slice bounds and nil VM access fix (#1754) #4024
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| - push | |
| - pull_request | |
| env: | |
| GO_VERSION: "1.19.x" | |
| GOTESTSUM_VERSION: "latest" | |
| jobs: | |
| lint: | |
| runs-on: "windows-2019" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| goos: [windows, linux] | |
| root: ["", test] # cannot specify "./... ./test/..." unless in go workspace | |
| include: | |
| - goos: linux | |
| root: "" | |
| dirs: >- | |
| ./cmd/gcs/... | |
| ./cmd/gcstools/... | |
| ./internal/guest... | |
| ./internal/tools/... | |
| ./pkg/... | |
| ./ext4/... | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Clean mod cache | |
| shell: Powershell | |
| run: | | |
| go clean -modcache | |
| - uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: v1.52 | |
| args: >- | |
| --verbose | |
| --max-issues-per-linter=0 | |
| --max-same-issues=0 | |
| --modules-download-mode=readonly | |
| ${{ matrix.dirs }} | |
| working-directory: ${{ matrix.root }} | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| protos: | |
| runs-on: "windows-2019" | |
| steps: | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/checkout@v3 | |
| with: | |
| path: "go/src/github.com/Microsoft/hcsshim" | |
| # Install protoc-gen-gogoctrd in D:\bin | |
| - uses: actions/checkout@v3 | |
| with: | |
| repository: containerd/containerd | |
| ref: v1.6.2 | |
| path: "containerd" | |
| - name: Install protoc-gen-gogoctrd | |
| shell: powershell | |
| run: | | |
| cd containerd | |
| go build ./cmd/protoc-gen-gogoctrd | |
| mkdir D:\bin | |
| mv protoc-gen-gogoctrd.exe D:\bin | |
| # Install protoc in D:\bin | |
| - name: Install protoc | |
| shell: powershell | |
| run: | | |
| Invoke-WebRequest -OutFile protoc.zip -Uri https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/protoc-3.19.4-win32.zip | |
| Expand-Archive -Path protoc.zip -DestinationPath . | |
| mv include go/src/github.com/Microsoft/hcsshim/protobuf | |
| mv bin\protoc.exe D:\bin | |
| - name: Run Protobuild | |
| shell: powershell | |
| run: | | |
| go install github.com/containerd/[email protected] | |
| cd go\src\github.com\Microsoft\hcsshim | |
| $Env:Path += ";D:\bin;" + $Env:GOPATH + "\bin" | |
| protobuild $(go list ./... | grep -v /vendor/) | |
| git diff --exit-code | |
| env: | |
| GOPATH: '${{ github.workspace }}\go' | |
| GOFLAGS: "" | |
| GOPROXY: "" | |
| verify-vendor: | |
| runs-on: "windows-2019" | |
| env: | |
| GOPROXY: "https://proxy.golang.org,direct" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Validate go.mod and vendoring | |
| shell: powershell | |
| run: | | |
| $currentPath = (Get-Location).Path | |
| $process = Start-Process powershell.exe -PassThru -Verb runAs -Wait -ArgumentList $currentPath/scripts/Verify-GoModules.ps1, $currentPath | |
| if ($process.ExitCode -ne 0) { | |
| Write-Error "Main modules are not up to date. Please validate your go version >= this job's and run `go mod vendor` followed by `go mod tidy` in the repo root path." | |
| } | |
| exit $process.ExitCode | |
| - name: Validate test/go.mod | |
| shell: powershell | |
| working-directory: test | |
| run: | | |
| Write-Output "::group::go mod tidy" | |
| go mod tidy | |
| Write-Output "::endgroup::" | |
| git add --all --intent-to-add . | |
| Write-Output "::group::git diff" | |
| git diff --stat --exit-code | |
| Write-Output "::endgroup::" | |
| if ($LASTEXITCODE -ne 0) { | |
| Write-Output "::error ::./test/go.mod is not up to date. Please run ``go mod tidy`` from within ``./test``" | |
| exit $LASTEXITCODE | |
| } | |
| go-gen: | |
| name: Go Generate | |
| runs-on: "windows-2019" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Validate go generate | |
| shell: powershell | |
| run: | | |
| Write-Output "::group::go generate" | |
| go generate -x .\... | |
| Write-Output "::endgroup::" | |
| if ($LASTEXITCODE -ne 0) { | |
| Write-Output "::error title=Go Generate::Error running go generate." | |
| exit $LASTEXITCODE | |
| } | |
| git add --all --intent-to-add . | |
