Authorization refactor in preparation for fine-grained authorization #5954
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
- push | |
- pull_request | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
code-tests: | |
env: | |
CGO_CFLAGS: "-I/home/runner/work/lxd/lxd-test/vendor/raft/include/ -I/home/runner/work/lxd/lxd-test/vendor/dqlite/include/" | |
CGO_LDFLAGS: "-L/home/runner/work/lxd/lxd-test/vendor/raft/.libs/ -L/home/runner/work/lxd/lxd-test/vendor/dqlite/.libs/" | |
LD_LIBRARY_PATH: "/home/runner/work/lxd/lxd-test/vendor/raft/.libs/:/home/runner/work/lxd/lxd-test/vendor/dqlite/.libs/" | |
CGO_LDFLAGS_ALLOW: "(-Wl,-wrap,pthread_create)|(-Wl,-z,now)" | |
name: Code tests | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Dependency Review | |
uses: actions/dependency-review-action@v3 | |
if: github.event_name == 'pull_request' | |
- name: Install Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 1.18.x | |
- name: Install dependencies | |
run: | | |
sudo add-apt-repository ppa:ubuntu-lxc/lxc-git-master -y --no-update | |
sudo apt-get update | |
sudo apt-get install --no-install-recommends -y \ | |
build-essential \ | |
curl \ | |
gettext \ | |
git \ | |
libacl1-dev \ | |
libcap-dev \ | |
libdbus-1-dev \ | |
liblxc-dev \ | |
lxc-templates \ | |
libseccomp-dev \ | |
libselinux-dev \ | |
libsqlite3-dev \ | |
libtool \ | |
libudev-dev \ | |
libuv1-dev \ | |
make \ | |
pkg-config \ | |
shellcheck | |
python3 -m pip install flake8 | |
- name: Download go dependencies | |
run: | | |
go mod download | |
- name: Make LXD tarball and unpack it | |
env: | |
CUSTOM_VERSION: "test" | |
run: | | |
make dist | |
tar -xzf lxd-test.tar.gz -C ~/work/lxd/ | |
rm lxd-test.tar.gz | |
- name: Build LXD dependencies | |
run: | | |
cd ~/work/lxd/lxd-test | |
make deps | |
- name: Run LXD build | |
run: | | |
make | |
- name: Run static analysis | |
run: | | |
make static-analysis | |
- name: Unit tests (all) | |
run: | | |
sudo --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,CGO_LDFLAGS_ALLOW,LD_LIBRARY_PATH LD_LIBRARY_PATH=${LD_LIBRARY_PATH} go test ./... | |
system-tests: | |
env: | |
CGO_LDFLAGS_ALLOW: "(-Wl,-wrap,pthread_create)|(-Wl,-z,now)" | |
LXD_SHIFTFS_DISABLE: "true" | |
LXD_CEPH_CLUSTER: "ceph" | |
LXD_CEPH_CEPHFS: "cephfs" | |
LXD_CEPH_CEPHOBJECT_RADOSGW: "http://127.0.0.1" | |
LXD_CONCURRENT: "1" | |
LXD_VERBOSE: "1" | |
LXD_OFFLINE: "1" | |
LXD_TMPFS: "1" | |
LXD_REQUIRED_TESTS: "test_storage_buckets" | |
name: System tests | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
go: ["1.18.x"] | |
suite: ["cluster", "standalone"] | |
backend: ["dir", "btrfs", "lvm", "zfs", "ceph", "random"] | |
include: | |
- go: stable | |
suite: cluster | |
backend: dir | |
- go: stable | |
suite: standalone | |
backend: dir | |
- go: tip | |
suite: cluster | |
backend: dir | |
- go: tip | |
suite: standalone | |
backend: dir | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Go (stable) | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.go }} | |
if: matrix.go != 'tip' | |
- name: Install Go (tip) | |
run: | | |
curl -sSfL https://storage.googleapis.com/go-build-snap/go/linux-amd64/$(git ls-remote https://github.com/golang/go.git HEAD | awk '{print $1;}').tar.gz -o gotip.tar.gz | |
ls -lah gotip.tar.gz | |
mkdir -p ~/sdk/gotip | |
tar -C ~/sdk/gotip -xzf gotip.tar.gz | |
~/sdk/gotip/bin/go version | |
echo "PATH=$HOME/go/bin:$HOME/sdk/gotip/bin/:$PATH" >> $GITHUB_ENV | |
if: matrix.go == 'tip' | |
- name: Install dependencies | |
run: | | |
set -x | |
sudo add-apt-repository ppa:ubuntu-lxc/lxc-git-master -y --no-update | |
sudo add-apt-repository ppa:dqlite/dev -y --no-update | |
sudo apt-get update | |
sudo snap remove lxd --purge | |
