[test] Checking if criu cgroup v1 kludges help
Testing criu PR 2545.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Iteration 4 - 2024-12-17 20:22:55
kolyshkin committed Dec 18, 2024
1 parent aace922 commit 3aba938
Showing 4 changed files with 31 additions and 404 deletions.
104 changes: 24 additions & 80 deletions .cirrus.yml
Expand Up @@ -7,70 +7,6 @@
# NOTE Cirrus execution environments lack a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.

task:
timeout_in: 30m

env:
DEBIAN_FRONTEND: noninteractive
HOME: /root
# yamllint disable rule:key-duplicates
matrix:
DISTRO: fedora

name: vagrant DISTRO:$DISTRO

compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
nested_virtualization: true
# CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
cpu: 4
# Memory limit: `4GB * NCPU`
memory: 16G

host_info_script: |
uname -a
# -----
cat /etc/os-release
# -----
df -T
# -----
cat /proc/cpuinfo
install_libvirt_vagrant_script: |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
apt-get update
apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
systemctl enable --now libvirtd
apt-get build-dep -y vagrant ruby-libvirt
apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
vagrant plugin install vagrant-libvirt
vagrant_cache:
fingerprint_script: cat Vagrantfile.$DISTRO
folder: /root/.vagrant.d/boxes
vagrant_up_script: |
ln -sf Vagrantfile.$DISTRO Vagrantfile
# Retry if it fails (download.fedoraproject.org returns 404 sometimes)
vagrant up --no-tty || vagrant up --no-tty
mkdir -p -m 0700 /root/.ssh
vagrant ssh-config >> /root/.ssh/config
guest_info_script: |
ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus && rpm -q container-selinux"'
check_config_script: |
ssh default /vagrant/script/check-config.sh
unit_tests_script: |
ssh default 'sudo -i make -C /vagrant localunittest'
integration_systemd_script: |
ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
integration_fs_script: |
ssh -tt default "sudo -i make -C /vagrant localintegration"
integration_systemd_rootless_script: |
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
integration_fs_rootless_script: |
ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
task:
timeout_in: 30m

Expand All @@ -79,7 +15,7 @@ task:
CIRRUS_WORKING_DIR: /home/runc
GO_VERSION: "1.23"
BATS_VERSION: "v1.9.0"
RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
RPMS: gcc git glibc-static libseccomp-devel make fuse-sshfs container-selinux gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libselinux-devel protobuf-c-devel protobuf-devel libdrm-devel
# yamllint disable rule:key-duplicates
matrix:
DISTRO: almalinux-8
Expand All @@ -100,6 +36,7 @@ task:
yum config-manager --set-enabled powertools # for glibc-static
;;
*-9)
RPMS="$RPMS nftables-devel libbsd-devel"
dnf config-manager --set-enabled crb # for glibc-static
dnf -y install epel-release # for fuse-sshfs
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
Expand Down Expand Up @@ -128,6 +65,10 @@ task:
git checkout $BATS_VERSION
./install.sh /usr/local
cd -
# Install CRIU
# Testing https://github.com/checkpoint-restore/criu/pull/2545
git clone https://github.com/kolyshkin/criu.git ~/criu
(cd ~/criu && git checkout freeze-kludges && sudo make install-criu)
# Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
Expand All @@ -147,6 +88,8 @@ task:
sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
systemctl restart sshd
host_info_script: |
criu --version
# -----
uname -a
# -----
/usr/local/go/bin/go version
Expand All @@ -162,19 +105,20 @@ task:
cat /proc/cpuinfo
check_config_script: |
/home/runc/script/check-config.sh
unit_tests_script: |
unit_tests_1_script: |
ssh -tt localhost "make -C /home/runc localunittest"
integration_systemd_script: |
ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
integration_fs_script: |
ssh -tt localhost "make -C /home/runc localintegration"
integration_systemd_rootless_script: |
case $DISTRO in
*-8)
echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
;;
*)
ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
esac
integration_fs_rootless_script: |
ssh -tt localhost "make -C /home/runc localrootlessintegration"
criu_rpm_script: |
mv /usr/local/sbin/criu{,-removed}
yum -y install criu
hash -r
which criu
criu --version
unit_tests_stock_criu_script: |
ssh -tt localhost "make -C /home/runc localunittest"
criu_custom_script: |
mv /usr/local/sbin/criu{-removed,}
hash -r
which criu
criu --version
unit_tests_2_script: |
ssh -tt localhost 'make -C /home/runc localunittest'
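Review bot: The added "Install CRIU" lines clone `https://github.com/kolyshkin/criu.git` and run `git checkout freeze-kludges && sudo make install-criu`, so CI builds and installs as root whatever that personal-fork branch points to at run time, and a re-run of this same commit can end up testing different code. Pinning to the exact commit under test keeps the result reproducible and reviewable: `(cd ~/criu && git checkout <PR-2545-head-commit-sha> && sudo make install-criu)` (placeholder; the SHA is not shown on this page). Logging `git rev-parse HEAD` in the same step, before `make`, would record what was actually built alongside the later `criu --version` output. The same clone-and-checkout lines appear in the criu build step of `.github/workflows/test.yml`.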
68 changes: 6 additions & 62 deletions .github/workflows/test.yml
Expand Up @@ -23,26 +23,11 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04, ubuntu-24.04, actuated-arm64-6cpu-8gb]
os: [ubuntu-20.04]
go-version: [1.22.x, 1.23.x]
rootless: ["rootless", ""]
rootless: [""]
race: ["-race", ""]
criu: ["", "criu-dev"]
exclude:
# Disable most of criu-dev jobs, as they are expensive
# (need to compile criu) and don't add much value/coverage.
- criu: criu-dev
go-version: 1.22.x
- criu: criu-dev
rootless: rootless
- criu: criu-dev
race: -race
- go-version: 1.22.x
os: actuated-arm64-6cpu-8gb
- race: "-race"
os: actuated-arm64-6cpu-8gb
- criu: criu-dev
os: actuated-arm64-6cpu-8gb

runs-on: ${{ matrix.os }}

Expand Down Expand Up @@ -122,10 +107,11 @@ jobs:
if: ${{ matrix.criu != '' }}
run: |
sudo apt -qy install \
libcap-dev libnet1-dev libnl-3-dev \
libbsd-dev libcap-dev libnet1-dev libnftables-dev libnl-3-dev \
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
git clone https://github.com/checkpoint-restore/criu.git ~/criu
(cd ~/criu && git checkout ${{ matrix.criu }} && sudo make install-criu)
# Testing https://github.com/checkpoint-restore/criu/pull/2545
git clone https://github.com/kolyshkin/criu.git ~/criu
(cd ~/criu && git checkout freeze-kludges && sudo make install-criu)
rm -rf ~/criu
- name: install go ${{ matrix.go-version }}
Expand All @@ -137,52 +123,10 @@ jobs:
- name: build
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all

- name: Setup Bats and bats libs
uses: bats-core/bats-action@3.0.0
with:
bats-version: 1.9.0
support-install: false
assert-install: false
detik-install: false
file-install: false

- name: Allow userns for runc
# https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
if: matrix.os == 'ubuntu-24.04'
run: |
sed "s;^profile runc /usr/sbin/;profile runc-test $PWD/;" < /etc/apparmor.d/runc | sudo apparmor_parser
- name: unit test
if: matrix.rootless != 'rootless'
run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest

- name: add rootless user
if: matrix.rootless == 'rootless'
run: |
sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key
sudo mkdir -m 0700 -p /home/rootless/.ssh
sudo cp $HOME/rootless.key /home/rootless/.ssh/id_ecdsa
sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
sudo chown -R rootless.rootless /home/rootless
sudo chmod a+X $HOME # for Ubuntu 22.04 and later
- name: integration test (fs driver)
run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'

- name: integration test (systemd driver)
# Skip rootless+systemd for ubuntu 20.04 because of cgroup v1.
if: ${{ !(matrix.os == 'ubuntu-20.04' && matrix.rootless == 'rootless') }}
run: |
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
# The default (since systemd v252) is "pids memory cpu".
sudo mkdir -p /etc/systemd/system/user@.service.d
printf "[Service]\nDelegate=yes\n" | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
sudo systemctl daemon-reload
# Run the tests.
sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
# We need to continue support for 32-bit ARM.
# However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
# We are not interested in providing official support for i386.
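Review bot: The criu build step is still gated by `if: ${{ matrix.criu != '' }}` and, as far as the rendered line counts show, `criu: ["", "criu-dev"]` stays in the matrix, but the checkout no longer uses `${{ matrix.criu }}`, so jobs labelled `criu-dev` now build the `freeze-kludges` branch of a fork. Keeping the ref matrix-driven would make the job names match what is tested: `criu: ["", "freeze-kludges"]` with `git checkout ${{ matrix.criu }}` left as it was. If hard-coding is intended for this experiment, a comment on the matrix entry such as `# criu-dev here means kolyshkin/criu freeze-kludges (criu PR 2545)` would keep the results from being misread.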