+    cat /proc/cpuinfo
+    echo "-----"
+    df -T
+    echo "-----"
+    systemctl --version
+  unit_tests_script: |
+    ssh -tt localhost "make -C /home/runc localunittest"
+  integration_systemd_script: |
+    ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
+  integration_fs_script: |
+    ssh -tt localhost "make -C /home/runc localintegration"
+  integration_systemd_rootless_script: |
+    echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
+  integration_fs_rootless_script: |
+    case $DISTRO in
+    centos-7)
+      echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
+        ;;
+    centos-stream-8)
+      ssh -tt localhost "make -C /home/runc localrootlessintegration"
+      ;;
+    esac
diff --git a/Vagrantfile.centos7 b/Vagrantfile.centos7
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/mrunalp/fileutils v0.5.0
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/opencontainers/selinux v1.8.2
-	github.com/seccomp/libseccomp-golang v0.9.1
+	github.com/seccomp/libseccomp-golang v0.9.2-0.20200616122406-847368b35ebf
 	github.com/sirupsen/logrus v1.8.1
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092

diff --git a/go.sum b/go.sum
@@ -54,8 +54,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
-github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20200616122406-847368b35ebf h1:b0+ZBD3rohnkQ4q5duD1+RyTXTg9yk+qTOPMSQtapO0=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20200616122406-847368b35ebf/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=

diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -47,6 +47,8 @@ const (
 	Allow
 	Trace
 	Log
+	KillThread
+	KillProcess
 )
 
 // Operator is a comparison operator to be used when matching syscall arguments in Seccomp

diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -583,7 +583,7 @@ func enosysPatchFilter(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (
 
 func filterFlags(filter *libseccomp.ScmpFilter) (flags uint, noNewPrivs bool, err error) {
 	// Ignore the error since pre-2.4 libseccomp is treated as API level 0.
-	apiLevel, _ := libseccomp.GetApi()
+	apiLevel, _ := libseccomp.GetAPI()
 
 	noNewPrivs, err = filter.GetNoNewPrivsBit()
 	if err != nil {

diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -82,6 +82,10 @@ func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error
 	switch act {
 	case configs.Kill:
 		return actKill, nil
+	case configs.KillThread:
+		return libseccomp.ActKillThread, nil
+	case configs.KillProcess:
+		return libseccomp.ActKillProcess, nil
 	case configs.Errno:
 		if errnoRet != nil {
 			return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil

diff --git a/tests/integration/update.bats b/tests/integration/update.bats
@@ -537,7 +537,7 @@ EOF
 	root_period=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us")
 	root_runtime=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_runtime_us")
 	# the following IFS magic sets dirs=("runc-cgroups-integration-test" "test-cgroup")
-	IFS='/' read -r -a dirs <<<"$REL_CGROUPS_PATH"
+	IFS='/' read -r -a dirs <<<"${REL_CGROUPS_PATH#/}"
 	for ((i = 0; i < ${#dirs[@]}; i++)); do
 		local target="$CGROUP_CPU_BASE_PATH"
 		for ((j = 0; j <= i; j++)); do

diff --git a/tests/rootless.sh b/tests/rootless.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 # Copyright (C) 2017 SUSE LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -114,6 +114,15 @@ function enable_cgroup() {
 		# necessary, and might actually be a bug in our impl of cgroup
 		# handling.
 		[[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems}
+		# The following is required by "update rt period and runtime".
+		if [[ "$cg" == "cpu" ]]; then
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us"
+			fi
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us"
+			fi
+		fi
 	done
 	# cgroup v2
 	if [[ -e "$CGROUP_MOUNT/cgroup.controllers" ]]; then

diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
-Original file line number
+Diff line change
@@ Expand Up / @@ -47,6 +47,8 @@ const ( @@
     	Allow
     	Trace
     	Log
+    	KillThread
+    	KillProcess
     )
     // Operator is a comparison operator to be used when matching syscall arguments in Seccomp
@@ Expand Down @@