Complete migration from Cirrus CI to GHA (Lima)

Fix issue 5238

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

.cirrus.yml

@@ -1,127 +0,0 @@
----
-# We use Cirrus for RHEL clones because Cirrus can directly run them
-# without depending on nested virtualization.
-
-# NOTE Cirrus execution environments lack a terminal, needed for
-# some integration tests. So we use `ssh -tt` command to fake a terminal.
-
-task:
-  timeout_in: 30m
-
-  env:
-    HOME: /root
-    CIRRUS_WORKING_DIR: /home/runc
-    GO_VER_PREFIX: "1.25."
-    BATS_VERSION: "v1.12.0"
-    LIBPATHRS_VERSION: "0.2.4"
-    RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils cargo lld wget
-    # yamllint disable rule:key-duplicates
-    matrix:
-      - DISTRO: almalinux-8
-        IMAGE_PROJECT: almalinux-cloud
-      - DISTRO: almalinux-9
-        IMAGE_PROJECT: almalinux-cloud
-      - DISTRO: centos-stream-10
-        IMAGE_PROJECT: centos-cloud
-
-  name: ci / $DISTRO
-
-  compute_engine_instance:
-    image_project: $IMAGE_PROJECT
-    image: family/$DISTRO
-    platform: linux
-    cpu: 4
-    memory: 8G
-
-  install_dependencies_script: |
-    case $DISTRO in
-    *-8)
-      dnf config-manager --set-enabled powertools # for glibc-static
-      ;;
-    *-9|*-10)
-      dnf config-manager --set-enabled crb # for glibc-static
-      dnf -y install epel-release # for fuse-sshfs
-      # Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
-      # The default (since systemd v252) is "pids memory cpu".
-      mkdir -p /etc/systemd/system/user@.service.d
-      printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/user@.service.d/delegate.conf
-      systemctl daemon-reload
-      ;;
-    esac
-    # Work around dnf mirror failures by retrying a few times.
-    for i in $(seq 0 2); do
-      sleep $i
-      dnf install -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs $RPMS && break
-    done
-    [ $? -eq 0 ] # fail if dnf failed
-
-    case $DISTRO in
-    *-8)
-      # Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545).
-      # Alas we have to disable container-tools for that.
-      dnf -y module disable container-tools
-      dnf -y copr enable adrian/criu-el8
-      dnf -y install criu
-    esac
-
-    # Install libpathrs.
-    /home/runc/script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
-
-    # Install Go.
-    URL_PREFIX="https://go.dev/dl/"
-    # Find out the latest minor release URL.
-    filename=$(curl -fsSL "${URL_PREFIX}?mode=json&include=all" | jq -r --arg Ver "go$GO_VER_PREFIX" '. | map(select(.version | contains($Ver))) | first | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | .filename')
-    curl -fsSL "$URL_PREFIX$filename" | tar Cxz /usr/local
-    # install bats
-    cd /tmp
-    git clone https://github.com/bats-core/bats-core
-    cd bats-core
-    git checkout $BATS_VERSION
-    ./install.sh /usr/local
-    cd -
-    # Setup rootless tests.
-    /home/runc/script/setup_rootless.sh
-    # set PATH
-    echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
-    # Allow potentially unsafe tests.
-    echo 'export RUNC_ALLOW_UNSAFE_TESTS=yes' >> /root/.bashrc
-    # Setup ssh localhost for terminal emulation (script -e did not work)
-    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
-    cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
-    chmod 400 /root/.ssh/authorized_keys
-    ssh-keyscan localhost >> /root/.ssh/known_hosts
-    echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
-    sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
-    systemctl restart sshd
-  host_info_script: |
-    uname -a
-    # -----
-    /usr/local/go/bin/go version
-    # -----
-    systemctl --version
-    # -----
-    cat /etc/os-release
-    # -----
-    df -T
-    # -----
-    sestatus
-    # -----
-    cat /proc/cpuinfo
-  check_config_script: |
-    /home/runc/script/check-config.sh
-  unit_tests_script: |
-    ssh -tt localhost "make -C /home/runc localunittest"
-  integration_systemd_script: |
-    ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
-  integration_fs_script: |
-    ssh -tt localhost "make -C /home/runc localintegration"
-  integration_systemd_rootless_script: |
-    case $DISTRO in
-      *-8)
-        echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
-        ;;
-      *)
-        ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
-    esac
-  integration_fs_rootless_script: |
-    ssh -tt localhost "make -C /home/runc localrootlessintegration"

.github/workflows/test.yml

@@ -210,8 +210,12 @@ jobs:
         PKG_CONFIG_PATH: /usr/386/lib/pkgconfig
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
 
-  fedora:
-    timeout-minutes: 30
+  lima:
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        template: [almalinux-8, almalinux-9, centos-stream-10, fedora]
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
@@ -230,13 +234,13 @@ jobs:
       # CPUs: min(4, host CPU cores)
       # RAM:  min(4 GiB, half of host memory)
       # Disk: 100 GiB
-      run: limactl start --plain --name=default template://fedora
+      run: limactl start --plain --name=default template:${{ matrix.template }}
 
     - name: "Initialize VM"
       run: |
         set -eux -o pipefail
         limactl cp -r . default:/tmp/runc
-        lima sudo /tmp/runc/script/setup_host_fedora.sh
+        lima sudo /tmp/runc/script/setup_host.sh
 
     - name: "Show guest info"
       run: |
@@ -264,6 +268,8 @@ jobs:
       run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
 
     - name: "Run integration tests (systemd driver, rootless)"
+      # Needs cgroup v2
+      if: ${{ matrix.template != 'almalinux-8' }}
       run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
 