sudo snap remove core20 --purge || true | |
sudo apt-get autopurge moby-containerd docker uidmap -y | |
sudo ip link delete docker0 | |
sudo nft flush ruleset | |
sudo systemctl mask lxc.service | |
sudo systemctl mask lxc-net.service | |
sudo apt-get install --no-install-recommends -y \ | |
curl \ | |
git \ | |
libacl1-dev \ | |
libcap-dev \ | |
libdbus-1-dev \ | |
libdqlite-dev \ | |
liblxc-dev \ | |
libseccomp-dev \ | |
libselinux-dev \ | |
libsqlite3-dev \ | |
libtool \ | |
libudev-dev \ | |
make \ | |
pkg-config\ | |
acl \ | |
attr \ | |
bind9-dnsutils \ | |
btrfs-progs \ | |
busybox-static \ | |
dnsmasq-base \ | |
easy-rsa \ | |
gettext \ | |
jq \ | |
lxc-utils \ | |
lvm2 \ | |
nftables \ | |
quota \ | |
rsync \ | |
s3cmd \ | |
socat \ | |
sqlite3 \ | |
squashfs-tools \ | |
tar \ | |
tcl \ | |
thin-provisioning-tools \ | |
uuid-runtime \ | |
xfsprogs \ | |
xz-utils \ | |
zfsutils-linux | |
# reclaim some space | |
sudo apt-get clean | |
mkdir -p "$(go env GOPATH)/bin" | |
curl -sSfL https://dl.min.io/server/minio/release/linux-amd64/minio --output "$(go env GOPATH)/bin/minio" | |
chmod +x "$(go env GOPATH)/bin/minio" | |
- name: Download go dependencies | |
run: | | |
go mod download | |
- name: Run LXD build | |
run: | | |
make | |
- name: Setup MicroCeph | |
if: ${{ matrix.backend == 'ceph' }} | |
run: | | |
set -x | |
# If the rootfs and the ephemeral part are on the same physical disk, giving the whole | |
# disk to microceph would wipe our rootfs. Since it is pretty rare for GitHub Action | |
# runners to have a single disk, we immediately bail rather than trying to gracefully | |
# handle it. Once snapd releases with https://github.com/snapcore/snapd/pull/13150, | |
# we will be able to stop worrying about that special case. | |
if [ "$(stat -c '%d' /)" = "$(stat -c '%d' /mnt)" ]; then | |
echo "FAIL: rootfs and ephemeral part on the same disk, aborting" | |
exit 1 | |
fi | |
sudo apt-get install --no-install-recommends -y ceph-common | |
sudo snap install microceph --edge | |
sleep 5 | |
sudo microceph cluster bootstrap | |
sudo microceph.ceph config set global osd_pool_default_size 1 | |
sudo microceph.ceph config set global mon_allow_pool_delete true | |
sudo microceph.ceph config set global osd_memory_target 939524096 | |
sudo microceph.ceph osd crush rule rm replicated_rule | |
sudo microceph.ceph osd crush rule create-replicated replicated default osd | |
for flag in nosnaptrim noscrub nobackfill norebalance norecover noscrub nodeep-scrub; do | |
sudo microceph.ceph osd set $flag | |
done | |
# Repurpose the ephemeral disk for ceph OSD. | |
sudo swapoff /mnt/swapfile | |
ephemeral_disk="$(findmnt --noheadings --output SOURCE --target /mnt | sed 's/[0-9]\+$//')" | |
sudo umount /mnt | |
sudo microceph disk add --wipe "${ephemeral_disk}" | |
sudo rm -rf /etc/ceph | |
sudo ln -s /var/snap/microceph/current/conf/ /etc/ceph | |
sudo microceph enable rgw | |
sudo microceph.ceph osd pool create cephfs_meta 32 | |
sudo microceph.ceph osd pool create cephfs_data 32 | |
sudo microceph.ceph fs new cephfs cephfs_meta cephfs_data | |
sudo microceph.ceph fs ls | |
sleep 30 | |
sudo microceph.ceph status | |
sudo rm -f /snap/bin/rbd | |
- name: "Run system tests (${{ matrix.go }}, ${{ matrix.suite }}, ${{ matrix.backend }})" | |
run: | | |
chmod +x ~ | |
echo "root:1000000:1000000000" | sudo tee /etc/subuid /etc/subgid | |
cd test | |
sudo --preserve-env=PATH,GOPATH,GITHUB_ACTIONS,LXD_VERBOSE,LXD_BACKEND,LXD_CEPH_CLUSTER,LXD_CEPH_CEPHFS,LXD_CEPH_CEPHOBJECT_RADOSGW,LXD_OFFLINE,LXD_SKIP_TESTS,LXD_REQUIRED_TESTS,LXD_SHIFTFS_DISABLE LXD_BACKEND=${{ matrix.backend }} ./main.sh ${{ matrix.suite }} | |
client: | |
name: Client tests | |
