build(deps): bump the docker group with 2 updates #11568
Workflow file for this run
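# Workflow header: triggers, token permissions and shared environment.
name: test

on:
  push:
    branches:
      - main
      - 'release/**'
  pull_request:
    # Documentation-only pull requests do not trigger the test jobs.
    paths-ignore:
      - '**.md'

# Least-privilege default for the GITHUB_TOKEN: no step visible in this
# workflow pushes, comments or publishes, so read access to the repository
# contents is sufficient. Grant more on an individual job if a step needs it.
permissions:
  contents: read

env:
  GO_VERSION: 1.23.x
  SHORT_TIMEOUT: 5
  LONG_TIMEOUT: 60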
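# NOTE(review): every `actions/[email protected]` below is how this page rendered
# the action reference (the text around `@` was masked by e-mail obfuscation).
# Judging by its inputs (fetch-depth, repository, ref, path) it is presumably
# the checkout action; restore the real pinned ref from the repository.
#
# Changes relative to the rendered listing:
#   - `persist-credentials: false` on each checkout, so the job token is not
#     left in .git/config for the Docker build context (`.`), the privileged
#     containers and the vagrant provisioners that run afterwards.
#   - Ubuntu matrix versions are quoted so they stay strings ("20.04") instead
#     of being typed as floats by the YAML parser.
#   - `matrix.go-version` reaches the build script through `env:` rather than
#     being expanded into the script text.
jobs:
  # This job builds the dependency target of the test docker image for all
  # supported architectures and caches it in GHA.
  build-dependencies:
    timeout-minutes: 15
    name: dependencies | ${{ matrix.containerd }} | ${{ matrix.arch }}
    runs-on: "${{ matrix.runner }}"
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            containerd: v1.6.36
            arch: amd64
          - runner: ubuntu-24.04
            containerd: v1.7.24
            arch: amd64
          - runner: ubuntu-24.04
            containerd: v2.0.0
            arch: amd64
          - runner: arm64-8core-32gb
            containerd: v2.0.0
            arch: arm64
    env:
      CONTAINERD_VERSION: "${{ matrix.containerd }}"
      ARCH: "${{ matrix.arch }}"
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      # NOTE(review): third-party action referenced by a mutable tag (@v3).
      # Going by the step name it exposes the Actions runtime variables to the
      # following steps, so pinning it to a full commit SHA is worth doing.
      # The same applies to every other use of this action in the file.
      - name: "Expose GitHub Runtime variables for gha"
        uses: crazy-max/ghaction-github-runtime@v3
      - name: "Build dependencies for the integration test environment image"
        run: |
          docker buildx create --name with-gha --use
          docker buildx build \
            --output=type=docker \
            --cache-to type=gha,mode=max,scope=${ARCH}-${CONTAINERD_VERSION} \
            --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \
            --target build-dependencies --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .

  test-unit:
    # FIXME:
    # Supposed to work: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#example-returning-a-json-data-type
    # Apparently does not
    # timeout-minutes: ${{ fromJSON(env.SHORT_TIMEOUT) }}
    timeout-minutes: 10
    name: unit | ${{ matrix.goos }}
    runs-on: "${{ matrix.os }}"
    defaults:
      run:
        shell: bash
    strategy:
      matrix:
        include:
          - os: windows-2022
            goos: windows
          - os: ubuntu-24.04
            goos: linux
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
          cache: true
      # Windows only: fetch containerd sources for the CNI install script.
      - if: ${{ matrix.goos=='windows' }}
        uses: actions/[email protected]
        with:
          repository: containerd/containerd
          ref: v1.7.24
          path: containerd
          fetch-depth: 1
          persist-credentials: false
      - if: ${{ matrix.goos=='windows' }}
        name: "Set up CNI"
        working-directory: containerd
        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
      - name: "Run unit tests"
        run: make test-unit

  test-integration:
    needs: build-dependencies
    timeout-minutes: 30
    name: rootful | ${{ matrix.containerd }} | ${{ matrix.runner }}
    runs-on: "${{ matrix.runner }}"
    strategy:
      fail-fast: false
      matrix:
        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
        include:
          - ubuntu: "20.04"
            containerd: v1.6.36
            runner: "ubuntu-20.04"
            arch: amd64
          - ubuntu: "22.04"
            containerd: v1.7.24
            runner: "ubuntu-22.04"
            arch: amd64
          - ubuntu: "24.04"
            containerd: v2.0.0
            runner: "ubuntu-24.04"
            arch: amd64
          - ubuntu: "24.04"
            containerd: v2.0.0
            runner: arm64-8core-32gb
            arch: arm64
    env:
      CONTAINERD_VERSION: "${{ matrix.containerd }}"
      ARCH: "${{ matrix.arch }}"
      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - name: "Expose GitHub Runtime variables for gha"
        uses: crazy-max/ghaction-github-runtime@v3
      - name: "Prepare integration test environment"
        run: |
          docker buildx create --name with-gha --use
          docker buildx build \
            --output=type=docker \
            --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \
            -t test-integration --target test-integration \
            --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} \
            --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
      - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
        run: |
          sudo systemctl disable --now snapd.service snapd.socket
          sudo apt-get purge -y snapd
          sudo losetup -Dv
          sudo losetup -lv
      # NOTE(review): tonistiigi/binfmt is pulled without a tag or digest and
      # run with --privileged on the runner. Pinning the image by digest would
      # make the step reproducible and limit exposure to a changed upstream
      # image. The same applies to every other "Register QEMU" step below.
      - name: "Register QEMU (tonistiigi/binfmt)"
        run: |
          # `--install all` will only install emulation for architectures that cannot be natively executed
          # Since some arm64 platforms do provide native fallback execution for 32 bits,
          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
          # To avoid that, we explicitly list the architectures we do want emulation for.
          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
      - name: "Run integration tests"
        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false
      - name: "Run integration tests (flaky)"
        run: docker run -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true

  test-integration-ipv6:
    needs: build-dependencies
    timeout-minutes: 15
    name: ipv6 | ${{ matrix.containerd }} | ${{ matrix.ubuntu }}
    runs-on: "ubuntu-${{ matrix.ubuntu }}"
    strategy:
      fail-fast: false
      matrix:
        include:
          - ubuntu: "24.04"
            containerd: v2.0.0
            arch: amd64
    env:
      CONTAINERD_VERSION: "${{ matrix.containerd }}"
      ARCH: "${{ matrix.arch }}"
      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - name: Enable ipv4 and ipv6 forwarding
        run: |
          sudo sysctl -w net.ipv6.conf.all.forwarding=1
          sudo sysctl -w net.ipv4.ip_forward=1
      - name: "Expose GitHub Runtime variables for gha"
        uses: crazy-max/ghaction-github-runtime@v3
      - name: Enable IPv6 for Docker, and configure docker to use containerd for gha
        run: |
          sudo mkdir -p /etc/docker
          echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
          sudo systemctl restart docker
      - name: "Prepare integration test environment"
        run: |
          docker buildx create --name with-gha --use
          docker buildx build \
            --output=type=docker \
            --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \
            -t test-integration --target test-integration \
            --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} \
            --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} .
      - name: "Remove snap loopback devices (conflicts with our loopback devices in TestRunDevice)"
        run: |
          sudo systemctl disable --now snapd.service snapd.socket
          sudo apt-get purge -y snapd
          sudo losetup -Dv
          sudo losetup -lv
      - name: "Register QEMU (tonistiigi/binfmt)"
        run: |
          # `--install all` will only install emulation for architectures that cannot be natively executed
          # Since some arm64 platforms do provide native fallback execution for 32 bits,
          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
          # To avoid that, we explicitly list the architectures we do want emulation for.
          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
      - name: "Run integration tests"
        # The nested IPv6 network inside docker and qemu is complex and needs a bunch of sysctl config.
        # Therefore, it's hard to debug why the IPv6 tests fail in such an isolation layer.
        # On the other side, using the host network is easier at configuration.
        # Besides, each job is running on a different instance, which means using host network here
        # is safe and has no side effects on others.
        run: docker run --network host -t --rm --privileged test-integration ./hack/test-integration.sh -test.only-ipv6

  test-integration-rootless:
    needs: build-dependencies
    timeout-minutes: 30
    name: "${{ matrix.target }} | ${{ matrix.containerd }} | ${{ matrix.rootlesskit }} | ${{ matrix.ubuntu }}"
    runs-on: "ubuntu-${{ matrix.ubuntu }}"
    strategy:
      fail-fast: false
      matrix:
        # ubuntu-20.04: cgroup v1, ubuntu-22.04 and later: cgroup v2
        include:
          - ubuntu: "20.04"
            containerd: v1.6.36
            rootlesskit: v1.1.1  # Deprecated
            target: rootless
            arch: amd64
          - ubuntu: "22.04"
            containerd: v1.7.24
            rootlesskit: v2.3.1
            target: rootless
            arch: amd64
          - ubuntu: "24.04"
            containerd: v2.0.0
            rootlesskit: v2.3.1
            target: rootless
            arch: amd64
          - ubuntu: "24.04"
            containerd: v1.7.24
            rootlesskit: v2.3.1
            target: rootless-port-slirp4netns
            arch: amd64
    env:
      CONTAINERD_VERSION: "${{ matrix.containerd }}"
      ARCH: "${{ matrix.arch }}"
      UBUNTU_VERSION: "${{ matrix.ubuntu }}"
      ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}"
      TEST_TARGET: "test-integration-${{ matrix.target }}"
    steps:
      # Installs an AppArmor profile for /usr/local/bin/rootlesskit that keeps
      # the binary unconfined and allows it `userns`, then reloads AppArmor.
      - name: "Set up AppArmor"
        if: matrix.ubuntu == '24.04'
        run: |
          cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
          abi <abi/4.0>,
          include <tunables/global>
          /usr/local/bin/rootlesskit flags=(unconfined) {
            userns,
            # Site-specific additions and overrides. See local/README for details.
            include if exists <local/usr.local.bin.rootlesskit>
          }
          EOT
          sudo systemctl restart apparmor.service
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - name: "Register QEMU (tonistiigi/binfmt)"
        run: |
          # `--install all` will only install emulation for architectures that cannot be natively executed
          # Since some arm64 platforms do provide native fallback execution for 32 bits,
          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
          # To avoid that, we explicitly list the architectures we do want emulation for.
          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
      - name: "Expose GitHub Runtime variables for gha"
        uses: crazy-max/ghaction-github-runtime@v3
      - name: "Prepare (network driver=slirp4netns, port driver=builtin)"
        run: |
          docker buildx create --name with-gha --use
          docker buildx build \
            --output=type=docker \
            --cache-from type=gha,scope=${ARCH}-${CONTAINERD_VERSION} \
            -t ${TEST_TARGET} --target ${TEST_TARGET} \
            --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} \
            --build-arg CONTAINERD_VERSION=${CONTAINERD_VERSION} \
            --build-arg ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} .
      - name: "Disable BuildKit for RootlessKit v1 (workaround for issue #622)"
        run: |
          # https://github.com/containerd/nerdctl/issues/622
          WORKAROUND_ISSUE_622=
          if echo "${ROOTLESSKIT_VERSION}" | grep -q v1; then
            WORKAROUND_ISSUE_622=1
          fi
          # Written to GITHUB_ENV so the two test steps below can read it.
          echo "WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622}" >> "$GITHUB_ENV"
      - name: "Test (network driver=slirp4netns, port driver=builtin)"
        run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false
      - name: "Test (network driver=slirp4netns, port driver=builtin) (flaky)"
        run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true

  build:
    timeout-minutes: 5
    name: "build | ${{ matrix.go-version }}"
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        go-version: ["1.22.x", "1.23.x"]
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
          cache: true
          check-latest: true
      - name: "build"
        env:
          # Handed to the shell as data instead of being pasted into the script.
          MATRIX_GO_VERSION: "${{ matrix.go-version }}"
        # Strips the trailing ".x" ("1.23.x" -> "1.23") before calling make.
        run: |
          GO_VERSION="$(echo "${MATRIX_GO_VERSION}" | sed -e 's/\.x$//')" make binaries

  test-integration-docker-compatibility:
    timeout-minutes: 30
    name: docker
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
          check-latest: true
      - name: "Register QEMU (tonistiigi/binfmt)"
        run: |
          # `--install all` will only install emulation for architectures that cannot be natively executed
          # Since some arm64 platforms do provide native fallback execution for 32 bits,
          # armv7 emulation may or may not be installed, causing variance in the result of `uname -m`.
          # To avoid that, we explicitly list the architectures we do want emulation for.
          docker run --privileged --rm tonistiigi/binfmt --install linux/amd64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm64
          docker run --privileged --rm tonistiigi/binfmt --install linux/arm/v7
      - name: "Prepare integration test environment"
        run: |
          sudo apt-get install -y expect
          go install -v gotest.tools/gotestsum@v1
      - name: "Ensure that the integration test suite is compatible with Docker"
        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker
      - name: "Ensure that the IPv6 integration test suite is compatible with Docker"
        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-ipv6
      - name: "Ensure that the integration test suite is compatible with Docker (flaky only)"
        run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker -test.only-flaky

  test-integration-windows:
    timeout-minutes: 30
    name: windows
    runs-on: windows-2022
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
          check-latest: true
      - run: go install ./cmd/nerdctl
      - run: go install -v gotest.tools/gotestsum@v1
      - uses: actions/[email protected]
        with:
          repository: containerd/containerd
          ref: v1.7.24
          path: containerd
          fetch-depth: 1
          persist-credentials: false
      - name: "Set up CNI"
        working-directory: containerd
        run: GOPATH=$(go env GOPATH) script/setup/install-cni-windows
      - name: "Set up containerd"
        env:
          ctrdVersion: 1.7.24
        run: powershell hack/configure-windows-ci.ps1
      - name: "Run integration tests"
        run: ./hack/test-integration.sh -test.only-flaky=false
      - name: "Run integration tests (flaky)"
        run: ./hack/test-integration.sh -test.only-flaky=true

  test-integration-freebsd:
    timeout-minutes: 30
    name: FreeBSD
    # ubuntu-24.04 lacks the vagrant package
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1
          persist-credentials: false
      - uses: actions/cache@v4
        with:
          path: /root/.vagrant.d
          # NOTE(review): this job defines no matrix, so `matrix.box`
          # presumably expands to an empty string and the key is the constant
          # "vagrant-"; confirm which box name was intended.
          key: vagrant-${{ matrix.box }}
      - name: Set up vagrant
        run: |
          sudo apt-get update
          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt
          sudo systemctl enable --now libvirtd
      - name: Boot VM
        run: |
          ln -sf Vagrantfile.freebsd Vagrantfile
          sudo vagrant up --no-tty
      - name: test-unit
        run: sudo vagrant up --provision-with=test-unit
      - name: test-integration
        run: sudo vagrant up --provision-with=test-integration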