System logs collector

Signed-off-by: apostasie <[email protected]>

Author: apostasie

.github/matchers/tigron.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "tigron",
+      "pattern": [
+        {
+          "regexp": "^([^:]+):(\\d+):(\\d+):\\s+(error|warning):\\s+(.*)$",
+          "severity": 1,
+          "file": 2,
+          "line": 3,
+          "column": 4,
+          "message": 5
+        }
+      ]
+    }
+  ]
+}

.github/workflows/job-test-in-container.yml

@@ -35,6 +35,10 @@ on:
         required: false
         default: false
         type: boolean
+    outputs:
+      artifact:
+        description: "Artifact generated by this job"
+        value: ${{ jobs.test.outputs.artifact }}
 
 env:
   GOTOOLCHAIN: local
@@ -55,6 +59,8 @@ jobs:
     defaults:
       run:
         shell: bash
+    outputs:
+      artifact: ${{ steps.artifact-upload.outputs.artifact-url }}
 
     env:
       # https://github.com/containerd/nerdctl/issues/622
@@ -161,9 +167,9 @@ jobs:
             && args=(test-integration ./hack/test-integration.sh -test.allow-modify-users=true) \
             || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)
           if [ "${{ inputs.ipv6 }}" == true ]; then
-            docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.only-ipv6 -test.target=${{ inputs.binary }}
+            docker run --name test-runner --network host -t --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.only-ipv6 -test.target=${{ inputs.binary }}
           else
-            docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.target=${{ inputs.binary }}
+            docker run --name test-runner -t --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.target=${{ inputs.binary }}
           fi
       # FIXME: this NEEDS to go away
       - name: "Run: integration tests (flaky)"
@@ -175,7 +181,42 @@ jobs:
             && args=(test-integration ./hack/test-integration.sh) \
             || args=(test-integration-${{ inputs.target }} /test-integration-rootless.sh ./hack/test-integration.sh)
           if [ "${{ inputs.ipv6 }}" == true ]; then
-            docker run --network host -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.only-ipv6 -test.target=${{ inputs.binary }}
+            docker run --name test-runner-flaky --network host -t --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.only-ipv6 -test.target=${{ inputs.binary }}
           else
-            docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.target=${{ inputs.binary }}
+            docker run --name test-runner-flaky -t --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=true -test.target=${{ inputs.binary }}
           fi
+
+      - name: "Wrap: collector"
+        if: ${{ failure() || success() }}
+        run: |
+          # Get the reports from inside the containers
+          [ "${{ inputs.target }}" == "rootful" ] && src=/root || src=/home/rootless
+          mkdir -p ~/report
+          docker cp test-runner:$src/nerdctl-test-report ~/report/main || true
+          # Flaky may not have run
+          docker cp test-runner-flaky:$src/nerdctl-test-report ~/report/flaky 2>/dev/null || true
+          # Add metadata info to the runs
+          . ./mod/wax/scripts/collector.sh
+          collect::metadata \
+            "runner=${{ inputs.runner }}" \
+            "binary=${{ inputs.binary }}" \
+            "canary=${{ inputs.canary }}" \
+            "target=${{ inputs.target }}" \
+            "ipv6=${{ inputs.ipv6 }}" \
+            "containerd-version=${{ inputs.containerd-version }}" \
+            "rootlesskit-version=${{ inputs.rootlesskit-version }}" \
+            "attempt=$GITHUB_RUN_ATTEMPT" \
+            "sha=$GITHUB_SHA" \
+            "id=$GITHUB_RUN_ID" \
+            "number=$GITHUB_RUN_NUMBER" \
+            > ~/report/main/metadata.json
+            [ ! -e ~/report/flaky ] || cp ~/report/main/metadata.json ~/report/flaky/metadata.json
+
+      - name: "Wrap: upload"
+        id: artifact-upload
+        if: ${{ failure() || success() }}
+        uses: actions/upload-artifact@v4
+        with:
+          path: ~/report/*
+          retention-days: 1
+          name: wax-${{ inputs.runner }}-${{ inputs.binary }}-${{ inputs.canary }}-${{ inputs.target }}-${{ inputs.ipv6 }}-${{ inputs.containerd-version }}-${{ inputs.rootlesskit-version }}

.github/workflows/job-test-in-host.yml

@@ -43,6 +43,10 @@ on:
       linux-cni-sha:
         required: true
         type: string
+    outputs:
+      artifact:
+        description: "Artifact generated by this job"
+        value: ${{ jobs.test.outputs.artifact }}
 
 env:
   GOTOOLCHAIN: local
@@ -60,6 +64,8 @@ jobs:
     defaults:
       run:
         shell: bash
+    outputs:
+      artifact: ${{ steps.artifact-upload.outputs.artifact-url }}
 
     env:
       SHOULD_RUN: "yes"
@@ -183,22 +189,30 @@ jobs:
           make install-dev-tools
           echo "::endgroup::"
 
