1# -*- mode: ruby -*-
2# vi: set ft=ruby :
3
4#   Copyright The containerd Authors.
5#
6#   Licensed under the Apache License, Version 2.0 (the "License");
7#   you may not use this file except in compliance with the License.
8#   You may obtain a copy of the License at
9
10#       http://www.apache.org/licenses/LICENSE-2.0
11
12#   Unless required by applicable law or agreed to in writing, software
13#   distributed under the License is distributed on an "AS IS" BASIS,
14#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15#   See the License for the specific language governing permissions and
16#   limitations under the License.
17
18# Vagrantfile for cgroup2 and SELinux
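Vagrant.configure("2") do |config|
  # Fedora 32 cloud image: the environment this Vagrantfile exists to exercise
  # (cgroup2 + SELinux, see the header comment).
  config.vm.box = "fedora/32-cloud-base"

  # Same sizing for both supported providers.
  vm_memory = 4096
  vm_cpus = 2
  [:virtualbox, :libvirt].each do |provider|
    config.vm.provider provider do |v|
      v.memory = vm_memory
      v.cpus = vm_cpus
    end
  end

  # Disabled by default. To run:
  #   vagrant up --provision-with=upgrade-packages
  # To upgrade only specific packages (space-separated list, handed to dnf as
  # separate arguments):
  #   UPGRADE_PACKAGES=selinux vagrant up --provision-with=upgrade-packages
  # With UPGRADE_PACKAGES unset, `dnf upgrade` upgrades every installed package.
  config.vm.provision "upgrade-packages", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-upgrade-packages"
    sh.env = {
        'UPGRADE_PACKAGES': ENV['UPGRADE_PACKAGES'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        # Deliberately unquoted: the variable may carry several package names.
        dnf -y upgrade ${UPGRADE_PACKAGES}
    SHELL
  end

  # Build and test dependencies. container-selinux supplies the container
  # policy the SELinux checks below rely on; libseccomp-devel/libselinux-devel
  # back the "seccomp selinux" BUILDTAGS used by install-containerd.
  # To re-run, installing CNI from RPM:
  #   INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-packages"
    sh.env = {
        'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        # INSTALL_PACKAGES is deliberately unquoted (zero or more extra packages).
        dnf -y install \
            container-selinux \
            curl \
            gcc \
            git \
            iptables \
            libseccomp-devel \
            libselinux-devel \
            lsof \
            make \
            ${INSTALL_PACKAGES}
    SHELL
  end

  # Installs a Go toolchain under /usr/local/go. The default version is pinned
  # here; to re-run this provisioner with a different one:
  #   GO_VERSION="1.14.6" vagrant up --provision-with=install-golang
  # The tarball is checked against GO_SHA256 when given. Otherwise it is checked
  # against the .sha256 file published next to the tarball, which comes from the
  # same origin and therefore only catches corrupt or truncated downloads; pin
  # GO_SHA256 for a supply-chain guarantee:
  #   GO_VERSION="1.15.5" GO_SHA256="<hex digest>" vagrant up --provision-with=install-golang
  config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-golang"
    sh.env = {
        'GO_VERSION': ENV['GO_VERSION'] || "1.15.5",
        'GO_SHA256': ENV['GO_SHA256'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        url="https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz"
        tarball=$(mktemp)
        trap 'rm -f "${tarball}"' EXIT
        # Download to a file first so the archive can be verified before it is
        # unpacked into /usr/local.
        curl -fsSL -o "${tarball}" "${url}"
        expected="${GO_SHA256:-$(curl -fsSL "${url}.sha256" | awk '{print $1}')}"
        echo "${expected}  ${tarball}" | sha256sum -c -
        tar -C /usr/local -xzf "${tarball}"
        # Unquoted heredoc: $PATH is expanded now, so the provisioner's PATH is
        # baked into the file. GO111MODULE=off keeps the GOPATH layout that
        # setup-gopath builds.
        cat >> /etc/environment <<EOF
        PATH=/usr/local/go/bin:$PATH
        GO111MODULE=off
        EOF
        source /etc/environment
        # Quoted heredoc: these are written literally and expanded at login.
        cat >> /etc/profile.d/sh.local <<'EOF'
        GOPATH=$HOME/go
        PATH=$GOPATH/bin:$PATH
        export GOPATH PATH
        EOF
        source /etc/profile.d/sh.local
    SHELL
  end

  # Exposes the synced /vagrant checkout at its GOPATH import path.
  config.vm.provision "setup-gopath", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-setup-gopath"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        mkdir -p ${GOPATH}/src/github.com/containerd
        ln -fnsv /vagrant ${GOPATH}/src/github.com/containerd/containerd
    SHELL
  end

  # Installs runc via the repository's setup script (RUNC_FLAVOR selects the
  # implementation) and labels the binary so the container-selinux policy
  # treats it as a container runtime.
  config.vm.provision "install-runc", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-runc"
    sh.env = {
        'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-runc
        type runc
        runc --version
        # `type -ap` lists every runc on PATH, so all of them get relabelled.
        chcon -v -t container_runtime_exec_t $(type -ap runc)
    SHELL
  end

  # Installs the CNI plugins via the repository's setup script. The trailing
  # `type` is informational only: a missing plugin does not fail provisioning.
  config.vm.provision "install-cni", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cni"
    sh.env = {
        'CNI_BINARIES': 'bridge dhcp flannel host-device host-local ipvlan loopback macvlan portmap ptp tuning vlan',
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-cni
        PATH=/opt/cni/bin:$PATH type ${CNI_BINARIES} || true
    SHELL
  end

  # Installs crictl/critest into /usr/local/bin (GOBIN). The default revision is
  # pinned to a commit hash rather than a branch; override with CRI_TOOLS_VERSION.
  config.vm.provision "install-cri-tools", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cri-tools"
    sh.env = {
        'CRI_TOOLS_VERSION': ENV['CRI_TOOLS_VERSION'] || '16911795a3c33833fa0ec83dac1ade3172f6989e',
        'GOBIN': '/usr/local/bin',
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        ${GOPATH}/src/github.com/containerd/containerd/script/setup/install-critools
        type crictl critest
        critest --version
    SHELL
  end

  # Builds containerd from the synced checkout with seccomp and SELinux support,
  # installs it, labels the binaries for the container-selinux policy and writes
  # the runtime configuration.
  config.vm.provision "install-containerd", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-containerd"
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        cd ${GOPATH}/src/github.com/containerd/containerd
        make BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" binaries install
        type containerd
        containerd --version
        chcon -v -t container_runtime_exec_t /usr/local/bin/{containerd,containerd-shim*}
        ./script/setup/config-containerd
    SHELL
  end

  # SELinux is Enforcing by default.
  # To set SELinux as Disabled on a VM that has already been provisioned:
  #   SELINUX=Disabled vagrant up --provision-with=selinux
  # To set SELinux as Permissive on a VM that has already been provisioned:
  #   SELINUX=Permissive vagrant up --provision-with=selinux
  # SELINUX is presumably consumed by config-selinux (script not shown here).
  config.vm.provision "selinux", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-selinux"
    sh.env = {
        'SELINUX': ENV['SELINUX'] || "Enforcing"
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        # Fail fast like the other provisioners: the containerd config must not
        # be rewritten on top of a failed SELinux mode change.
        set -eux -o pipefail
        /vagrant/script/setup/config-selinux
        /vagrant/script/setup/config-containerd
    SHELL
  end

  # Runs the integration suite with whatever SELinux mode the VM currently has
  # (Enforcing unless the `selinux` provisioner has been run). To re-run after
  # switching mode, chain the two provisioners:
  #   SELINUX=Permissive vagrant up --provision-with=selinux,test-integration
  config.vm.provision "test-integration", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-integration"
    sh.env = {
        'RUNC_FLAVOR': ENV['RUNC_FLAVOR'] || "runc",
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        # Drop state left behind by a previous run.
        rm -rf /var/lib/containerd-test /run/containerd-test
        cd ${GOPATH}/src/github.com/containerd/containerd
        make integration EXTRA_TESTFLAGS="-no-criu -test.v" TEST_RUNTIME=io.containerd.runc.v2 RUNC_FLAVOR=$RUNC_FLAVOR
    SHELL
  end

  # Runs critest against a containerd started from the checkout's unit file,
  # with whatever SELinux mode the VM currently has. To re-run after switching
  # mode:
  #   SELINUX=Permissive vagrant up --provision-with=selinux,test-cri
  config.vm.provision "test-cri", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-cri"
    sh.env = {
        'CRITEST_ARGS': ENV['CRITEST_ARGS'],
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/environment
        source /etc/profile.d/sh.local
        set -eux -o pipefail
        # Start from a clean containerd state; the unit may not exist yet.
        systemctl disable --now containerd || true
        rm -rf /var/lib/containerd /run/containerd
        selinux=$(getenforce)
        function cleanup()
        {
            # Restore enforcement before anything else: this trap is the only
            # code that runs if `systemctl enable --now` below fails while
            # SELinux is relaxed, and the VM must not be left Permissive.
            if [[ $selinux == Enforcing ]]; then
                setenforce 1
            fi
            journalctl -u containerd > /tmp/containerd.log
            systemctl stop containerd
        }
        trap cleanup EXIT
        # SELinux is relaxed only while the unit is enabled and started
        # (presumably the unit or binaries under the synced folder are not
        # labelled for systemd — TODO confirm) and re-enabled before any test
        # runs, so critest itself sees the real mode.
        if [[ $selinux == Enforcing ]]; then
            setenforce 0
        fi
        systemctl enable --now ${GOPATH}/src/github.com/containerd/containerd/containerd.service
        if [[ $selinux == Enforcing ]]; then
            setenforce 1
        fi
        ctr version
        critest --parallel=$(nproc) ${CRITEST_ARGS}
    SHELL
  end

end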
247