zhouyuhuan
/
Cloudpods


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354
							# -*- mode: ruby -*-
# vi: set ft=ruby :

#   Copyright The containerd Authors.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at

#       http://www.apache.org/licenses/LICENSE-2.0

#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# Vagrantfile for Fedora and EL
Vagrant.configure("2") do |config|
  config.vm.box = ENV["BOX"] ? ENV["BOX"].split("@")[0] : "fedora/37-cloud-base"
  # BOX_VERSION is deprecated. Use "BOX=<BOX>@<BOX_VERSION>".
  config.vm.box_version = ENV["BOX_VERSION"] || (ENV["BOX"].split("@")[1] if ENV["BOX"])

  memory = 4096
  cpus = 2
  disk_size = 60
  config.vm.provider :virtualbox do |v, o|
    v.memory = memory
    v.cpus = cpus
    # Needs env var VAGRANT_EXPERIMENTAL="disks"
    o.vm.disk :disk, size: "#{disk_size}GB", primary: true
  end
  config.vm.provider :libvirt do |v|
    v.memory = memory
    v.cpus = cpus
    v.machine_virtual_size = disk_size
  end

  config.vm.synced_folder ".", "/vagrant", type: "rsync"

  config.vm.provision 'shell', path: 'script/resize-vagrant-root.sh'

  # Disabled by default. To run:
  #   vagrant up --provision-with=upgrade-packages
  # To upgrade only specific packages:
  #   UPGRADE_PACKAGES=selinux vagrant up --provision-with=upgrade-packages
  #
  config.vm.provision "upgrade-packages", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-upgrade-packages"
    sh.env = {
        'UPGRADE_PACKAGES': ENV['UPGRADE_PACKAGES'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        dnf -y upgrade ${UPGRADE_PACKAGES}
    SHELL
  end

  # To re-run, installing CNI from RPM:
  #   INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
  #
  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-packages"
    sh.env = {
        'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        dnf -y install \
            container-selinux \
            curl \
            gcc \
            git \
            iptables \
            libseccomp-devel \
            libselinux-devel \
            lsof \
            make \
            strace \
            ${INSTALL_PACKAGES}
    SHELL
  end

  # EL does not have /usr/local/{bin,sbin} in the PATH by default
  config.vm.provision "setup-etc-environment", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-setup-etc-environment"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        cat >> /etc/environment <<EOF
PATH=/usr/local/go/bin:/usr/local/bin:/usr/local/sbin:$PATH
EOF
        source /etc/environment
        SHELL
  end

  # To re-run this provisioner, installing a different version of go:
  #   GO_VERSION="1.14.6" vagrant up --provision-with=install-golang
  #
  config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-golang"
    sh.env = {
        'GO_VERSION': ENV['GO_VERSION'] || "1.20.13",
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
        cat >> /etc/profile.d/sh.local <<EOF
GOPATH=\\$HOME/go
PATH=\\$GOPATH/bin:\\$PATH
export GOPATH PATH
git config --global --add safe.directory /vagrant
EOF
    source /etc/profile.d/sh.local
    SHELL
  end

  config.vm.provision "setup-gopath", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-setup-gopath"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        mkdir -p ${GOPATH}/src/github.com/containerd
        ln -fnsv /vagrant ${GOPATH}/src/github.com/containerd/containerd
    SHELL
  end

  config.vm.provision "install-runc", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-runc"
    sh.env = {
        'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-runc
        type runc
        runc --version
        chcon -v -t container_runtime_exec_t $(type -ap runc)
    SHELL
  end

  config.vm.provision "install-cni", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cni"
    sh.env = {
        'CNI_BINARIES': 'bridge dhcp flannel host-device host-local ipvlan loopback macvlan portmap ptp tuning vlan',
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        cd ${GOPATH}/src/github.com/containerd/containerd
        script/setup/install-cni
        PATH=/opt/cni/bin:$PATH type ${CNI_BINARIES} || true
    SHELL
  end

  config.vm.provision "install-cri-tools", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cri-tools"
    sh.env = {
        'CRI_TOOLS_VERSION': ENV['CRI_TOOLS_VERSION'] || '16911795a3c33833fa0ec83dac1ade3172f6989e',
        'GOBIN': '/usr/local/bin',
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-critools
        type crictl critest
        critest --version
    SHELL
  end

  config.vm.provision "install-containerd", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-containerd"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        cd ${GOPATH}/src/github.com/containerd/containerd
        make BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" binaries install
        type containerd
        containerd --version
        chcon -v -t container_runtime_exec_t /usr/local/bin/{containerd,containerd-shim*}
        ./script/setup/config-containerd
    SHELL
  end

  config.vm.provision "install-gotestsum", type: "shell",  run: "once" do |sh|
      sh.upload_path = "/tmp/vagrant-install-gotestsum"
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-gotestsum
        sudo cp ${GOPATH}/bin/gotestsum /usr/local/bin/
      SHELL
  end

  config.vm.provision "install-failpoint-binaries", type: "shell",  run: "once" do |sh|
      sh.upload_path = "/tmp/vagrant-install-failpoint-binaries"
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-failpoint-binaries
        chcon -v -t container_runtime_exec_t $(type -ap containerd-shim-runc-fp-v1)
        containerd-shim-runc-fp-v1 -v
      SHELL
  end