| Write-Output "::group::git diff" | |
| git diff --stat --exit-code | |
| Write-Output "::endgroup::" | |
| if ($LASTEXITCODE -ne 0) { | |
| Write-Output "::error ::Generated files are not up to date. Please run ``go generate .\...``." | |
| exit $LASTEXITCODE | |
| } | |
| test-linux: | |
| needs: [lint, protos, verify-vendor, go-gen] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Install go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install gotestsum | |
| run: go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }} | |
| - name: Test standard security policy | |
| run: gotestsum --format standard-verbose --debug -- -timeout=30m -mod=mod -gcflags=all=-d=checkptr ./pkg/securitypolicy | |
| - name: Test rego security policy | |
| run: gotestsum --format standard-verbose --debug -- -tags=rego -timeout=30m -mod=mod -gcflags=all=-d=checkptr ./pkg/securitypolicy | |
| - name: Test rego policy interpreter | |
| run: gotestsum --format standard-verbose --debug -- -mod=mod -gcflags=all=-d=checkptr ./internal/regopolicyinterpreter | |
| - name: Build gcs Testing Binary | |
| run: go test -mod=mod -gcflags=all=-d=checkptr -c -tags functional ./gcs | |
| working-directory: test | |
| test-windows: | |
| needs: [lint, protos, verify-vendor, go-gen] | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [windows-2019, windows-2022] | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install gotestsum | |
| run: go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }} | |
| # run tests | |
| - name: Test repo | |
| run: gotestsum --format standard-verbose --debug -- -gcflags=all=-d=checkptr -tags admin ./... | |
| - name: Test schema version | |
| run: gotestsum --format standard-verbose --debug -- -mod=mod -gcflags=all=-d=checkptr -tags admin ./internal | |
| working-directory: test | |
| - name: Test rego policy interpreter | |
| run: gotestsum --format standard-verbose --debug -- -mod=mod -gcflags=all=-d=checkptr ./internal/regopolicyinterpreter | |
| # build testing binaries | |
| - name: Build containerd-shim-runhcs-v1 Testing Binary | |
| run: go test -mod=mod -gcflags=all=-d=checkptr -c -tags functional ./containerd-shim-runhcs-v1 | |
| working-directory: test | |
| - name: Build cri-containerd Testing Binary | |
| run: go test -mod=mod -gcflags=all=-d=checkptr -c -tags functional ./cri-containerd | |
| working-directory: test | |
| - name: Build functional Testing Binary | |
| run: go test -mod=mod -gcflags=all=-d=checkptr -c -tags functional ./functional | |
| working-directory: test | |
| - name: Build runhcs Testing Binary | |
| run: go test -mod=mod -gcflags=all=-d=checkptr -c -tags functional ./runhcs | |
| working-directory: test | |
| - name: Build logging-driver Binary | |
| run: go build -mod=mod -o sample-logging-driver.exe ./cri-containerd/helpers/log.go | |
| working-directory: test | |
| - uses: actions/upload-artifact@v3 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| name: test_binaries_${{ matrix.os }} | |
| path: | | |
| test/containerd-shim-runhcs-v1.test.exe | |
| test/cri-containerd.test.exe | |
| test/functional.test.exe | |
| test/runhcs.test.exe | |
| test/sample-logging-driver.exe | |
| integration-tests: | |
| needs: [lint, protos, verify-vendor, go-gen] | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [windows-2019, windows-2022] | |
| steps: | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| check-latest: true | |
| - name: Set env | |
| shell: bash | |
| run: | | |
| mkdir -p "${{ github.workspace }}/bin" | |
| echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV | |
| echo "${{ github.workspace }}/bin" >> $GITHUB_PATH | |
| echo "${{ github.workspace }}/src/github.com/containerd/containerd/bin" >> $GITHUB_PATH | |
| - uses: actions/checkout@v3 | |
| with: | |
| path: src/github.com/containerd/containerd | |
| repository: "containerd/containerd" | |
| - uses: actions/checkout@v3 | |
| with: | |
| path: src/github.com/Microsoft/hcsshim | |
| - name: Install crictl | |
