Merge pull request #10766 from sameersaeed/v1.6.36-sandbox-cni-plugins #90
# Workflow name shown in the Actions UI.
name: CI

# Triggers: pushes to, and pull requests targeting, main and release/**.
# The trigger is `pull_request`, not `pull_request_target`, so jobs for a
# fork's pull request run with a read-only GITHUB_TOKEN and without
# repository secrets.
on:
  push:
    branches:
      - main
      - 'release/**'
  pull_request:
    branches:
      - main
      - 'release/**'

# Workflow-wide default scope for GITHUB_TOKEN: read-only repository contents.
# A job that declares its own `permissions` block replaces this default.
permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
#
# golangci-lint
#
# Runs golangci-lint on every OS in the matrix. Only issues introduced by the
# change are reported (`only-new-issues: true`).
linters:
  # Job-scoped token permissions; they replace the workflow-level default for
  # this job, so only the two read scopes below are granted.
  permissions:
    contents: read # for actions/checkout to fetch code
    pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
  name: Linters
  runs-on: ${{ matrix.os }}
  timeout-minutes: 10
  strategy:
    matrix:
      os: [ubuntu-20.04, actuated-arm64-4cpu-16gb, macos-12, windows-2019]
  steps:
    # libbtrfs-dev is installed on the two apt-based runners only.
    - name: Install dependencies
      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'actuated-arm64-4cpu-16gb'
      run: |
        sudo apt-get update
        sudo apt-get install -y libbtrfs-dev
    # NOTE(review): `@v4` is a mutable tag. Pinning actions (third-party ones
    # in particular) to a full commit SHA keeps a moved tag from changing
    # what runs here.
    - uses: actions/checkout@v4
    # Local action, loaded from the tree that was just checked out.
    - uses: ./.github/actions/install-go
    - uses: golangci/golangci-lint-action@v4
      with:
        only-new-issues: true
        version: v1.55.0
        skip-cache: true
        args: --timeout=8m
#
# Project checks
#
# Runs containerd's shared project checks and verifies go.mod / vendor.
project:
  name: Project Checks
  # Skipped when the workflow runs in a repository other than
  # containerd/containerd (for example a fork's own Actions runs).
  if: github.repository == 'containerd/containerd'
  runs-on: ubuntu-20.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
      with:
        path: src/github.com/containerd/containerd
        # History depth for the checkout; presumably needed so the commit
        # checks can walk recent commits - confirm against project-checks.
        fetch-depth: 100
    - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
    # NOTE(review): the part after "containerd/" is an e-mail-obfuscation
    # placeholder left by the page this listing was copied from, not a real
    # action reference. Restore the original `owner/repo@ref` before use.
    - uses: containerd/[email protected]
      with:
        working-directory: src/github.com/containerd/containerd
        # This job declares no `permissions`, so the token passed here carries
        # the workflow-level default (`contents: read`).
        repo-access-token: ${{ secrets.GITHUB_TOKEN }}
    - name: verify go modules and vendor directory
      run: |
        sudo apt-get install -y jq
        make verify-vendor
      working-directory: src/github.com/containerd/containerd
#
# Protobuf checks
#
# Installs protoc and the dev tools, then checks that the generated protobuf
# code and API descriptors are up to date and formatted.
protos:
  name: Protobuf
  runs-on: ubuntu-20.04
  timeout-minutes: 5
  # Every `run` step executes inside the GOPATH-style checkout directory.
  defaults:
    run:
      working-directory: src/github.com/containerd/containerd
  steps:
    - uses: actions/checkout@v4
      with:
        path: src/github.com/containerd/containerd
    - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
    # Use the workspace as GOPATH and put its bin/ directory on PATH for the
    # following steps.
    - name: Set env
      shell: bash
      run: |
        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
    # The install script runs as root with the caller's environment and PATH
    # (`sudo -E PATH=$PATH`). The chmod calls then make protoc and the bundled
    # include files readable by the non-root runner user.
    - name: Install protobuf
      run: |
        sudo -E PATH=$PATH script/setup/install-protobuf
        sudo chmod +x /usr/local/bin/protoc
        sudo chmod og+rx /usr/local/include/google /usr/local/include/google/protobuf /usr/local/include/google/protobuf/compiler
        sudo chmod -R og+r /usr/local/include/google/protobuf/
        protoc --version
    - run: script/setup/install-dev-tools
    - run: make proto-fmt
    - run: make check-protos check-api-descriptors
# Builds the man pages with go-md2man to check that they still generate.
man:
  name: Manpages
  runs-on: ubuntu-20.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    - uses: ./.github/actions/install-go
    # NOTE(review): the module path and version after "go-md2man/" were
    # replaced by an e-mail-obfuscation placeholder on the page this listing
    # was copied from. Restore the original `<module>@<version>` before use,
    # and keep the version pinned so the installed tool does not drift.
    - run: go install github.com/cpuguy83/go-md2man/[email protected]
    - run: make man
# Make sure binaries compile with other platforms
#
# Each matrix entry is a GOOS/GOARCH (and optional GOARM) target. The
# "Install deps" step installs the matching cross toolchain and records
# CGO_ENABLED / CC in $GITHUB_ENV for the build step.
crossbuild:
  name: Crossbuild Binaries
  needs: [linters, protos, man]
  runs-on: ubuntu-20.04
  timeout-minutes: 10
  strategy:
    # One failing target does not cancel the remaining targets.
    fail-fast: false
    matrix:
      include:
        - goos: linux
          goarch: arm64
        - goos: linux
          goarch: arm
          goarm: "7"
        - goos: linux
          goarch: arm
          goarm: "5"
        - goos: linux
          goarch: ppc64le
        - goos: linux
          goarch: riscv64
        - goos: freebsd
          goarch: amd64
        - goos: freebsd
          goarch: arm64
        - goos: windows
          goarch: arm
          goarm: "7"
  steps:
    - uses: actions/checkout@v4
    - uses: ./.github/actions/install-go
    # The ${{ matrix.* }} expressions are substituted into the script text
    # before the shell runs it. Here the values come only from the static
    # matrix above; if a value ever comes from event data, pass it through
    # `env:` instead of inlining it in the script.
    # The freebsd targets match no `case` arm, so they only get libbtrfs-dev
    # and no CGO_ENABLED / CC override.
    - run: |
        set -e -x
        packages="libbtrfs-dev"
        platform="${{matrix.goos}}/${{matrix.goarch}}"
        if [ -n "${{matrix.goarm}}" ]; then
          platform+="/v${{matrix.goarm}}"
        fi
        case "${platform}" in
          linux/arm/v5)
            packages+=" crossbuild-essential-armel"
            echo "CGO_ENABLED=1" >> $GITHUB_ENV
            echo "CC=arm-linux-gnueabi-gcc" >> $GITHUB_ENV
            ;;
          linux/arm/v7)
            packages+=" crossbuild-essential-armhf"
            echo "CGO_ENABLED=1" >> $GITHUB_ENV
            echo "CC=arm-linux-gnueabihf-gcc" >> $GITHUB_ENV
            ;;
          linux/arm64)
            packages+=" crossbuild-essential-arm64"
            echo "CGO_ENABLED=1" >> $GITHUB_ENV
            echo "CC=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
            ;;
          linux/ppc64le)
            packages+=" crossbuild-essential-ppc64el"
            echo "CGO_ENABLED=1" >> $GITHUB_ENV
            echo "CC=powerpc64le-linux-gnu-gcc" >> $GITHUB_ENV
            ;;
          linux/riscv64)
            packages+=" crossbuild-essential-riscv64"
            echo "CGO_ENABLED=1" >> $GITHUB_ENV
            echo "CC=riscv64-linux-gnu-gcc" >> $GITHUB_ENV
            ;;
          windows/arm/v7)
            echo "CGO_ENABLED=0" >> $GITHUB_ENV
            ;;
        esac
        if [ -n "${packages}" ]; then
          sudo apt-get update && sudo apt-get install -y ${packages}
        fi
      name: Install deps
    # GOOS / GOARCH / GOARM select the cross-compilation target.
    - name: Build
      env:
        GOOS: ${{matrix.goos}}
        GOARCH: ${{matrix.goarch}}
        GOARM: ${{matrix.goarm}}
      run: |
        make build
        make binaries
#
# Build containerd binaries
#
# Native build on every OS in the matrix, once per listed Go version.
binaries:
  name: Binaries
  runs-on: ${{ matrix.os }}
  timeout-minutes: 10
  needs: [linters, protos, man]
  strategy:
    matrix:
      os: [ubuntu-20.04, actuated-arm64-4cpu-16gb, macos-12, windows-2019, windows-2022]
      # Quoted so YAML keeps the versions as strings rather than numbers.
      go-version: ["1.22.7", "1.23.1"]
  steps:
    - name: Install dependencies
      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'actuated-arm64-4cpu-16gb'
      run: |
        sudo apt-get update
        sudo apt-get install -y libbtrfs-dev
    # Use the workspace as GOPATH and put its bin/ directory on PATH.
    - name: Set env
      shell: bash
      run: |
        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
    - uses: actions/checkout@v4
      with:
        path: src/github.com/containerd/containerd
    # Overrides the local action's Go version with the matrix value.
    - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
      with:
        go-version: ${{ matrix.go-version }}
    - name: Make
      run: |
        make build
        make binaries
      working-directory: src/github.com/containerd/containerd
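#
# Integration and CRI tests
#
# Builds containerd and the runhcs shim on Windows, then runs the unit, root
# and integration suites and uploads the JUnit reports.
integration-windows:
  name: Windows Integration
  runs-on: ${{ matrix.os }}
  timeout-minutes: 35
  needs: [linters, protos, man]
  env:
    # Test runner prefix used by the Makefile targets below.
    GOTEST: gotestsum --
  strategy:
    # One failing OS does not cancel the other.
    fail-fast: false
    matrix:
      os: [windows-2019, windows-2022]
  defaults:
    run:
      shell: bash
      working-directory: src/github.com/containerd/containerd
  steps:
    - uses: actions/checkout@v4
      with:
        path: src/github.com/containerd/containerd
    - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
    # Second checkout: hcsshim sources, used to build the shim below.
    - uses: actions/checkout@v4
      with:
        repository: Microsoft/hcsshim
        path: src/github.com/Microsoft/hcsshim
    - name: Set env
      run: |
        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
        echo "${{ github.workspace }}/src/github.com/containerd/containerd/bin" >> $GITHUB_PATH
    - run: script/setup/install-dev-tools
    # needs to be a separate step since terminal reload is required to bring in new env variables and PATH
    - name: Upgrade Chocolaty on Windows 2019
      if: matrix.os == 'windows-2019'
      shell: powershell
      run: .\script\setup\upgrade_chocolaty_windows_2019.ps1
    - name: Upgrade MinGW on Windows 2019
      if: matrix.os == 'windows-2019'
      shell: powershell
      run: .\script\setup\upgrade_mingw_windows_2019.ps1
    # Builds containerd, then checks hcsshim out at the revision recorded in
    # go.mod and builds containerd-shim-runhcs-v1.exe from it, so the shim
    # under test matches the module version containerd declares.
    - name: Binaries
      env:
        CGO_ENABLED: "1"
      run: |
        set -o xtrace
        mingw32-make.exe binaries
        bindir="$(pwd)"
        SHIM_COMMIT=$(grep 'Microsoft/hcsshim ' go.mod | awk '{print $2}')
        cd ../../Microsoft/hcsshim
        git fetch --tags origin "${SHIM_COMMIT}"
        git checkout "${SHIM_COMMIT}"
        GO111MODULE=on go build -mod=vendor -o "${bindir}/integration/client/containerd-shim-runhcs-v1.exe" ./cmd/containerd-shim-runhcs-v1
    - run: script/setup/install-gotestsum
    - name: Tests
      env:
        CGO_ENABLED: "1"
        # The name must end in -junit.xml, otherwise the upload step's
        # `*-junit.xml` glob does not pick this report up.
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-unit-root-junit.xml
      run: mingw32-make.exe test root-test
    - name: Integration 1
      env:
        CGO_ENABLED: "1"
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
      run: mingw32-make.exe integration
    # Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/1759
    - name: Integration 2
      env:
        TESTFLAGS_PARALLEL: "1"
        EXTRA_TESTFLAGS: "-short"
        CGO_ENABLED: "1"
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
      run: mingw32-make.exe integration
    # Reports are uploaded even when an earlier step failed.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        name: TestResults ${{ matrix.os }}
        path: |
          ${{github.workspace}}/*-junit.xml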
# Linux integration, CRI integration and critest runs for each
# runtime / runc flavour / OS combination left after the excludes.
integration-linux:
  name: Linux Integration
  runs-on: ${{ matrix.os }}
  timeout-minutes: 40
  needs: [linters, protos, man]
  strategy:
    fail-fast: false
    matrix:
      runtime: [io.containerd.runtime.v1.linux, io.containerd.runc.v1, io.containerd.runc.v2]
      runc: [runc, crun]
      exclude:
        # crun is only exercised with io.containerd.runc.v2.
        - runtime: io.containerd.runc.v1
          runc: crun
        - runtime: io.containerd.runtime.v1.linux
          runc: crun
        # runc.v1 doesn't support cgroupv2
        - runtime: io.containerd.runc.v1
          os: actuated-arm64-4cpu-16gb
        # shim.v1 doesn't support cgroupv2
        - runtime: io.containerd.runtime.v1.linux
          os: actuated-arm64-4cpu-16gb
      os: [ubuntu-20.04, actuated-arm64-4cpu-16gb]
  env:
    # Test runner prefix used by the Makefile targets below.
    GOTEST: gotestsum --
  steps:
    - uses: actions/checkout@v4
    - uses: ./.github/actions/install-go
    # The CNI plugins version is read from the containernetworking/plugins
    # line in go.mod, so the installed plugins follow the module version the
    # repository declares.
    # NOTE(review): this step runs `apt-get install` without a preceding
    # `apt-get update`; confirm the runner image's package index is fresh
    # enough for these packages.
    - name: Install containerd dependencies
      env:
        RUNC_FLAVOR: ${{ matrix.runc }}
      run: |
        sudo apt-get install -y gperf libbtrfs-dev dmsetup strace xfsprogs
        script/setup/install-seccomp
        script/setup/install-runc
        script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}')
        script/setup/install-critools
        script/setup/install-failpoint-binaries
    # NOTE(review): criu comes from a third-party PPA (ppa:criu/ppa), so the
    # job trusts that archive's signing key and whatever it publishes.
    - name: Install criu
      # NOTE: Required actuated enable CONFIG_CHECKPOINT_RESTORE
      #
      # REF: https://criu.org/Linux_kernel
      if: matrix.os != 'actuated-arm64-4cpu-16gb'
      run: |
        sudo add-apt-repository ppa:criu/ppa
        sudo apt-get update
        sudo apt-get install -y criu
    # Builds from the vendored modules and installs as root, keeping the
    # caller's environment and PATH (`sudo -E PATH=$PATH`).
    - name: Install containerd
      env:
        CGO_ENABLED: 1
      run: |
        make binaries GO_BUILD_FLAGS="-mod=vendor"
        sudo -E PATH=$PATH make install
    - run: script/setup/install-gotestsum
    # Unit tests run unprivileged; root-test runs the same way under sudo.
    - name: Tests
      env:
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-unit-root-junit.xml
      run: |
        make test
        sudo -E PATH=$PATH make root-test
    # First (serial) integration run with the race detector. For the crun
    # flavour, `-no-criu` is passed through EXTRA_TESTFLAGS.
    - name: Integration 1
      env:
        TEST_RUNTIME: ${{ matrix.runtime }}
        RUNC_FLAVOR: ${{ matrix.runc }}
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
      run: |
        extraflags=""
        [ "${RUNC_FLAVOR}" == "crun" ] && {
          extraflags="EXTRA_TESTFLAGS=-no-criu";
        }
        sudo -E PATH=$PATH make integration ${extraflags} TESTFLAGS_RACE=-race
    # Run the integration suite a second time. See discussion in github.com/containerd/containerd/pull/1759
    - name: Integration 2
      env:
        TEST_RUNTIME: ${{ matrix.runtime }}
        RUNC_FLAVOR: ${{ matrix.runc }}
        GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
      run: |
        extraflags=""
        [ "${RUNC_FLAVOR}" == "crun" ] && {
          extraflags="EXTRA_TESTFLAGS=-no-criu";
        }
        sudo -E PATH=$PATH TESTFLAGS_PARALLEL=1 make integration ${extraflags}
    - name: CRI Integration Test
      env:
        TEST_RUNTIME: ${{ matrix.runtime }}
      run: |
        CONTAINERD_RUNTIME=$TEST_RUNTIME make cri-integration
    # Starts a throw-away containerd as root with its socket, root and state
    # directories under a fresh temp dir inside the workspace, points the CRI
    # runc runtime at the matrix runtime, and runs critest against it. The
    # EXIT trap stops containerd, prints its log and removes the temp dir.
    - name: cri-tools critest
      env:
        TEST_RUNTIME: ${{ matrix.runtime }}
      run: |
        BDIR="$(mktemp -d -p $PWD)"
        function cleanup() {
          sudo pkill containerd || true
          cat ${BDIR}/containerd-cri.log
          sudo -E rm -rf ${BDIR}
        }
        trap cleanup EXIT
        mkdir -p ${BDIR}/{root,state}
        cat > ${BDIR}/config.toml <<EOF
          version = 2
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "${TEST_RUNTIME}"
        EOF
        sudo ls /etc/cni/net.d
        sudo -E PATH=$PATH /usr/local/bin/containerd -a ${BDIR}/c.sock --config ${BDIR}/config.toml --root ${BDIR}/root --state ${BDIR}/state --log-level debug &> ${BDIR}/containerd-cri.log &
        sudo -E PATH=$PATH /usr/local/bin/ctr -a ${BDIR}/c.sock version
        sudo -E PATH=$PATH critest --report-dir "${{github.workspace}}/critestreport" --runtime-endpoint=unix:///${BDIR}/c.sock --parallel=8
    # Log the status of this VM to investigate issues like
    # https://github.com/containerd/containerd/issues/4969
    - name: Host Status
      if: always()
      run: |
        set -x
        mount
        df
        losetup -l
    # Kernel modules and kernel log, collected only when the job failed.
    - name: Kernel Message
      if: failure()
      run: |
        sudo lsmod
        sudo dmesg -T -f kern
    # Reports are uploaded even when an earlier step failed. The artifact
    # name includes runtime, runc flavour and OS, so each matrix cell gets its
    # own artifact.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        name: TestResults ${{ matrix.runtime }} ${{matrix.runc}} ${{ matrix.os }}
        path: |
          *-junit.xml
          ${{github.workspace}}/critestreport/*.xml
# Unit tests on macOS; the JUnit report is uploaded as an artifact.
tests-mac-os:
  name: MacOS unit tests
  runs-on: macos-12
  timeout-minutes: 10
  needs: [linters, protos, man]
  env:
    # Test runner prefix used by `make test`.
    GOTEST: gotestsum --
  steps:
    - uses: actions/checkout@v4
    - uses: ./.github/actions/install-go
    - run: script/setup/install-gotestsum
    - name: Tests
      env:
        GOTESTSUM_JUNITFILE: "${{ github.workspace }}/macos-test-junit.xml"
      run: make test
    # The report is uploaded even when the test step failed.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        name: TestResults MacOS
        path: |
          *-junit.xml
# Integration and CRI tests inside Vagrant/libvirt guests with SELinux set to
# Enforcing, one guest image per `box` matrix entry.
vagrant:
  name: Vagrant
  runs-on: ubuntu-latest-4-cores
  timeout-minutes: 45
  needs: [linters, protos, man]
  strategy:
    fail-fast: false
    matrix:
      # Currently crun is disabled to decrease CI flakiness.
      # We can enable crun again when we get a better CI infra.
      runc: [runc]
      box:
        - fedora/39-cloud-base
        # We have to keep EL8 to test old glibc, cgroup, kernel, etc.
        # The image was changed from rockylinux/8 to almalinux/8,
        # as the former one no longer works:
        # https://github.com/containerd/containerd/pull/10297
        - almalinux/8
  env:
    GOTEST: gotestsum --
    BOX: ${{ matrix.box }}
  steps:
    - uses: actions/checkout@v4
    # NOTE(review): the step name says ~/.vagrant.d/boxes but the cached path
    # is all of /root/.vagrant.d, while the cgroup2-misc job in this file
    # caches /root/.vagrant.d/boxes. Confirm which path is intended and that
    # the runner user can read it.
    - name: "Cache ~/.vagrant.d/boxes"
      uses: actions/cache@v4
      with:
        path: /root/.vagrant.d
        key: vagrant-${{ matrix.box }}
    # Adds HashiCorp's apt repository. The key is downloaded over HTTPS and
    # stored in a dedicated keyring that `signed-by` scopes to this one
    # repository; no key fingerprint is checked in this step.
    # NOTE(review): the Vagrant plugins are installed as root without a
    # version pin, so a new plugin release changes what this job runs.
    - name: Set up Vagrant
      run: |
        # Canonical's Vagrant 2.2.19 dpkg cannot download Fedora 38 image: https://bugs.launchpad.net/vagrant/+bug/2017828
        # So we have to install Vagrant >= 2.3.1 from the upstream: https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
        curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
        echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
        sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
        sudo apt-get update
        sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
        sudo systemctl enable --now libvirtd
        sudo apt-get build-dep -y vagrant ruby-libvirt
        sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
        sudo vagrant plugin install vagrant-libvirt vagrant-scp
    # NOTE(review): the matrix no longer lists rockylinux/8, so the branch
    # below looks unreachable. BOX_VERSION is also not passed on the `sudo`
    # command line the way BOX is - confirm whether the branch can be removed.
    - name: Vagrant start
      run: |
        if [ "$BOX" = "rockylinux/8" ]; then
          # The latest version 5.0.0 seems 404 (as of March 30, 2022)
          export BOX_VERSION="4.0.0"
        fi
        sudo BOX=$BOX vagrant up --no-tty
    # Re-runs `vagrant up` with only the named provisioners.
    # NOTE(review): BOX is forwarded on the sudo command line, but RUNC_FLAVOR,
    # SELINUX and GOTESTSUM_JUNITFILE are only in the step environment -
    # verify they reach the provisioners through sudo on this runner.
    - name: Integration
      env:
        RUNC_FLAVOR: ${{ matrix.runc }}
        SELINUX: Enforcing
        GOTESTSUM_JUNITFILE: /tmp/test-integration-junit.xml
      run: sudo BOX=$BOX vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-integration
    - name: CRI test
      env:
        RUNC_FLAVOR: ${{ matrix.runc }}
        SELINUX: Enforcing
        REPORT_DIR: /tmp/critestreport
      run: sudo BOX=$BOX vagrant up --provision-with=selinux,install-runc,install-gotestsum,test-cri
    # Copies the reports out of the guest even when a test step failed.
    - name: Get test reports
      if: always()
      run: |
        sudo vagrant scp :/tmp/test-integration-junit.xml "${{ github.workspace }}/"
        sudo vagrant scp :/tmp/critestreport "${{ github.workspace }}/critestreport"
    # NOTE(review): this job's matrix defines `runc` and `box` but no
    # `runtime`, so ${{ matrix.runtime }} expands to an empty string, and both
    # box entries appear to produce the same artifact name within one run.
    # Confirm upload-artifact@v4 accepts that, or add a per-box component
    # that is valid in an artifact name.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        # ${{ matrix.box }} cannot be used here due to character limitation
        name: TestResults vagrant ${{ github.run_id }} ${{ matrix.runtime }} ${{matrix.runc}}
        path: |
          ${{github.workspace}}/*-junit.xml
          ${{github.workspace}}/critestreport/*
# Runs the CRI tests inside a user namespace created by rootless Podman, in a
# Vagrant guest.
cgroup2-misc:
  name: CGroupsV2 - rootless CRI test
  runs-on: ubuntu-latest-4-cores
  timeout-minutes: 45
  needs: [linters, protos, man]
  steps:
    - uses: actions/checkout@v4
    # The cache key follows the content of the Vagrantfile* files.
    - name: "Cache ~/.vagrant.d/boxes"
      uses: actions/cache@v4
      with:
        path: /root/.vagrant.d/boxes
        key: vagrant-${{ hashFiles('Vagrantfile*') }}
    # Adds HashiCorp's apt repository. The key is downloaded over HTTPS and
    # stored in a dedicated keyring that `signed-by` scopes to this one
    # repository; no key fingerprint is checked in this step.
    # NOTE(review): the Vagrant plugins are installed as root without a
    # version pin, so a new plugin release changes what this job runs.
    - name: Set up Vagrant
      run: |
        # Canonical's Vagrant 2.2.19 dpkg cannot download Fedora 38 image: https://bugs.launchpad.net/vagrant/+bug/2017828
        # So we have to install Vagrant >= 2.3.1 from the upstream: https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
        curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
        echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
        sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
        sudo apt-get update
        sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
        sudo systemctl enable --now libvirtd
        sudo apt-get build-dep -y vagrant ruby-libvirt
        sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
        sudo vagrant plugin install vagrant-libvirt vagrant-scp
    - name: Vagrant start
      run: |
        sudo vagrant up --no-tty
    # slow, so separated from the regular cgroup2 task
    #
    # Both podman commands go through `vagrant ssh`, so they run inside the
    # guest, not on the runner host. `--privileged` therefore applies to a
    # container started by rootless Podman in the guest - presumably within
    # that user's namespace; confirm against the Vagrantfile provisioning.
    - name: CRI-in-UserNS test with Rootless Podman
      run: |
        sudo vagrant up --provision-with=install-rootless-podman
        # Execute rootless podman to create the UserNS env
        sudo vagrant ssh -- podman build --target cri-in-userns -t cri-in-userns -f /vagrant/contrib/Dockerfile.test /vagrant
        sudo vagrant ssh -- podman run --rm --privileged cri-in-userns