Add support for mounting block devices into containers #289
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| # When added to a merge queue. | |
| # See https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue#triggering-merge-group-checks-with-github-actions | |
| merge_group: | |
| pull_request: | |
| branches: ['main', 'release/**'] | |
| permissions: # added using https://github.com/step-security/secure-workflows | |
| contents: read | |
| jobs: | |
| setup: | |
| name: Setup | |
| runs-on: ubuntu-latest | |
| outputs: | |
| kernel-version: ${{ steps.set-vars.outputs.kernel-version }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| .github/.tool-versions | |
| - name: Set variables | |
| id: set-vars | |
| run: | | |
| kernel_version=$(grep -E '^kernel [0-9.]+$' .github/.tool-versions | sed -E 's/^kernel ([0-9.]+)$/\1/') | |
| echo "kernel-version=${kernel_version}" >> $GITHUB_OUTPUT | |
| linters: | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| pull-requests: read # for golangci/golangci-lint-action to fetch pull requests | |
| name: Linters | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - run: make validate | |
| # | |
| # Project checks | |
| # | |
| project: | |
| name: Project Checks | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| path: src/github.com/containerd/nerdbox | |
| fetch-depth: 100 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'src/github.com/containerd/nerdbox/.github/.tool-versions' | |
| - uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2 | |
| if: github.repository == 'containerd/nerdbox' | |
| with: | |
| working-directory: src/github.com/containerd/nerdbox | |
| repo-access-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: verify go modules and vendor directory | |
| run: | | |
| make verify-vendor | |
| working-directory: src/github.com/containerd/nerdbox | |
| # | |
| # Protobuf checks | |
| # | |
| protos: | |
| name: Protobuf | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| defaults: | |
| run: | |
| working-directory: src/github.com/containerd/nerdbox | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| path: src/github.com/containerd/nerdbox | |
| # Needed for proto lookup during generation | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| repository: containerd/containerd | |
| path: src/github.com/containerd/containerd | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'src/github.com/containerd/nerdbox/.github/.tool-versions' | |
| - name: Set env | |
| shell: bash | |
| run: | | |
| echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV | |
| echo "${{ github.workspace }}/bin" >> $GITHUB_PATH | |
| - uses: actions/setup-node@v6 | |
| - run: npm install -g @bufbuild/buf | |
| - run: script/install-proto-tools | |
| - run: make proto-fmt | |
| - run: make check-protos check-api-descriptors | |
| # | |
| # Build kernels on cache miss | |
| # | |
| build-kernels: | |
| name: Build Kernels (if needed) | |
| runs-on: ${{ matrix.os }} | |
| needs: setup | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| arch: x86_64 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: ./.github/actions/build-kernel | |
| with: | |
| kernel_version: ${{ needs.setup.outputs.kernel-version }} | |
| kernel_arch: ${{ matrix.arch }} | |
| # | |
| # Integration tests | |
| # | |
| integration: | |
| name: Integration Tests | |
| needs: [setup, build-kernels] | |
| # Always run after kernel builds complete (whether they were cached or not) | |
| if: | | |
| always() && | |
| (needs.build-kernels.result == 'success' || needs.build-kernels.result == 'skipped') | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 20 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| arch: x86_64 | |
| steps: | |
| - name: Enable KVM group perms | |
| run: | | |
| echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules | |
| sudo udevadm control --reload-rules | |
| sudo udevadm trigger --name-match=kvm | |
| sudo usermod -aG kvm $USER | |
| - name: Allow unprivileged user namespaces | |
| run: | | |
| if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then | |
| if ! sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0; then | |
| echo "Warning: failed to set kernel.apparmor_restrict_unprivileged_userns; continuing without change" | |
| fi | |
| else | |
| echo "Info: /proc/sys/kernel/apparmor_restrict_unprivileged_userns not present; skipping sysctl tweak" | |
| fi | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Calculate kernel cache key | |
| id: cache-key | |
| run: | | |
| # Hash the kernel config and patches to create a unique cache key | |
| CONFIG_FILE="kernel/config-${{ needs.setup.outputs.kernel-version }}-${{ matrix.arch }}" | |
| if [ ! -f "$CONFIG_FILE" ]; then | |
| echo "Error: Kernel config file $CONFIG_FILE not found" | |
| exit 1 | |
| fi | |
| # Calculate hash of config file and all patches | |
| CONFIG_HASH=$(sha256sum "$CONFIG_FILE" | cut -d' ' -f1) | |
| PATCHES_HASH=$(find kernel/patches -type f -name "*.patch" -exec sha256sum {} \; | sort | sha256sum | cut -d' ' -f1) | |
| # Combine version, arch, config hash, and patches hash | |
| CACHE_KEY="kernel-${{ needs.setup.outputs.kernel-version }}-${{ matrix.arch }}-${CONFIG_HASH:0:8}-${PATCHES_HASH:0:8}" | |
| echo "cache-key=${CACHE_KEY}" >> $GITHUB_OUTPUT | |
| echo "Kernel cache key: ${CACHE_KEY}" | |
| - name: Restore cached kernel | |
| id: cache-kernel | |
| uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: _output/nerdbox-kernel-${{ matrix.arch }} | |
| key: ${{ steps.cache-key.outputs.cache-key }} | |
| - name: Verify kernel from cache | |
| run: | | |
| if [ "${{ steps.cache-kernel.outputs.cache-hit }}" = "true" ]; then | |
| echo "✅ Kernel restored from cache" | |
| else | |
| echo "❌ Kernel not in cache - this should not happen after build-kernels-on-demand" | |
| exit 1 | |
| fi | |
| ls -lh _output/nerdbox-kernel-${{ matrix.arch }} | |
| file _output/nerdbox-kernel-${{ matrix.arch }} | |
| - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Build remaining artifacts (initrd and shim) | |
| run: | | |
| echo "Building host and guest binaries:" | |
| docker buildx bake host-binaries guest-binaries | |
| - name: Verify all artifacts | |
| run: | | |
| echo "Verifying build artifacts:" | |
| ls -lh _output/ | |
| echo "" | |
| echo "Kernel:" | |
| file _output/nerdbox-kernel-${{ matrix.arch }} | |
| echo "" | |
| echo "Initrd:" | |
| file _output/nerdbox-initrd | |
| echo "" | |
| echo "Shim:" | |
| file _output/containerd-shim-nerdbox-v1 | |
| - name: Add _output to PATH | |
| run: echo "$(pwd)/_output" >> $GITHUB_PATH | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: '.github/.tool-versions' | |
| - name: Verify user namespaces not restricted | |
| run: | | |
| go build -o _output/userns-check ./script/userns-check | |
| _output/userns-check | |
| - name: Run integration tests | |
| run: go test -v ./integration/... |