| shell: powershell | |
| run: | | |
| $VerbosePreference = 'Continue' | |
| $ErrorActionPreference = 'Stop' | |
| $crictlVersion = 'v1.24.2' | |
| $url = "https://github.com/kubernetes-sigs/cri-tools/releases/download/${crictlVersion}/crictl-${crictlVersion}-windows-amd64.tar.gz" | |
| curl.exe -L --no-progress-meter -o c:\crictl.tar.gz $url | |
| tar.exe xf c:\crictl.tar.gz -C "${{ github.workspace }}/bin" | |
| if ( $LASTEXITCODE ) { | |
| Write-Output '::error::Could not install crictl.' | |
| exit $LASTEXITCODE | |
| } | |
| - name: Install mingw | |
| shell: powershell | |
| run: | | |
| $VerbosePreference = 'Continue' | |
| # dont set $ErrorActionPreference since we want to allow choco install to fail later on | |
| Write-Output '::group::Update chocolaty' | |
| choco upgrade -y chocolatey | |
| Write-Output '::endgroup::' | |
| if ( $LASTEXITCODE ) { | |
| Write-Output '::error::Could not update chocolatey.' | |
| exit $LASTEXITCODE | |
| } | |
| Write-Output 'Install mingw' | |
| # Install sometimes fails when downloading mingw zip from source-forge with: | |
| # "ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url" | |
| # Issue is with accessing from source-forge, which version 10.3+ do not use, but cannot upgrade versions. | |
| # Add retry and backoff | |
| foreach ( $i in 1..3 ) { | |
| Write-Output "::group::Attempt $i" | |
| if ( $i -gt 1 ) { | |
| # remove any left-over state | |
| choco uninstall -y --no-progress --force mingw | |
| Write-Output 'Sleeping for 60 seconds' | |
| Sleep -Seconds 60 | |
| } | |
| choco install -y --no-progress --stop-on-first-failure --force mingw --allow-downgrade --version 10.2.0 | |
| Write-Output '::endgroup::' | |
| if ( -not $LASTEXITCODE ) { | |
| Write-Output "Attempt $i succeeded (exit code: $LASTEXITCODE)" | |
| break | |
| } | |
| Write-Output "::warning title=mingw::Attempt $i failed (exit code: $LASTEXITCODE)" | |
| } | |
| if ( $LASTEXITCODE ) { | |
| Write-Output "::error::Could not install mingw after $i attempts." | |
| exit $LASTEXITCODE | |
| } | |
| - name: Build binaries | |
| shell: bash | |
| working-directory: src/github.com/containerd/containerd | |
| run: | | |
| set -o xtrace | |
| mingw32-make.exe binaries | |
| script/setup/install-cni-windows | |
| - name: Build the shim | |
| working-directory: src/github.com/Microsoft/hcsshim | |
| shell: powershell | |
| run: | | |
| go build -mod vendor -o "${{ github.workspace }}/src/github.com/containerd/containerd/bin/containerd-shim-runhcs-v1.exe" .\cmd\containerd-shim-runhcs-v1 | |
| - name: Run containerd integration tests | |
| shell: bash | |
| working-directory: src/github.com/containerd/containerd | |
| run: | | |
| export EXTRA_TESTFLAGS="-timeout=20m" | |
| make integration | |
| - name: Run containerd CRI integration tests | |
| shell: bash | |
| working-directory: src/github.com/containerd/containerd | |
| env: | |
| TEST_IMAGE_LIST: ${{github.workspace}}/repolist.toml | |
| BUSYBOX_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/busybox:1.29-2" | |
| RESOURCE_CONSUMER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/resource-consumer:1.10" | |
| CGO_ENABLED: 1 | |
| run: | | |
| cat > "${{ env.TEST_IMAGE_LIST }}" << EOF | |
| busybox = "${{ env.BUSYBOX_TESTING_IMAGE_REF }}" | |
| ResourceConsumer = "${{ env.RESOURCE_CONSUMER_TESTING_IMAGE_REF }}" | |
| EOF | |
| # In the stable version of hcsshim that is used in containerd, killing a task | |
| # that has already exited or a task that has not yet been started, yields a | |
| # ErrNotFound. The master version of hcsshim returns nil, which is in line with | |
| # how the linux runtime behaves. See: | |
| # https://github.com/containerd/containerd/blob/f4f41296c2b0ac7d60aae3dd9c219a7636b0a07e/integration/restart_test.go#L152-L160 | |
| # | |
| # We skip this test here, until a new release of hcsshim is cut and the one in | |
| # containerd is updated. When the shim is updated in containerd, this test will | |
| # also need to be updated and the special case for windows, removed. | |
