From 12d833d07d365becf5716d3bf22daa5d5e07bc52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 12 Sep 2023 10:35:54 +0200 Subject: [PATCH 1/3] ci: Add a very basic nerdctl sanity test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add a very basic sanity test to check that we can spawn a containers using nerdctl + Kata Containers. This will ensure that, at least, we don't regress to the point where this feature doesn't work at all. In the future, we should also test all the VMMs with devmapper, but that's for a follow-up PR after this test is working as expected. Fixes: #7911 Signed-off-by: Fabiano FidĂȘncio --- .github/workflows/ci.yaml | 8 ++ .../workflows/run-nerdctl-tests-on-garm.yaml | 57 ++++++++++++++ tests/integration/nerdctl/gha-run.sh | 78 +++++++++++++++++++ 3 files changed, 143 insertions(+) create mode 100644 .github/workflows/run-nerdctl-tests-on-garm.yaml create mode 100644 tests/integration/nerdctl/gha-run.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4838344eee..8f7c90ffb2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -81,6 +81,14 @@ jobs: commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} + run-nerdctl-tests-on-garm: + needs: build-kata-static-tarball-amd64 + uses: ./.github/workflows/run-nerdctl-tests-on-garm.yaml + with: + tarball-suffix: -${{ inputs.tag }} + commit-hash: ${{ inputs.commit-hash }} + target-branch: ${{ inputs.target-branch }} + run-kata-deploy-tests-on-aks: needs: publish-kata-deploy-payload-amd64 uses: ./.github/workflows/run-kata-deploy-tests-on-aks.yaml diff --git a/.github/workflows/run-nerdctl-tests-on-garm.yaml b/.github/workflows/run-nerdctl-tests-on-garm.yaml new file mode 100644 index 0000000000..a902d7cc5c --- /dev/null +++ b/.github/workflows/run-nerdctl-tests-on-garm.yaml 
@@ -0,0 +1,57 @@
+name: CI | Run nerdctl integration tests
+on:
+ workflow_call:
+ inputs:
+ tarball-suffix:
+ required: false
+ type: string
+ commit-hash:
+ required: false
+ type: string
+ target-branch:
+ required: false
+ type: string
+ default: ""
+
+jobs:
+ run-nerdctl-tests:
+ strategy:
+ # We can set this to true whenever we're 100% sure that
+ # all the tests are not flaky, otherwise we'll fail them
+ # all due to a single flaky instance.
+ fail-fast: false
+ matrix:
+ vmm:
+ - clh
+ - dragonball
+ - qemu
+ runs-on: garm-ubuntu-2304
+ env:
+ KATA_HYPERVISOR: ${{ matrix.vmm }}
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.commit-hash }}
+ fetch-depth: 0
+
+ - name: Rebase atop of the latest target branch
+ run: |
+ ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+ env:
+ TARGET_BRANCH: ${{ inputs.target-branch }}
+
+ - name: Install dependencies
+ run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
+
+ - name: get-kata-tarball
+ uses: actions/download-artifact@v3
+ with:
+ name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+ path: kata-artifacts
+
+ - name: Install kata
+ run: bash tests/integration/nerdctl/gha-run.sh install-kata kata-artifacts
+
+ - name: Run nerdctl smoke test
+ timeout-minutes: 5
+ run: bash tests/integration/nerdctl/gha-run.sh run
diff --git a/tests/integration/nerdctl/gha-run.sh b/tests/integration/nerdctl/gha-run.sh
new file mode 100644
index 0000000000..dc15851564
--- /dev/null
+++ b/tests/integration/nerdctl/gha-run.sh
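Review bot: The `run-nerdctl-tests` job in run-nerdctl-tests-on-garm.yaml declares no `permissions:` block, so the steps that run repository scripts from `inputs.commit-hash` on the `garm-ubuntu-2304` runner get whatever default GITHUB_TOKEN scope the caller passes down. Adding `permissions:` with `contents: read` at job level, and `persist-credentials: false` under the checkout `with:`, would keep the token out of reach of the scripts under test; confirm first that tests/git-helper.sh (not shown here) does not need the stored credentials for its fetch. `actions/checkout@v3` and `actions/download-artifact@v3` are also referenced by mutable tag, and pinning them to full commit SHAs would fix what code the job actually runs.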
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+kata_tarball_dir="${2:-kata-artifacts}"
+nerdctl_dir="$(dirname "$(readlink -f "$0")")"
+source "${nerdctl_dir}/../../common.bash"
+
+function install_dependencies() {
+ info "Installing the dependencies for running the nerdctl tests"
+
+ # Dependency list of projects that we can rely on the system packages
+ # - wget
+ # - Used to download the nerdctl-full tarball
+ # - pip
+ # - Used to install lastversion, which will be used to get the latest
+ # release of the nerdctl
+ declare -a system_deps=(
+ wget
+ pip
+ )
+
+ sudo apt update
+ sudo apt -y install "${system_deps[@]}"
+
+ # Install lastversion from pip
+ #
+ # --break-system-packages is, unfortunately, needed here as it'll also
+ # bring in some python3 dependencies on its own
+ pip install lastversion --break-system-packages
+
+ # As the command above will install lastversion on $HOME/.local/bin, we
+ # need to add it to the PATH
+ export PATH=$PATH:${HOME}/.local/bin
+
+ # Download the nerdctl-full tarball, as it comes with all the deps
+ # needed.
+ nerdctl_lastest_version=$(lastversion containerd/nerdctl)
+ wget https://github.com/containerd/nerdctl/releases/download/v${nerdctl_lastest_version}/nerdctl-full-${nerdctl_lastest_version}-linux-amd64.tar.gz
+
+ # Unpack the latest nerdctl into /usr/local/
+ sudo tar -xvf nerdctl-full-${nerdctl_lastest_version}-linux-amd64.tar.gz -C /usr/local/
+
+ # Start containerd service
+ sudo systemctl daemon-reload
+ sudo systemctl start containerd
+}
+
+function run() {
+ info "Running nerdctl smoke test tests using ${KATA_HYPERVISOR} hypervisor"
+
+ enabling_hypervisor
+
+ info "Running nerdctl with runc"
+ sudo nerdctl run --rm alpine ping -c 2 www.github.com
+
+ info "Running nerdctl with Kata Containers (${KATA_HYPERVISOR})"
+ sudo nerdctl run --rm --runtime io.containerd.kata.v2 alpine ping -c 2 www.github.com
+}
+
+function main() {
+ action="${1:-}"
+ case "${action}" in
+ install-dependencies) install_dependencies ;;
+ install-kata) install_kata ;;
+ run) run ;;
+ *) >&2 die "Invalid argument" ;;
+ esac
+}
+
+main "$@"
From c83f167c5981a5c043dd2d3dcbcaa5f333e353bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 12 Sep 2023 16:13:00 +0200 Subject: [PATCH 2/3] ci: docker: Run the tests after the kata-static is created MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There's no reason to wait till the payload is created to run the tests, as we rely on the tarball, not on the kata-deploy payload. That was a mistake on my side, and that's already fixed for the nerdctl tests. Signed-off-by: Fabiano FidĂȘncio --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8f7c90ffb2..8b8ad8ab44 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
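Review bot: `install_dependencies` in tests/integration/nerdctl/gha-run.sh unpacks a downloaded tarball into /usr/local/ as root without checking it against any digest, and the version it fetches is whatever `lastversion containerd/nerdctl` returns at run time, from a `lastversion` that is itself an unpinned `pip install`. A replaced release asset or a compromised PyPI package would therefore end up as root-owned binaries on the runner, and a new upstream release can break CI with no change in this repository. I would record the nerdctl version and the tarball's SHA-256 in the repository and verify before extraction, which also removes the need for pip, `lastversion` and `--break-system-packages`; the sketch below uses placeholders for the two pinned values. The same lines expand `${nerdctl_lastest_version}` unquoted (and the name is misspelled), and `kata_tarball_dir` is set at the top while `install_kata` is called without arguments, so it presumably relies on common.bash reading that global.

```shell
function install_dependencies() {
	# … unchanged: info message and apt install of wget (pip no longer needed) …

	# Pinned release and digest: a changed or substituted asset fails the job
	# before anything is extracted as root.
	local nerdctl_version="<PINNED_NERDCTL_VERSION>"
	local nerdctl_sha256="<SHA256_OF_PINNED_TARBALL>"
	local nerdctl_tarball="nerdctl-full-${nerdctl_version}-linux-amd64.tar.gz"

	wget "https://github.com/containerd/nerdctl/releases/download/v${nerdctl_version}/${nerdctl_tarball}"
	printf '%s  %s\n' "${nerdctl_sha256}" "${nerdctl_tarball}" | sha256sum --check --strict -
	sudo tar -xvf "${nerdctl_tarball}" -C /usr/local/

	# … unchanged: systemctl daemon-reload and start containerd …
}
```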
@@ -74,7 +74,7 @@ jobs: file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile run-docker-tests-on-garm: - needs: publish-kata-deploy-payload-amd64 + needs: build-kata-static-tarball-amd64 uses: ./.github/workflows/run-docker-tests-on-garm.yaml with: tarball-suffix: -${{ inputs.tag }} From f536ef5ce1ba5a32d7d9727c469e20f3820436f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 12 Sep 2023 16:26:41 +0200 Subject: [PATCH 3/3] ci: docker: Also run the smoke test with runc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will help us to make sure that the failure is actually related to Kata Containers. Signed-off-by: Fabiano FidĂȘncio --- tests/integration/docker/gha-run.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/integration/docker/gha-run.sh b/tests/integration/docker/gha-run.sh index fc4f430d38..58a6dceaca 100755 --- a/tests/integration/docker/gha-run.sh +++ b/tests/integration/docker/gha-run.sh @@ -38,6 +38,10 @@ function run() { enabling_hypervisor + info "Running docker with runc" + sudo docker run --rm alpine ping -c 2 www.github.com + + info "Running docker with Kata Containers (${KATA_HYPERVISOR})" sudo docker run --rm --runtime io.containerd.kata.v2 alpine ping -c 2 www.github.com }
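Review bot: The added runc baseline in `run()` of tests/integration/docker/gha-run.sh pulls `alpine` with no registry, tag or digest, so the image under test is whatever `latest` resolves to at job time; the nerdctl `run()` added in patch 1/3 does the same. Pinning the image, for example `alpine@sha256:<PINNED_DIGEST>` (placeholder), keeps both smoke tests reproducible and means a changed upstream image cannot alter what runs under `sudo` on the runner. Both commands also depend on outbound ICMP and DNS to www.github.com, so a network fault shows up as a runtime failure; a short comment such as `# needs outbound ICMP + DNS; a failure in both runs points at the runner network` would help whoever triages a red run. The body of `run()` begins above this hunk.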