Skip to content

Fix docker:runc:nonroot test by not setting capabilities on a binary … #296

Fix docker:runc:nonroot test by not setting capabilities on a binary …

Fix docker:runc:nonroot test by not setting capabilities on a binary … #296

Workflow file for this run

name: Go
on: [push, workflow_dispatch]
jobs:
test:
name: ${{ matrix.module }}
strategy:
fail-fast: false
matrix:
module: ["awsutil",
"base62",
"configutil",
"fileutil",
"gatedwriter",
"kv-builder",
"listenerutil",
"mlock",
"nonceutil",
"parseutil",
"password",
"plugincontainer",
"pluginutil",
"reloadutil",
"strutil",
"tlsutil"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: ${{ matrix.module }}/go.mod
cache-dependency-path: ${{ matrix.module }}/go.sum
- name: Build
run: cd ${{ matrix.module }} && go build ./...
- name: Install gVisor
if: ${{ matrix.module == 'plugincontainer' }}
run: |
(
set -e
ARCH="$(uname -m)"
URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
wget --quiet "${URL}/runsc" "${URL}/runsc.sha512" \
"${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
sha512sum -c runsc.sha512 \
-c containerd-shim-runsc-v1.sha512
rm -f -- *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)
sudo tee /etc/docker/daemon.json <<EOF
{
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--host-uds=all"
]
}
}
}
EOF
sudo systemctl reload docker
- name: Install rootless docker
if: ${{ matrix.module == 'plugincontainer' }}
run: |
sudo apt-get install -y uidmap dbus-user-session
export FORCE_ROOTLESS_INSTALL=1
curl -fsSL https://get.docker.com/rootless | sh
mkdir -p ~/.config/docker/
tee ~/.config/docker/daemon.json <<EOF
{
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--host-uds=all",
"--ignore-cgroups"
]
}
}
}
EOF
systemctl --user restart docker
- name: Install rootless podman
if: ${{ matrix.module == 'plugincontainer' }}
run: |
sudo apt-get install -y podman slirp4netns fuse-overlayfs
mkdir -p ~/local/bin
RUNSC_SCRIPT=~/local/bin/runsc.podman
tee "${RUNSC_SCRIPT}" <<EOF
#!/bin/bash
/usr/local/bin/runsc --host-uds=all --ignore-cgroups "\$@"
EOF
chmod u+x "${RUNSC_SCRIPT}"
podman --runtime "${RUNSC_SCRIPT}" system service -t 0 &
- name: Test
run: cd ${{ matrix.module }} && go test ./...
# Verify that every module folder is mentioned in this workflow file.
verify-ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: |
if ! find * -name go.mod -print0 | xargs -0 dirname | xargs -I % grep % .github/workflows/go.yml > /dev/null; then
echo "Ensure every submodule is included in the matrix 'module' input in go.yml in the github workflows folder"
exit 1
fi