Enable actions/attest-build-provenance; Release v2.3.0 #880
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Main | |
on: [push, pull_request] | |
jobs: | |
test-unit: | |
name: "Unit test" | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: "Check out" | |
uses: actions/checkout@v4 | |
- name: "Build unit test image" | |
run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-unit --target test-unit . | |
- name: "Unit test" | |
run: docker run --rm --privileged rootlesskit:test-unit | |
test-cross: | |
name: "Cross compilation test" | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: "Build binaries" | |
run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact . | |
test-integration: | |
name: "Integration test" | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: "Set up AppArmor" | |
run: | | |
cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit" | |
abi <abi/4.0>, | |
include <tunables/global> | |
/home/user/bin/rootlesskit flags=(unconfined) { | |
userns, | |
} | |
EOT | |
sudo systemctl restart apparmor.service | |
- name: "Check out" | |
uses: actions/checkout@v4 | |
- name: "Build integration test image" | |
run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration --target test-integration . | |
- name: "Integration test: exit-code" | |
run: docker run --rm --privileged rootlesskit:test-integration ./integration-exit-code.sh | |
- name: "Integration test: propagation" | |
run: docker run --rm --privileged rootlesskit:test-integration ./integration-propagation.sh | |
- name: "Integration test: propagation (with `mount --make-rshared /`)" | |
run: docker run --rm --privileged rootlesskit:test-integration sh -exc "sudo mount --make-rshared / && ./integration-propagation.sh" | |
- name: "Integration test: restart" | |
run: docker run --rm --privileged rootlesskit:test-integration ./integration-restart.sh | |
- name: "Integration test: port" | |
# NOTE: "--net=host" is a bad hack to enable IPv6 | |
run: docker run --rm --net=host --privileged rootlesskit:test-integration ./integration-port.sh | |
- name: "Integration test: IPv6 routing" | |
run: docker run --rm --privileged --sysctl net.ipv6.conf.all.disable_ipv6=0 rootlesskit:test-integration ./integration-ipv6.sh | |
- name: "Integration test: systemd socket activation" | |
run: docker run --rm --net=none --privileged rootlesskit:test-integration ./integration-systemd-socket.sh | |
- name: "Integration test: Network (network driver=slirp4netns)" | |
run: | | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh slirp4netns | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh slirp4netns --detach-netns | |
- name: "Integration test: Network (network driver=vpnkit)" | |
run: | | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh vpnkit | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh vpnkit --detach-netns | |
- name: "Integration test: Network (network driver=lxc-user-nic)" | |
run: | | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh lxc-user-nic | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh lxc-user-nic --detach-netns | |
- name: "Integration test: Network (network driver=pasta)" | |
run: | | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta | |
docker run --rm --privileged rootlesskit:test-integration ./integration-net.sh pasta --detach-netns | |
# ===== Benchmark: Network (MTU=1500) ===== | |
- name: "Benchmark: Network (MTU=1500, network driver=slirp4netns)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500 | |
- name: "Benchmark: Network (MTU=1500, network driver=slirp4netns with sandbox and seccomp)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto | |
- name: "Benchmark: Network (MTU=1500, network driver=slirp4netns with sandbox and seccomp) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --detach-netns | |
# NOTE: MTU greater than 16424 is known not to work for VPNKit. | |
# Also, MTU greather than 4K might not be effective for VPNKit: https://twitter.com/mugofsoup/status/1017665057738641408 | |
- name: "Benchmark: Network (MTU=1500, network driver=vpnkit)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh vpnkit 1500 | |
- name: "Benchmark: Network (MTU=1500, network driver=vpnkit) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh vpnkit 1500 --detach-netns | |
- name: "Benchmark: Network (MTU=1500, network driver=pasta)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 1500 | |
- name: "Benchmark: Network (MTU=1500, network driver=pasta) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 1500 --detach-netns | |
- name: "Benchmark: Network (MTU=1500, network driver=lxc-user-nic)" | |
run: | | |
docker run --rm --privileged \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 1500 | |
- name: "Benchmark: Network (MTU=1500, network driver=lxc-user-nic) with detach-netns" | |
run: | | |
