-
Notifications
You must be signed in to change notification settings - Fork 182
378 lines (336 loc) · 17.1 KB
/
drivers_ci.yml
File metadata and controls
378 lines (336 loc) · 17.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
name: Drivers CI Build
on:
pull_request:
push:
branches:
- master
- 'release/**'
- 'maintainers/**'
workflow_dispatch:
# we cannot use paths key here since otherwise required_status_checks jobs won't run.
# See https://github.com/orgs/community/discussions/26251.
# We need to use the paths-filter job.
# Checks if any concurrent jobs under the same pull request or branch are being executed
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
paths-filter:
runs-on: ubuntu-24.04
outputs:
driver: ${{ steps.filter.outputs.driver }}
libscap: ${{ steps.filter.outputs.libscap }}
libpman: ${{ steps.filter.outputs.libpman }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
filters: |
driver:
- 'driver/**'
libscap:
- 'userspace/libscap/**'
libpman:
- 'userspace/libpman/**'
# This job run all engine tests and scap-open
test-scap:
name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
needs: paths-filter
strategy:
matrix:
arch: [amd64, arm64]
fail-fast: false
steps:
- name: Checkout Libs ⤵️
# We need to skip each step because of https://github.com/orgs/community/discussions/9141.
# This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Install deps ⛓️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
- name: Install cmake 🌊
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: ./.github/actions/install-cmake
- name: Install bpftool 🐝
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: ./.github/actions/install-bpftool
with:
arch: ${{ matrix.arch }}
- name: Build scap-open and drivers 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cmake -B build -S . \
-DBUILD_WARNINGS_AS_ERRORS=On \
-DUSE_BUNDLED_DEPS=On \
-DBUILD_DRIVER=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DCREATE_TEST_TARGETS=On \
-DENABLE_LIBSCAP_TESTS=On \
-DUSE_ASAN=On \
-DUSE_UBSAN=On
cmake --build build --target scap-open driver libscap_test --parallel $(nproc)
- name: Run scap-open with modern bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cd build
sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 10
- name: Run scap-open with kmod 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cd build
sudo insmod ./driver/scap.ko
sudo ./libscap/examples/01-open/scap-open --kmod --num_events 10
sudo rmmod scap
- name: Run libscap_test 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cd build
sudo ./test/libscap/libscap_test
- name: Validate scap-open with modern bpf
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: Andreagit97/bpfvalidator@v0.3.0
with:
args: |
--config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
test-drivers:
name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
needs: paths-filter
strategy:
matrix:
arch: [amd64, arm64]
fail-fast: false
steps:
- name: Checkout Libs ⤵️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Install deps ⛓️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
- name: Install cmake 🌊
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: ./.github/actions/install-cmake
- name: Install bpftool 🐝
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: ./.github/actions/install-bpftool
with:
arch: ${{ matrix.arch }}
- name: Install multilib compilers for ia32 tests
if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
run: |
sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
- name: Build drivers tests 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cmake -B build -S . \
-DBUILD_WARNINGS_AS_ERRORS=On \
-DUSE_BUNDLED_DEPS=ON \
-DENABLE_DRIVERS_TESTS=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DMODERN_BPF_DEBUG_MODE=ON
cmake --build build --target drivers_test driver --parallel $(nproc)
- name: Run drivers_test with modern bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cd build
sudo ./test/drivers/drivers_test -m
- name: Run drivers_test with kmod 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cd build
sudo ./test/drivers/drivers_test -k
test-drivers-ppc64le:
name: test-drivers-ppc64le 😁 (system_deps,custom node)
runs-on: ubuntu-24.04
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
needs: paths-filter
steps:
- name: Extract branch name
run: echo "GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_ENV
- name: Build and test drivers on ppc64le node via ssh
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.PPC64LE_HOST }}
username: ${{ secrets.PPC64LE_USERNAME }}
key: ${{ secrets.PPC64LE_KEY }}
port: ${{ secrets.PPC64LE_PORT }}
envs: GIT_BRANCH,GITHUB_REPOSITORY,GITHUB_SERVER_URL
command_timeout: 60m
script: |
sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf libbpf-devel
# Remove, if present, any libs clone created by a previous job run.
rm -rf libs
git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
cd libs
mkdir -p build && cd build
cmake -B . -S .. \
-DBUILD_WARNINGS_AS_ERRORS=On \
-DUSE_BUNDLED_DEPS=ON \
-DENABLE_DRIVERS_TESTS=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DMODERN_BPF_DEBUG_MODE=ON \
-DUSE_BUNDLED_LIBELF=OFF
cmake --build . --target drivers_test driver --parallel $(nproc)
sudo ./test/drivers/drivers_test -m
rc_modern=$?
