1bf0d62828
Linux 5.8 made the faccessat2() system call available in August 2020. This
system call is now used by GNU libc to implement the faccessat() function
more precisely. GNU libc does a compile-time check for the kernel version
and uses faccessat2() unconditionally when it is available. If the kernel
responds with the ENOSYS error code, GNU libc will attempt to use the
older, less flexible faccessat() system call.
When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).
libseccomp started to support faccessat2() in July 2020 with
5696c89640
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)
With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
steps:
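# Print the agent's environment, sorted, into the build log for debugging.
# NOTE(review): every variable exported to this step is written to the log, so
# this step should never be given an `env:` mapping that carries credentials.
- script: |
    set -e
    env | sort
  displayName: Print Host Enviroment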
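# Install the host-side tools used by the test jobs, then upgrade the host's
# libseccomp2 from the abbra/freeipa-libseccomp PPA, which carries the 2.5.0
# rebuild that knows the faccessat2() syscall.
#
# NOTE(review): supply-chain trust decision. The PPA is a third-party archive
# whose packages are installed as root, and libseccomp2 is the library that
# container runtimes use to build their seccomp filters. `add-apt-repository -y`
# also accepts the archive's signing key without a prompt. Drop the PPA once
# the host distribution ships libseccomp >= 2.5.0.
- script: |
    set -e
    sudo apt-get update
    sudo apt-get install -y \
        parallel \
        moreutils \
        rng-tools \
        systemd-coredump \
        python3-docker \
        software-properties-common
    sudo add-apt-repository -y ppa:abbra/freeipa-libseccomp
    sudo apt-get update
    sudo apt-get install -y libseccomp2
    # ubuntu's one is too old: different API
    # NOTE(review): unpinned install from PyPI; the version (and its
    # dependencies) can change between runs. Consider pinning.
    python3 -m pip install docker --user
  displayName: Install Host's tests requirements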
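# Start the rng-tools service on the host and print the kernel's available
# entropy before and after, so the log shows whether the service had an effect.
- script: |
    set -e
    # Command substitutions are quoted so printf always receives exactly one
    # argument for %s.
    printf "Available entropy: %s\n" "$(cat /proc/sys/kernel/random/entropy_avail)"
    sudo service rng-tools start
    # presumably gives the daemon time to feed the pool before re-reading
    sleep 3
    printf "Available entropy: %s\n" "$(cat /proc/sys/kernel/random/entropy_avail)"
  displayName: Increase entropy level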
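# Enable core dumps host-wide for the duration of the job.
#
# 1. Record a timestamp in coredumpctl.time.mark (current working directory);
#    the "Check for coredumps" step reads it back as the --since value.
# 2. Comment out any existing DumpCore= / DefaultLimitCORE= lines in
#    /etc/systemd/system.conf and append the wanted values.
# 3. Re-execute the systemd manager and relax fs.suid_dumpable.
#
# NOTE(review): fs.suid_dumpable=1 is the kernel's "debug" mode: processes that
# changed privilege also dump core and the kernel applies no protection to the
# resulting files. That is only appropriate on a disposable CI agent; this step
# should not be reused on a long-lived host.
- script: |
    set -eu
    date +'%Y-%m-%d %H:%M:%S' > coredumpctl.time.mark
    systemd_conf="/etc/systemd/system.conf"
    sudo sed -i 's/^DumpCore=.*/#&/g' "$systemd_conf"
    sudo sed -i 's/^DefaultLimitCORE=.*/#&/g' "$systemd_conf"
    # printf instead of `echo -e`: same two lines, independent of the shell's
    # echo implementation.
    printf '%s\n' 'DumpCore=yes' 'DefaultLimitCORE=infinity' | \
        sudo tee -a "$systemd_conf" >/dev/null
    cat "$systemd_conf"
    coredump_conf="/etc/systemd/coredump.conf"
    cat "$coredump_conf"
    sudo systemctl daemon-reexec
    # for ns-slapd debugging
    sudo sysctl -w fs.suid_dumpable=1
  displayName: Allow coredumps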
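# Steps are included from a template file that is not shown on this page.
- template: setup-test-environment.yml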
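# Steps are included from a template file that is not shown on this page.
- template: run-test.yml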
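# Print host memory figures after the tests; runs whether or not earlier steps
# failed (succeededOrFailed).
# NOTE(review): the two memory.* files are cgroup v1 paths. On a host that uses
# the unified (v2) hierarchy they do not exist and `set -e` would fail this
# step. Confirm against the agent image.
- script: |
    set -eux
    free -m
    cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
    cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
    cat /proc/sys/vm/swappiness
  condition: succeededOrFailed()
  displayName: Host's memory statistics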
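# Publish every nosetests.xml found under ipa_envs/*/<CI_RUNNER_LOGS_DIR>, also
# when earlier steps failed. $(CI_RUNNER_LOGS_DIR) and $(System.JobIdentifier)
# are pipeline macros, expanded before the task runs.
- task: PublishTestResults@2
  inputs:
    testResultsFiles: 'ipa_envs/*/$(CI_RUNNER_LOGS_DIR)/nosetests.xml'
    testRunTitle: $(System.JobIdentifier) results
  condition: succeededOrFailed()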
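# Look for core dumps recorded since the timestamp in coredumpctl.time.mark
# (falls back to the last hour if the file cannot be read). If there are none
# the step exits 0. Otherwise it runs install-debuginfo.sh and dump_cores.sh
# inside a helper container and then fails the job on purpose (`exit 1`).
#
# NOTE(review): the helper container is created with --privileged, which turns
# off the runtime's seccomp/capability confinement. The host's coredump
# directory and journal are mounted read-only, but the repository checkout is
# mounted read-write. Whether the scripts need full privileges cannot be told
# from this file; confirm, and narrow to specific capabilities if they do not.
# NOTE(review): the container is never removed, so a second run on the same
# agent would hit a name conflict on "dump_cores". This is harmless only if
# agents are single-use.
- script: |
    set -eu
    # check the host first, containers' cores were dumped here
    COREDUMPS_SUBDIR="coredumps"
    # ':?' aborts when the working dir variable is empty or unset, so the
    # rm -rf below can never resolve to "/coredumps".
    COREDUMPS_DIR="${IPA_TESTS_ENV_WORKING_DIR:?}/${COREDUMPS_SUBDIR}"
    rm -rfv "$COREDUMPS_DIR" ||:
    mkdir "$COREDUMPS_DIR"
    since_time="$(cat coredumpctl.time.mark || echo '-1h')"
    sudo coredumpctl --no-pager --since="$since_time" list ||:

    pids="$(sudo coredumpctl --no-pager --since="$since_time" -F COREDUMP_PID || echo '')"
    # nothing to dump
    [ -z "$pids" ] && exit 0

    # continue in container
    HOST_JOURNAL="/var/log/host_journal"
    CONTAINER_COREDUMP="dump_cores"
    docker create --privileged \
        -v "$(realpath coredumpctl.time.mark)":/coredumpctl.time.mark:ro \
        -v /var/lib/systemd/coredump:/var/lib/systemd/coredump:ro \
        -v /var/log/journal:"$HOST_JOURNAL":ro \
        -v "${BUILD_REPOSITORY_LOCALPATH}":"${IPA_TESTS_REPO_PATH}" \
        --name "$CONTAINER_COREDUMP" freeipa-azure-builder
    docker start "$CONTAINER_COREDUMP"

    docker exec -t \
        --env IPA_TESTS_REPO_PATH="${IPA_TESTS_REPO_PATH}" \
        --env IPA_TESTS_SCRIPTS="${IPA_TESTS_REPO_PATH}/${IPA_TESTS_SCRIPTS}" \
        --env IPA_PLATFORM="${IPA_PLATFORM}" \
        "$CONTAINER_COREDUMP" \
        /bin/bash --noprofile --norc -eux \
        "${IPA_TESTS_REPO_PATH}/${IPA_TESTS_SCRIPTS}/install-debuginfo.sh"

    docker exec -t \
        --env IPA_TESTS_REPO_PATH="${IPA_TESTS_REPO_PATH}" \
        --env COREDUMPS_SUBDIR="$COREDUMPS_SUBDIR" \
        --env HOST_JOURNAL="$HOST_JOURNAL" \
        "$CONTAINER_COREDUMP" \
        /bin/bash --noprofile --norc -eux \
        "${IPA_TESTS_REPO_PATH}/${IPA_TESTS_SCRIPTS}/dump_cores.sh"
    # there should be no crashes
    exit 1
  condition: succeededOrFailed()
  displayName: Check for coredumps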
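# Write the .artifactignore that decides what is uploaded as build artifacts:
# everything is excluded except core/stacktrace archives, logs directories and
# top-level *.yml, *.yaml and *.log files of each test environment.
#
# NOTE(review): core dump archives contain process memory and can therefore
# hold keys or passwords that were live during the test run. Access to these
# artifacts and their retention period should be limited accordingly.
- script: |
    set -e

    artifacts_ignore_path="${IPA_TESTS_ENV_WORKING_DIR}/.artifactignore"
    # Quoted delimiter: the patterns are written verbatim, with no shell
    # expansion inside the here-document.
    cat > "$artifacts_ignore_path" <<'EOF'
    **/*
    !coredumps/*.core.tar.gz
    !coredumps/*.stacktrace.tar.gz
    !*/logs/**
    !*/*.yml
    !*/*.yaml
    !*/*.log
    EOF
    cat "$artifacts_ignore_path"
  condition: succeededOrFailed()
  displayName: Generating artifactignore file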
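# Upload the artifacts through a template that is not shown on this page. The
# artifact name is built from job, build and attempt identifiers plus the
# agent's OS and architecture.
- template: save-test-artifacts.yml
  parameters:
    logsArtifact: logs-$(System.JobIdentifier)-$(Build.BuildId)-$(System.StageAttempt)-$(System.PhaseAttempt)-$(System.JobPositionInPhase)-$(Agent.OS)-$(Agent.OSArchitecture)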