ci: Add a very basic nerdctl sanity test

Let's add a very basic sanity test to check that we can spawn a
containers using nerdctl + Kata Containers.

This will ensure that, at least, we don't regress to the point where
this feature doesn't work at all.

In the future, we should also test all the VMMs with devmapper, but
that's for a follow-up PR after this test is working as expected.

Fixes: #7911

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

.github/workflows/ci.yaml

@@ -81,6 +81,14 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
 
+  run-nerdctl-tests-on-garm:
+    needs: build-kata-static-tarball-amd64
+    uses: ./.github/workflows/run-nerdctl-tests-on-garm.yaml
+    with:
+      tarball-suffix: -${{ inputs.tag }}
+      commit-hash: ${{ inputs.commit-hash }}
+      target-branch: ${{ inputs.target-branch }}
+
   run-kata-deploy-tests-on-aks:
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-kata-deploy-tests-on-aks.yaml

.github/workflows/run-nerdctl-tests-on-garm.yaml

@@ -0,0 +1,57 @@
+name: CI | Run nerdctl integration tests
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      commit-hash:
+        required: false
+        type: string
+      target-branch:
+        required: false
+        type: string
+        default: ""
+
+jobs:
+  run-nerdctl-tests:
+    strategy:
+      # We can set this to true whenever we're 100% sure that
+      # all the tests are not flaky, otherwise we'll fail them
+      # all due to a single flaky instance.
+      fail-fast: false
+      matrix:
+        vmm:
+          - clh
+          - dragonball
+          - qemu
+    runs-on: garm-ubuntu-2304
+    env:
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Install dependencies
+        run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
+
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-artifacts
+
+      - name: Install kata
+        run: bash tests/integration/nerdctl/gha-run.sh install-kata kata-artifacts
+
+      - name: Run nerdctl smoke test
+        timeout-minutes: 5
+        run: bash tests/integration/nerdctl/gha-run.sh run

tests/integration/nerdctl/gha-run.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+kata_tarball_dir="${2:-kata-artifacts}"
+nerdctl_dir="$(dirname "$(readlink -f "$0")")"
+source "${nerdctl_dir}/../../common.bash"
+
+function install_dependencies() {
+	info "Installing the dependencies for running the nerdctl tests"
+
+	# Dependency list of projects that we can rely on the system packages
+	# - wget
+	#   - Used to download the nerdctl-full tarball
+	# - pip
+	#   - Used to install lastversion, which will be used to get the latest
+	#     release of the nerdctl
+        declare -a system_deps=(
+		wget
+		pip
+	)
+
+	sudo apt update
+	sudo apt -y install "${system_deps[@]}"
+
+	# Install lastversion from pip
+	#
+	# --break-system-packages is, unfortunately, needed here as it'll also
+	# bring in some python3 dependencies on its own
+	pip install lastversion --break-system-packages
+
+	# As the command above will install lastversion on $HOME/.local/bin, we
+	# need to add it to the PATH
+	export PATH=$PATH:${HOME}/.local/bin
+
+	# Download the nerdctl-full tarball, as it comes with all the deps
+	# needed.
+	nerdctl_lastest_version=$(lastversion containerd/nerdctl)
+	wget https://github.com/containerd/nerdctl/releases/download/v${nerdctl_lastest_version}/nerdctl-full-${nerdctl_lastest_version}-linux-amd64.tar.gz
+
+	# Unpack the latest nerdctl into /usr/local/
+	sudo tar -xvf nerdctl-full-${nerdctl_lastest_version}-linux-amd64.tar.gz -C /usr/local/
+
+	# Start containerd service
+	sudo systemctl daemon-reload
+	sudo systemctl start containerd
+}
+
+function run() {
+	info "Running nerdctl smoke test tests using ${KATA_HYPERVISOR} hypervisor"
+
+	enabling_hypervisor
+
+	info "Running nerdctl with runc"
+	sudo nerdctl run --rm alpine ping -c 2 www.github.com
+
+	info "Running nerdctl with Kata Containers (${KATA_HYPERVISOR})"
+	sudo nerdctl run --rm --runtime io.containerd.kata.v2 alpine ping -c 2 www.github.com
+}
+
+function main() {
+	action="${1:-}"
+	case "${action}" in
+		install-dependencies) install_dependencies ;;
+		install-kata) install_kata ;;
+		run) run ;;
+		*) >&2 die "Invalid argument" ;;
+	esac
+}
+
+main "$@"