     - name: "Run integration tests (fs driver, rootless)"
@@ -273,7 +279,7 @@ jobs:
     needs:
     - test
     - cross-i386
-    - fedora
+    - lima
     runs-on: ubuntu-24.04
     steps:
     - run: echo "All jobs completed"

README.md

@@ -5,7 +5,6 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/588/badge)](https://bestpractices.coreinfrastructure.org/projects/588)
 [![gha/validate](https://github.com/opencontainers/runc/workflows/validate/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate)
 [![gha/ci](https://github.com/opencontainers/runc/workflows/ci/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Aci)
-[![CirrusCI](https://api.cirrus-ci.com/github/opencontainers/runc.svg)](https://cirrus-ci.com/github/opencontainers/runc)
 
 ## Introduction
 

script/setup_host.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# This script is used for initializing the host environment for CI.
+# Supports Fedora and EL-based distributions.
+set -eux -o pipefail
+
+: "${LIBPATHRS_VERSION:=0.2.4}"
+
+# BATS_VERSION is only consumed for the EL8 platform as its bats package is too old.
+: "${BATS_VERSION:=v1.12.0}"
+
+SCRIPTDIR="$(dirname "${BASH_SOURCE[0]}")"
+
+# PLATFORM_ID is not available on Fedora
+PLATFORM_ID=
+grep -q ^PLATFORM_ID /etc/os-release && PLATFORM_ID="$(grep -oP '^PLATFORM_ID="\K[^"]+' /etc/os-release)"
+
+# Initialize DNF
+DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs)
+case "$PLATFORM_ID" in
+platform:el8)
+	# DNF+=(--exclude="kernel,kernel-core") seems to fail
+	"${DNF[@]}" config-manager --set-enabled powertools # for glibc-static
+	"${DNF[@]}" install epel-release
+	;;
+platform:el9 | platform:el10)
+	DNF+=(--exclude="kernel,kernel-core")
+	"${DNF[@]}" config-manager --set-enabled crb # for glibc-static
+	"${DNF[@]}" install epel-release
+	;;
+*)
+	# Fedora
+	DNF+=(--exclude="kernel,kernel-core")
+	;;
+esac
+
+# Install common packages
+RPMS=(cargo container-selinux fuse-sshfs git-core glibc-static golang iptables jq libseccomp-devel lld make policycoreutils wget)
+# Work around dnf mirror failures by retrying a few times.
+for i in $(seq 0 2); do
+	sleep "$i"
+	"${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break
+done
+# shellcheck disable=SC2181
+[ $? -eq 0 ] # fail if dnf failed
+
+# Install CRIU
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+	# Use newer criu (with https://github.com/checkpoint-restore/criu/pull/2545).
+	# Alas we have to disable container-tools for that.
+	"${DNF[@]}" module disable container-tools
+	"${DNF[@]}" copr enable adrian/criu-el8
+fi
+"${DNF[@]}" install criu
+
+# Install BATS
+if [ "$PLATFORM_ID" = "platform:el8" ]; then
+	# The packaged version of bats is too old: `BATS_ERROR_SUFFIX: unbound variable`, `bats_require_minimum_version: command not found`
+	(
+		cd /tmp
+		git clone https://github.com/bats-core/bats-core
+		(
+			cd bats-core
+			git checkout "$BATS_VERSION"
+			./install.sh /usr/local
+			cat >>/etc/profile.d/sh.local <<'EOF'
+PATH="/usr/local/bin:$PATH"
+export PATH
+EOF
+			cat >/etc/sudoers.d/local <<'EOF'
+Defaults    secure_path = "/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+EOF
+		)
+		rm -rf bats-core
+	)
+else
+	"${DNF[@]}" install bats
+fi
+
+# Clean up DNF
+dnf clean all
+
+# Install libpathrs
+"$SCRIPTDIR"/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
+
+# Setup rootless user.
+"$SCRIPTDIR"/setup_rootless.sh
+
+# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup
+if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
+	mkdir -p /etc/systemd/system/user@.service.d
+	cat >/etc/systemd/system/user@.service.d/delegate.conf <<'EOF'
+[Service]
+# The default (since systemd v252) is "pids memory cpu".
+Delegate=yes
+EOF
+	systemctl daemon-reload
+fi
+
+# Allow potentially unsafe tests.
+echo 'export RUNC_ALLOW_UNSAFE_TESTS=yes' >>/root/.bashrc

script/setup_host_fedora.sh

@@ -1,38 +0,0 @@
-#!/bin/bash
-set -eux -o pipefail
-DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude="kernel,kernel-core")
-RPMS=(bats git-core glibc-static golang jq libseccomp-devel cargo lld make wget)
-# Work around dnf mirror failures by retrying a few times.
-for i in $(seq 0 2); do
-	sleep "$i"
-	"${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break
-done
-
-# criu-4.1-1 has a known bug (https://github.com/checkpoint-restore/criu/issues/2650)
-# which is fixed in criu-4.1-2 (currently in updates-testing). TODO: remove this later.
-if [[ $(rpm -q criu) == "criu-4.1-1.fc"* ]]; then
-	"${DNF[@]}" --enablerepo=updates-testing update criu
-fi
-
-dnf clean all
-
-SCRIPTDIR="$(dirname "${BASH_SOURCE[0]}")"
-
-LIBPATHRS_VERSION="0.2.4"
-"$SCRIPTDIR"/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
-
-# To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
-mount -o remount,suid /tmp
-
-# Setup rootless user.
-"$SCRIPTDIR"/setup_rootless.sh
-
-# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
-mkdir -p /etc/systemd/system/user@.service.d
-cat >/etc/systemd/system/user@.service.d/delegate.conf <<EOF
-[Service]
-# default: Delegate=pids memory
-# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04).
-Delegate=yes
-EOF
-systemctl daemon-reload