selinux.vger.kernel.org archive mirror
* [PATCH testsuite 0/2] Migrate CI to GH Actions
@ 2021-01-22 10:27 Ondrej Mosnacek
From: Ondrej Mosnacek @ 2021-01-22 10:27 UTC (permalink / raw)
  To: selinux

See individual patches for more details.

Special thanks to Nicholas Iooss, who figured out this approach.

Note: I plan to merge this tomorrow (along with the userfaultfd test)
so that we have working CI again. I might do that also earlier if
someone acks it fast ;)

Ondrej Mosnacek (2):
  check-syntax: use 'command -v' instead of 'which'
  Migrate CI to GH Actions

 .github/workflows/checks.yml |  27 +++++++
 .travis.yml                  |  40 ----------
 Vagrantfile                  |  65 ++++++++++++++++
 tools/check-syntax           |   2 +-
 travis-ci/LICENSE            |   5 --
 travis-ci/run-kvm-test.sh    | 141 -----------------------------------
 travis-ci/run-testsuite.sh   |  58 --------------
 7 files changed, 93 insertions(+), 245 deletions(-)
 create mode 100644 .github/workflows/checks.yml
 delete mode 100644 .travis.yml
 create mode 100644 Vagrantfile
 delete mode 100644 travis-ci/LICENSE
 delete mode 100755 travis-ci/run-kvm-test.sh
 delete mode 100755 travis-ci/run-testsuite.sh

-- 
2.29.2



* [PATCH testsuite 1/2] check-syntax: use 'command -v' instead of 'which'
@ 2021-01-22 10:27 ` Ondrej Mosnacek
From: Ondrej Mosnacek @ 2021-01-22 10:27 UTC (permalink / raw)
  To: selinux

In minimal environments (e.g. Fedora container image) 'which' is not
installed by default. To avoid the need to install an additional
dependency, use 'command -v', which also does the trick and is a shell
builtin.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tools/check-syntax | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/check-syntax b/tools/check-syntax
index 0ca79e2..2115a79 100755
--- a/tools/check-syntax
+++ b/tools/check-syntax
@@ -27,7 +27,7 @@ CHK_PERL_EXCLUDE=""
 #
 function verify_deps() {
 	[[ -z "$1" ]] && return
-	if ! which "$1" >& /dev/null; then
+	if ! command -v "$1" >& /dev/null; then
 		echo "error: install \"$1\" and include it in your \$PATH"
 		exit 1
 	fi
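Review bot: the replacement is sound for this script (`function`, `[[` and `>&` already make it bash-only), but the two commands are not equivalent: `which` searches $PATH for an executable, while `command -v` also succeeds for a shell function, alias or builtin of that name, so a same-named function in the caller's environment would pass verify_deps without the tool being installed. For the tools checked here (astyle, perltidy) that is unlikely to matter; if it ever does, bash's `type -P "$1"` keeps the builtin advantage while answering only for files on $PATH.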
-- 
2.29.2
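The dependency check this patch touches, as an added example that is not part of the patch or of tools/check-syntax: a `command -v` based check written in POSIX sh rather than bash. It keeps the patch's advantage (no external `which` binary is needed, `command -v` is a builtin) and adds the one step `command -v` alone does not make, namely confirming that the name resolves to an executable file on $PATH rather than to a shell function, alias or builtin of the same name. The names `require_exe`, `verify_deps` and `no_such_tool_xyz` are chosen for this example; `verify_deps` here also reports every missing tool in one pass instead of exiting at the first.

```shell
#!/bin/sh
# Added example (not part of the patch): a 'command -v' based dependency
# check in POSIX sh. require_exe, verify_deps and no_such_tool_xyz are
# names chosen for this example.

# require_exe NAME
# Prints the resolved path and returns 0 when NAME is an executable file on
# $PATH. Returns 1 when NAME is missing or is a function/alias/builtin.
# An empty NAME is a no-op, as in the original verify_deps.
require_exe() {
    local name resolved
    name="$1"
    [ -z "$name" ] && return 0

    # 'command -v' is a shell builtin, so it works in minimal images, but it
    # answers for functions, aliases and builtins too; missing names give 1.
    resolved=$(command -v "$name" 2>/dev/null) || return 1

    # Functions, aliases and builtins are reported by name, not by path.
    case "$resolved" in
        /*) ;;
        *) return 1 ;;
    esac

    # Accept only an executable regular file (symlinks are followed).
    [ -f "$resolved" ] && [ -x "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# verify_deps NAME...
# Checks every name and reports all missing ones at once; returns 1 if any
# is missing, 0 otherwise.
verify_deps() {
    local missing n
    missing=0
    for n in "$@"; do
        if ! require_exe "$n" >/dev/null; then
            echo "error: install \"$n\" and include it in your \$PATH" >&2
            missing=1
        fi
    done
    return "$missing"
}

# A shell function masquerading as a tool (constructed for the example):
# 'command -v no_such_tool_xyz' succeeds, but require_exe rejects it.
no_such_tool_xyz() { :; }

# Demonstration when run directly: 'sh' passes, the fake tool is reported.
verify_deps sh no_such_tool_xyz || echo "at least one dependency is missing" >&2
```

The path check is what distinguishes this from a bare `command -v`: a name that resolves to anything other than an absolute path to an executable regular file is treated as absent. In bash, `type -P NAME` gives the same file-only answer in one call.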



* [PATCH testsuite 2/2] Migrate CI to GH Actions
@ 2021-01-22 10:27 ` Ondrej Mosnacek
From: Ondrej Mosnacek @ 2021-01-22 10:27 UTC (permalink / raw)
  To: selinux

As discovered by Nicholas Iooss [1], GH Actions now supports
HW-accelerated Linux VMs at least on macOS runners [2], so we can
finally migrate the CI away from Travis.

The new check uses Vagrant to provision the Fedora VM, as this is the
simplest way to get it to work on macOS. Unfortunately there is no
Rawhide image provided in the official Vagrant repos, so for now the
testsuite is run only on Fedora 33. I'd like to add Rawhide in the
future, but let's start with the low-hanging fruit.

[1] https://github.com/SELinuxProject/selinux/commit/316a4f89dd502d6f2b072f76af16de320c1cf673
[2] https://github.com/actions/virtual-environments/issues/433#issuecomment-618872784

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .github/workflows/checks.yml |  27 +++++++
 .travis.yml                  |  40 ----------
 Vagrantfile                  |  65 ++++++++++++++++
 travis-ci/LICENSE            |   5 --
 travis-ci/run-kvm-test.sh    | 141 -----------------------------------
 travis-ci/run-testsuite.sh   |  58 --------------
 6 files changed, 92 insertions(+), 244 deletions(-)
 create mode 100644 .github/workflows/checks.yml
 delete mode 100644 .travis.yml
 create mode 100644 Vagrantfile
 delete mode 100644 travis-ci/LICENSE
 delete mode 100755 travis-ci/run-kvm-test.sh
 delete mode 100755 travis-ci/run-testsuite.sh

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
new file mode 100644
index 0000000..e1e383f
--- /dev/null
+++ b/.github/workflows/checks.yml
@@ -0,0 +1,27 @@
+name: checks
+on: [push, pull_request]
+jobs:
+  style-check:
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+    steps:
+      - run: sudo dnf install -y astyle perltidy findutils git-core
+      - uses: actions/checkout@v2
+      - run: tools/check-syntax -f && git diff --exit-code
+  fedora-test:
+    runs-on: macos-latest
+    env:
+      FEDORA_VERSION: 33
+    steps:
+      - uses: actions/checkout@v2
+      # macOS sometimes allows symlinks to have permissions other than 777,
+      # so change all symlink perms to match the Linux convention. Otherwise
+      # the rsync run by Vagrant will complain that it can't copy over the
+      # perms.
+      - name: Fix symlink permissions
+        run: find . -type link -exec chmod -h 777 \{\} \;
+      - name: Create a Vagrant VM
+        run: vagrant up
+      - name: Run SELinux testsuite
+        run: vagrant ssh -- sudo make -C /root/testsuite test
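Review bot: `find . -type link` in the "Fix symlink permissions" step happens to be accepted by macOS's find, but GNU find rejects multi-letter type arguments ("Arguments to -type should contain only one letter"), so `-type l` is the portable spelling and what anyone reproducing the step on Linux will need. Two smaller points: `actions/checkout@v2` is a mutable tag, and pinning it to a full commit SHA (with the tag kept in a comment) would stop the CI's supply chain from changing underneath the testsuite; and container steps in the style-check job already run as root, so the `sudo` in `sudo dnf install` is redundant and only adds a dependency on sudo being present in fedora:latest.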
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index cba7462..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-language: c
-
-dist: bionic
-
-env:
-  matrix:
-    - FEDORA_KIND="releases" FEDORA_MAJOR="33"
-    - FEDORA_KIND="development" FEDORA_MAJOR="rawhide"
-
-addons:
-  apt:
-    packages:
-      - astyle
-      - qemu-kvm
-      - libvirt-bin
-      - virtinst
-      - bridge-utils
-      - libguestfs-tools
-      - cpu-checker
-      - netcat
-
-before_install:
-  # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
-  - git clone https://github.com/perltidy/perltidy.git perltidy
-  - |
-    (cd perltidy &&
-     perl Makefile.PL &&
-     make PREFIX=/usr/local &&
-     sudo make install PREFIX=/usr/local)
-  - sudo usermod -a -G kvm,libvirt,libvirt-qemu "$USER"
-  # Verify that KVM is working, useful if Travis ever changes anything.
-  - kvm-ok
-  - sudo systemctl enable libvirtd
-  - sudo systemctl start libvirtd
-  # Set up a key so we can ssh into the VM
-  - ssh-keygen -N "" -f "$HOME/.ssh/id_rsa"
-
-script:
-  - tools/check-syntax -f && git diff --exit-code
-  - bash travis-ci/run-kvm-test.sh travis-ci/run-testsuite.sh
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..c305fce
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,65 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+# Vagrant configuration file which creates a virtual machine that can run the
+# test suite.
+#
+# To create a new virtual machine:
+#
+#    FEDORA_VERSION=33 vagrant up
+#
+# To launch tests (for example after modifications have been made):
+#
+#    vagrant rsync && vagrant ssh -- sudo make -C /root/testsuite test
+#
+# To destroy the virtual machine (for example to start again from a clean environment):
+#
+#    vagrant destroy
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  config.vm.box = "fedora/#{ENV['FEDORA_VERSION']}-cloud-base"
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+  config.vm.synced_folder ".", "/root/testsuite", type: "rsync",
+    # need to disable '--copy-links', which is in rsync__args by default
+    rsync__args: ["-vzra", "--delete"]
+
+  config.vm.provider "virtualbox" do |v|
+    v.memory = 4096
+  end
+  config.vm.provider "libvirt" do |v|
+    v.memory = 4096
+  end
+
+  config.vm.provision :shell, inline: <<SCRIPT
+    dnf install -y \
+      --allowerasing \
+      --skip-broken \
+      make \
+      perl-Test \
+      perl-Test-Harness \
+      perl-Test-Simple \
+      perl-lib \
+      selinux-policy-devel \
+      gcc \
+      libselinux-devel \
+      net-tools \
+      netlabel_tools \
+      nftables \
+      iptables \
+      lksctp-tools-devel \
+      attr \
+      libbpf-devel \
+      keyutils-libs-devel \
+      quota \
+      xfsprogs-devel \
+      libuuid-devel \
+      e2fsprogs \
+      jfsutils \
+      dosfstools \
+      kernel-devel-"$(uname -r)" \
+      kernel-modules-"$(uname -r)"
+SCRIPT
+end
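Review bot: `config.vm.box = "fedora/#{ENV['FEDORA_VERSION']}-cloud-base"` silently degrades to the box name `fedora/-cloud-base` when FEDORA_VERSION is unset, and the header comment is the only place that tells a developer to set it; `ENV.fetch('FEDORA_VERSION')` fails fast with a clear message, or a default such as `ENV.fetch('FEDORA_VERSION', '33')` would make a plain `vagrant up` behave like the checks.yml job. Also worth a look: the provisioner's `--skip-broken` lets dnf drop packages from the transaction without failing, so a missing kernel-modules-$(uname -r) (the case the old run-kvm-test.sh handled by updating the kernel and rebooting) would now surface only as test failures later; and with no `config.vm.box_version`, the VM contents can change between runs without any change in the repository.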
diff --git a/travis-ci/LICENSE b/travis-ci/LICENSE
deleted file mode 100644
index 1f95d26..0000000
--- a/travis-ci/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/travis-ci/run-kvm-test.sh b/travis-ci/run-kvm-test.sh
deleted file mode 100755
index 81c57ff..0000000
--- a/travis-ci/run-kvm-test.sh
+++ /dev/null
@@ -1,141 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: MIT
-
-# Based on SELinux userspace CI scripts from:
-# https://github.com/SELinuxProject/selinux
-
-set -ex
-
-TEST_RUNNER="$1"
-
-if [ -z "$TEST_RUNNER" ]; then
-    echo "$0: expected script to be run on the command line!" 1>&2
-    exit 1
-fi
-
-#
-# Variables for controlling the Fedora Image version and download URLs.
-#
-if [ -z "$FEDORA_KIND" ] || [ -z "$FEDORA_MAJOR" ]; then
-    echo "$0: FEDORA_KIND and FEDORA_MAJOR must be set!" 1>&2
-    exit 1
-fi
-
-BASE_URL="https://download.fedoraproject.org/pub/fedora/linux/$FEDORA_KIND/$FEDORA_MAJOR/Cloud/x86_64/images"
-GPG_URL="https://getfedora.org/static/fedora.gpg"
-
-#
-# Travis gives us 7.5GB of RAM and two cores:
-# https://docs.travis-ci.com/user/reference/overview/
-#
-MEMORY=4096
-VCPUS="$(nproc)"
-
-#
-# Get the Fedora Cloud Image, It is a base image that small and ready to go, extract it and modify it with virt-sysprep
-#  - https://alt.fedoraproject.org/en/verify.html
-cd "$HOME"
-wget -r -nd -np -l 1 -H -e robots=off -A "*.raw.xz,*-CHECKSUM" "$BASE_URL"
-latest_image="$(ls -1q *.raw.xz | tail -n 1)"
-if [ -z "$latest_image" ]; then
-    echo "$0: no image file downloaded!" 1>&2
-    exit 1
-fi
-
-# Verify the image (skip GPG for unsigned rawhide images)
-if [ "$FEDORA_KIND" != "development" ]; then
-    curl "$GPG_URL" | gpg --import
-    gpg --verify-files ./*-CHECKSUM
-fi
-sha256sum --ignore-missing -c ./*-CHECKSUM
-
-# Extract the image
-unxz -T0 "$latest_image"
-latest_image="${latest_image%.xz}"
-
-# Search is needed for $HOME so virt service can access the image file.
-chmod a+x "$HOME"
-
-#
-# Modify the virtual image to:
-#   - Enable a login, we just use root
-#   - Enable passwordless login
-#     - Force a relabel to fix labels on ssh keys
-#
-sudo virt-sysprep -a "$latest_image" \
-  --root-password password:123456 \
-  --hostname fedoravm \
-  --append-line '/etc/ssh/sshd_config:PermitRootLogin yes' \
-  --append-line '/etc/ssh/sshd_config:PubkeyAuthentication yes' \
-  --mkdir /root/.ssh \
-  --upload "$HOME/.ssh/id_rsa.pub:/root/.ssh/authorized_keys" \
-  --chmod '0600:/root/.ssh/authorized_keys' \
-  --run-command 'chown root:root /root/.ssh/authorized_keys' \
-  --copy-in "$TRAVIS_BUILD_DIR:/root" \
-  --network \
-  --selinux-relabel
-
-#
-# Now we create a domain by using virt-install. This not only creates the domain, but runs the VM as well
-# It should be ready to go for ssh, once ssh starts.
-#
-sudo virt-install \
-  --name fedoravm \
-  --memory $MEMORY \
-  --vcpus $VCPUS \
-  --disk "$latest_image" \
-  --import --noautoconsole
-
-#
-# Here comes the tricky part, we have to figure out when the VM comes up AND we need the ip address for ssh. So we
-# can check the net-dhcp leases, for our host. We have to poll, and we will poll for up to 3 minutes in 6 second
-# intervals, so 30 poll attempts (0-29 inclusive).
-#
-# We have a full reboot + relabel, so first sleep gets us close
-#
-sleep 30
-for i in $(seq 0 29); do
-    echo "loop $i"
-    sleep 6s
-    # Get the leases, but tee it so it's easier to debug
-    sudo virsh net-dhcp-leases default | tee dhcp-leases.txt
-
-    # get our ipaddress
-    ipaddy="$(grep fedoravm dhcp-leases.txt | awk '{print $5}' | cut -d'/' -f 1-1)"
-    if [ -n "$ipaddy" ]; then
-        # found it, we're done looking, print it for debug logs
-        echo "ipaddy: $ipaddy"
-        break
-    fi
-    # it's empty/not found, loop back and try again.
-done
-
-# Did we find it? If not die.
-if [ -z "$ipaddy" ]; then
-    echo "$0: ipaddy zero length, exiting with error 1" 1>&2
-    exit 1
-fi
-
-#
-# Great we have a host running, ssh into it. We specify -o so
-# we don't get blocked on asking to add the servers key to
-# our known_hosts. Also, we need to forward the project directory
-# so forks know where to go.
-#
-
-# Check if kernel-modules-$(uname -r) can be installed from repos,
-# otherwise update kernel and reboot.
-if ! echo "dnf -q info --available kernel-modules-\$(uname -r)" | \
-    ssh -o StrictHostKeyChecking=no -q "root@$ipaddy"
-then
-    ssh -tt -o StrictHostKeyChecking=no -o LogLevel=QUIET "root@$ipaddy" \
-        dnf update -y kernel-core
-
-    sudo virsh reboot fedoravm
-    sleep 5
-    while ! nc -w 10 -z "$ipaddy" 22; do sleep 0.5s; done
-fi
-
-# And run the testsuite.
-project_dir="$(basename "$TRAVIS_BUILD_DIR")"
-ssh -tt -o StrictHostKeyChecking=no -o LogLevel=QUIET "root@$ipaddy" "SELINUX_DIR=/root/$project_dir /root/$project_dir/$TEST_RUNNER"
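Review bot: worth a line in the commit message: besides the Travis dependency, this removes a throwaway VM configured with a fixed root password (`--root-password password:123456`) and `PermitRootLogin yes`, which is a welcome side effect, but it also drops the image verification steps (GPG check of the CHECKSUM file and `sha256sum -c`) that the Vagrant flow does not reproduce; the new setup trusts the Vagrant Cloud box instead, and the message should say so.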
diff --git a/travis-ci/run-testsuite.sh b/travis-ci/run-testsuite.sh
deleted file mode 100755
index bd9073c..0000000
--- a/travis-ci/run-testsuite.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: MIT
-
-# Based on SELinux userspace CI scripts from:
-# https://github.com/SELinuxProject/selinux
-
-set -ex
-
-# CI Debug output if things go squirrely.
-getenforce
-id -Z
-nproc
-pwd
-
-# Turn off enforcing for the setup to prevent any weirdness from breaking
-# the CI.
-setenforce 0
-
-dnf install -y \
-    --allowerasing \
-    --skip-broken \
-    make \
-    perl-Test \
-    perl-Test-Harness \
-    perl-Test-Simple \
-    perl-lib \
-    selinux-policy-devel \
-    gcc \
-    libselinux-devel \
-    net-tools \
-    netlabel_tools \
-    nftables \
-    iptables \
-    lksctp-tools-devel \
-    attr \
-    libbpf-devel \
-    keyutils-libs-devel \
-    quota \
-    xfsprogs-devel \
-    libuuid-devel \
-    e2fsprogs \
-    jfsutils \
-    dosfstools \
-    kernel-devel-"$(uname -r)" \
-    kernel-modules-"$(uname -r)"
-
-#
-# Move to the selinux testsuite directory.
-#
-cd "$HOME/selinux-testsuite"
-
-# The testsuite must be run in enforcing mode
-setenforce 1
-
-#
-# Run the test suite
-#
-make test
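Review bot: the removed runner printed `getenforce` and `id -Z` for debugging and forced `setenforce 1` before `make test`; the replacement step in checks.yml (`vagrant ssh -- sudo make -C /root/testsuite test`) does neither, so if the cloud-base box ever boots permissive, or provisioning leaves it so, the suite would run in the wrong mode with nothing in the log to show it. A `getenforce` (or `setenforce 1`) before `make test` in that step would keep the old guarantee.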
-- 
2.29.2



* Re: [PATCH testsuite 1/2] check-syntax: use 'command -v' instead of 'which'
@ 2021-01-22 15:47   ` Paul Moore
From: Paul Moore @ 2021-01-22 15:47 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: selinux

On Fri, Jan 22, 2021 at 5:46 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> In minimal environments (e.g. Fedora container image) 'which' is not
> installed by default. To avoid the need to install an additional
> dependency, use 'command -v', which also does the trick and is a shell
> builtin.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  tools/check-syntax | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Nice.

Acked-by: Paul Moore <paul@paul-moore.com>

-- 
paul moore
www.paul-moore.com


* Re: [PATCH testsuite 0/2] Migrate CI to GH Actions
@ 2021-01-23  9:55 ` Ondrej Mosnacek
From: Ondrej Mosnacek @ 2021-01-23  9:55 UTC (permalink / raw)
  To: SElinux list

On Fri, Jan 22, 2021 at 11:27 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> See individual patches for more details.
>
> Special thanks to Nicholas Iooss, who figured out this approach.
>
> Note: I plan to merge this tomorrow (along with the userfaultfd test)
> so that we have working CI again. I might do that also earlier if
> someone acks it fast ;)
>
> Ondrej Mosnacek (2):
>   check-syntax: use 'command -v' instead of 'which'
>   Migrate CI to GH Actions
>
>  .github/workflows/checks.yml |  27 +++++++
>  .travis.yml                  |  40 ----------
>  Vagrantfile                  |  65 ++++++++++++++++
>  tools/check-syntax           |   2 +-
>  travis-ci/LICENSE            |   5 --
>  travis-ci/run-kvm-test.sh    | 141 -----------------------------------
>  travis-ci/run-testsuite.sh   |  58 --------------
>  7 files changed, 93 insertions(+), 245 deletions(-)
>  create mode 100644 .github/workflows/checks.yml
>  delete mode 100644 .travis.yml
>  create mode 100644 Vagrantfile
>  delete mode 100644 travis-ci/LICENSE
>  delete mode 100755 travis-ci/run-kvm-test.sh
>  delete mode 100755 travis-ci/run-testsuite.sh
>
> --
> 2.29.2

Merged and passing:
https://github.com/SELinuxProject/selinux-testsuite/actions/runs/505560875

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.