+
+      - if: ${{ env.SHOULD_RUN == 'yes' }}
+        name: "Init: prepare artifacts directories"
+        run: |
+          mkdir -p ~/report/main
+          mkdir -p ~/report/ipv6
+          mkdir -p ~/report/flaky
+
       # ipv6 is tested only on linux
-      - if: ${{ contains(inputs.runner, 'ubuntu') && env.SHOULD_RUN == 'yes' }}
+      - if: ${{ env.SHOULD_RUN == 'yes' && contains(inputs.runner, 'ubuntu' )}}
         name: "Run (linux): integration tests (IPv6)"
         run: |
           . ./hack/github/action-helpers.sh
           github::md::h2 "ipv6" >> "$GITHUB_STEP_SUMMARY"
 
-          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-ipv6
+          WAX_REPORT_LOCATION=$HOME/report/ipv6 ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-ipv6
 
       - if: ${{ env.SHOULD_RUN == 'yes' }}
         name: "Run: integration tests"
         run: |
           . ./hack/github/action-helpers.sh
           github::md::h2 "non-flaky" >> "$GITHUB_STEP_SUMMARY"
 
-          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=false
+          WAX_REPORT_LOCATION=$HOME/report/main ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=false
 
       # FIXME: this must go
       - if: ${{ env.SHOULD_RUN == 'yes' }}
@@ -207,4 +221,42 @@ jobs:
           . ./hack/github/action-helpers.sh
           github::md::h2 "flaky" >> "$GITHUB_STEP_SUMMARY"
 
-          ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=true
+          WAX_REPORT_LOCATION=$HOME/report/flaky ./hack/test-integration.sh -test.target=${{ inputs.binary }} -test.only-flaky=true
+
+      - name: "Wrap: collector"
+        if: ${{ env.SHOULD_RUN == 'yes' && (failure() || success()) }}
+        run: |
+          # Add metadata info to the runs
+          . ./mod/wax/scripts/collector.sh
+          collect::metadata \
+            "runner=${{ inputs.runner }}" \
+            "binary=${{ inputs.binary }}" \
+            "canary=${{ inputs.canary }}" \
+            "ipv6=false" \
+            "attempt=$GITHUB_RUN_ATTEMPT" \
+            "sha=$GITHUB_SHA" \
+            "id=$GITHUB_RUN_ID" \
+            "number=$GITHUB_RUN_NUMBER" \
+            > ~/report/main/metadata.json
+
+          collect::metadata \
+            "runner=${{ inputs.runner }}" \
+            "binary=${{ inputs.binary }}" \
+            "canary=${{ inputs.canary }}" \
+            "ipv6=true" \
+            "attempt=$GITHUB_RUN_ATTEMPT" \
+            "sha=$GITHUB_SHA" \
+            "id=$GITHUB_RUN_ID" \
+            "number=$GITHUB_RUN_NUMBER" \
+            > ~/report/ipv6/metadata.json
+
+          cp ~/report/main/metadata.json ~/report/flaky/metadata.json
+
+      - name: "Wrap: upload"
+        id: artifact-upload
+        if: ${{ env.SHOULD_RUN == 'yes' && (failure() || success()) }}
+        uses: actions/upload-artifact@v4
+        with:
+          path: ~/report/*
+          retention-days: 1
+          name: wax-${{ inputs.runner }}-${{ inputs.binary }}-${{ inputs.canary }}

.github/workflows/workflow-test.yml

@@ -147,3 +147,23 @@ jobs:
       containerd-service-sha: 1941362cbaa89dd591b99c32b050d82c583d3cd2e5fa63085d7017457ec5fca8
       linux-cni-version: v1.7.1
       linux-cni-sha: 1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098
+
+  reporter:
+    if: ${{ failure() || success() }}
+    name: "reporter${{ inputs.hack }}"
+    needs:
+      - test-integration-host
+      - test-integration-container
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Fetch Repository
+        uses: actions/checkout@v4
+      - name: Download all workflow run artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ~/report
+      - name: Process
+        run: |
+          # git show --name-only --pretty=""
+          ls -lAR ~/report || true
+          exit 1

hack/github/gotestsum-reporter.sh

@@ -14,13 +14,18 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
+# DEPRECATED: favor post-processing inside integration.sh rather than using a post-run hook.
+# Reasons are:
+# - post-run hook do not work on windows
+# - post-run hook is limited to a single run of gotestsum, while it is desirable to process multiple runs together
+
 # shellcheck disable=SC2034,SC2015
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)"
 readonly root
 
