Skip to content

Authorization refactor in preparation for fine-grained authorization #5954

Authorization refactor in preparation for fine-grained authorization

Authorization refactor in preparation for fine-grained authorization #5954

Workflow file for this run

name: Tests
on:
- push
- pull_request
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
code-tests:
env:
CGO_CFLAGS: "-I/home/runner/work/lxd/lxd-test/vendor/raft/include/ -I/home/runner/work/lxd/lxd-test/vendor/dqlite/include/"
CGO_LDFLAGS: "-L/home/runner/work/lxd/lxd-test/vendor/raft/.libs/ -L/home/runner/work/lxd/lxd-test/vendor/dqlite/.libs/"
LD_LIBRARY_PATH: "/home/runner/work/lxd/lxd-test/vendor/raft/.libs/:/home/runner/work/lxd/lxd-test/vendor/dqlite/.libs/"
CGO_LDFLAGS_ALLOW: "(-Wl,-wrap,pthread_create)|(-Wl,-z,now)"
name: Code tests
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
if: github.event_name == 'pull_request'
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: 1.18.x
- name: Install dependencies
run: |
sudo add-apt-repository ppa:ubuntu-lxc/lxc-git-master -y --no-update
sudo apt-get update
sudo apt-get install --no-install-recommends -y \
build-essential \
curl \
gettext \
git \
libacl1-dev \
libcap-dev \
libdbus-1-dev \
liblxc-dev \
lxc-templates \
libseccomp-dev \
libselinux-dev \
libsqlite3-dev \
libtool \
libudev-dev \
libuv1-dev \
make \
pkg-config \
shellcheck
python3 -m pip install flake8
- name: Download go dependencies
run: |
go mod download
- name: Make LXD tarball and unpack it
env:
CUSTOM_VERSION: "test"
run: |
make dist
tar -xzf lxd-test.tar.gz -C ~/work/lxd/
rm lxd-test.tar.gz
- name: Build LXD dependencies
run: |
cd ~/work/lxd/lxd-test
make deps
- name: Run LXD build
run: |
make
- name: Run static analysis
run: |
make static-analysis
- name: Unit tests (all)
run: |
sudo --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,CGO_LDFLAGS_ALLOW,LD_LIBRARY_PATH LD_LIBRARY_PATH=${LD_LIBRARY_PATH} go test ./...
system-tests:
env:
CGO_LDFLAGS_ALLOW: "(-Wl,-wrap,pthread_create)|(-Wl,-z,now)"
LXD_SHIFTFS_DISABLE: "true"
LXD_CEPH_CLUSTER: "ceph"
LXD_CEPH_CEPHFS: "cephfs"
LXD_CEPH_CEPHOBJECT_RADOSGW: "http://127.0.0.1"
LXD_CONCURRENT: "1"
LXD_VERBOSE: "1"
LXD_OFFLINE: "1"
LXD_TMPFS: "1"
LXD_REQUIRED_TESTS: "test_storage_buckets"
name: System tests
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
go: ["1.18.x"]
suite: ["cluster", "standalone"]
backend: ["dir", "btrfs", "lvm", "zfs", "ceph", "random"]
include:
- go: stable
suite: cluster
backend: dir
- go: stable
suite: standalone
backend: dir
- go: tip
suite: cluster
backend: dir
- go: tip
suite: standalone
backend: dir
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Go (stable)
uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go }}
if: matrix.go != 'tip'
- name: Install Go (tip)
run: |
curl -sSfL https://storage.googleapis.com/go-build-snap/go/linux-amd64/$(git ls-remote https://github.com/golang/go.git HEAD | awk '{print $1;}').tar.gz -o gotip.tar.gz
ls -lah gotip.tar.gz
mkdir -p ~/sdk/gotip
tar -C ~/sdk/gotip -xzf gotip.tar.gz
~/sdk/gotip/bin/go version
echo "PATH=$HOME/go/bin:$HOME/sdk/gotip/bin/:$PATH" >> $GITHUB_ENV
if: matrix.go == 'tip'
- name: Install dependencies
run: |
set -x
sudo add-apt-repository ppa:ubuntu-lxc/lxc-git-master -y --no-update
sudo add-apt-repository ppa:dqlite/dev -y --no-update
