Skip to content

fix(nss): Improve NSS error logs #1613

fix(nss): Improve NSS error logs

fix(nss): Improve NSS error logs #1613

Workflow file for this run

name: QA & sanity checks
on:
push:
branches:
- main
tags:
- "*"
pull_request:
env:
DEBIAN_FRONTEND: noninteractive
apt_deps: >-
libpam-dev
libglib2.0-dev
libpwquality-dev
test_apt_deps: >-
ffmpeg
# In Rust the grpc stubs are generated at build time
# so we always need to install the protobuf compilers
# when building the NSS crate.
protobuf_compilers: >-
protobuf-compiler
jobs:
go-sanity:
name: "Go: Code sanity"
runs-on: ubuntu-latest
steps:
- name: Install dependencies
run: |
sudo apt update
sudo apt install -y ${{ env.apt_deps }}
- uses: actions/checkout@v4
- name: Go code sanity check
uses: canonical/desktop-engineering/gh-actions/go/code-sanity@main
with:
golangci-lint-configfile: ".golangci.yaml"
tools-directory: "tools"
- name: Build cmd/authd with withexamplebroker tag
run: |
set -eu
go build -tags withexamplebroker ./cmd/authd
- name: Run PAM client for interactive testing purposes
run: |
set -eu
go run -tags pam_binary_cli ./pam login --exec-debug
- name: Generate PAM module
run: |
set -eu
find pam -name '*.so' -print -delete
go generate -C pam -x
test -e pam/pam_authd.so
test -e pam/go-exec/pam_authd_exec.so
- name: Generate PAM module with pam_debug tag
run: |
set -eu
find pam -name '*.so' -print -delete
go generate -C pam -x -tags pam_debug
test -e pam/pam_authd.so
test -e pam/go-exec/pam_authd_exec.so
rust-sanity:
name: "Rust: Code sanity"
runs-on: ubuntu-latest
steps:
- name: Install dependencies
run: |
sudo apt update
sudo apt install -y ${{ env.apt_deps }} ${{ env.protobuf_compilers}}
- uses: actions/checkout@v4
- name: Rust code sanity check
uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main
with:
token: ${{ secrets.GITHUB_TOKEN }}
c-sanity:
name: "C Code sanity"
runs-on: ubuntu-latest
env:
CFLAGS: "-Werror"
steps:
- name: Install dependencies
run: |
set -eu
sudo apt update
sudo apt install -y ${{ env.apt_deps }} clang-tools clang
- name: Prepare report dir
run: |
set -eu
scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX)
echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV
- uses: actions/checkout@v4
- name: Run scan build on GDM extensions
run: |
set -eu
scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \
-Wno-gnu-variable-sized-type-not-at-end \
pam/internal/gdm/extension.h
- name: Run scan build on go-exec module
run: |
set -eu
scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \
-DAUTHD_TEST_MODULE=1 \
$(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \
-lpam -shared -fPIC \
pam/go-exec/module.c
- name: Upload scan build reports
uses: actions/upload-artifact@v4
with:
name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
path: ${{ env.SCAN_BUILD_REPORTS_PATH }}
go-tests:
name: "Go: Tests"
runs-on: ubuntu-latest
steps:
- name: Install dependencies
run: |
sudo apt update
# The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them.
sudo apt install -y ${{ env.apt_deps }} ${{ env.protobuf_compilers}} ${{ env.test_apt_deps }}
- name: Install PAM and GLib debug symbols
run: |
set -eu
sudo apt-get install ubuntu-dbgsym-keyring -y
echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
sudo tee -a /etc/apt/sources.list.d/ddebs.list
# Sometimes ddebs archive is stuck, so in case of failure we need to go manual
sudo apt update -y || true
if ! sudo apt install -y libpam-modules-dbgsym libpam0*-dbgsym libglib2.0-0-dbgsym; then
sudo apt install -y ubuntu-dev-tools
pull-lp-ddebs pam $(lsb_release -cs)
pull-lp-ddebs libglib2.0-0 $(lsb_release -cs)
sudo apt install -y ./libpam0*.ddeb ./libpam-modules*.ddeb ./libglib2.0-0-dbgsym*.ddeb
sudo apt remove -y ubuntu-dev-tools
sudo apt autoremove -y
fi
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install VHS and ttyd for integration tests
run: |
set -eu
go install github.com/charmbracelet/vhs@latest
# VHS requires ttyd >= 1.7.2 to work properly.
wget https://github.com/tsl0922/ttyd/releases/download/1.7.4/ttyd.x86_64
chmod +x ttyd.x86_64
sudo mv ttyd.x86_64 /usr/bin/ttyd
- uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly # We need nightly to enable instrumentation for coverage.
override: true
components: llvm-tools-preview
- name: Install grcov
run: |
set -eu
cargo install grcov
- name: Prepare tests artifacts path
run: |
set -eu
artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX)
echo AUTHD_TEST_ARTIFACTS_PATH="${artifacts_dir}" >> $GITHUB_ENV
echo ASAN_OPTIONS="log_path=${artifacts_dir}/asan.log:print_stats=true" >> $GITHUB_ENV
- name: Run tests (with coverage collection)
env:
G_DEBUG: "fatal-criticals"
run: |
set -eu
# The coverage is not written if the output directory does not exist, so we need to create it.
cov_dir="$(pwd)/coverage"
cod_cov_dir="$(pwd)/coverage/codecov"
raw_cov_dir="${cov_dir}/raw"
mkdir -p "${raw_cov_dir}" "${cod_cov_dir}"
# Overriding the default coverage directory is not an exported flag of go test (yet), so
# we need to override it using the test.gocoverdir flag instead.
#TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged.
go test -cover -covermode=set ./... -coverpkg=./... -shuffle=on -args -test.gocoverdir="${raw_cov_dir}"
# Convert the raw coverage data into textfmt so we can merge the Rust one into it
go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out"
# Append the Rust coverage data to the Go one
cat "${raw_cov_dir}/rust-cov/rust2go_coverage" >>"${cov_dir}/coverage.out"
# Filter out the testutils package and the pb.go file
grep -v -e "testutils" -e "pb.go" "${cov_dir}/coverage.out" >"${cod_cov_dir}/coverage.out.filtered"
# Move gcov output to coverage dir
mv "${raw_cov_dir}"/*.gcov "${cod_cov_dir}"
- name: Run tests (with race detector)
run: |
go test -race ./...
- name: Run PAM tests (with Address Sanitizer)
env:
# Do not optimize, keep debug symbols and frame pointer for better
# stack trace information in case of ASAN errors.
CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer"
G_DEBUG: "fatal-criticals"
run: |
# Use `-dwarflocationlists` to give ASAN a better time to unwind the stack trace
go test -C ./pam/internal -asan -gcflags="-dwarflocationlists=true" ./...
pushd ./pam/integration-tests
go test -asan -gcflags="-dwarflocationlists=true" -c
# FIXME: Suppression may be removed with newer libpam, as the one we ship in ubuntu as some leaks
env LSAN_OPTIONS=suppressions=$(pwd)/lsan.supp \
./integration-tests.test \
|| exit_code=$?
popd
# We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs:
cat "${AUTHD_TEST_ARTIFACTS_PATH}"/asan.log* || true
exit ${exit_code}
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
directory: ./coverage/codecov
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload test failures artifacts
if: failure()
uses: actions/upload-artifact@v4
with:
name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
path: ${{ env.AUTHD_TEST_ARTIFACTS_PATH }}