From 300c70e6312dd3655d0984a4841548619e5fc37e Mon Sep 17 00:00:00 2001 
From: Gerardo Ravago Date: Tue, 20 Aug 2024 15:22:23 -0400 Subject: [PATCH] Migrate CI to Github Actions We are hitting the 1 hour time limit of Circle CI (Issue #166). This migrates the existing CircleCI job completely to Github Actions which has a 5 hour time limit. For the most part, this is pretty much a one-to-one migration. Since upstream OpenSSH provided its own set of Github Actions, I simply moved those to the `upstream-github` directory to avoid conflicts and preserve the source. I did run into two issues with getting the integration tests to pass. Beyond that, I ran into two issues that arose from migrating to Github Actions which need to be patched around. agent-subprocess zombie process reaping The combination of Github Actions' host with the OQS CI container results in a lazier reaping of zombie processes which breaks this test. In this test, ssh-agent is run as a subprocess to some arbitrary user command. This enables exclusive access to ssh-agent to that specific process. The way this works under the hood is that ssh-agent forks into a child process and the parent process exec's into the arbitrary command ([code ref](https://github.com/open-quantum-safe/openssh/blob/OQS-v9/ssh-agent.c#L2384)) which runs to completion. The child process then polls its parent process until it detects its own orphaned status and terminates itself. This, by design, results in a zombie process which must be reaped. The test's assertion uses `kill -0` to check for liveness, but that counts zombies as "alive". The workaround for this then is to add an additional check to assert that zombies are in fact "dead". percent expansion is broken due to Github's HOME override The `percent` test tests % expansions inside SSH config files (e.g. home directory, username, port number). The assertion for the home directory uses the `HOME` environmental variable.
Unfortunately, when running a container on a Github Runner, they unconditionally override the value of `HOME` with `/github/home` ([issue ref](https://github.com/actions/runner/issues/863)) and this breaks the test assertion. The fix here is to get a more reliable reference for the home directory and use that for the assertion. Signed-off-by: gcr --- .circleci/config.yml | 52 ------------------- .github/workflows/ubuntu.yaml | 24 +++++++++ regress/agent-subprocess.sh | 6 ++- regress/percent.sh | 1 + {.github => upstream-github}/ci-status.md | 0 {.github => upstream-github}/configs | 0 {.github => upstream-github}/configure.sh | 0 {.github => upstream-github}/run_test.sh | 0 {.github => upstream-github}/setup_ci.sh | 0 .../workflows/c-cpp.yml | 0 .../workflows/cifuzz.yml | 0 .../workflows/selfhosted.yml | 0 .../workflows/upstream.yml | 0 13 files changed, 30 insertions(+), 53 deletions(-) delete mode 100644 .circleci/config.yml create mode 100644 .github/workflows/ubuntu.yaml rename {.github => upstream-github}/ci-status.md (100%) rename {.github => upstream-github}/configs (100%) rename {.github => upstream-github}/configure.sh (100%) rename {.github => upstream-github}/run_test.sh (100%) rename {.github => upstream-github}/setup_ci.sh (100%) rename {.github => upstream-github}/workflows/c-cpp.yml (100%) rename {.github => upstream-github}/workflows/cifuzz.yml (100%) rename {.github => upstream-github}/workflows/selfhosted.yml (100%) rename {.github => upstream-github}/workflows/upstream.yml (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 6593c2fc4586..000000000000 --- a/.circleci/config.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -version: 2.1 - -# This is here just to make CircleCI -# happy, but might be useful in the future. -parameters: - run_downstream_tests: - type: boolean - default: false - -jobs: - ubuntu_build: - description: A template for running BoringSSL tests on x64 Ubuntu Bionic Docker VMs - parameters: - WITH_OPENSSL: - description: "Compile OpenSSH with OpenSSL." - type: boolean - default: true - docker: - - image: openquantumsafe/ci-ubuntu-focal-x86_64:latest - auth: - username: $DOCKER_LOGIN - password: $DOCKER_PASSWORD - steps: - - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally - - run: - name: Set up SSH environment - command: | - mkdir -p -m 0755 /var/empty - groupadd sshd - useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd - - run: - name: Clone liboqs - command: ./oqs-scripts/clone_liboqs.sh - - run: - name: Build liboqs - command: ./oqs-scripts/build_liboqs.sh - - run: - name: Build OpenSSH - command: env WITH_OPENSSL=<< parameters.WITH_OPENSSL >> ./oqs-scripts/build_openssh.sh - - run: - name: Run tests documented to pass - command: ./oqs-test/run_tests.sh - - run: - name: Ensure we have the ssh and sshd syntax right once for each algorithm - command: python3 oqs-test/try_connection.py doone -workflows: - version: 2.1 - build: - jobs: - - ubuntu_build: - name: with-openssl - context: openquantumsafe diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml new file mode 100644 index 000000000000..29ee79a981f3 --- /dev/null +++ b/.github/workflows/ubuntu.yaml 
@@ -0,0 +1,24 @@ +name: CI Checks +on: [ push, pull_request, workflow_dispatch ] +jobs: + ubuntu_build: + runs-on: ubuntu-latest + container: + image: openquantumsafe/ci-ubuntu-focal-x86_64:latest + steps: + - uses: actions/checkout@v4 + - name: Set up SSH environment + run: | + mkdir -p -m 0755 /var/empty + groupadd sshd + useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd + - name: Clone liboqs + run: ./oqs-scripts/clone_liboqs.sh + - name: Build liboqs + run: ./oqs-scripts/build_liboqs.sh + - name: Build OpenSSH + run: env WITH_OPENSSL=true ./oqs-scripts/build_openssh.sh + - name: Run tests documented to pass + run: ./oqs-test/run_tests.sh + - name: Ensure we have the ssh and sshd syntax right once for each algorithm + run: python3 oqs-test/try_connection.py doone diff --git a/regress/agent-subprocess.sh b/regress/agent-subprocess.sh index 2f36d70cccae..93d7cd2da332 100644 --- a/regress/agent-subprocess.sh +++ b/regress/agent-subprocess.sh @@ -3,6 +3,10 @@ tid="agent subprocess" +is_alive() { + kill -0 ${1} >/dev/null 2>&1 && [ `ps -p ${1} -o state=` != "Z" ] +} + trace "ensure agent exits when run as subprocess" ${SSHAGENT} sh -c "echo \$SSH_AGENT_PID >$OBJ/pidfile; sleep 1" @@ -10,7 +14,7 @@ pid=`cat $OBJ/pidfile` # Currently ssh-agent polls every 10s so we need to wait at least that long. n=12 -while kill -0 $pid >/dev/null 2>&1 && test "$n" -gt "0"; do +while is_alive ${pid} && test "$n" -gt "0"; do n=$(($n - 1)) sleep 1 done diff --git a/regress/percent.sh b/regress/percent.sh index 44561d413bb3..a04fac291885 100644 --- a/regress/percent.sh +++ b/regress/percent.sh @@ -13,6 +13,7 @@ USERID=`id -u` HOST=`hostname | cut -f1 -d.` HOSTNAME=`hostname` HASH="" +HOME=`grep $USER /etc/passwd | cut -d ':' -f6` # Localcommand is evaluated after connection because %T is not available # until then. Because of this we use a different method of exercising it, 
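Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope, which on many repositories includes write access even though these steps only check out, build and test; add a top-level `permissions:` with `contents: read` next to `on:` so the token is read-only. Both `actions/checkout@v4` and the `openquantumsafe/ci-ubuntu-focal-x86_64:latest` image are mutable references, so a run picks up whatever those tags point to at the time and is not reproducible; pinning the action to a full commit SHA (version noted in a trailing comment) and the image to a digest or fixed tag would make a given run repeatable and make supply-chain changes visible in diffs. The CircleCI config being deleted pulled the same image with registry credentials, whereas this workflow pulls it anonymously, which is presumably fine for a public image but worth checking against registry pull limits on busy days.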
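Review bot: In the added `is_alive()` the `ps -p ${1} -o state=` substitution is unquoted inside `[ ]`, so if the process is reaped between the `kill -0` and the `ps` call (the very race this helper exists for) the expression collapses to `[ != "Z" ]`, which `test` reports as a syntax error rather than a clean false; the return is still non-zero so the loop ends, but an error line lands on the test's stderr. Quoting the expansion avoids that: `` kill -0 ${1} >/dev/null 2>&1 && [ "`ps -p ${1} -o state=`" != "Z" ] ``. On Linux procps `state` is a single letter, but some other ps implementations append flag characters (e.g. `Z+`), so if this regress script is also run outside the CI container a `case` match against `Z*` would be safer than the exact comparison. The second hunk (`while is_alive ${pid} ...`) is only the call site and needs no change beyond this.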
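Review bot: The new `HOME=` assignment greps `/etc/passwd` for `$USER` without anchoring, so it matches the name as a substring of any field of any entry (a user `test` also hits `tester`, and a name that appears in another account's GECOS field hits that account); with more than one match `HOME` becomes a multi-line value and the home-directory assertion fails for an unrelated reason. Anchor the pattern to the login field, `` HOME=`grep "^$USER:" /etc/passwd | cut -d ':' -f6` ``, or use `getent passwd "$USER" | cut -d ':' -f6` so NSS sources other than the flat file are honoured. This presumably relies on `USER` being set a few lines earlier, outside the hunk; if it could be empty, `grep` would take `/etc/passwd` as its pattern and block reading stdin, so a fallback such as `${USER:-`id -un`}` is worth considering. Note the assignment replaces `HOME` for the remainder of the script rather than only for the assertion, which looks intended given the runner override described in the commit message but should be kept in mind if later checks depend on the runner's value.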
diff --git a/.github/ci-status.md b/upstream-github/ci-status.md similarity index 100% rename from .github/ci-status.md rename to upstream-github/ci-status.md diff --git a/.github/configs b/upstream-github/configs similarity index 100% rename from .github/configs rename to upstream-github/configs diff --git a/.github/configure.sh b/upstream-github/configure.sh similarity index 100% rename from .github/configure.sh rename to upstream-github/configure.sh diff --git a/.github/run_test.sh b/upstream-github/run_test.sh similarity index 100% rename from .github/run_test.sh rename to upstream-github/run_test.sh diff --git a/.github/setup_ci.sh b/upstream-github/setup_ci.sh similarity index 100% rename from .github/setup_ci.sh rename to upstream-github/setup_ci.sh diff --git a/.github/workflows/c-cpp.yml b/upstream-github/workflows/c-cpp.yml similarity index 100% rename from .github/workflows/c-cpp.yml rename to upstream-github/workflows/c-cpp.yml diff --git a/.github/workflows/cifuzz.yml b/upstream-github/workflows/cifuzz.yml similarity index 100% rename from .github/workflows/cifuzz.yml rename to upstream-github/workflows/cifuzz.yml diff --git a/.github/workflows/selfhosted.yml b/upstream-github/workflows/selfhosted.yml similarity index 100% rename from .github/workflows/selfhosted.yml rename to upstream-github/workflows/selfhosted.yml diff --git a/.github/workflows/upstream.yml b/upstream-github/workflows/upstream.yml similarity index 100% rename from .github/workflows/upstream.yml rename to upstream-github/workflows/upstream.yml