sudo ./test/drivers/drivers_test -k
rc_kmod=$?
exit $(($rc_modern + $rc_kmod))
build-drivers-s390x:
name: build-drivers-s390x 😁 (bundle_deps)
runs-on: ubuntu-24.04-s390x
# Avoid running on forks since the s390x runner doesn't support unauthenticated usage.
# See: https://github.com/IBM/actionspz/blob/main/docs/FAQ.md#what-about-forked-repos.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
needs: paths-filter
steps:
- name: Checkout Libs ⤵️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Install deps ⛓️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
- name: Install bpftool 🐝
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: ./.github/actions/install-bpftool
with:
arch: 's390x'
- name: Build drivers tests 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
cmake -B build -S . \
-DBUILD_WARNINGS_AS_ERRORS=On \
-DUSE_BUNDLED_DEPS=ON \
-DENABLE_DRIVERS_TESTS=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DMODERN_BPF_DEBUG_MODE=ON
cmake --build build --target drivers_test driver --parallel $(nproc)
build-modern-bpf-skeleton:
needs: paths-filter
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: 'ubuntu-24.04'
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
container: fedora:41
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
run: |
dnf install -y ca-certificates make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf libbpf-devel curl
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install cmake 🌊
uses: ./.github/actions/install-cmake
- name: Install bpftool 🐝
uses: ./.github/actions/install-bpftool
with:
arch: 'amd64'
- name: Build modern BPF skeleton
run: |
cmake -B skeleton-build -S . -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off
cmake --build skeleton-build --target ProbeSkeleton --parallel $(nproc)
- name: Upload skeleton
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: bpf_probe_x86_64.skel.h
path: skeleton-build/skel_dir/bpf_probe.skel.h
retention-days: 1
build-scap-open-w-extern-bpf-skeleton:
env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
needs: [paths-filter,build-modern-bpf-skeleton]
runs-on: 'ubuntu-24.04'
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
steps:
- name: Install build dependencies
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install cmake 🌊
uses: ./.github/actions/install-cmake
- name: Download skeleton
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: bpf_probe_x86_64.skel.h
path: /tmp
- name: Prepare project
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \
-DUSE_BUNDLED_DEPS=On \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
- name: Build project
run: |
cmake --build build --target scap-open --parallel $(nproc)
# Only runs on pull request since on master branch it is already triggered by pages CI.
kernel-tests-dev:
needs: paths-filter
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
uses: ./.github/workflows/reusable_kernel_tests.yaml
with:
# Use real branch's HEAD sha, not the merge commit
libsversion: ${{ github.event.pull_request.head.sha }}
secrets: inherit
kernel-tests-pr-info-upload:
needs: kernel-tests-dev
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
runs-on: ubuntu-24.04
steps:
- name: Download X64 matrix
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: matrix_X64
path: matrix_X64
- name: Download ARM64 matrix
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: matrix_ARM64
path: matrix_ARM64
- name: Save PR info
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# X64 kernel testing matrix" >> ./pr/COMMENT
echo "$(head -n $(grep -n -v -m1 '^|' matrix_X64/matrix.md | awk -F':' '{ print $1 }') matrix_X64/matrix.md)" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
echo "# ARM64 kernel testing matrix" >> ./pr/COMMENT
echo "$(head -n $(grep -n -v -m1 '^|' matrix_ARM64/matrix.md | awk -F':' '{ print $1 }') matrix_ARM64/matrix.md)" >> ./pr/COMMENT
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
with:
name: pr-kernel-testing
path: pr/
retention-days: 1
if-no-files-found: warn