strategy: | |
fail-fast: false | |
matrix: | |
go: | |
- 1.18.x | |
os: | |
- ubuntu-latest | |
- macos-latest | |
- windows-latest | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.go }} | |
- name: Create build directory | |
run: | | |
mkdir bin | |
- name: Build static lxc | |
env: | |
CGO_ENABLED: 0 | |
run: | | |
go build -o bin ./lxc | |
- name: Build static lxd-migrate | |
if: runner.os == 'Linux' | |
env: | |
CGO_ENABLED: 0 | |
run: | | |
go build -o bin ./lxd-migrate | |
- name: Unit tests (client) | |
env: | |
CGO_ENABLED: 0 | |
run: go test -v ./client/... | |
- name: Unit tests (lxc) | |
env: | |
CGO_ENABLED: 0 | |
run: go test -v ./lxc/... | |
- name: Unit tests (shared) | |
env: | |
CGO_ENABLED: 0 | |
run: go test -v ./shared/... | |
- name: Upload lxc client artifacts | |
uses: actions/upload-artifact@v3 | |
continue-on-error: true | |
with: | |
name: ${{ runner.os }} | |
path: bin/ | |
documentation: | |
name: Documentation tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: | | |
sudo apt-get install aspell aspell-en | |
sudo snap install mdl | |
- name: Run markdown linter | |
run: | | |
make doc-lint | |
- name: Run spell checker | |
run: | | |
make doc-spellcheck | |
- name: Run inclusive naming checker | |
uses: get-woke/woke-action@v0 | |
with: | |
fail-on-error: true | |
woke-args: "*.md **/*.md -c https://github.com/canonical/Inclusive-naming/raw/main/config.yml" | |
- name: Run link checker | |
run: | | |
make doc-linkcheck | |
- name: Build docs (Sphinx) | |
run: make doc | |
- name: Print warnings (Sphinx) | |
run: if [ -s doc/.sphinx/warnings.txt ]; then cat doc/.sphinx/warnings.txt; exit 1; fi | |
- name: Upload documentation artifacts | |
if: always() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: documentation | |
path: doc/html | |
snap: | |
name: Trigger snap edge build | |
runs-on: ubuntu-22.04 | |
needs: [code-tests, system-tests, client, documentation] | |
if: ${{ github.repository == 'canonical/lxd' && github.event_name == 'push'}} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Launchpad SSH access | |
env: | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
LAUNCHPAD_LXD_BOT_KEY: ${{ secrets.LAUNCHPAD_LXD_BOT_KEY }} | |
run: | | |
ssh-agent -a "${SSH_AUTH_SOCK}" > /dev/null | |
ssh-add - <<< "${{ secrets.LAUNCHPAD_LXD_BOT_KEY }}" | |
mkdir -m 0700 -p ~/.ssh/ | |
# In ephemeral environments like GitHub Action runners, relying on TOFU isn't providing any security | |
# so require the key obtained by `ssh-keyscan` to match the expected hash from https://help.launchpad.net/SSHFingerprints | |
ssh-keyscan git.launchpad.net >> ~/.ssh/known_hosts | |
ssh-keygen -qlF git.launchpad.net | grep -xF 'git.launchpad.net RSA SHA256:UNOzlP66WpDuEo34Wgs8mewypV0UzqHLsIFoqwe8dYo' | |
- name: Install Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 1.18.x | |
- name: Trigger Launchpad snap build | |
env: | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
TARGET: >- | |
${{ fromJson('{ | |
"main": "latest-edge", | |
"stable-5.0": "5.0-edge", | |
}')[github.ref_name] }} | |
run: | | |
set -x | |
git config --global user.name "Canonical LXD Bot" | |
git config --global user.email "lxd@lists.canonical.com" | |
localRev=$(git rev-parse HEAD) | |
go install github.com/canonical/lxd-ci/lxd-snapcraft@latest | |
git clone -b "${TARGET}" git+ssh://lxdbot@git.launchpad.net/~canonical-lxd/lxd ~/lxd-pkg-snap-lp | |
cd ~/lxd-pkg-snap-lp | |
lxd-snapcraft -set-version "git-${localRev:0:7}" -set-source-commit "${localRev}" | |
git add --all | |
git commit --all --quiet -s --allow-empty -m "Automatic upstream build (${TARGET})" -m "Upstream commit: ${localRev}" | |
git show | |
git push --quiet |