feat: add s2n TLS support and GitHub Actions workflow

jamesbeedy · jamesbeedy · commit bc42efc6329e · 2026-02-08T19:11:30.000Z
- Patch debian/control to add libs2n-dev to Build-Depends
- Patch debian/rules to add --with-s2n to configure options
- Update docker-bake.hcl to use ghcr.io/vantagecompute registry
- Add GitHub Actions workflow for building and pushing images
- Workflow builds slurmctld, slurmdbd, slurmrestd, slurmd, sackd, login

This enables the tls_s2n.so plugin for encrypted SLURM communications.
diff --git a/.github/workflows/build-slurm-images.yaml b/.github/workflows/build-slurm-images.yaml
@@ -0,0 +1,143 @@
+# SPDX-FileCopyrightText: Copyright (C) Vantage Compute, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Build SLURM Images with s2n TLS
+
+on:
+  push:
+    branches:
+      - main
+      - 'feat/**'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      slurm_version:
+        description: 'SLURM version (e.g., 25.11.0, 25.11-latest)'
+        required: false
+        default: '25.11-latest'
+      push_images:
+        description: 'Push images to registry'
+        required: false
+        default: 'false'
+        type: boolean
+
+env:
+  REGISTRY: ghcr.io/vantagecompute
+  # Default to 25.11 for ubuntu24.04
+  SLURM_VERSION: ${{ github.event.inputs.slurm_version || '25.11-latest' }}
+
+jobs:
+  build-ubuntu2404:
+    name: Build Ubuntu 24.04 Images
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      matrix:
+        target:
+          - slurmctld
+          - slurmdbd
+          - slurmrestd
+          - slurmd
+          - sackd
+          - login
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version info
+        id: version
+        run: |
+          # Extract version from tag or use default
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            VERSION="${{ github.ref_name }}"
+            VERSION="${VERSION#v}"  # Remove 'v' prefix
+          else
+            VERSION="${{ env.SLURM_VERSION }}"
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          
+          # Generate image tags
+          TAGS="${{ env.REGISTRY }}/${{ matrix.target }}:${VERSION}-ubuntu24.04"
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            TAGS="${TAGS},${{ env.REGISTRY }}/${{ matrix.target }}:latest-ubuntu24.04"
+          fi
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+
+      - name: Build and push ${{ matrix.target }}
+        uses: docker/build-push-action@v6
+        with:
+          context: schedmd/slurm/25.11/ubuntu24.04
+          file: schedmd/slurm/25.11/ubuntu24.04/Dockerfile
+          target: ${{ matrix.target }}
+          push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || github.event.inputs.push_images == 'true') }}
+          tags: ${{ steps.version.outputs.tags }}
+          build-args: |
+            SLURM_VERSION=${{ steps.version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: |
+            org.opencontainers.image.title=Vantage SLURM ${{ matrix.target }}
+            org.opencontainers.image.description=SLURM ${{ matrix.target }} with s2n TLS support
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+            org.opencontainers.image.source=https://github.com/vantagecompute/slurm-containers
+            org.opencontainers.image.vendor=Vantage Compute, Inc.
+
+  # Check for new upstream releases (runs weekly)
+  check-upstream:
+    name: Check Upstream Releases
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check for new SLURM releases
+        id: check
+        run: |
+          # Get latest release from SchedMD/slurm
+          LATEST=$(curl -s https://api.github.com/repos/SchedMD/slurm/releases/latest | jq -r .tag_name)
+          echo "Latest upstream SLURM release: ${LATEST}"
+          echo "latest=${LATEST}" >> $GITHUB_OUTPUT
+          
+          # Check if we have this version tagged
+          if git tag -l | grep -q "^v${LATEST#slurm-}$"; then
+            echo "Already have this version"
+            echo "new_release=false" >> $GITHUB_OUTPUT
+          else
+            echo "New release available!"
+            echo "new_release=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create issue for new release
+        if: steps.check.outputs.new_release == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const latest = '${{ steps.check.outputs.latest }}';
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `New SLURM release available: ${latest}`,
+              body: `A new SLURM release is available upstream: ${latest}\n\nPlease update the Dockerfiles and create a new release.`,
+              labels: ['upstream-update']
+            });
diff --git a/schedmd/slurm/25.11/ubuntu24.04/Dockerfile b/schedmd/slurm/25.11/ubuntu24.04/Dockerfile
@@ -54,10 +54,31 @@ EOR
 
 COPY --from=slurm-src /workspace/${SLURM_DIR} ${SLURM_DIR}
 
+# Install libs2n-dev for TLS support (s2n plugin)
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+  --mount=type=cache,target=/var/lib/apt,sharing=locked <<EOR
+# Install s2n library for TLS plugin
+set -xeuo pipefail
+apt-get -qq update
+apt-get -qq -y install --no-install-recommends libs2n-dev
+EOR
+
+# Patch debian/control to add libs2n-dev to Build-Depends for s2n TLS support
+RUN <<EOR
+set -xeuo pipefail
+sed -i 's/^\(Build-Depends:.*\)$/\1, libs2n-dev/' ${SLURM_DIR}/debian/control
+EOR
+
+# Patch debian/rules to add --with-s2n to dh_auto_configure options
+RUN <<EOR
+set -xeuo pipefail
+sed -i 's/\(dh_auto_configure --\)/\1 --with-s2n/' ${SLURM_DIR}/debian/rules
+EOR
+
 # Ref: https://slurm.schedmd.com/quickstart_admin.html#debuild
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
   --mount=type=cache,target=/var/lib/apt,sharing=locked <<EOR
-# Build Slurm
+# Build Slurm with s2n TLS support
 set -xeuo pipefail
 mk-build-deps -ir --tool='apt-get -y -o Debug::pkgProblemResolver=yes --no-install-recommends' ${SLURM_DIR}/debian/control >/dev/null
 ( cd ${SLURM_DIR} && debuild -b -uc -us >/dev/null )
diff --git a/schedmd/slurm/docker-bake.hcl b/schedmd/slurm/docker-bake.hcl
@@ -4,7 +4,7 @@
 ################################################################################
 
 variable "REGISTRY" {
-  default = "ghcr.io/slinkyproject"
+  default = "ghcr.io/vantagecompute"
 }
 
 variable "SUFFIX" {}

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`################################################################################`
`5`	`5`
`6`	`6`	`variable "REGISTRY" {`
`7`		`- default = "ghcr.io/slinkyproject"`
	`7`	`+ default = "ghcr.io/vantagecompute"`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`variable "SUFFIX" {}`