docker run --rm --privileged \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 1500 --detach-netns | |
- name: "Benchmark: Network (MTU=1500, rootful veth for comparison)" | |
run: | | |
docker run --rm --privileged \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh rootful_veth 1500 | |
# ===== Benchmark: Network (MTU=65520) ===== | |
- name: "Benchmark: Network (MTU=65520, network driver=slirp4netns)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 65520 | |
- name: "Benchmark: Network (MTU=65520, network driver=slirp4netns with sandbox and seccomp)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh slirp4netns 65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto | |
- name: "Benchmark: Network (MTU=65520, network driver=pasta)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh pasta 65520 | |
- name: "Benchmark: Network (MTU=65520, network driver=lxc-user-nic)" | |
run: | | |
docker run --rm --privileged \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh lxc-user-nic 65520 | |
- name: "Benchmark: Network (MTU=65520, rootful veth for comparison)" | |
run: | | |
docker run --rm --privileged \ | |
rootlesskit:test-integration ./benchmark-iperf3-net.sh rootful_veth 65520 | |
# ===== Benchmark: TCP Ports ===== | |
- name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=slirp4netns)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh slirp4netns | |
- name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=slirp4netns) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh slirp4netns --detach-netns | |
- name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=builtin)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh builtin | |
- name: "Benchmark: TCP Ports (network driver=slirp4netns, port driver=builtin) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh builtin --detach-netns | |
- name: "Benchmark: TCP Ports (network driver=pasta, port driver=implicit)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh implicit --net=pasta | |
- name: "Benchmark: TCP Ports (network driver=pasta, port driver=implicit) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port.sh implicit --net=pasta --detach-netns | |
# ===== Benchmark: UDP Ports ===== | |
- name: "Benchmark: UDP Ports (port driver=slirp4netns)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns | |
- name: "Benchmark: UDP Ports (port driver=slirp4netns) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh slirp4netns --detach-netns | |
- name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta | |
- name: "Benchmark: UDP Ports (network driver=pasta, port driver=implicit) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh implicit --net=pasta --detach-netns | |
- name: "Benchmark: UDP Ports (port driver=builtin)" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin | |
- name: "Benchmark: UDP Ports (port driver=builtin) with detach-netns" | |
run: | | |
docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --device /dev/net/tun \ | |
rootlesskit:test-integration ./benchmark-iperf3-port-udp.sh builtin --detach-netns | |
test-integration-docker: | |
name: "Integration test (Docker)" | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: "Set up AppArmor" | |
run: | | |
cat <<EOT | sudo tee "/etc/apparmor.d/home.user.bin.rootlesskit" | |
abi <abi/4.0>, | |
include <tunables/global> | |
/home/user/bin/rootlesskit flags=(unconfined) { | |
userns, | |
} | |
EOT | |
sudo systemctl restart apparmor.service | |
- name: "Check out" | |
uses: actions/checkout@v4 | |
- name: "Build integration test image" | |
run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker . | |
- name: "Create a custom network to avoid IP confusion" | |
run: docker network create custom | |
- name: "Docker Integration test: net=slirp4netns, port-driver=builtin" | |
run: | | |
docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker | |
sleep 2 | |
docker exec test docker info | |
docker exec test ./integration-docker.sh | |
docker rm -f test | |
- name: "Docker Integration test: net=slirp4netns, port-driver=slirp4netns" | |
run: | | |
docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns rootlesskit:test-integration-docker | |
sleep 2 | |
docker exec test docker info | |
docker exec test ./integration-docker.sh | |
docker rm -f test | |
- name: "Docker Integration test: net=vpnkit, port-driver=builtin" | |
run: | | |
docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=vpnkit -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker | |
sleep 2 | |
docker exec test docker info | |
docker exec test ./integration-docker.sh | |
docker rm -f test | |
- name: "Docker Integration test: net=pasta, port-driver=implicit" | |
run: | | |
docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit rootlesskit:test-integration-docker | |
sleep 2 | |
docker exec test docker info | |
docker exec test ./integration-docker.sh | |
docker rm -f test |