From 55257a2506210373f4038c7277225fcd50bbbbb4 Mon Sep 17 00:00:00 2001 From: Vivian Kong Date: Wed, 3 Apr 2024 16:10:30 +0000 Subject: [PATCH] add s390x yamls --- .github/workflows/ci.yml | 18 +- .../workflows/reusable_build_dev_s390x.yaml | 89 ++++++ .../reusable_build_packages_s390x.yaml | 288 ++++++++++++++++++ .../reusable_test_packages_s390x.yaml | 57 ++++ 4 files changed, 447 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/reusable_build_dev_s390x.yaml create mode 100644 .github/workflows/reusable_build_packages_s390x.yaml create mode 100644 .github/workflows/reusable_test_packages_s390x.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8474a89735..60c84a7acd0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,9 +35,8 @@ jobs: sanitizers: true build-dev-packages-s390x: - runs-on: [self-hosted, S390X] needs: [fetch-version] - uses: ./.github/workflows/reusable_build_packages.yaml + uses: ./.github/workflows/reusable_build_packages_s390x.yaml with: # arch: s390x version: ${{ needs.fetch-version.outputs.version }} @@ -68,6 +67,16 @@ jobs: static: ${{ matrix.static != '' && true || false }} version: ${{ needs.fetch-version.outputs.version }} + test-dev-packages-s390x: + needs: [fetch-version, build-dev-packages-s390x] + uses: ./.github/workflows/reusable_test_packages_s390x.yaml + strategy: + fail-fast: false + with: +# arch: aarch64 + static: ${{ matrix.static != '' && true || false }} + version: ${{ needs.fetch-version.outputs.version }} + build-dev-minimal: uses: ./.github/workflows/reusable_build_dev.yaml with: @@ -85,8 +94,7 @@ jobs: build_type: Debug build-dev-minimal-s390x: - runs-on: [self-hosted, S390X] - uses: ./.github/workflows/reusable_build_dev.yaml + uses: ./.github/workflows/reusable_build_dev_s390x.yaml with: # arch: s390x git_ref: ${{ github.event.pull_request.head.sha }} 
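Review bot: `test-dev-packages-s390x` declares `strategy:` with only `fail-fast: false` and no `matrix:`, yet `static:` is computed from `matrix.static`, which is never defined for this job. The expression presumably always collapses to `false`, so the block reads as a leftover from the job it was copied from; the `# arch: aarch64` comment points the same way. I would drop the `strategy:` block, write `static: false`, and change the comment to `# arch: s390x` or remove it.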
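Review bot: `build-dev-minimal-s390x` hands `github.event.pull_request.head.sha` to a workflow whose only job runs on `[self-hosted, S390X]`, so pull-request code is built on that machine and its unit tests run under `sudo`. The triggers of ci.yml are outside the hunk, but if fork pull requests reach this job, a runner that is not recreated between jobs keeps whatever an earlier build left behind. The same applies to `build-dev-packages-s390x` and `test-dev-packages-s390x` in the earlier hunks. I would state the assumption next to the job, e.g. `# runs PR code on a self-hosted runner: runner must be ephemeral and fork PRs approval-gated`. If the job is only meant for pull requests from this repository, it could instead be restricted with `if: github.event.pull_request.head.repo.full_name == github.repository`.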
@@ -168,4 +176,4 @@ jobs: else echo "engine version for baseref and headref differ too, so no bump is required" fi - fi + fi \ No newline at end of file diff --git a/.github/workflows/reusable_build_dev_s390x.yaml b/.github/workflows/reusable_build_dev_s390x.yaml new file mode 100644 index 00000000000..ca157385e1b --- /dev/null +++ b/.github/workflows/reusable_build_dev_s390x.yaml 
@@ -0,0 +1,89 @@
+# This is a reusable workflow used by the master CI
+on:
+ workflow_call:
+ outputs:
+ cmdout:
+ description: "Post-build command output"
+ value: ${{ jobs.build-and-test.outputs.cmdout }}
+ inputs:
+# arch:
+# description: x86_64 or aarch64
+# required: true
+# type: string
+ minimal:
+ description: Minimal build
+ required: true
+ type: boolean
+ sanitizers:
+ description: Enable sanitizer support
+ required: false
+ default: false
+ type: boolean
+ build_type:
+ description: One of 'Debug' or 'Release'
+ required: true
+ type: string
+ git_ref:
+ description: Git ref used for checking out the code
+ required: true
+ type: string
+ cmd:
+ description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
+ required: false
+ default: ''
+ type: string
+
+jobs:
+ build-and-test:
+ # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+ runs-on: [self-hosted, S390X] #${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+ outputs:
+ cmdout: ${{ steps.run_cmd.outputs.out }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.git_ref }}
+
+ - name: Update base image
+ run: sudo apt update -y
+
+ - name: Install build dependencies
+ run: sudo DEBIAN_FRONTEND=noninteractive apt install libelf-dev libyaml-cpp-dev cmake build-essential git -y
+
+ - name: Install build dependencies (non-minimal)
+ if: inputs.minimal != true
+ run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+
+ - name: Prepare project
+ run: |
+ cmake -B build -S .\
+ -DBUILD_FALCO_UNIT_TESTS=On \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+ -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+ -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+ -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+ -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+ -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+ -DUSE_BUNDLED_DEPS=Off \
+ -DUSE_BUNDLED_NLOHMANN_JSON=On \
+ -DUSE_BUNDLED_CXXOPTS=On \
+ -DUSE_BUNDLED_CPPHTTPLIB=On \
+
+ - name: Build
+ run: |
+ KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4
+
+ - name: Run unit tests
+ run: |
+ pushd build
+ sudo ./unit_tests/falco_unit_tests
+ popd
+
+ - name: Run command
+ id: run_cmd
+ if: inputs.cmd != ''
+ run: |
+ OUT=$(${{ inputs.cmd }})
+ echo "out=${OUT}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/reusable_build_packages_s390x.yaml b/.github/workflows/reusable_build_packages_s390x.yaml
new file mode 100644
index 00000000000..22e79f0cf33
--- /dev/null
+++ b/.github/workflows/reusable_build_packages_s390x.yaml
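Review bot: The `Run command` step in reusable_build_dev_s390x.yaml writes `echo "out=${OUT}" >> $GITHUB_OUTPUT`, which only carries a single line. If `inputs.cmd` prints several lines, the extra lines are not part of `out` and may be read as further `name=value` entries, so `cmdout` can be truncated or other outputs set by accident. The delimiter form is safer, e.g. `{ echo "out<<CMDOUT_EOF"; echo "${OUT}"; echo "CMDOUT_EOF"; } >> "$GITHUB_OUTPUT"`. `inputs.cmd` and `inputs.build_type` are also pasted into the script text by `${{ }}` before the shell parses it, so the `cmd` input description should say that callers must pass only trusted, literal commands. The last cmake argument ends in ` \` followed by an empty line, which works but is fragile; I would drop that trailing backslash.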
@@ -0,0 +1,288 @@
+# This is a reusable workflow used by master and release CI
+on:
+ workflow_call:
+ inputs:
+# arch:
+# description: x86_64 or aarch64
+# required: true
+# type: string
+ version:
+ description: The Falco version to use when building packages
+ required: true
+ type: string
+ build_type:
+ description: The build type
+ required: false
+ type: string
+ default: 'Release'
+ sanitizers:
+ description: enable sanitizer support
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ build-modern-bpf-skeleton:
+ # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+ runs-on: [self-hosted, S390X] #${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+ container: fedora:latest
+ steps:
+ # Always install deps before invoking checkout action, to properly perform a full clone.
+ - name: Install build dependencies
+ run: |
+ dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
+
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+ - name: Build modern BPF skeleton
+ run: |
+ cmake -B skeleton-build -S . \
+ -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
+ cmake --build skeleton-build --target ProbeSkeleton -j6
+
+ - name: Upload skeleton
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: bpf_probe_${{ inputs.arch }}.skel.h
+ path: skeleton-build/skel_dir/bpf_probe.skel.h
+ retention-days: 1
+
+ build-packages:
+ # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+ runs-on: [self-hosted, S390X] #${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+ needs: [build-modern-bpf-skeleton]
+ container: centos:7
+ steps:
+ # Always install deps before invoking checkout action, to properly perform a full clone.
+ - name: Install build dependencies
+ run: |
+ yum -y install centos-release-scl
+ yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
+ source /opt/rh/devtoolset-9/enable
+ yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
+
+ - name: Checkout
+ # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+ - name: Download skeleton
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: bpf_probe_${{ inputs.arch }}.skel.h
+ path: /tmp
+
+ - name: Install updated cmake
+ run: |
+ curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
+ | tar --directory=/usr --strip-components=1 -xzp
+
+ - name: Prepare project
+ run: |
+ source /opt/rh/devtoolset-9/enable
+ cmake -B build -S . \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+ -DUSE_BUNDLED_DEPS=On \
+ -DFALCO_ETC_DIR=/etc/falco \
+ -DBUILD_FALCO_MODERN_BPF=ON \
+ -DMODERN_BPF_SKEL_DIR=/tmp \
+ -DBUILD_DRIVER=Off \
+ -DBUILD_BPF=Off \
+ -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
+ -DFALCO_VERSION=${{ inputs.version }}
+
+ - name: Build project
+ run: |
+ source /opt/rh/devtoolset-9/enable
+ cmake --build build --target falco -j6
+
+ - name: Build packages
+ run: |
+ source /opt/rh/devtoolset-9/enable
+ cmake --build build --target package
+
+ - name: Upload Falco tar.gz package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
+ path: |
+ ${{ github.workspace }}/build/falco-*.tar.gz
+
+ - name: Upload Falco deb package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
+ path: |
+ ${{ github.workspace }}/build/falco-*.deb
+
+ - name: Upload Falco rpm package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
+ path: |
+ ${{ github.workspace }}/build/falco-*.rpm
+
+ # The musl build job is currently disabled because we link libelf dynamically and it is
+ # not possible to dynamically link with musl
+ build-musl-package:
+ # x86_64 only for now
+ # if: ${{ inputs.arch == 'x86_64' }}
+ if: false
+ runs-on: ubuntu-latest
+ container: alpine:3.17
+ steps:
+ # Always install deps before invoking checkout action, to properly perform a full clone.
+ - name: Install build dependencies
+ run: |
+ apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+
+ - name: Prepare project
+ run: |
+ cmake -B build -S . \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+ -DCPACK_GENERATOR=TGZ \
+ -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
+ -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
+
+ - name: Build project
+ run: |
+ cmake --build build -j6
+
+ - name: Build packages
+ run: |
+ cmake --build build -j6 --target package
+
+ - name: Rename static package
+ run: |
+ cd build
+ mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
+
+ - name: Upload Falco static package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+ path: |
+ ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
+
+ build-wasm-package:
+ if: ${{ inputs.arch == 'x86_64' }}
+ runs-on: ubuntu-latest
+ steps:
+ # Always install deps before invoking checkout action, to properly perform a full clone.
+ - name: Install build dependencies
+ run: |
+ sudo apt update
+ sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
+
+ - name: Select node version
+ uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+ with:
+ node-version: 14
+
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+
+ - name: Prepare project
+ run: |
+ emcmake cmake -B build -S . \
+ -DBUILD_BPF=Off \
+ -DBUILD_DRIVER=Off \
+ -DBUILD_LIBSCAP_MODERN_BPF=OFF \
+ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+ -DUSE_BUNDLED_DEPS=On \
+ -DFALCO_ETC_DIR=/etc/falco \
+ -DBUILD_FALCO_UNIT_TESTS=On \
+ -DFALCO_VERSION=${{ inputs.version }}
+
+ - name: Build project
+ run: |
+ cd build
+ emmake make -j6 all
+
+ - name: Run unit Tests
+ run: |
+ cd build
+ node ./unit_tests/falco_unit_tests.js
+
+ - name: Build packages
+ run: |
+ cd build
+ emmake make -j6 package
+
+ - name: Upload Falco WASM package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-wasm.tar.gz
+ path: |
+ ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
+
+ build-win32-package:
+ if: ${{ inputs.arch == 'x86_64' }}
+ runs-on: windows-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+
+ # NOTE: Backslash doesn't work as line continuation on Windows.
+ - name: Prepare project
+ run: |
+ cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+ - name: Build project
+ run: |
+ cmake --build build --target package --config ${{ inputs.build_type }}
+
+ - name: Run unit Tests
+ run: |
+ build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
+
+ - name: Upload Falco win32 installer
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-installer-${{ inputs.version }}-win32.exe
+ path: build/falco-*.exe
+
+ - name: Upload Falco win32 package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-win32.exe
+ path: |
+ ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
+
+ build-macos-package:
+ if: ${{ inputs.arch == 'x86_64' }}
+ runs-on: macos-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+
+ - name: Prepare project
+ run: |
+ cmake -B build -S . \
+ -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+ - name: Build project
+ run: |
+ cmake --build build --target package
+
+ - name: Run unit Tests
+ run: |
+ sudo build/unit_tests/falco_unit_tests
+
+ - name: Upload Falco macos package
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: falco-${{ inputs.version }}-macos
+ path: |
+ ${{ github.workspace }}/build/userspace/falco/falco
\ No newline at end of file
diff --git a/.github/workflows/reusable_test_packages_s390x.yaml b/.github/workflows/reusable_test_packages_s390x.yaml
new file mode 100644
index 00000000000..0c56afb8b01
--- /dev/null
+++ b/.github/workflows/reusable_test_packages_s390x.yaml
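Review bot: The `Install updated cmake` step in reusable_build_packages_s390x.yaml pipes `curl -L …` straight into `tar --directory=/usr` with no checksum check and no `-f`, so the package build trusts whatever bytes the download returns, and an HTTP error page would be handed to tar. The URL is built from `$(uname -m)`, so it should also be confirmed that a `linux-s390x` archive exists for that CMake release. I would download to a file and verify it before unpacking: `curl -fsSL -o /tmp/cmake.tar.gz <URL>` followed by `echo "<EXPECTED_SHA256>  /tmp/cmake.tar.gz" | sha256sum -c -`. Separately, the `arch` input is commented out, but `inputs.arch` is still used in the artifact names, in `-DUSE_ASAN`, and in the `if:` guards of the wasm, win32 and macos jobs. It presumably expands to an empty string, giving names like `falco-<version>-.tar.gz` and jobs that never run (the test workflow's `cd falco-…-${{ inputs.arch }}` has the same problem), so either hard-code `s390x` or declare the input with `default: s390x`.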
@@ -0,0 +1,57 @@
+# This is a reusable workflow used by master and release CI
+on:
+ workflow_call:
+ inputs:
+# arch:
+# description: x86_64 or aarch64
+# required: true
+# type: string
+ static:
+ description: Falco packages use a static build
+ required: false
+ type: boolean
+ default: false
+ version:
+ description: The Falco version to use when testing packages
+ required: true
+ type: string
+
+jobs:
+ test-packages:
+ # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+ runs-on: [self-hosted, S390X] #${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+ steps:
+ - name: Download binary
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
+
+ - name: Install Falco package
+ run: |
+ ls falco-*.tar.gz
+ tar -xvf $(ls falco-*.tar.gz)
+ cd falco-${{ inputs.version }}-${{ inputs.arch }}
+ sudo cp -r * /
+
+ # We only run driver loader tests on x86_64
+ - name: Install kernel headers for falco-driver-loader tests
+ if: ${{ inputs.arch == 'x86_64' }}
+ run: |
+ sudo apt update -y
+ sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+ # Some builds use sanitizers, we always install support for them so they can run
+ - name: Install sanitizer support
+ run: |
+ sudo apt update -y
+ sudo apt install -y libasan5 libubsan1
+
+ - name: Run tests
+ uses: falcosecurity/testing@main
+ with:
+ test-falco: 'true'
+ test-falcoctl: 'true'
+ test-k8saudit: 'true'
+ static: ${{ inputs.static && 'true' || 'false' }}
+ test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
+ show-all: 'true'
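Review bot: `uses: falcosecurity/testing@main` in the `Run tests` step follows a moving branch, while every other action in this patch is pinned to a commit SHA. On a self-hosted runner, whatever is on `main` at run time executes directly on the host. Pin it the same way, `uses: falcosecurity/testing@<FULL_COMMIT_SHA> # <tag or date>`. The `Install Falco package` step also runs `sudo cp -r * /` on the runner itself, so files from the built tarball stay on the machine after the job unless the runner is recreated per job. A cleanup step, or a `container:` for this job, would keep the host in a known state.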