 # shellcheck source=/dev/null
-. "$root"/action-helpers.sh
+. "$root"/../github/action-helpers.sh
 
 GITHUB_STEP_SUMMARY="${GITHUB_STEP_SUMMARY:-/dev/null}"
 

hack/test-integration.sh

@@ -19,38 +19,79 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)"
 readonly root
 
-if [[ "$(id -u)" = "0" ]]; then
-  # Ensure securityfs is mounted for apparmor to work
-  if ! mountpoint -q /sys/kernel/security; then
-    mount -tsecurityfs securityfs /sys/kernel/security
-  fi
+# If no argument is provided, run both flaky and not-flaky test suites.
+if [ "$#" == 0 ]; then
+  "$root"/integration.sh -test.only-flaky=false
+  "$root"/integration.sh -test.only-flaky=true
+  exit
 fi
 
+##### Import helper libraries
+# shellcheck source=/dev/null
+. "$root"/../mod/wax/scripts/collector.sh
+
+##### Configuration
+# Where to store report files
+readonly report_location="${WAX_REPORT_LOCATION:-$HOME/nerdctl-test-report}"
+# Where to store gotestsum log file
+readonly gotestsum_log_main="$report_location"/test-integration.log
+readonly gotestsum_log_flaky="$report_location"/test-integration-flaky.log
+# Total run timeout
 readonly timeout="60m"
+# Number of retries for flaky tests
 readonly retries="2"
-readonly needsudo="${WITH_SUDO:-}"
-
-# See https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization
-args=(--format=testname --jsonfile /tmp/test-integration.log --packages="$root"/../cmd/nerdctl/...)
-# FIXME: not working on windows. Need to change approach: move away from --post-run-command and
-# just process the log file. This might also allow multi-steps/multi-target results aggregation.
-[ "$(uname -s)" != "Linux" ] || args+=(--post-run-command "$root"/github/gotestsum-reporter.sh)
-
-if [ "$#" == 0 ]; then
-  "$root"/test-integration.sh -test.only-flaky=false
-  "$root"/test-integration.sh -test.only-flaky=true
-  exit
-fi
+readonly need_sudo="${WITH_SUDO:-}"
 
+##### Prepare gotestsum arguments
+mkdir -p "$report_location"
+# Format and packages to test
+args=(--format=testname --packages="$root"/../cmd/nerdctl/...)
+# Log file
+gotestsum_log="$gotestsum_log_main"
 for arg in "$@"; do
   if [ "$arg" == "-test.only-flaky=true" ] || [ "$arg" == "-test.only-flaky" ]; then
     args+=("--rerun-fails=$retries")
+    gotestsum_log="$gotestsum_log_flaky"
     break
   fi
 done
+args+=(--jsonfile "$gotestsum_log" --)
+
+##### Append go test arguments
+# Honor sudo
+[ "$need_sudo" != true ] && [ "$need_sudo" != yes ] && [ "$need_sudo" != 1 ] || args+=(-exec sudo)
+# About `-p 1`, see https://github.com/containerd/nerdctl/blob/main/docs/testing/README.md#about-parallelization
+args+=(-timeout="$timeout" -p 1 -args -test.allow-kill-daemon "$@")
 
-if [ "$needsudo" == "true" ] || [ "$needsudo" == "yes" ] || [ "$needsudo" == "1" ]; then
-  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -exec sudo -args -test.allow-kill-daemon "$@"
-else
-  gotestsum "${args[@]}" -- -timeout="$timeout" -p 1 -args -test.allow-kill-daemon "$@"
+# FIXME: this should not be the responsibility of the test script
+# Instead, it should be in the Dockerfile (or other stack provisioning script) - eg: /etc/systemd/system/securityfs.service
+# [Unit]
+# Description=Kernel Security File System
+# DefaultDependencies=no
+# Before=sysinit.target
+# Before=apparmor.service
+# ConditionSecurity=apparmor
+# ConditionPathIsMountPoint=!/sys/kernel/security
+#
+# [Service]
+# Type=oneshot
+# ExecStart=/bin/mount -t securityfs -o nosuid,nodev,noexec securityfs /sys/kernel/security
+#
+# [Install]
+# WantedBy=sysinit.target
+if [[ "$(id -u)" = "0" ]]; then
+  # Ensure securityfs is mounted for apparmor to work
+  if ! mountpoint -q /sys/kernel/security; then
+    mount -tsecurityfs securityfs /sys/kernel/security
+  fi
 fi
+
+##### Run it
+ex=0
+gotestsum "${args[@]}" || ex=$?
+
+##### Post: collect logs into the report location
+collect::logs "$report_location"
+
+# Honor gotestsum exit code
+exit "$ex"

mod/wax/README.md

@@ -0,0 +1,9 @@
+# Wax
+
+> polish your CI
+
+A tool to annotate pull requests and generate reports from gotestsum logs.
+
+## TL;DR
+
+TBD.