Merge pull request opencontainers#3104 from adrianreber/2021-07-20-vagrant

Do not use Vagrant for CentOS 7/8

Author: kolyshkin

.cirrus.yml

@@ -1,29 +1,33 @@
 ---
-# We use Cirrus for Vagrant tests, because macOS instances of GHA
-# are too slow and flaky, and Linux instances of GHA do not support KVM.
+# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS
+# instances of GHA are too slow and flaky, and Linux instances of GHA do not
+# support KVM.
 
 # NOTE Cirrus execution environments lack a terminal, needed for
 # some integration tests. So we use `ssh -tt` command to fake a terminal.
 
-compute_engine_instance:
-  image_project: cirrus-images
-  image: family/docker-kvm
-  platform: linux
-  nested_virtualization: true
-  # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
-  cpu: 8
-  # Memory limit: `4GB * NCPU`
-  memory: 32G
-
-vagrant_task:
+task:
   timeout_in: 30m
+
   env:
     DEBIAN_FRONTEND: noninteractive
     HOME: /root
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: fedora34
-      DISTRO: centos7
+
+  name: vagrant DISTRO:$DISTRO
+
+  compute_engine_instance:
+    image_project: cirrus-images
+    image: family/docker-kvm
+    platform: linux
+    nested_virtualization: true
+    # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
+    cpu: 8
+    # Memory limit: `4GB * NCPU`
+    memory: 32G
+
   host_info_script: |
     uname -a
     echo "-----"
@@ -65,3 +69,89 @@ vagrant_task:
     else
       ssh -tt default "sudo -i make -C /vagrant localrootlessintegration"
     fi
+
+task:
+  timeout_in: 30m
+
+  env:
+    HOME: /root
+    CIRRUS_WORKING_DIR: /home/runc
+    GO_VERSION: "1.16.6"
+    BATS_VERSION: "v1.3.0"
+    # yamllint disable rule:key-duplicates
+    matrix:
+      DISTRO: centos-7
+      DISTRO: centos-stream-8
+
+  name: ci / $DISTRO
+
+  compute_engine_instance:
+    image_project: centos-cloud
+    image: family/$DISTRO
+    platform: linux
+    cpu: 4
+    memory: 8G
+
+  install_dependencies_script: |
+    yum install -y -q epel-release
+    case $DISTRO in
+    centos-7)
+      (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
+      # sysctl
+      echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
+      sysctl --system
+      ;;
+    centos-stream-8)
+      yum install -y -q dnf-plugins-core
+      yum config-manager --set-enabled powertools
+      ;;
+    esac
+    yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
+    # install Go
+    curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
+    # install bats
+    cd /tmp
+    git clone https://github.com/bats-core/bats-core
+    cd bats-core
+    git checkout $BATS_VERSION
+    ./install.sh /usr/local
+    cd -
+    # Add a user for rootless tests
+    useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
+    # set PATH
+    echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
+    # Setup ssh localhost for terminal emulation (script -e did not work)
+    ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+    cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys
+    chmod 400 /root/.ssh/authorized_keys
+    ssh-keyscan localhost >> /root/.ssh/known_hosts
+    echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config
+    sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config
+    systemctl restart sshd
+  host_info_script: |
+    uname -a
+    echo "-----"
+    cat /etc/os-release
+    echo "-----"
+    cat /proc/cpuinfo
+    echo "-----"
+    df -T
+    echo "-----"
+    systemctl --version
+  unit_tests_script: |
+    ssh -tt localhost "make -C /home/runc localunittest"
+  integration_systemd_script: |
+    ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes"
+  integration_fs_script: |
+    ssh -tt localhost "make -C /home/runc localintegration"
+  integration_systemd_rootless_script: |
+    echo "SKIP: integration_systemd_rootless_script requires cgroup v2"
+  integration_fs_rootless_script: |
+    case $DISTRO in
+    centos-7)
+      echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
+        ;;
+    centos-stream-8)
+      ssh -tt localhost "make -C /home/runc localrootlessintegration"
+      ;;
+    esac

Vagrantfile.centos7

@@ -537,7 +537,7 @@ EOF
 	root_period=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us")
 	root_runtime=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_runtime_us")
 	# the following IFS magic sets dirs=("runc-cgroups-integration-test" "test-cgroup")
-	IFS='/' read -r -a dirs <<<"$REL_CGROUPS_PATH"
+	IFS='/' read -r -a dirs <<<"${REL_CGROUPS_PATH#/}"
 	for ((i = 0; i < ${#dirs[@]}; i++)); do
 		local target="$CGROUP_CPU_BASE_PATH"
 		for ((j = 0; j <= i; j++)); do

tests/integration/update.bats

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 # Copyright (C) 2017 SUSE LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -114,6 +114,15 @@ function enable_cgroup() {
 		# necessary, and might actually be a bug in our impl of cgroup
 		# handling.
 		[[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems}
+		# The following is required by "update rt period and runtime".
+		if [[ "$cg" == "cpu" ]]; then
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us"
+			fi
+			if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" ]]; then
+				chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us"
+			fi
+		fi
 	done
 	# cgroup v2
 	if [[ -e "$CGROUP_MOUNT/cgroup.controllers" ]]; then