| FOCUS="[^TestContainerdRestart$]" make cri-integration | |
| # Enable these tests once the required JobContainer images are updated. | |
| # | |
| # - name: Install containerd service | |
| # shell: powershell | |
| # run: | | |
| # mkdir C:\containerd | |
| # Set-Content C:/containerd/containerd.toml @" | |
| # version = 2 | |
| # [plugins] | |
| # [plugins."io.containerd.grpc.v1.cri".containerd] | |
| # default_runtime_name = "runhcs-wcow-process" | |
| # disable_snapshot_annotations = false | |
| # discard_unpacked_layers = false | |
| # ignore_blockio_not_enabled_errors = false | |
| # ignore_rdt_not_enabled_errors = false | |
| # no_pivot = false | |
| # snapshotter = "windows" | |
| # | |
| # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] | |
| # | |
| # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-hypervisor] | |
| # runtime_type = "io.containerd.runhcs.v1" | |
| # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-hypervisor.options] | |
| # Debug = true | |
| # DebugType = 2 | |
| # SandboxPlatform = "windows/amd64" | |
| # SandboxIsolation = 1 | |
| # | |
| # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process] | |
| # runtime_type = "io.containerd.runhcs.v1" | |
| # pod_annotations = ["microsoft.com/*", "io.microsoft.*" ] | |
| # container_annotations = ["microsoft.com/*", "io.microsoft.*" ] | |
| # | |
| # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] | |
| # "@ | |
| # | |
| # containerd.exe --register-service --log-level=debug --config C:/containerd/containerd.toml --service-name containerd --address //./pipe/containerd-containerd --state C:/ProgramData/containerd/state --root C:/ProgramData/containerd/root --log-file C:/containerd/containerd.log | |
| # Set-Service containerd -StartupType Automatic | |
| # Start-Service containerd | |
| # | |
| # - name: Build test binary | |
| # working-directory: src/github.com/Microsoft/hcsshim/test | |
| # shell: powershell | |
| # run: | | |
| # go test -mod=mod -o "${{ github.workspace }}/bin/cri-containerd.test.exe" -gcflags=all=-d=checkptr -c ./cri-containerd/ -tags functional | |
| # | |
| # - name: Run hcsshim integration tests | |
| # shell: powershell | |
| # run: | | |
| # cri-containerd.test.exe -cri-endpoint="npipe://./pipe/containerd-containerd" -feature="WCOWProcess" -feature="HostProcess" | |
| build: | |
| needs: [test-windows, test-linux] | |
| runs-on: "windows-2019" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: go build ./cmd/containerd-shim-runhcs-v1 | |
| - run: go build ./cmd/runhcs | |
| - run: go build ./cmd/tar2ext4 | |
| - run: go build ./cmd/wclayer | |
| - run: go build ./cmd/device-util | |
| - run: go build ./cmd/ncproxy | |
| - run: go build ./cmd/dmverity-vhd | |
| - run: go build ./cmd/dmverity-vhd | |
| env: | |
| GOOS: linux | |
| GOARCH: amd64 | |
| - run: go build ./internal/tools/grantvmgroupaccess | |
| - run: go build ./internal/tools/networkagent | |
| - run: go build ./internal/tools/securitypolicy | |
| - run: go build ./internal/tools/uvmboot | |
| - run: go build ./internal/tools/zapdir | |
| - uses: actions/upload-artifact@v3 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| name: binaries | |
| path: | | |
| containerd-shim-runhcs-v1.exe | |
| runhcs.exe | |
| tar2ext4.exe | |
| wclayer.exe | |
| device-util.exe | |
| ncproxy.exe | |
| dmverity-vhd.exe | |
| dmverity-vhd | |
| grantvmgroupaccess.exe | |
| networkagent.exe | |
| securitypolicy.exe | |
| uvmboot.exe | |
| zapdir.exe | |
| build_gcs: | |
| needs: test-linux | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Install go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Test | |
| run: make test | |
| - name: Pull busybox image | |
| run: docker pull busybox | |
| - name: Run Busybox Container | |
| run: docker run --name base_image_container busybox | |
| - name: Export container to tar file | |
| run: | | |
| docker export base_image_container | gzip > base.tar.gz | |
| - name: Build | |
| run: make BASE=./base.tar.gz all |