As discovered by Nicholas Iooss [1], GH Actions now supports HW-accelerated Linux VMs at least on macOS runners [2], so we can finally migrate the CI away from Travis. The new check uses Vagrant to provision the Fedora VM, as this is the simplest way to get it to work on macOS. Unfortunately there is no Rawhide image provided in the official Vagrant repos, so for now the testsuite is run only on Fedora 33. I'd like to add Rawhide in the future, but let's start with the low-hanging fruit. [1] https://github.com/SELinuxProject/selinux/commit/316a4f89dd502d6f2b072f76af16de320c1cf673 [2] https://github.com/actions/virtual-environments/issues/433#issuecomment-618872784 Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- .github/workflows/checks.yml | 27 +++++++ .travis.yml | 40 ---------- Vagrantfile | 65 ++++++++++++++++ travis-ci/LICENSE | 5 -- travis-ci/run-kvm-test.sh | 141 ----------------------------------- travis-ci/run-testsuite.sh | 58 -------------- 6 files changed, 92 insertions(+), 244 deletions(-) create mode 100644 .github/workflows/checks.yml delete mode 100644 .travis.yml create mode 100644 Vagrantfile delete mode 100644 travis-ci/LICENSE delete mode 100755 travis-ci/run-kvm-test.sh delete mode 100755 travis-ci/run-testsuite.sh diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml new file mode 100644 index 0000000..e1e383f --- /dev/null +++ b/.github/workflows/checks.yml @@ -0,0 +1,27 @@ +name: checks +on: [push, pull_request] +jobs: + style-check: + runs-on: ubuntu-latest + container: + image: fedora:latest + steps: + - run: sudo dnf install -y astyle perltidy findutils git-core + - uses: actions/checkout@v2 + - run: tools/check-syntax -f && git diff --exit-code + fedora-test: + runs-on: macos-latest + env: + FEDORA_VERSION: 33 + steps: + - uses: actions/checkout@v2 + # macOS sometimes allows symlinks to have permissions other than 777, + # so change all symlink perms to match the Linux convention. Otherwise + # the rsync run by Vagrant will complain that it can't copy over the + # perms. + - name: Fix symlink permissions + run: find . -type link -exec chmod -h 777 \{\} \; + - name: Create a Vagrant VM + run: vagrant up + - name: Run SELinux testsuite + run: vagrant ssh -- sudo make -C /root/testsuite test diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index cba7462..0000000 --- a/.travis.yml +++ /dev/null @@ -1,40 +0,0 @@ -language: c - -dist: bionic - -env: - matrix: - - FEDORA_KIND="releases" FEDORA_MAJOR="33" - - FEDORA_KIND="development" FEDORA_MAJOR="rawhide" - -addons: - apt: - packages: - - astyle - - qemu-kvm - - libvirt-bin - - virtinst - - bridge-utils - - libguestfs-tools - - cpu-checker - - netcat - -before_install: - # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56 - - git clone https://github.com/perltidy/perltidy.git perltidy - - | - (cd perltidy && - perl Makefile.PL && - make PREFIX=/usr/local && - sudo make install PREFIX=/usr/local) - - sudo usermod -a -G kvm,libvirt,libvirt-qemu "$USER" - # Verify that KVM is working, useful if Travis ever changes anything. - - kvm-ok - - sudo systemctl enable libvirtd - - sudo systemctl start libvirtd - # Set up a key so we can ssh into the VM - - ssh-keygen -N "" -f "$HOME/.ssh/id_rsa" - -script: - - tools/check-syntax -f && git diff --exit-code - - bash travis-ci/run-kvm-test.sh travis-ci/run-testsuite.sh diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..c305fce --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,65 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# Vagrant configuration file which creates a virtual machine that can run the +# test suite. +# +# To create a