Further restriction of child processes capabilities (part 2) #7129
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "ci" | |
on: | |
push: | |
branches: [master] | |
pull_request: | |
branches: [master] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
container: quay.io/sssd/ci-client-devel:latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
id: dependencies | |
uses: ./.github/actions/install-dependencies | |
- name: Configure sssd | |
uses: ./.github/actions/configure | |
- name: make | |
shell: bash | |
working-directory: x86_64 | |
run: | | |
source ../contrib/fedora/bashrc_sssd | |
make CFLAGS+="$SSS_WARNINGS -Werror" | |
- name: make check | |
shell: bash | |
working-directory: x86_64 | |
run: | | |
source ../contrib/fedora/bashrc_sssd | |
make CFLAGS+="$SSS_WARNINGS -Werror" check | |
- name: make distcheck | |
shell: bash | |
working-directory: x86_64 | |
run: | | |
source ../contrib/fedora/bashrc_sssd | |
make distcheck | |
- uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: build | |
path: | | |
x86_64/config.log | |
x86_64/config.h | |
x86_64/test-suite.log | |
if-no-files-found: ignore | |
prepare: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
outputs: | |
matrix: ${{ steps.matrix.outputs.matrix }} | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v4 | |
- name: Get matrix | |
id: matrix | |
run: ./contrib/ci/get-matrix.py --action | |
intgcheck: | |
needs: [prepare, build] | |
strategy: | |
fail-fast: false | |
matrix: | |
tag: ${{ fromJson(needs.prepare.outputs.matrix).intgcheck }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
path: sssd | |
- name: Setup containers | |
uses: SSSD/sssd-ci-containers/actions/setup@master | |
with: | |
path: sssd-ci-containers | |
tag: ${{ matrix.tag }} | |
limit: dns client | |
override: | | |
services: | |
client: | |
image: ${REGISTRY}/ci-client-devel:${TAG} | |
volumes: | |
- ../sssd:/sssd:rw | |
- name: Run integration tests | |
uses: SSSD/sssd-ci-containers/actions/exec@master | |
with: | |
working-directory: /sssd | |
script: ./contrib/ci/run --moderate | |
- name: Print logs | |
uses: next-actions/print-logs@master | |
if: always() | |
with: | |
working-directory: ./sssd/ci-build-debug | |
files: | | |
test-suite.log | |
ci-make-intgcheck.log | |
ci-make-distcheck.log | |
- name: Upload main artifacts | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: ignore | |
name: ${{ matrix.tag }}-intgcheck | |
path: | | |
./sssd/var/log/sssd/*.log | |
./sssd/ci-build-debug/ci-*.log | |
./sssd/ci-build-debug/config.log | |
./sssd/ci-build-debug/test-suite.log | |
./sssd/ci-build-debug/ci-mock-result/*.log | |
./sssd/ci-build-debug/src/tests/cwrap/test-suite.log | |
- name: Upload valgrind artifacts | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: ignore | |
name: ${{ matrix.tag }}-intgcheck-valgrind | |
path: | | |
./sssd/ci-build-debug/*.valgrind.log | |
system: | |
needs: [prepare, build] | |
strategy: | |
fail-fast: false | |
matrix: | |
tag: ${{ fromJson(needs.prepare.outputs.matrix).multihost }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: 3.11 | |
- name: Checkout sssd repository | |
uses: actions/checkout@v4 | |
with: | |
path: sssd | |
- name: Setup containers | |
uses: SSSD/sssd-ci-containers/actions/setup@master | |
with: | |
path: sssd-ci-containers | |
tag: ${{ matrix.tag }} | |
override: | | |
services: | |
client: | |
image: ${REGISTRY}/ci-client-devel:${TAG} | |
shm_size: 4G | |
tmpfs: | |
- /dev/shm | |
volumes: | |
- ../sssd:/sssd:rw | |
ipa: | |
image: ${REGISTRY}/ci-ipa-devel:${TAG} | |
shm_size: 4G | |
tmpfs: | |
- /dev/shm | |
volumes: | |
- ../sssd:/sssd:rw | |
- name: Build SSSD on the client and IPA | |
uses: SSSD/sssd-ci-containers/actions/exec@master | |
with: | |
log-file: build.log | |
working-directory: /sssd | |
