feat(libsinsp/container_engine): proper containerd support #2485
# Builds the kernel drivers and the scap tooling, then runs their test suites
# on the architectures covered by the jobs of this workflow.
name: Drivers CI Build
# Triggers: every pull request, pushes to the listed branches, and manual dispatch.
# The trigger is `pull_request` (not `pull_request_target`); the fork guards on
# the secret-using jobs rely on secrets being unavailable to fork runs.
on:
  pull_request:
  push:
    branches:
      - master
      - 'release/**'
      - 'maintainers/**'
  workflow_dispatch:

# we cannot use paths key here since otherwise required_status_checks jobs won't run.
# See https://github.com/orgs/community/discussions/26251.
# We need to use the paths-filter job.

# Checks if any concurrent jobs under the same pull request or branch are being executed
# For pull requests the group key is the head branch name, so a newer run cancels
# the one in progress; for other events `github.head_ref` is empty and the key
# falls back to the run id, which gives each run its own group.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# NOTE(review): no `permissions:` key is visible in this workflow, so GITHUB_TOKEN
# gets the repository's default scopes. Confirm what each job needs and declare
# the minimum explicitly.
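jobs:
  # Reports which source areas the change touches. Every other job gates
  # itself, or each of its steps, on these three outputs.
  paths-filter:
    runs-on: ubuntu-latest
    outputs:
      driver: ${{ steps.filter.outputs.driver }}
      libscap: ${{ steps.filter.outputs.libscap }}
      libpman: ${{ steps.filter.outputs.libpman }}
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records
      # the release that SHA corresponds to.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          filters: |
            driver:
              - 'driver/**'
            libscap:
              - 'userspace/libscap/**'
            libpman:
              - 'userspace/libpman/**'

  # This job runs all engine tests and scap-open
  test-scap:
    name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
        arch: [amd64, arm64]
        # NOTE(review): both include entries match the single amd64 combination.
        # Under GitHub's include rules a later entry overwrites a value added by
        # an earlier one, and arm64 gets no enable_gvisor at all. Confirm that
        # the gVisor-enabled build is really exercised.
        include:
          - arch: amd64
            enable_gvisor: True
          - arch: amd64
            enable_gvisor: False
      fail-fast: false
    steps:
      - name: Checkout Libs ⤵️
        # We need to skip each step because of https://github.com/orgs/community/discussions/9141.
        # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        # bpftool is fetched by tag and installed as root. Unlike the SHA-pinned
        # actions, a tag can be moved upstream.
        # NOTE(review): consider checking out a known commit after the clone.
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && sudo make install

      - name: Build scap-open and drivers 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        # matrix.enable_gvisor is a value defined in this file, so interpolating
        # it into the command line does not carry outside input.
        run: |
          mkdir -p build
          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
          make scap-open driver bpf libscap_test -j6

      - name: Run scap-open with modern bpf 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 10

      - name: Run scap-open with bpf 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 10

      - name: Run scap-open with kmod 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        # Loads the freshly built kernel module, runs the capture, then unloads it.
        run: |
          cd build
          sudo insmod ./driver/scap.ko
          sudo ./libscap/examples/01-open/scap-open --kmod --num_events 10
          sudo rmmod scap

      - name: Run libscap_test 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./test/libscap/libscap_test

  # Builds the drivers and runs drivers_test against each of them
  # (modern bpf, bpf, kmod) on amd64 and arm64.
  test-drivers:
    name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
    runs-on: ${{ (matrix.arch == 'arm64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
    needs: paths-filter
    strategy:
      matrix:
        arch: [amd64, arm64]
      fail-fast: false
    steps:
      - name: Checkout Libs ⤵️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && sudo make install

      - name: Install multilib compilers for ia32 tests
        if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
        run: |
          sudo apt install -y --no-install-recommends gcc-multilib g++-multilib

      - name: Build drivers tests 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          mkdir -p build
          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
          make drivers_test driver bpf -j6

      - name: Run drivers_test with modern bpf 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./test/drivers/drivers_test -m

      - name: Run drivers_test with bpf 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./test/drivers/drivers_test -b

      - name: Run drivers_test with kmod 🏎️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        run: |
          cd build
          sudo ./test/drivers/drivers_test -k

  test-drivers-ppc64le:
    name: test-drivers-ppc64le 😁 (system_deps,custom node)
    runs-on: ubuntu-22.04
    # Avoid running on forks since this job uses a private secret
    # not available on forks, leading to failures.
    # The same guard keeps fork-authored code from being cloned, built and run
    # with sudo on the remote node this job connects to.
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
    needs: paths-filter
    steps:
      - name: Extract branch name
        # The branch name is read from runner-provided environment variables
        # rather than pasted into the script through a ${{ }} expression.
        run: echo "GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_ENV"

      - name: Build and test drivers on ppc64le node via ssh
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
        with:
          # Connection details and the private key come from repository secrets.
          host: ${{ secrets.PPC64LE_HOST }}
          username: ${{ secrets.PPC64LE_USERNAME }}
          key: ${{ secrets.PPC64LE_KEY }}
          port: ${{ secrets.PPC64LE_PORT }}
          # Variables forwarded from the runner to the remote script.
          envs: GIT_BRANCH,GITHUB_REPOSITORY,GITHUB_SERVER_URL
          command_timeout: 60m
          script: |
            sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
            # Quoted so the branch name and URL each reach git as one argument,
            # with no word splitting or globbing on the remote host.
            git clone -b "$GIT_BRANCH" "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" libs
            cd libs
            mkdir -p build
            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
            make drivers_test driver bpf -j6
            sudo ./test/drivers/drivers_test -m
            rc_modern=$?
            sudo ./test/drivers/drivers_test -b
            rc_bpf=$?
            sudo ./test/drivers/drivers_test -k
            rc_kmod=$?
            # Combine with bitwise OR instead of a sum: a sum of non-zero codes
            # can wrap to 0 modulo 256 and report success.
            exit $(( rc_modern | rc_bpf | rc_kmod ))

  # Build-only job: the s390x toolchain runs under emulation via run-on-arch-action.
  build-drivers-s390x:
    name: build-drivers-s390x 😁 (system_deps)
    runs-on: ubuntu-22.04
    needs: paths-filter
    steps:
      - name: Checkout Libs ⤵️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
        name: Run s390x build 🏗️
        if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
        with:
          arch: s390x
          distro: ubuntu22.04
          # The workflow token is handed to a third-party action here.
          # NOTE(review): its scopes are whatever the repository default grants,
          # since no `permissions:` is set for this job.
          githubToken: ${{ github.token }}

          install: |
            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
            git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
            cd bpftool
            git submodule update --init
            cd src && make install
            cd ../../
            git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
            cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
            ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/

          # Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
          run: |
            git config --global --add safe.directory $GITHUB_WORKSPACE
            .github/install-deps.sh
            mkdir -p build
            cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6

  # Produces the modern BPF skeleton header and publishes it as a short-lived
  # artifact for build-scap-open-w-extern-bpf-skeleton.
  build-modern-bpf-skeleton:
    needs: paths-filter
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
    # NOTE(review): `latest` is a moving tag, so the toolchain that generates
    # the skeleton can change between runs.
    container: fedora:latest
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
        run: |
          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Build modern BPF skeleton
        run: |
          mkdir skeleton-build && cd skeleton-build
          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ..
          make ProbeSkeleton -j6

      - name: Upload skeleton
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: bpf_probe_x86_64.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
          retention-days: 1

  # Builds scap-open against the skeleton header produced by the previous job
  # instead of generating it locally (MODERN_BPF_SKEL_DIR points at the download).
  build-scap-open-w-extern-bpf-skeleton:
    env:
      # NOTE(review): this opts the job into running actions on a Node.js
      # runtime the runner treats as unsupported. Both actions used in this job
      # are pinned to v4 releases; confirm the override is still needed and
      # remove it if not.
      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
    needs: [paths-filter, build-modern-bpf-skeleton]
    runs-on: 'ubuntu-latest'
    if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
    steps:
      - name: Install build dependencies
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_x86_64.skel.h
          path: /tmp

      - name: Prepare project
        run: |
          mkdir build && cd build
          cmake \
              -DCMAKE_BUILD_TYPE=Release \
              -DUSE_BUNDLED_DEPS=On \
              -DBUILD_LIBSCAP_MODERN_BPF=ON \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DBUILD_BPF=Off \
              ..

      - name: Build project
        run: |
          cd build
          make scap-open -j6

  # Only runs on pull request since on master branch it is already triggered by pages CI.
  kernel-tests-dev:
    needs: paths-filter
    # Avoid running on forks since this job uses a private secret
    # not available on forks, leading to failures.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
    uses: ./.github/workflows/reusable_kernel_tests.yaml
    with:
      # Use real branch's HEAD sha, not the merge commit
      libsversion: ${{ github.event.pull_request.head.sha }}
    # `inherit` hands every secret this workflow can see to the called workflow.
    # NOTE(review): if reusable_kernel_tests.yaml needs only a few of them,
    # passing those by name would narrow the exposure.
    secrets: inherit

  # Packages the PR number and the head of each kernel testing matrix into an
  # artifact named pr-kernel-testing.
  kernel-tests-pr-info-upload:
    # paths-filter is listed explicitly because the `needs` context only exposes
    # direct dependencies, and the `if` below reads needs.paths-filter.outputs.*;
    # with kernel-tests-dev alone those outputs evaluate as empty.
    needs: [paths-filter, kernel-tests-dev]
    # Avoid running on forks since this job uses a private secret
    # not available on forks, leading to failures.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
    runs-on: ubuntu-latest
    steps:
      - name: Download X64 matrix
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_X64
          path: matrix_X64

      - name: Download ARM64 matrix
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: matrix_ARM64
          path: matrix_ARM64

      - name: Save PR info
        # Event data reaches the script through an environment variable, so the
        # shell sees it as data and never as script text.
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: |
          mkdir -p ./pr
          echo "$PR_NUMBER" > ./pr/NR
          touch ./pr/COMMENT
          echo "# X64 kernel testing matrix" >> ./pr/COMMENT
          echo "$(head -n $(grep -n -v -m1 '^|' matrix_X64/matrix.md | awk -F':' '{ print $1 }') matrix_X64/matrix.md)" >> ./pr/COMMENT
          echo "" >> ./pr/COMMENT
          echo "# ARM64 kernel testing matrix" >> ./pr/COMMENT
          echo "$(head -n $(grep -n -v -m1 '^|' matrix_ARM64/matrix.md | awk -F':' '{ print $1 }') matrix_ARM64/matrix.md)" >> ./pr/COMMENT
          echo Uploading PR info...
          cat ./pr/COMMENT
          echo ""

      - name: Upload PR info as artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: pr-kernel-testing
          path: pr/
          retention-days: 1
          if-no-files-found: warn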