sudo apt-get update
sudo snap remove lxd --purge
sudo snap remove core20 --purge || true
sudo apt-get autopurge moby-containerd docker uidmap -y
sudo ip link delete docker0
sudo nft flush ruleset
sudo systemctl mask lxc.service
sudo systemctl mask lxc-net.service
sudo apt-get install --no-install-recommends -y \
curl \
git \
libacl1-dev \
libcap-dev \
libdbus-1-dev \
libdqlite-dev \
liblxc-dev \
libseccomp-dev \
libselinux-dev \
libsqlite3-dev \
libtool \
libudev-dev \
make \
pkg-config\
acl \
attr \
bind9-dnsutils \
btrfs-progs \
busybox-static \
dnsmasq-base \
easy-rsa \
gettext \
jq \
lxc-utils \
lvm2 \
nftables \
quota \
rsync \
s3cmd \
socat \
sqlite3 \
squashfs-tools \
tar \
tcl \
thin-provisioning-tools \
uuid-runtime \
xfsprogs \
xz-utils \
zfsutils-linux
# reclaim some space
sudo apt-get clean
mkdir -p "$(go env GOPATH)/bin"
curl -sSfL https://dl.min.io/server/minio/release/linux-amd64/minio --output "$(go env GOPATH)/bin/minio"
chmod +x "$(go env GOPATH)/bin/minio"
- name: Download go dependencies
run: |
go mod download
- name: Run LXD build
run: |
make
- name: Setup MicroCeph
if: ${{ matrix.backend == 'ceph' }}
run: |
set -x
# If the rootfs and the ephemeral part are on the same physical disk, giving the whole
# disk to microceph would wipe our rootfs. Since it is pretty rare for GitHub Action
# runners to have a single disk, we immediately bail rather than trying to gracefully
# handle it. Once snapd releases with https://github.com/snapcore/snapd/pull/13150,
# we will be able to stop worrying about that special case.
if [ "$(stat -c '%d' /)" = "$(stat -c '%d' /mnt)" ]; then
echo "FAIL: rootfs and ephemeral part on the same disk, aborting"
exit 1
fi
sudo apt-get install --no-install-recommends -y ceph-common
sudo snap install microceph --edge
sleep 5
sudo microceph cluster bootstrap
sudo microceph.ceph config set global osd_pool_default_size 1
sudo microceph.ceph config set global mon_allow_pool_delete true
sudo microceph.ceph config set global osd_memory_target 939524096
sudo microceph.ceph osd crush rule rm replicated_rule
sudo microceph.ceph osd crush rule create-replicated replicated default osd
for flag in nosnaptrim noscrub nobackfill norebalance norecover noscrub nodeep-scrub; do
sudo microceph.ceph osd set $flag
done
# Repurpose the ephemeral disk for ceph OSD.
sudo swapoff /mnt/swapfile
ephemeral_disk="$(findmnt --noheadings --output SOURCE --target /mnt | sed 's/[0-9]\+$//')"
sudo umount /mnt
sudo microceph disk add --wipe "${ephemeral_disk}"
sudo rm -rf /etc/ceph
sudo ln -s /var/snap/microceph/current/conf/ /etc/ceph
sudo microceph enable rgw
sudo microceph.ceph osd pool create cephfs_meta 32
sudo microceph.ceph osd pool create cephfs_data 32
sudo microceph.ceph fs new cephfs cephfs_meta cephfs_data
sudo microceph.ceph fs ls
sleep 30
sudo microceph.ceph status
sudo rm -f /snap/bin/rbd
- name: "Run system tests (${{ matrix.go }}, ${{ matrix.suite }}, ${{ matrix.backend }})"
run: |
chmod +x ~
echo "root:1000000:1000000000" | sudo tee /etc/subuid /etc/subgid
cd test
sudo --preserve-env=PATH,GOPATH,GITHUB_ACTIONS,LXD_VERBOSE,LXD_BACKEND,LXD_CEPH_CLUSTER,LXD_CEPH_CEPHFS,LXD_CEPH_CEPHOBJECT_RADOSGW,LXD_OFFLINE,LXD_SKIP_TESTS,LXD_REQUIRED_TESTS,LXD_SHIFTFS_DISABLE LXD_BACKEND=${{ matrix.backend }} ./main.sh ${{ matrix.suite }}
