-
Notifications
You must be signed in to change notification settings - Fork 99
152 lines (148 loc) · 6.65 KB
/
reusable-uki-test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Reusable UKI test
on:
workflow_call:
inputs:
base_image:
required: true
type: string
family:
required: true
type: string
flavor:
required: true
type: string
flavor_release:
required: true
type: string
permissions: read-all
jobs:
test-uki:
permissions:
id-token: write # OIDC support
contents: write
actions: read
security-events: write
runs-on: kvm
env:
FLAVOR: ${{ inputs.flavor }}
FLAVOR_RELEASE: ${{ inputs.flavor_release }}
TEMP_IMAGE: ttl.sh/${{ inputs.flavor }}-${{ inputs.flavor_release}}-${{ github.sha }}:6h
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
with:
go-version-file: tests/go.mod
cache-dependency-path: tests/go.sum
- name: Enable KVM group perms
run: |
sudo apt-get update
sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev
# https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
# echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
# sudo udevadm control --reload-rules
# sudo udevadm trigger --name-match=kvm
# sudo usermod -a -G kvm,libvirt $USER
#
# TODO: Switch back to the above solution when we switch to the github runners
# https://askubuntu.com/a/1081326
sudo setfacl -m u:runner:rwx /dev/kvm
- name: Install earthly
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Login to earthly
run: |
earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
- name: Build base image 🔧
run: | # known flavors to work with uki+encryption: fedora >= 38, ubuntu >= 23.10, anything with systemd 253
earthly +base-image \
--FLAVOR=${{ inputs.flavor }} \
--FLAVOR_RELEASE=${{ inputs.flavor_release }} \
--FAMILY=${{ inputs.family }} \
--MODEL=generic \
--VARIANT=core \
--BASE_IMAGE=${{ inputs.base_image }} \
--BOOTLOADER=systemd-boot
- name: Push image to ttl.sh
run: |
docker tag $(cat build/IMAGE) $TEMP_IMAGE
docker push $TEMP_IMAGE
- name: Build uki ISO 🔧
run: |
earthly +uki-iso \
--BASE_IMAGE=$TEMP_IMAGE \
--ENKI_OVERLAY_DIR=tests/assets/sysext/ \
--ENKI_KEYS_DIR=tests/assets/keys/ \
--ENKI_FLAGS="--single-efi-cmdline \"testentry: nothing\""
- name: Create datasource iso 🔧
run: |
earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml
- name: Build uki upgrade image 🔧
run: |
rm -rf /tmp/unpacked
sudo luet util unpack "${TEMP_IMAGE}" ./unpacked
new_version="mynewversion"
sudo sed -i 's/^KAIROS_VERSION=.*/KAIROS_VERSION="'$new_version'"/' ./unpacked/etc/os-release
echo "$new_version" > "${PWD}/build/expected_new_version"
docker run --rm \
-v $PWD/unpacked:/unpacked \
-v $PWD/build:/result \
-v $PWD/tests/assets/keys:/keys \
quay.io/kairos/osbuilder-tools:latest build-uki dir:/unpacked \
--output-dir /result --keys /keys --output-type container \
--single-efi-cmdline "myentry: foobar"
docker load -i build/*.tar
image=$(docker load -i build/*.tar | grep "Loaded image" | awk -F: '{ st = index($0,":");print substr($0,st+1)}' | xargs)
rand=$(head /dev/urandom | tr -dc a-z0-9 | head -c 7)
temp_image=ttl.sh/$(echo $image | sed "s/:latest/-${rand}:6h/")
docker tag $image $temp_image
docker push $temp_image
echo $temp_image > build/upgrade_image_name
- name: Run tests 🔧
env:
USE_QEMU: true
KVM: true
MEMORY: 4000
CPUS: 2
FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
EMULATE_TPM: true
UKI_TEST: true
run: |
export ISO=$(ls $PWD/build/kairos_*.iso)
export DATASOURCE=${PWD}/build/datasource.iso
export UPGRADE_IMAGE=$(cat "${PWD}/build/upgrade_image_name")
export EXPECTED_NEW_VERSION=$(cat "${PWD}/build/expected_new_version")
export EXPECTED_SINGLE_ENTRY="testentry"
cp tests/go.* .
go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/
- name: Install kairos-agent (for versioneer)
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
with:
repository: quay.io/kairos/packages
packages: system/kairos-agent
- name: Install Cosign
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
uses: sigstore/cosign-installer@main
- name: Login to Quay Registry
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Push to quay
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }}
env:
COSIGN_YES: true
run: |
SUFFIX="-uki"
IMAGE=$(FLAVOR=${{ inputs.flavor }} FLAVOR_RELEASE="${{ inputs.flavor_release }}" MODEL=generic TARGETARCH=amd64 VARIANT=core REGISTRY_AND_ORG="quay.io/kairos" RELEASE=master kairos-agent versioneer container-artifact-name)
docker tag $(cat build/IMAGE) "$IMAGE$SUFFIX"
docker push "$IMAGE$SUFFIX"
image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX")
cosign sign $image_ref
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
if: failure()
with:
name: ${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}.logs.zip
path: tests/**/logs/*
if-no-files-found: warn