where: | | |
client | |
ipa | |
script: | | |
#!/bin/bash | |
set -ex | |
./contrib/ci/run --deps-only | |
autoreconf -if | |
mkdir -p /dev/shm/sssd | |
pushd /dev/shm/sssd | |
/sssd/configure --enable-silent-rules | |
make rpms | |
- name: Install SSSD on the client and IPA | |
uses: SSSD/sssd-ci-containers/actions/exec@master | |
with: | |
log-file: install.log | |
user: root | |
where: | | |
client | |
ipa | |
script: | | |
#!/bin/bash | |
set -ex | |
dnf install -y /dev/shm/sssd/rpmbuild/RPMS/*/*.rpm | |
rm -fr /dev/shm/sssd | |
# We need to reenable sssd-kcm since it was disabled by removing sssd not not enabled again | |
systemctl enable --now sssd-kcm.socket | |
- name: Restart SSSD on IPA server | |
uses: SSSD/sssd-ci-containers/actions/exec@master | |
with: | |
user: root | |
where: ipa | |
script: | | |
#!/bin/bash | |
set -ex | |
systemctl restart sssd || systemctl status sssd | |
- name: Patch the SSH configuration | |
uses: SSSD/sssd-ci-containers/actions/exec@master | |
with: | |
user: root | |
script: | | |
#!/bin/bash | |
test -x /usr/bin/sss_ssh_knownhosts && \ | |
sed -e 's/GlobalKnownHostsFile/#GlobalKnownHostsFile/' \ | |
-e 's/ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p %p %h/KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts %H/' \ | |
-i /etc/ssh/ssh_config.d/04-ipa.conf | |
- name: Install system tests dependencies | |
shell: bash | |
working-directory: ./sssd/src/tests/system | |
run: | | |
set -ex | |
sudo apt-get update | |
# Install dependencies for python-ldap | |
sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev | |
# Virtualenv | |
pip3 install virtualenv | |
python3 -m venv .venv | |
source .venv/bin/activate | |
# Install system tests requirements | |
pip3 install -r ./requirements.txt | |
# Install yq to parse yaml files | |
sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | |
sudo chmod a+x /usr/local/bin/yq | |
- name: Remove ad from mhc.yaml | |
shell: bash | |
working-directory: ./sssd/src/tests/system | |
run: | | |
yq -i 'del(.domains[0].hosts.[] | select(.role == "ad"))' mhc.yaml | |
- name: Check polarion metadata | |
shell: bash | |
working-directory: ./sssd/src/tests/system | |
run: | | |
# Run pytest in collect only mode to quickly catch issues in Polarion metadata. | |
set -ex -o pipefail | |
mkdir -p $GITHUB_WORKSPACE/artifacts | |
source .venv/bin/activate | |
pytest \ | |
--color=yes \ | |
--mh-config=./mhc.yaml \ | |
--mh-artifacts-dir=$GITHUB_WORKSPACE/artifacts \ | |
--polarion-config=../polarion.yaml \ | |
--output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \ | |
--collect-only . |& tee $GITHUB_WORKSPACE/pytest-collect.log | |
- name: Run tests | |
shell: bash | |
working-directory: ./sssd/src/tests/system | |
run: | | |
set -ex -o pipefail | |
mkdir -p $GITHUB_WORKSPACE/artifacts | |
source .venv/bin/activate | |
pytest \ | |
--color=yes \ | |
--show-capture=no \ | |
--mh-config=./mhc.yaml \ | |
--mh-artifacts-dir=$GITHUB_WORKSPACE/artifacts \ | |
--polarion-config=../polarion.yaml \ | |
--output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \ | |
--output-polarion-testrun=$GITHUB_WORKSPACE/artifacts/testrun.xml \ | |
-vvv . |& tee $GITHUB_WORKSPACE/pytest.log | |
- name: Upload artifacts | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: ignore | |
name: ${{ matrix.tag }}-system | |
path: | | |
sssd/ci-install-deps.log | |
artifacts | |
build.log | |
install.log | |
pytest.log | |
pytest-collect.log | |
result: | |
name: All tests are successful | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
needs: [build, intgcheck, system] | |
steps: | |
- name: Fail on failure | |
if: | | |
needs.build.result != 'success' | |
|| needs.intgcheck.result != 'success' | |
|| needs.system.result != 'success' | |
run: exit 1 |