
Implement the first part of 'trust launch' #451


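# CI workflow for this repository.
#
# Job "build": build, lint and test on a self-hosted amd64 runner. The tests
# need /dev/kvm, rootless LXC (subuid/subgid entries for the runner user),
# swtpm and a background `machined`, which is why this job is not on a
# GitHub-hosted runner. On tag pushes it also attaches binaries to a GitHub
# release and pushes the provision/install layer to zothub.io.
#
# Job "build_arm64": build and run `make test-trust` for aarch64 inside an
# emulated Ubuntu 22.04 container on ubuntu-latest, and publish the arm64
# trust binary on tag pushes.
#
# Security notes for maintainers:
#   * `pull_request` together with `runs-on: self-hosted` means pull-request
#     code executes on a persistent machine whose runner user has
#     passwordless sudo (every install step below depends on it). Confirm
#     the repository's "Approve workflow runs" setting is restrictive for
#     fork PRs and that the runner is not shared with anything sensitive.
#   * Third-party actions are referenced by mutable tag or branch (`@v1`,
#     `@v2`, `@v3`, `@main`); the one at `@main` is handed the registry
#     password. Pinning each `uses:` to a full commit SHA (tag in a trailing
#     comment) closes that supply-chain exposure. The SHAs are not recorded
#     here, so this is left as a TODO rather than guessed.
#   * Prebuilt binaries (stacker, skopeo, machine, machined) and the Go
#     toolchain tarball are downloaded and executed with no checksum
#     verification. Record the expected sha256 sums and check them before
#     `chmod 755` / `tar -x` — TODO, the sums are not available here.
#   * Least-privilege `permissions:` for GITHUB_TOKEN is not set. The
#     release steps need `contents: write`; what run-on-arch-action needs
#     for `githubToken` is not visible here — confirm before restricting.
# yamllint disable-line rule:truthy
on:
  push:
  pull_request:
name: build
jobs:
  build:
    name: build
    runs-on: self-hosted
    steps:
      - name: Set up environment
        run: |
          # -p: $HOME persists between runs on a self-hosted runner and a
          # bare `mkdir` fails (steps run under bash -e) once ~/bin exists.
          mkdir -p ~/bin
          # Later steps see ~/bin via GITHUB_ENV; a plain `export` would be
          # scoped to this step's shell only.
          echo "PATH=$HOME/bin:$PATH" >> $GITHUB_ENV
      - name: Check out git
        # NOTE(review): checkout persists the job token in .git/config by
        # default; on a persistent runner consider
        # `with: { persist-credentials: false }` if nothing below needs it.
        uses: actions/checkout@v3
      - name: Set up golang
        uses: actions/setup-go@v3
        with:
          go-version: "1.21"  # quoted: a bare 1.21 is a YAML float
      - name: install dependencies
        run: |
          sudo apt-get update
          # NOTE(review): a third-party PPA is added with root privileges;
          # everything it ships is then trusted as root on the runner host.
          sudo add-apt-repository -y ppa:puzzleos/dev
          sudo apt-get -y install \
            bats cryptsetup-bin expect libacl1-dev libarchive-tools \
            libcryptsetup-dev libgpgme-dev libcap-dev \
            libdevmapper-dev liblxc-dev libpam0g-dev \
            libseccomp-dev libsquashfs-dev lxc lxc-dev make mtools\
            openssl pip pkgconf skopeo socat squashfuse swtpm jq \
            uidmap umoci qemu-utils qemu-system-x86 xorriso \
            ubuntu-dev-tools make gcc squashfs-tools sbsigntool \
            python3-yaml
          sudo modprobe kvm
          # Group membership only takes effect for new logins, so the chmod
          # is what actually lets this session open /dev/kvm. It makes the
          # device world-writable on the host; an ACL for the runner user
          # alone (setfacl -m u:$(whoami):rw /dev/kvm) would be tighter if
          # the `acl` package is present — TODO confirm.
          sudo adduser $(whoami) kvm
          sudo chmod o+rw /dev/kvm
          sudo systemctl restart user@$(id -u runner)
          sudo systemctl start dbus
          # Unpinned install into the system python as root; pin a version
          # (virt-firmware==X.Y) once one is agreed on.
          sudo pip install virt-firmware
          # Debug output: /proc/self/status and ps -ef put every process on
          # the shared runner host into the job log. Remove once the
          # environment issue being chased is understood.
          echo "XXX some debug"
          cat /proc/self/status
          ls -l /run/user
          ls -l /dev/kvm
          id -u
          id -u runner
          ps -ef
      - name: setup lxc
        run: |
          # Rootless LXC needs the runner's home to be traversable by the
          # mapped (unprivileged) uids.
          chmod ugo+x $HOME
          cat /etc/subuid /etc/subgid
          u=$(id -un) && g=$(id -gn)
          echo "u=$u g=$g"
          uidmap=$(awk -F: '$1 == u { print $2, $3 }' "u=$u" /etc/subuid)
          gidmap=$(awk -F: '$1 == g { print $2, $3 }' "g=$g" /etc/subgid)
          if [ "$u" = "runner" ] && [ -z "$gidmap" ]; then
            # 'id -gn' shows docker, but 'runner' is in subgid
            g="runner"
            gidmap=$(awk -F: '$1 == g { print $2, $3 }' "g=$g" /etc/subgid)
          fi
          echo "uidmap=$uidmap."
          echo "gidmap=$gidmap."
          [ -n "$uidmap" ] && [ -n "$gidmap" ] ||
            { echo "did not get uidmap or gidmap for u=$u g=$g"; exit 1; }
          mkdir -p ~/.config/lxc/
          echo "writing .config/lxc/default.conf"
          tee ~/.config/lxc/default.conf <<EOF
          lxc.include = /etc/lxc/default.conf
          lxc.idmap = u 0 $uidmap
          lxc.idmap = g 0 $gidmap
          EOF
          set -x
          cat ~/.config/lxc/default.conf
          cat /etc/subuid
          echo "writing /etc/lxc/lxc-usernet"
          # Append only when the entry is missing: on a persistent runner an
          # unconditional `tee -a` grows this file by one line per run.
          usernet="$u veth lxcbr0 100"
          grep -qxF "$usernet" /etc/lxc/lxc-usernet 2>/dev/null ||
            echo "$usernet" | sudo tee -a /etc/lxc/lxc-usernet
      - name: install stacker
        run: |
          # TODO(review): verify a sha256 before making this executable
          # (see the header note on unverified downloads).
          wget -O ~/bin/stacker --progress=dot:mega https://github.com/project-stacker/stacker/releases/download/v1.0.0-rc2/stacker
          chmod 755 ~/bin/stacker
      - name: install skopeo
        run: |
          # Replaces the distro skopeo installed by apt above with a prebuilt
          # binary, system-wide; same unverified-download caveat.
          wget -O ~/bin/skopeo --progress=dot:mega https://github.com/project-machine/tools/releases/download/v0.0.1/skopeo
          chmod 755 ~/bin/skopeo
          sudo cp -f ~/bin/skopeo /usr/bin/skopeo
      - name: lint
        run: |
          make gofmt
      - name: make
        run: |
          go get -v ./...
          make
      - name: test preparation
        run: |
          # Same unverified-download caveat as stacker/skopeo.
          wget -O ~/bin/machine --progress=dot:mega https://github.com/project-machine/machine/releases/download/0.0.4/machine
          wget -O ~/bin/machined --progress=dot:mega https://github.com/project-machine/machine/releases/download/0.0.4/machined
          chmod 755 ~/bin/machine ~/bin/machined
          mkdir -p ~/.config/systemd/user/
          # ~/bin is already on PATH for every step through GITHUB_ENV (set
          # in the first step), so no per-step `export PATH` is needed here.
      - name: test
        run: |
          id
          mkdir -p /run/user/$(id -u)/containers
          # NOTE(review): this opens the user's runtime dir (normally 0700)
          # to every account on the runner host; presumably something in the
          # tests needs to traverse it — confirm and narrow if possible.
          chmod go+rx /run/user/$(id -u)
          chmod go+rx /run/user/$(id -u)/containers
          # machined stays in the background for the tests; its output is
          # printed by the "show journal output" step.
          nohup ~/bin/machined > /tmp/machined.out 2>&1 &
          timeout 20m make test
          timeout 20m bats tests/livecd1.bats
          timeout 20m bats tests/livecd2.bats
      - name: show journal output
        if: always()
        run: |
          set -x
          cat /tmp/machined.out
          sudo dmesg
          sudo df -h
      - name: Release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            mosctl
            mosb
            trust-linux-amd64
      - name: publish provision and install layer
        if: startsWith(github.ref, 'refs/tags/')
        # NOTE(review): `@main` is a moving target that receives the registry
        # password below — pin to a commit SHA.
        uses: project-stacker/stacker-build-push-action@main
        with:
          file: 'layers/stacker.yaml'
          build-args: |
            ZOT_VERSION=2.0.0-rc5
            ROOTFS_VERSION=v0.0.15.230901
          url: docker://zothub.io/machine/bootstrap
          # This workflow has no `release:` trigger; the tag push that
          # satisfies the `if` above is a `push` event with no `release`
          # payload, so `github.event.release.tag_name` was always empty.
          # `ref_name` is the pushed tag.
          tags: ${{ github.ref_name }}
          username: ${{ secrets.ZOTHUB_USERNAME }}
          password: ${{ secrets.ZOTHUB_PASSWORD }}
  build_arm64:
    runs-on: ubuntu-latest
    name: Build on ubuntu-latest arm64
    steps:
      - uses: actions/checkout@v3
      - uses: uraimo/run-on-arch-action@v2
        with:
          arch: aarch64
          distro: ubuntu22.04
          githubToken: ${{ github.token }}
          # `install` runs while the emulated container image is prepared;
          # `run` executes inside it.
          install: |
            apt-get -y update;
            apt-get install -q -y git golang-go;
            apt-get install -y bats curl golang make openssl swtpm tpm2-tools \
              libcryptsetup-dev libgpgme-dev libcap-dev qemu-kvm \
              libdevmapper-dev libacl1-dev libarchive-tools pip python3-yaml \
              sbsigntool squashfs-tools wget
            pip install virt-firmware
            # Replace the distro Go with 1.21.0 to match the amd64 job.
            # TODO(review): verify the tarball's sha256 (published next to
            # the download on go.dev/dl) before extracting into /usr/lib.
            mv /usr/lib/go /usr/lib/go.no || true
            cd /tmp/
            wget https://go.dev/dl/go1.21.0.linux-arm64.tar.gz
            tar -C /usr/lib -zvxf go1.21.0.linux-arm64.tar.gz
            rm -f /usr/bin/go /usr/bin/gofmt
            ln -s /usr/lib/go/bin/go /usr/bin/go
            ln -s /usr/lib/go/bin/gofmt /usr/bin/gofmt
          run: |
            # safe.directory: presumably the mounted checkout is owned by a
            # different uid inside the container — confirm if the path changes.
            git config --global --add safe.directory /home/runner/work/mos/mos
            pwd
            git describe --always --dirty
            go version
            make
            make test-trust
      - name: Rename Binary
        run: |
          # Runs on the host; `trust` is the artifact the step above built.
          mv trust trust-linux-arm64
      - name: release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: trust-linux-arm64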