-
Notifications
You must be signed in to change notification settings - Fork 91
281 lines (240 loc) · 10.5 KB
/
ci-rpm.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
name: "CI RPM"
on:
push:
branches-ignore:
- coverity_scan
pull_request:
env:
CI: 1
CI_TEST_USER: tapioca
CI_TEST_PASS: queijo
GH_ACTIONS: 1
jobs:
pre-ci:
runs-on: ubuntu-latest
# Map a step output to a job output
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@master
rpm-build:
# If branch protection is in place with status checks enabled, ensure
# names are updated if new matrix entries are added or the name format
# changes.
name: "RPM Build (${{ matrix.env.NAME }})"
needs: pre-ci
if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
container:
image: ${{ matrix.env.OS }}
strategy:
fail-fast: false
matrix:
env:
- { "NAME": "centos-7", "OS": "centos:7", "DIST": "centos" }
- { "NAME": "centos-8", "OS": "centos:8", "DIST": "centos" }
- { "NAME": "rocky-8", "OS": "rockylinux/rockylinux:8", "DIST": "rocky" }
- { "NAME": "rocky-9", "OS": "rockylinux/rockylinux:9", "DIST": "rocky" }
steps:
- name: Extra repos for CentOS and Rocky Linux 8
if: ${{ matrix.env.NAME == 'centos-' || matrix.env.NAME == 'stream-8' || matrix.env.NAME == 'rocky-8' }}
run: |
echo '[ltb-project]' > /etc/yum.repos.d/ltb-project.repo
echo 'name=LTB project packages' >> /etc/yum.repos.d/ltb-project.repo
echo 'baseurl=https://ltb-project.org/rpm/$releasever/$basearch' >> /etc/yum.repos.d/ltb-project.repo
echo 'enabled=1' >> /etc/yum.repos.d/ltb-project.repo
echo 'gpgcheck=1' >> /etc/yum.repos.d/ltb-project.repo
echo 'gpgkey=https://www.ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project' >> /etc/yum.repos.d/ltb-project.repo
rpm --import https://www.ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project
#
# Centos9 is EOL, so we need the below tricks to get it to work.
#
# Converting from CentOS Linux 8 to CentOS Stream 8 is the "official" process
# (see centos.org/centos-stream/#centos-stream-8):
#
- name: Some hacks for CentOS 8 (EOL) to work again.
if: ${{ matrix.env.NAME == 'centos-8' }}
run: |
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Linux-*
yum upgrade -y
yum -y --disablerepo '*' --enablerepo extras swap centos-linux-repos centos-stream-repos
yum clean all && yum makecache
yum distro-sync -y --allowerasing
- name: Enable EPEL for CentOS and Rocky Linux
if: ${{ startsWith(matrix.env.NAME, 'centos-') || startsWith(matrix.env.NAME, 'rocky-') }}
run: |
yum install -y epel-release
# Required so that the checkout action uses git protocol rather than the GitHub REST API.
# make rpm requires the FR directory to be a git repository.
- name: Install recent git for CentOS 7
if: ${{ matrix.env.NAME == 'centos-7' }}
run: |
yum install -y https://packages.endpointdev.com/rhel/7/os/x86_64/git-core-2.30.1-1.ep7.x86_64.rpm
- name: Install distro git for Rocky and CentOS 8.
if: ${{ startsWith(matrix.env.NAME, 'rocky-') || matrix.env.NAME == 'centos-8' }}
run: |
yum install -y git-core git
- name: Enable PowerTools / CRB
run: |
yum install -y yum-utils dnf-plugins-core
yum config-manager --enable PowerTools || :
yum config-manager --enable powertools || :
yum config-manager --enable crb || :
- name: Enable EPEL for Rocky Linux 9
if: ${{ matrix.env.NAME == 'rocky-9' }}
run: |
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
- name: Set up NetworkRADIUS extras repository
run: |
echo '[networkradius-extras]' > /etc/yum.repos.d/networkradius-extras.repo
echo 'name=NetworkRADIUS-extras-$releasever' >> /etc/yum.repos.d/networkradius-extras.repo
echo 'baseurl=http://packages.networkradius.com/extras/${{ matrix.env.DIST }}/$releasever/' >> /etc/yum.repos.d/networkradius-extras.repo
echo 'enabled=1' >> /etc/yum.repos.d/networkradius-extras.repo
echo 'gpgcheck=1' >> /etc/yum.repos.d/networkradius-extras.repo
echo 'gpgkey=https://packages.networkradius.com/pgp/[email protected]' >> /etc/yum.repos.d/networkradius-extras.repo
rpm --import https://packages.networkradius.com/pgp/[email protected]
- name: Install common tools
run: |
yum install -y rpm-build openssl make gcc perl
- name: "Install common tools"
run: |
yum install -y \
yum-utils \
bzip2 \
gcc \
hostname \
make \
perl \