client:
name: Client tests
strategy:
fail-fast: false
matrix:
go:
- 1.18.x
os:
- ubuntu-latest
- macos-latest
- windows-latest
runs-on: ${{ matrix.os }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go }}
- name: Create build directory
run: |
mkdir bin
- name: Build static lxc
env:
CGO_ENABLED: 0
run: |
go build -o bin ./lxc
- name: Build static lxd-migrate
if: runner.os == 'Linux'
env:
CGO_ENABLED: 0
run: |
go build -o bin ./lxd-migrate
- name: Unit tests (client)
env:
CGO_ENABLED: 0
run: go test -v ./client/...
- name: Unit tests (lxc)
env:
CGO_ENABLED: 0
run: go test -v ./lxc/...
- name: Unit tests (shared)
env:
CGO_ENABLED: 0
run: go test -v ./shared/...
- name: Upload lxc client artifacts
uses: actions/upload-artifact@v3
continue-on-error: true
with:
name: ${{ runner.os }}
path: bin/
documentation:
name: Documentation tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get install aspell aspell-en
sudo snap install mdl
- name: Run markdown linter
run: |
make doc-lint
- name: Run spell checker
run: |
make doc-spellcheck
- name: Run inclusive naming checker
uses: get-woke/woke-action@v0
with:
fail-on-error: true
woke-args: "*.md **/*.md -c https://github.com/canonical/Inclusive-naming/raw/main/config.yml"
- name: Run link checker
run: |
make doc-linkcheck
- name: Build docs (Sphinx)
run: make doc
- name: Print warnings (Sphinx)
run: if [ -s doc/.sphinx/warnings.txt ]; then cat doc/.sphinx/warnings.txt; exit 1; fi
- name: Upload documentation artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: documentation
path: doc/html
snap:
name: Trigger snap edge build
runs-on: ubuntu-22.04
needs: [code-tests, system-tests, client, documentation]
if: ${{ github.repository == 'canonical/lxd' && github.event_name == 'push'}}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Launchpad SSH access
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
LAUNCHPAD_LXD_BOT_KEY: ${{ secrets.LAUNCHPAD_LXD_BOT_KEY }}
run: |
ssh-agent -a "${SSH_AUTH_SOCK}" > /dev/null
ssh-add - <<< "${{ secrets.LAUNCHPAD_LXD_BOT_KEY }}"
mkdir -m 0700 -p ~/.ssh/
# In ephemeral environments like GitHub Action runners, relying on TOFU isn't providing any security
# so require the key obtained by `ssh-keyscan` to match the expected hash from https://help.launchpad.net/SSHFingerprints
ssh-keyscan git.launchpad.net >> ~/.ssh/known_hosts
ssh-keygen -qlF git.launchpad.net | grep -xF 'git.launchpad.net RSA SHA256:UNOzlP66WpDuEo34Wgs8mewypV0UzqHLsIFoqwe8dYo'
- name: Install Go
uses: actions/setup-go@v4
with:
go-version: 1.18.x
- name: Trigger Launchpad snap build
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
TARGET: >-
${{ fromJson('{
"main": "latest-edge",
"stable-5.0": "5.0-edge",
}')[github.ref_name] }}
run: |
set -x
git config --global user.name "Canonical LXD Bot"
git config --global user.email "lxd@lists.canonical.com"
localRev=$(git rev-parse HEAD)
go install github.com/canonical/lxd-ci/lxd-snapcraft@latest
git clone -b "${TARGET}" git+ssh://lxdbot@git.launchpad.net/~canonical-lxd/lxd ~/lxd-pkg-snap-lp
cd ~/lxd-pkg-snap-lp
lxd-snapcraft -set-version "git-${localRev:0:7}" -set-source-commit "${localRev}"
git add --all
git commit --all --quiet -s --allow-empty -m "Automatic upstream build (${TARGET})" -m "Upstream commit: ${localRev}"
git show
git push --quiet