From 581a55c994c542a3cd6996bb0b933f778fdde155 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 11:57:10 -0400 Subject: [PATCH 1/8] Add GH actions to setup QEMU and buildx This idea was stolen from felddy/reusable-workflows. --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b57fa87..e3cce0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -204,6 +204,10 @@ jobs: run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Run molecule tests run: molecule test --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session From 5759b776bb0e245c457c72d7115d34e3fa88e530 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 12:17:44 -0400 Subject: [PATCH 2/8] Add Molecule testing support for aarch where possible --- .github/workflows/build.yml | 29 +++++++- molecule/default/molecule.yml | 124 +++++++++++++++++++++++++++++++--- 2 files changed, 141 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e3cce0b..a9ad548 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
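Review bot: Both added steps reference third-party actions by the mutable tag `@v3`, so whichever commit that tag points to at run time executes on the runner shortly before the molecule step starts its test containers. Pinning each to a full commit SHA, e.g. `uses: docker/setup-qemu-action@<full-commit-sha>  # v3` (placeholder, same for setup-buildx-action), makes the executed code reviewable while still letting Dependabot propose bumps. setup-qemu-action also registers emulators for every architecture it supports unless its `platforms` input narrows that; the later patches in this series only test one extra architecture, so `with:` / `platforms: arm64` looks sufficient. The `mxschmitt/action-tmate@v3` step in the context lines uses the same tag convention, so this may be best handled file-wide.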
@@ -174,6 +174,30 @@ jobs: strategy: fail-fast: false matrix: + architecture: + - aarch64 + - amd64 + exclude: + # The Docker images we use for these platforms do not + # support aarch64. + - architecture: aarch64 + platform: amazonlinux2023-systemd + - architecture: aarch64 + platform: fedora39-systemd + - architecture: aarch64 + platform: fedora40-systemd + platform: + - amazonlinux2023-systemd + - debian10-systemd + - debian11-systemd + - debian12-systemd + - debian13-systemd + - kali-systemd + - fedora39-systemd + - fedora40-systemd + - ubuntu-20-systemd + - ubuntu-22-systemd + - ubuntu-24-systemd scenario: - default steps: @@ -209,7 +233,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Run molecule tests - run: molecule test --scenario-name ${{ matrix.scenario }} + run: >- + molecule test + --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} + --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 8e47275..ec5bdcb 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
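Review bot: The rewritten `run:` step in the second build.yml hunk splices `${{ matrix.platform }}`, `${{ matrix.architecture }}` and `${{ matrix.scenario }}` directly into the shell script text, unquoted. The values are literals from this workflow's own matrix, so this is a hardening point rather than a live injection, but the pattern stops being safe as soon as a matrix entry is derived from an input or event field. Passing the value through the step's `env:` (for example `PLATFORM_NAME: ${{ matrix.platform }}-${{ matrix.architecture }}`) and calling `molecule test --platform-name "$PLATFORM_NAME"` keeps the expansion in the shell, where quoting applies. The step list continues outside the hunk.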
@@ -7,102 +7,204 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd + name: amazonlinux2023-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + # name: amazonlinux2023-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd + name: debian10-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd + name: debian11-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd + name: debian12-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - 
cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd + name: debian13-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd + name: kali-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + name: fedora39-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. 
+ # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora39-ansible:latest + # name: fedora39-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd + name: fedora40-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora40-ansible:latest + # name: fedora40-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd + name: ubuntu-20-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd + name: ubuntu-22-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: 
/lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd + name: ubuntu-24-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: From 234ac0387b533627b40e0d5e0cc6a3eb14ab86d1 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 22 Apr 2024 16:08:22 -0400 Subject: [PATCH 3/8] Alphabetize platforms Co-authored-by: dav3r --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a9ad548..e79e643 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -192,9 +192,9 @@ jobs: - debian11-systemd - debian12-systemd - debian13-systemd - - kali-systemd - fedora39-systemd - fedora40-systemd + - kali-systemd - ubuntu-20-systemd - ubuntu-22-systemd - ubuntu-24-systemd From 77f62e3687bcf27b319e865b8f99868fde40f9c0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 27 Apr 2024 16:15:14 -0400 Subject: [PATCH 4/8] Add support for the aarch64 platform for Fedora 39, Fedora 40, and AL2023 These platforms can now be included because the following PRs have been merged: - geerlingguy/docker-fedora39-ansible#2 - geerlingguy/docker-fedora40-ansible#1 - geerlingguy/docker-amazonlinux2023-ansible#4 --- .github/workflows/build.yml | 9 ------ molecule/default/molecule.yml | 57 +++++++++++++++++------------------ 2 files changed, 27 insertions(+), 39 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e79e643..22f1c43 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
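Review bot: Each aarch64 entry added in this hunk repeats `privileged: true`, `cgroupns_mode: host` and a read-write bind of `/sys/fs/cgroup`, on images addressed only as `:latest`, so the number of privileged containers started from unpinned third-party content doubles. On a hosted runner the blast radius is the ephemeral VM, but the same file presumably drives local runs on developer machines, where a replaced `:latest` image gets host-level access. Consider pinning each `image:` by digest, e.g. `image: docker.io/geerlingguy/docker-debian12-ansible@sha256:<digest>` (placeholder); the digest of a multi-arch index should serve both the amd64 and the arm entry of a distribution. A one-line comment such as `# privileged + host cgroup are required to run systemd as PID 1` on the first entry would record why the relaxed isolation is intentional. The same applies to the amazonlinux2023, fedora39 and fedora40 entries that PATCH 4/8 uncomments.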
@@ -177,15 +177,6 @@ jobs: architecture: - aarch64 - amd64 - exclude: - # The Docker images we use for these platforms do not - # support aarch64. - - architecture: aarch64 - platform: amazonlinux2023-systemd - - architecture: aarch64 - platform: fedora39-systemd - - architecture: aarch64 - platform: fedora40-systemd platform: - amazonlinux2023-systemd - debian10-systemd diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ec5bdcb..19df511 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -13,16 +13,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - # There is no aarch64 version of this Docker image. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - # name: amazonlinux2023-systemd-aarch64 - # platform: aarch64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest 
@@ -122,16 +121,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - # There is no aarch64 version of this Docker image. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-fedora39-ansible:latest - # name: fedora39-systemd-aarch64 - # platform: aarch64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora40-ansible:latest @@ -141,16 +139,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - # There is no aarch64 version of this Docker image. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-fedora40-ansible:latest - # name: fedora40-systemd-aarch64 - # platform: aarch64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest From 6158bae37a986ff9604b2b52ef42169832d369ea Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 31 May 2024 14:41:06 -0400 Subject: [PATCH 5/8] Prefer the name arm64 to aarch64 Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- molecule/default/molecule.yml | 44 +++++++++++++++++------------------ 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 22f1c43..1cf405b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -175,8 +175,8 @@ jobs: fail-fast: false matrix: architecture: - - aarch64 - amd64 + - arm64 platform: - amazonlinux2023-systemd - debian10-systemd diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 19df511..20b8324 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -16,8 +16,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-aarch64 - platform: aarch64 + name: amazonlinux2023-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -34,8 +34,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd-aarch64 - platform: aarch64 + name: debian10-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -52,8 +52,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd-aarch64 - platform: aarch64 + name: debian11-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: 
@@ -70,8 +70,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-aarch64 - platform: aarch64 + name: debian12-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -88,8 +88,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-aarch64 - platform: aarch64 + name: debian13-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -106,8 +106,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-aarch64 - platform: aarch64 + name: kali-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -124,8 +124,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-aarch64 - platform: aarch64 + name: fedora39-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -142,8 +142,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-aarch64 - platform: aarch64 + name: fedora40-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -160,8 +160,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd-aarch64 - platform: aarch64 + name: ubuntu-20-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: 
@@ -178,8 +178,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd-aarch64 - platform: aarch64 + name: ubuntu-22-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: @@ -196,8 +196,8 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-aarch64 - platform: aarch64 + name: ubuntu-24-systemd-arm64 + platform: arm64 pre_build_image: true privileged: true volumes: From 357a701ba723f1161e1e953b87147ee8d48826b8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 31 May 2024 14:42:35 -0400 Subject: [PATCH 6/8] Assign a name to the test job in the build GHA workflow This helps keep the job name in line with the molecule configuration. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1cf405b..3b88a29 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -168,6 +168,9 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + name: >- + test (${{ matrix.scenario }}) - + ${{ matrix.platform }}-${{ matrix.architecture }} needs: - diagnostics runs-on: ubuntu-latest From 4d2653d8d53ae6591d45705bfcfb573f0dfb8240 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 31 May 2024 16:10:05 -0400 Subject: [PATCH 7/8] Update the `update_molecule_images.sh` helper script Adjust the script to pull down platform specific images instead of just the image of the running system's platform. This will ensure that all images needed by the molecule configuration are retrieved regardless of the system platform. --- update_molecule_images.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/update_molecule_images.sh b/update_molecule_images.sh index 2c8cccc..f7fc267 100755 --- a/update_molecule_images.sh +++ b/update_molecule_images.sh @@ -45,4 +45,4 @@ check_dependencies # Note that we can't use --max-args in place of -n in the xargs # command since the version of xargs distributed with macOS does not # support it. -yq '.platforms[].image' < "$source_file" | xargs -n 1 docker pull +yq '.platforms[] | "\(.platform) \(.image)"' < "$source_file" | xargs -n 2 docker pull --platform From ba48f714c14ffdb240f21ac1497dc88be5006c58 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:34:00 -0400 Subject: [PATCH 8/8] Add new dependabot ignore directives Adds commented out ignore statements for the following new Action dependencies added to the `test` job: - docker/setup-buildx-action - docker/setup-qemu-action Once uncommented in downstream repositories this will ensure that these dependencies are managed in a centralized place. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 986c3cb..d219c14 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -20,6 +20,8 @@ updates: - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-ansible-role + # - dependency-name: docker/setup-buildx-action + # - dependency-name: docker/setup-qemu-action # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule:
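Review bot: The new pipeline in update_molecule_images.sh pairs its arguments purely by position, because `xargs -n 2` assumes every `.platforms[]` entry yields exactly two whitespace-free tokens. An entry without a `platform` key would presumably interpolate as `null` and run `docker pull --platform null IMAGE`, and one missing or empty field would shift the pairing of every later entry; how the script reacts to that failure depends on shell options that are outside this hunk. Filtering in the yq expression, e.g. `.platforms[] | select(.platform != null and .image != null) | "\(.platform) \(.image)"`, keeps the pairs aligned. The comment above the command still describes only the `-n` versus `--max-args` choice; adding `# Emits "<platform> <image>" pairs; xargs passes each pair to docker pull --platform.` would document the two-token contract.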