  # SELinux is Enforcing by default.
  # To set SELinux as Disabled on a VM that has already been provisioned:
  #   SELINUX=Disabled vagrant up --provision-with=selinux
  # To set SELinux as Permissive on a VM that has already been provsioned
  #   SELINUX=Permissive vagrant up --provision-with=selinux
  config.vm.provision "selinux", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-selinux"
    sh.env = {
        'SELINUX': ENV['SELINUX'] || "Enforcing"
    }
    sh.inline = <<~SHELL
        /vagrant/script/setup/config-selinux
        /vagrant/script/setup/config-containerd
    SHELL
  end

  # SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
  #   SELINUX=Disabled vagrant up --provision-with=selinux,test-integration
  #
  config.vm.provision "test-integration", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-integration"
    sh.env = {
        'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
        'GOTEST': ENV['GOTEST'] || "go test",
        'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
        'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        rm -rf /var/lib/containerd-test /run/containerd-test
        cd ${GOPATH}/src/github.com/containerd/containerd
        go test -v -count=1 -race ./metrics/cgroups
        make integration EXTRA_TESTFLAGS="-timeout 15m -no-criu -test.v" TEST_RUNTIME=io.containerd.runc.v2 RUNC_FLAVOR=$RUNC_FLAVOR
    SHELL
  end

  # SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
  #   SELINUX=Disabled vagrant up --provision-with=selinux,test-cri-integration
  #
  config.vm.provision "test-cri-integration", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-cri-integration"
    sh.env = {
        'GOTEST': ENV['GOTEST'] || "go test",
        'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
        'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
        'GITHUB_WORKSPACE': '',
        'ENABLE_CRI_SANDBOXES': ENV['ENABLE_CRI_SANDBOXES'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        cleanup() {
          rm -rf /var/lib/containerd* /run/containerd* /tmp/containerd* /tmp/test* /tmp/failpoint* /tmp/nri*
        }
        cleanup
        cd ${GOPATH}/src/github.com/containerd/containerd
        # cri-integration.sh executes containerd from ./bin, not from $PATH .
        make BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" binaries bin/cri-integration.test
        chcon -v -t container_runtime_exec_t ./bin/{containerd,containerd-shim*}
        CONTAINERD_RUNTIME=io.containerd.runc.v2 ./script/test/cri-integration.sh
        cleanup
    SHELL
  end

  # SELinux is Enforcing by default (via provisioning) in this VM. To re-run with SELinux disabled:
  #   SELINUX=Disabled vagrant up --provision-with=selinux,test-cri
  #
  config.vm.provision "test-cri", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-cri"
    sh.env = {
        'GOTEST': ENV['GOTEST'] || "go test",
        'REPORT_DIR': ENV['REPORT_DIR'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        systemctl disable --now containerd || true
        rm -rf /var/lib/containerd /run/containerd
        function cleanup()
        {
            journalctl -u containerd > /tmp/containerd.log
            cat /tmp/containerd.log
            systemctl stop containerd
        }
        selinux=$(getenforce)
        if [[ $selinux == Enforcing ]]; then
            setenforce 0
        fi
        systemctl enable --now ${GOPATH}/src/github.com/containerd/containerd/containerd.service
        if [[ $selinux == Enforcing ]]; then
            setenforce 1
        fi
        trap cleanup EXIT
        ctr version
        critest --parallel=$[$(nproc)+2] --ginkgo.skip='HostIpc is true' --report-dir="${REPORT_DIR}"
    SHELL
  end

  # Rootless Podman is used for testing CRI-in-UserNS
  # (We could use rootless nerdctl, but we are using Podman here because it is available in dnf)
  config.vm.provision "install-rootless-podman", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-install-rootless-podman"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        # Delegate cgroup v2 controllers to rootless
        mkdir -p /etc/systemd/system/user@.service.d
        cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
Delegate=yes
EOF
        systemctl daemon-reload
        # Install Podman
        dnf install -y podman
        # Configure Podman to resolve `golang` to `docker.io/library/golang`
        mkdir -p /etc/containers
        cat > /etc/containers/registries.conf <<EOF
[registries.search]
registries = ['docker.io']
EOF
    SHELL
  end

end