new virtual machine: +# +# FEDORA_VERSION=33 vagrant up +# +# To launch tests (for example after modifications have been made): +# +# vagrant rsync && vagrant ssh -- sudo make -C /root/testsuite test +# +# To destroy the virtual machine (for example to start again from a clean environment): +# +# vagrant destroy + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + config.vm.box = "fedora/#{ENV['FEDORA_VERSION']}-cloud-base" + config.vm.synced_folder ".", "/vagrant", disabled: true + config.vm.synced_folder ".", "/root/testsuite", type: "rsync", + # need to disable '--copy-links', which is in rsync__args by default + rsync__args: ["-vzra", "--delete"] + + config.vm.provider "virtualbox" do |v| + v.memory = 4096 + end + config.vm.provider "libvirt" do |v| + v.memory = 4096 + end + + config.vm.provision :shell, inline: <<SCRIPT + dnf install -y \ + --allowerasing \ + --skip-broken \ + make \ + perl-Test \ + perl-Test-Harness \ + perl-Test-Simple \ + perl-lib \ + selinux-policy-devel \ + gcc \ + libselinux-devel \ + net-tools \ + netlabel_tools \ + nftables \ + iptables \ + lksctp-tools-devel \ + attr \ + libbpf-devel \ + keyutils-libs-devel \ + quota \ + xfsprogs-devel \ + libuuid-devel \ + e2fsprogs \ + jfsutils \ + dosfstools \ + kernel-devel-"$(uname -r)" \ + kernel-modules-"$(uname -r)" +SCRIPT +end diff --git a/travis-ci/LICENSE b/travis-ci/LICENSE deleted file mode 100644 index 1f95d26..0000000 --- a/travis-ci/LICENSE +++ /dev/null @@ -1,5 +0,0 @@ -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/travis-ci/run-kvm-test.sh b/travis-ci/run-kvm-test.sh deleted file mode 100755 index 81c57ff..0000000 --- a/travis-ci/run-kvm-test.sh +++ /dev/null @@ -1,141 +0,0 @@ -#!/usr/bin/env bash -# SPDX-License-Identifier: MIT - -# Based on SELinux userspace CI scripts from: -# https://github.com/SELinuxProject/selinux - -set -ex - -TEST_RUNNER="$1" - -if [ -z "$TEST_RUNNER" ]; then - echo "$0: expected script to be run on the command line!" 1>&2 - exit 1 -fi - -# -# Variables for controlling the Fedora Image version and download URLs. -# -if [ -z "$FEDORA_KIND" ] || [ -z "$FEDORA_MAJOR" ]; then - echo "$0: FEDORA_KIND and FEDORA_MAJOR must be set!" 1>&2 - exit 1 -fi - -BASE_URL="https://download.fedoraproject.org/pub/fedora/linux/$FEDORA_KIND/$FEDORA_MAJOR/Cloud/x86_64/images"; -GPG_URL="https://getfedora.org/static/fedora.gpg"; - -# -# Travis gives us 7.5GB of RAM and two cores: -# https://docs.travis-ci.com/user/reference/overview/ -# -MEMORY=4096 -VCPUS="$(nproc)" - -# -# Get the Fedora Cloud Image, It is a base image that small and ready to go, extract it and modify it with virt-sysprep -# - https://alt.fedoraproject.org/en/verify.html -cd "$HOME" -wget -r -nd -np -l 1 -H -e robots=off -A "*.raw.xz,*-CHECKSUM" "$BASE_URL" -latest_image="$(ls -1q *.raw.xz | tail -n 1)" -if [ -z "$latest_image" ]; then - echo "$0: no image file downloaded!" 1>&2 - exit 1 -fi - -# Verify the image (skip GPG for unsigned rawhide images) -if [ "$FEDORA_KIND" != "development" ]; then - curl "$GPG_URL" | gpg --import - gpg --verify-files ./*-CHECKSUM -fi -sha256sum --ignore-missing -c ./*-CHECKSUM - -# Extract the image -unxz -T0 "$latest_image" -latest_image="${latest_image%.xz}" - -# Search is needed for $HOME so virt service can access the image file. -chmod a+x "$HOME" - -# -# Modify the virtual image to: -# - Enable a login, we just use root -# - Enable passwordless login -# - Force a relabel to fix labels on ssh keys -# -sudo virt-sysprep -a "$latest_image" \ - --root-password password:123456 \ - --hostname fedoravm \ - --append-line '/etc/ssh/sshd_config:PermitRootLogin yes' \ - --append-line '/etc/ssh/sshd_config:PubkeyAuthentication yes' \ - --mkdir /root/.ssh \ - --upload "$HOME/.ssh/id_rsa.pub:/root/.ssh/authorized_keys" \ - --chmod '0600:/root/.ssh/authorized_keys' \ - --run-command 'chown root:root /root/.ssh/authorized_keys' \ - --copy-in "$TRAVIS_BUILD_DIR:/root" \ - --network \ - --selinux-relabel - -# -# Now we create a domain by using virt-install. This not only creates the domain, but runs the VM as well -# It should be ready to go for ssh, once ssh starts. -# -sudo virt-install \ - --name fedoravm \ - --memory $MEMORY \ - --vcpus $VCPUS \ - --disk "$latest_image" \ - --import --noautoconsole - -# -# Here comes the tricky part, we have to figure out when the VM comes up AND we need the ip address for ssh. So we -# can check the net-dhcp leases, for our host. We have to poll, and we will poll for up to 3 minutes in 6 second -# intervals, so 30 poll attempts (0-29 inclusive). -# -# We have a full reboot + relabel, so first sleep gets us close -# -sleep 30 -for i in $(seq 0 29); do - echo "loop $i" - sleep 6s - # Get the leases, but tee it so it's easier to debug - sudo virsh net-dhcp-leases default | tee dhcp-leases.txt - - # get our ipaddress - ipaddy="$(grep fedoravm dhcp-leases.txt | awk '{print $5}' | cut -d'/' -f 1-1)" - if [ -n "$ipaddy" ]; then - # found it, we're done looking, print it for debug logs - echo "ipaddy: $ipaddy" - break - fi - # it's empty/not found, loop back and try again. -done - -# Did we find it? If not die. -if [ -z "$ipaddy" ]; then - echo "$0: ipaddy zero length, exiting with error 1" 1>&2 - exit 1 -fi - -# -# Great we have a host running, ssh into it. We specify -o so -# we don't get blocked on asking to add the servers key to -# our known_hosts. Also, we need to forward the project directory -# so forks know where to go. -# - -# Check if kernel-modules-$(uname -r) can be installed from repos, -# otherwise update kernel and reboot. -if ! echo "dnf -q info --available kernel-modules-\$(uname -r)" | \ - ssh -o StrictHostKeyChecking=no -q "root@$ipaddy" -then - ssh -tt -o StrictHostKeyChecking=no -o LogLevel=QUIET "root@$ipaddy" \ - dnf update -y kernel-core - - sudo virsh reboot fedoravm - sleep 5 - while ! nc -w 10 -z "$ipaddy" 22; do sleep 0.5s; done -fi - -# And run the testsuite. -project_dir="$(basename "$TRAVIS_BUILD_DIR")" -ssh -tt -o StrictHostKeyChecking=no -o LogLevel=QUIET "root@$ipaddy" "SELINUX_DIR=/root/$project_dir /root/$project_dir/$TEST_RUNNER" diff --git a/travis-ci/run-testsuite.sh b/travis-ci/run-testsuite.sh deleted file mode 100755 index bd9073c..0000000 --- a/travis-ci/run-testsuite.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/usr/bin/env bash -# SPDX-License-Identifier: MIT - -# Based on SELinux userspace CI scripts from: -# https://github.com/SELinuxProject/selinux - -set -ex - -# CI Debug output if things go squirrely. -getenforce -id -Z -nproc -pwd - -# Turn off enforcing for the setup to prevent any weirdness from breaking -# the CI. -setenforce 0 - -dnf install -y \ - --allowerasing \ - --skip-broken \ - make \ - perl-Test \ - perl-Test-Harness \ - perl-Test-Simple \ - perl-lib \ - selinux-policy-devel \ - gcc \ - libselinux-devel \ - net-tools \ - netlabel_tools \ - nftables \ - iptables \ - lksctp-tools-devel \ - attr \ - libbpf-devel \ - keyutils-libs-devel \ - quota \ - xfsprogs-devel \ - libuuid-devel \ - e2fsprogs \ - jfsutils \ - dosfstools \ - kernel-devel-"$(uname -r)" \ - kernel-modules-"$(uname -r)" - -# -# Move to the selinux testsuite directory. -# -cd "$HOME/selinux-testsuite" - -# The testsuite must be run in enforcing mode -setenforce 1 - -# -# Run the test suite -# -make test -- 2.29.2
