Test rootless docker.
adelton committed Jan 20, 2024
1 parent f6837d3 commit 95f6359
Showing 1 changed file with 5 additions and 284 deletions.
289 changes: 5 additions & 284 deletions .github/workflows/build-test.yaml
Expand Up @@ -14,15 +14,8 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ fedora-rawhide, fedora-39, fedora-38, centos-9-stream, centos-8-stream, rocky-9, rocky-8, almalinux-9, almalinux-8, centos-7 ]
os: [ fedora-rawhide, fedora-39, centos-8-stream, rocky-9 ]
docker: [ docker ]
include:
- os: rhel-9
docker: podman
- os: rhel-8
docker: podman
- os: rhel-7
docker: podman
timeout-minutes: 15
steps:
- name: Install podman 4.*
Expand Down Expand Up @@ -98,7 +91,7 @@ jobs:
path: freeipa-server-${{ matrix.os }}
retention-days: 1

test-docker:
test-docker-rootless:
name: Run with docker
runs-on: ubuntu-22.04
needs: [ build ]
Expand All @@ -119,11 +112,12 @@ jobs:
- os: centos-8-stream
readonly: --read-only
ca: --external-ca
os: [ fedora-38, rhel-9, rhel-8, almalinux-9 ]
os: [ rocky-9 ]
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/docker-cgroups-ubuntu-22
- name: Use Docker in rootless mode.
uses: ScribeMD/rootless-docker@0.2.2
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
Expand All @@ -141,276 +135,3 @@ jobs:
if: ${{ failure() }}
run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}

test-docker-20-04:
name: Run with docker on Ubuntu 20.04
runs-on: ubuntu-20.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
include:
- os: fedora-39
readonly: --read-only
- os: centos-8-stream
readonly: --read-only
- os: centos-7
protected_regular: unset
- os: rhel-7
protected_regular: unset
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
- name: Disable fs.protected_regular
if: ${{ matrix.protected_regular == 'unset' }}
run: sudo sysctl fs.protected_regular=0
- name: Run master and replica
run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
- name: Run partial tests
if: ${{ failure() }}
run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}

test-podman:
name: Run with sudo podman
runs-on: ubuntu-22.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
os: [ fedora-39, centos-8-stream ]
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | sudo podman load
- name: Run master and replica
run: docker='sudo podman' tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
- name: Run partial tests
if: ${{ failure() }}
run: docker='sudo podman' tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}

test-rootless-podman:
name: Run with rootless podman
runs-on: ubuntu-22.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
os: [ fedora-39, rhel-9, rhel-8, centos-8-stream, rocky-9, rocky-8, almalinux-8 ]
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
- name: Run master
run: docker=podman tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f
- name: Run partial tests
if: ${{ failure() }}
run: docker=podman tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}

test-upgrade:
name: Upgrade from older version or build
runs-on: ubuntu-22.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
include:
- os: fedora-39
data-from: fedora-38
- os: fedora-39
data-from: fedora-37
- os: rhel-8
data-from: centos-8
- os: centos-8-stream
data-from: centos-8
- os: rocky-8
data-from: centos-8
- os: almalinux-8
data-from: centos-8
timeout-minutes: 20
steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/docker-cgroups-ubuntu-22
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
- name: Populate volume with data
run: docker volume create loaded-data && docker create --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop && mkdir /tmp/freeipa-data && docker run --security-opt label=disable --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out'
- name: Run master and replica
run: VOLUME=/tmp/freeipa-data replica=none tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}

test-upgrade-podman:
name: Upgrade from older version with podman
runs-on: ubuntu-22.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
include:
- os: fedora-39
data-from: fedora-38
timeout-minutes: 20
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
- name: Populate volume with data
run: podman volume create loaded-data && podman run --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop || true
- name: Copy the content of the volume to directory
run: mkdir /tmp/freeipa-data && podman run --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out'
- name: Run master and replica
run: docker=podman VOLUME=/tmp/freeipa-data replica=none tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}

test-upgrade-20-04:
name: Upgrade from older version or build on Ubuntu 20.04
runs-on: ubuntu-20.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
include:
- os: fedora-39
data-from: fedora-38
timeout-minutes: 20
steps:
- uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
- name: Populate volume with data
run: docker volume create loaded-data && docker create --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop && mkdir /tmp/freeipa-data && docker run --security-opt label=disable --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out'
- name: Run master and replica
run: VOLUME=/tmp/freeipa-data replica=none tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}

test-k3s:
name: Run with K3s with docker
runs-on: ubuntu-22.04
needs: [ build ]
strategy:
fail-fast: false
matrix:
os: [ fedora-rawhide, fedora-39, rhel-9, rhel-8, centos-8-stream ]
timeout-minutes: 30
steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/docker-cgroups-ubuntu-22
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Decrypt artifacts that were encrypted after build
uses: ./.github/actions/decrypt-file
if: ${{ startsWith(matrix.os, 'rhel-') }}
with:
file: freeipa-server-${{ matrix.os }}.tar.gz
secret: ${{ secrets.UPLOAD_SECRET }}
- name: Download latest cri-dockerd
run: curl -s ${{ github.api_url }}/repos/Mirantis/cri-dockerd/releases/latest | jq -r '.assets[].browser_download_url' | grep jammy_amd64.deb | tee /dev/stderr | xargs curl -LO
- name: Install cri-dockerd
run: sudo apt install -y ./cri-dockerd_*.deb
- name: Unset network-plugin
run: |
sudo mkdir /etc/systemd/system/cri-docker.service.d
( echo '[Service]' ; echo 'ExecStart=' ; sed 's/ExecStart=.*/& --network-plugin=/;t;d' /lib/systemd/system/cri-docker.service ) | sudo tee /etc/systemd/system/cri-docker.service.d/network-plugin.conf
sudo systemctl daemon-reload
sudo systemctl restart cri-docker
- name: Load image
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
- name: Run K3s and master in it
run: tests/run-master-in-k3s.sh localhost/freeipa-server:${{ matrix.os }}

push-after-success:
name: Push images to registries
runs-on: ubuntu-22.04
needs: [ test-docker, test-docker-20-04, test-podman, test-rootless-podman, test-upgrade, test-upgrade-20-04, test-k3s ]
if: github.event_name != 'pull_request' && github.repository == 'freeipa/freeipa-container' && github.ref == 'refs/heads/master'
strategy:
fail-fast: false
matrix:
os: [ fedora-rawhide, fedora-39, fedora-38, centos-8-stream, rocky-9, rocky-8, almalinux-9, almalinux-8, centos-7 ]
timeout-minutes: 30
steps:
- uses: actions/download-artifact@v3
with:
name: freeipa-server-${{ matrix.os }}
- name: Prepare authentication file
run: |
cat > auth.json << 'EOF'
${{ secrets.REGISTRY_CREDENTIALS_FILE }}
EOF
- name: Copy ${{ matrix.os }} to registries
run: |
set -e
f=docker-archive:freeipa-server-${{ matrix.os }}.tar.gz
while read r ; do
if cmp \
<( skopeo inspect $r:${{ matrix.os }} \
| jq -r '.Labels."org.opencontainers.image.base.digest", .Labels."org.opencontainers.image.version"' ) \
<( skopeo inspect $f \
| jq -r '.Labels."org.opencontainers.image.base.digest", .Labels."org.opencontainers.image.version"' ) ; then
echo Built freeipa-server:${{ matrix.os }} is the same as image at ${r#docker://}, not pushing
continue
fi
echo Copying freeipa-server:${{ matrix.os }} to ${r#docker://}
skopeo copy --authfile=auth.json $f $r:${{ matrix.os }}
VERSION=$( skopeo inspect --format='{{index .Labels "org.opencontainers.image.version"}}' $f | sed 's/-.*//' )
test -n "$VERSION"
skopeo copy --authfile=auth.json $r:${{ matrix.os }} $r:${{ matrix.os }}-$VERSION
echo Tagged as ${{ matrix.os }}-$VERSION as well
done << 'EOF'
${{ secrets.REGISTRY_TARGET_LIST }}
EOF
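Review bot: The new step `uses: ScribeMD/rootless-docker@0.2.2` in the `test-docker-rootless` job pins a third-party action to a mutable tag, so anyone who can move that tag in the upstream repository gets arbitrary code execution on the runner with this job's permissions; the first-party `actions/*` steps in the file are also tag-pinned, but a community action is the higher-risk case and the one this commit introduces. Pin it to the full commit SHA the tag resolves to and keep the version in a trailing comment so Dependabot/Renovate can still track it, e.g. `uses: ScribeMD/rootless-docker@<full-commit-sha>  # 0.2.2`. This matters because the job goes on to load a downloaded artifact and, if it follows the sibling jobs' pattern, decrypts it with `secrets.UPLOAD_SECRET` — those steps lie outside the hunk, so I cannot confirm that from here. A smaller point of style: the job was renamed to `test-docker-rootless` but its display name is still `name: Run with docker`, which will be confusing in the checks UI now that the rootful variant is gone.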