procps-ng \
rpm-build \
psmisc \
sudo
- uses: actions/checkout@v3
with:
path: pam_radius
# Build Package
- name: "Install build dependencies"
run: |
yum-builddep -y redhat/pam_radius_auth.spec
working-directory: pam_radius
- name: "Build RPMs"
run: |
[ -r /opt/rh/devtoolset-8/enable ] && source /opt/rh/devtoolset-8/enable || :
make rpm
working-directory: pam_radius
- name: "Collect RPMs"
run: |
mkdir -p rpms/
mv rpmbuild/RPMS/x86_64/*.rpm rpms/
working-directory: pam_radius
- name: "Install .rpm packages"
run: |
rpm -ivh rpms/pam*.rpm
working-directory: pam_radius
- name: "Show infos of the .rpm package"
run: |
rpm -qi pam_radius_auth
- name: "List content of the .rpm package"
run: |
rpm -qs pam_radius_auth
- name: "Create the CI_TEST_USER user in /etc/passwd (no-password)"
run: |
sudo useradd -d /tmp ${CI_TEST_USER}
id ${CI_TEST_USER}
- name: "Setup FreeRADIUS/SSHD/SYSLOG-NG/PAM then run full CI tests"
run: |
sudo yum -y update
sudo yum -y install \
freeradius freeradius-utils \
syslog-ng \
openssh-server sshpass
echo "#######################################################"
echo "## Stop the services syslog-ng/sshd/freeradius"
( sudo rm -f /var/log/secure && \
sudo touch /var/log/secure && \
sudo chmod 600 /var/log/secure
)
sudo killall -q -9 syslog-ng radiusd sshd || :
# https://stackoverflow.com/questions/47973554/how-to-let-syslog-workable-in-docker
sudo sed -i 's/system()/# system()/g' /etc/syslog-ng/syslog-ng.conf
sudo /usr/sbin/syslog-ng --no-caps
echo "#######################################################"
echo "## Setup the services"
export CI_TEST_USER="$CI_TEST_USER" CI_TEST_PASS="$CI_TEST_PASS"
for i in setup-pam_radius.sh setup-freeradius.sh setup-sshd.sh; do
script="${PWD}/scripts/ci/$i"
echo "Calling $script"
sudo -E $script
done
echo "#######################################################"
echo "## Start the services sshd"
echo | sudo ssh-keygen -A
sudo /usr/sbin/sshd
sudo rm -f /run/nologin # Needed to enable the log in!
echo "## Start the services radiusd"
( sudo make -C /etc/raddb/certs/ destroycerts all && \
sudo sed 's/dh_file =/#dh_file =/g' -i /etc/raddb/mods-available/eap && \
sudo chmod 0644 /etc/raddb/certs/server.pem
)
sudo /usr/sbin/radiusd
echo "#######################################################"
echo "## Show processes"
ps aux | grep -E "([r]adius|[s]sh|[s]yslog)"
working-directory: pam_radius
- name: "Content of /etc/ssh/sshd_config"
run: |
sudo cat /etc/ssh/sshd_config
- name: "Content of /etc/pam.d/sshd"
run: |
sudo cat /etc/pam.d/sshd
- name: "Content of /etc/pam_radius_auth.conf"
run: |
sudo cat /etc/pam_radius_auth.conf
- name: "Validate freeradius instance using radtest"
run: |
radtest -x $CI_TEST_USER $CI_TEST_PASS localhost 0 testing123
- name: "Run ssh authorization over pam_radius"
run: |
if ! sshpass -p "${CI_TEST_PASS}" -v \
/usr/bin/ssh -T -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 22 ${CI_TEST_USER}@localhost id; then
echo "ERROR: Something goes wrong with the SSH + PAM_RADIUS authentication!"
echo "############## Show the logs in /var/log/secure"
sudo tail -35 /var/log/secure
exit 1
fi
- name: "Looking for 'pam_radius_auth: authentication succeeded' in /var/log/secure"
run: |
echo "#######################################################"
echo "## Show the logs in /var/log/secure"
sudo cat -n /var/log/secure
# if ! grep -q "pam_radius_auth: authentication succeeded" /var/log/secure; then
# echo "ERROR: Something goes wrong with the SSH + PAM_RADIUS authentication!"
# exit 1
# fi
#
# If the CI has failed and the branch is ci-debug then we start a tmate
# session to provide interactive shell access to the session.
#
# The SSH rendezvous point will be emitted continuously in the job output,
# which will look something like:
#
# SSH: ssh [email protected]
#
# For example:
#
# git push origin ci-debug --force
#
# Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions
#
# ssh [email protected]
#
# Access requires that you have the private key corresponding to the
# public key of the GitHub user that initiated the job.
#
- name: "Debug: Start tmate"
uses: mxschmitt/action-tmate@v3
with:
limit-access-to-actor: true
if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}