CI: update dependencies

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
rootless-containers · Jul 16, 2024 · 5d99513 · 5d99513
1 parent df2f16d
commit 5d99513
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 19 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -3,27 +3,38 @@ on: [push, pull_request]
 jobs:
   test-unit:
     name: "Unit test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build unit test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-unit --target test-unit .
     - name: "Unit test"
       run: docker run --rm --privileged rootlesskit:test-unit
   test-cross:
     name: "Cross compilation test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: "Build binaries"
       run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
   test-integration:
     name: "Integration test"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
+    - name: "Set up AppArmor"
+      run: |
+        cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
+        abi <abi/4.0>,
+        include <tunables/global>
+
+        /home/user/bin/rootlesskit flags=(unconfined) {
+          userns,
+        }
+        EOT
+        sudo systemctl restart apparmor.service
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build integration test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration --target test-integration .
     - name: "Integration test: exit-code"
@@ -174,10 +185,21 @@ jobs:
 
   test-integration-docker:
     name: "Integration test (Docker)"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
+    - name: "Set up AppArmor"
+      run: |
+        cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit"
+        abi <abi/4.0>,
+        include <tunables/global>
+
+        /home/user/bin/rootlesskit flags=(unconfined) {
+          userns,
+        }
+        EOT
+        sudo systemctl restart apparmor.service
     - name: "Check out"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: "Build integration test image"
       run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker .
     - name: "Create a custom network to avoid IP confusion"

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ jobs:
   release:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: "Build binaries"
       run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
     - name: "SHA256SUMS"

diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
 ARG GO_VERSION=1.22
-ARG UBUNTU_VERSION=22.04
-ARG SHADOW_VERSION=4.13
+ARG UBUNTU_VERSION=24.04
+ARG SHADOW_VERSION=4.16.0
 ARG SLIRP4NETNS_VERSION=v1.3.1
 ARG VPNKIT_VERSION=0.5.0
-ARG PASST_VERSION=2023_12_30.f091893
-ARG DOCKER_VERSION=25.0.2
+ARG PASST_VERSION=2024_06_24.1ee2eca
+ARG DOCKER_VERSION=27.0.3
 ARG DOCKER_CHANNEL=stable
 
 FROM golang:${GO_VERSION}-alpine AS build
@@ -35,7 +35,7 @@ CMD ["go","test","-v","-race","github.com/rootless-containers/rootlesskit/..."]
 # idmap runnable without --privileged (but still requires seccomp=unconfined apparmor=unconfined)
 FROM ubuntu:${UBUNTU_VERSION} AS idmap
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y automake autopoint bison gettext git gcc libcap-dev libtool make
+RUN apt-get update && apt-get install -y automake autopoint bison gettext git gcc libbsd-dev libcap-dev libtool make pkg-config
 RUN git clone https://github.com/shadow-maint/shadow.git /shadow
 WORKDIR /shadow
 ARG SHADOW_VERSION
@@ -69,8 +69,8 @@ COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap
 COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap
 RUN /sbin/setcap cap_setuid+eip /usr/bin/newuidmap && \
   /sbin/setcap cap_setgid+eip /usr/bin/newgidmap && \
-  useradd --create-home --home-dir /home/user --uid 1000 user && \
-  mkdir -p /run/user/1000 /etc/lxc && \
+  useradd --create-home --home-dir /home/user --uid 2000 user && \
+  mkdir -p /run/user/2000 /etc/lxc && \
   echo "user veth lxcbr0 32" > /etc/lxc/lxc-usernet && \
   echo "user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/user
 COPY --from=artifact /rootlesskit /home/user/bin/
@@ -81,11 +81,11 @@ RUN curl -sSL -o /home/user/bin/slirp4netns https://github.com/rootless-containe
 COPY --from=vpnkit /vpnkit /home/user/bin/vpnkit
 COPY --from=passt /usr/local /usr/local
 ADD ./hack /home/user/hack
-RUN chown -R user:user /run/user/1000 /home/user
+RUN chown -R user:user /run/user/2000 /home/user
 USER user
 ENV HOME /home/user
 ENV USER user
-ENV XDG_RUNTIME_DIR=/run/user/1000
+ENV XDG_RUNTIME_DIR=/run/user/2000
 ENV PATH /home/user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV LD_LIBRARY_PATH=/home/user/lib
 WORKDIR /home/user/hack
@@ -99,7 +99,7 @@ RUN curl -fsSL -o /home/user/bin/dockerd-rootless.sh https://raw.githubuserconte
   chmod +x /home/user/bin/dockerd-rootless.sh
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin
-ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+ENV DOCKER_HOST=unix:///run/user/2000/docker.sock
 RUN mkdir -p /home/user/.local
 VOLUME /home/user/.local
 CMD ["dockerd-rootless.sh"]
diff --git a/hack/benchmark-iperf3-net.sh b/hack/benchmark-iperf3-net.sh
@@ -43,6 +43,7 @@ function benchmark::iperf3::lxc-user-nic() {
 	set -x
 	# ignore "lxc-net is already running" error
 	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || true
+	sudo /etc/init.d/lxc-net start
 	ip=$(ip -4 -o addr show $dev | awk '{print $4}' | cut -d "/" -f 1)
 	$ROOTLESSKIT --state-dir=$statedir --net=lxc-user-nic $@ -- $IPERF3C $ip
 	set +x

diff --git a/hack/integration-net.sh b/hack/integration-net.sh
@@ -17,5 +17,6 @@ set -x
 if [ "${net}" = "lxc-user-nic" ]; then
 	# ignore "lxc-net is already running" error
 	sudo /usr/lib/$(uname -m)-linux-gnu/lxc/lxc-net start || true
+	sudo /etc/init.d/lxc-net start || true
 fi
 $ROOTLESSKIT --net=${net} --copy-up=/etc --copy-up=/run --disable-host-loopback ${flags} -- nslookup example.com