New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI/GHA: test against all minor supported libseccomp versions #70
Conversation
0e3567c
to
59c82f9
Compare
Thanks @kolyshkin. A matrix seemed like a good way to meet everyone's testing needs; I'm glad you added it.
|
59c82f9
to
5bcd998
Compare
Looking more into libseccomp-golang, it seems that it will benefit from testing against older supported libseccomp releases, not just the latest. Currently the minimum supported version is 2.2.0, let's try to add it. |
5bcd998
to
c985b4b
Compare
c985b4b
to
6df53ab
Compare
Nice -- added libseccomp 2.3.x and 2.4.x revealed a bug in TestNotif -- it checks the API level but do not check libseccomp version :) Will fix later today, changing to DRAFT for now. |
3038dc9
to
e247b99
Compare
3e739ba
to
e421558
Compare
43c6868
to
591efe2
Compare
@drakenclimber @pcmoore PTAL. If sending patches to the ML is preferable, please let me know (currently, CONTRIBUTING.md says otherwise). |
I personally prefer github pull requests. But I wear many hats and unfortunately libseccomp-golang isn't one of them this week. The Linux Plumbers Conference is currently going on all week. |
+1 to what @drakenclimber already said. This has been a particularly difficult week on my end due to some personal issues, LPC, and a handful of high-priority and high-visibility SELinux kernel issues flaring up. I'm working my way through the libseccomp-golang PRs right now ... |
.github/workflows/test.yml
Outdated
@@ -16,7 +16,7 @@ jobs: | |||
fail-fast: false | |||
matrix: | |||
go-version: [1.15.x, 1.16.x, 1.17.x] | |||
libseccomp: ["v2.5.2", "HEAD"] | |||
libseccomp: ["v2.2.1", "v2.2.3", "v2.3.3", "v2.4.3", "v2.5.2", "HEAD"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is interesting as we no longer support v2.2.x, v2.3.x, or v2.4.x upstream anymore. I guess we can let this slide for no so long as there are no major issues, but as soon as something significant crops up with these older releases we should probably just drop them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm merely following what's in there already (except for dropping 2.2.0 support).
If you want, I can rework this to drop 2.2.x support, too, as this is only used by very old (but still supported) Ubuntu 14.04.
Dropping 2.3 and especially 2.4 is more problematic though, as this is what many long-term supported distros ship (Debian, RHEL, SLES).
I think it makes total sense to drop 2.2 and 2.3 (and maybe 2.4) after the release is cut, but it's up to you to decide.
Thanks again for the patches @kolyshkin, but I have a few general comments, in no particular order:
My apologies if all of the above seem a bit trivial and nit-picky, but as you are starting to contribute more - thank you! - you're going to be subjected to a bit more "tough love" if you will :) Please leave this PR as-is, I'll fix these things up when I hear back from @drakenclimber (below), but it is something to keep in mind for the future. @drakenclimber, this PR has changed quite a bit since you last looked at it, does your |
If you got an impression that I piled up everything I can change into this single PR, let me assure you this is not so. It all started with "let's add libseccomp versions that this package seems to support to CI", and the rest was added to make the CI green. The only non-really-related stuff is "seccomp_internal.go: simplify version checks" and "test: execInSubprocess: simplify", and I will move it out of this commit.
Will reword.
Definitely no need to apologize, any constructive feedback (and "tough love") is very welcome and truly appreciated.
No problem, I'd rather fix it in place. |
126079c
to
08d3474
Compare
Currently this package requires libseccomp < 2.2.0, refusing to build otherwise, and contains a few kludges specifically targeting libseccomp 2.2.0. Let's require version 2.3.1 or greater, and remove the kludges for older versions. While at it, reword the error message to remove the word "supported". Checking for libseccomp versions shipped with various old (but still supported) releases, here is what I found out: * Ubuntu 14.04 "Trusty Tahr": 2.1.1 (unsupported by this pkg), with 2.2.3 available in backports repo [1] * Debian "Stretch" (aka oldoldstable): 2.3.1 [2] * RHEL/CentOS 7: 2.3.1 [3] * SLES 15 SP1: 2.4.3 [4] * openSUSE Leap 15.2: 2.4.1 [4] * Alpine 3.11: 2.4.2 [5] * Arch, Gentoo: 2.5.x [1] https://launchpad.net/ubuntu/+source/libseccomp [2] https://packages.debian.org/search?keywords=libseccomp [3] https://rpmfind.net/linux/rpm2html/search.php?query=libseccomp [4] https://software.opensuse.org/package/libseccomp [5] https://pkgs.alpinelinux.org/packages?name=libseccomp&branch=v3.11 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Otherwise the LD_PRELOAD, set in a CI job, is not being used, leading to distro libseccomp version being used instead of the one we prepared. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Instead of testing against whatever version of libseccomp the distro (Ubuntu 20.04 in this case) provides, do compile and test against the latest released version, 2.5.2. While at it, it's relatively easy to enable testing against git tip as well, so implement it as well. All we have to do is to change the version from 0.0.0 to some value that is >= current version. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Functions seccomp_api_get(3) and seccomp_api_set(3) appeared in libseccomp 2.4.0, not 2.3.3 like the code assumed. This fixes TestGetAPILevel failure with libseccomp 2.3.3. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
While testing this package against a recent kernel and older libseccomp library (2.2.x to 2.4.x) it appears that every time we perform an API level check, libseccomp version check is also needed. Modify checkAPI to also call checkVersion. Unify both functions, as well as VersionError, to use minor, major, micro triad everywhere. While at it: - fix checkAPI and checkVersion docs; - simplify their tests, add more test cases. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
TestNotif should check not only for API level >= 6, but also for libseccomp >= 2.5.0. Use notifSupported() to fix. Same applies to TestNotifUnsupported. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
NOTE that libseccomp < 2.5.x is no longer officially supported upstream, but this library still works with 2.3.x and 2.4.x, so we test against those. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is to ensure we're testing against the expected libseccomp version (as prepared by CI, which sets the _EXPECTED_LIBSECCOMP_VERSION var). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
08d3474
to
6f6ba25
Compare
Rebased on top of the current main |
@drakenclimber @pcmoore PTAL 🙏🏻 |
Patience please. This week, and last week for that matter, have been busy with conferences as well as the usual stuff. On a personal note, the late summer, early fall weather has been really nice where I live too so I've been trying to enjoy that outside of work. We see the activity on this, and appreciate it, but please be patient and allow us the time to review it. |
Thanks, @kolyshkin. The most recent changes look good to me.
|
Merged at HEAD 6a935f5, thanks @kolyshkin! |
In short:
Addresses: #65 (comment)
Please review commit by commit.