containers
/
automation
mirror of https://github.com/containers/automation.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: containers:main
Branches Tags
containers:main
containers:renovate/gql-4.x
containers:renovate/actions-checkout-5.x
containers:v5.0.1
containers:v5.0.0
containers:v4.3.1
containers:v4.3.0
containers:v4.2.1
containers:v4.2.0
containers:v4.1.2
containers:v4.1.1
containers:v4.1.0
containers:v4.0.0
containers:v3.2.4
containers:v3.2.3
containers:v3.2.2
containers:v3.2.1
containers:v3.2.0
containers:v3.1.0
containers:v3.0.0
containers:v2.1.4
containers:v2.1.3
containers:v2.1.2
containers:v2.1.1
containers:v2.1.0
containers:v2.0.0
containers:v1.2.3
containers:v1.2.2
containers:v1.2.1
containers:v1.2.0
containers:v1.1.3
containers:v1.1.2
containers:v1.1.1
containers:v1.1.0
containers:v1.0.1
containers:v1.0.0
..
compare: containers:v4.3.0
Branches Tags
containers:renovate/gql-4.x
containers:main
containers:renovate/actions-checkout-5.x
containers:v5.0.1
containers:v5.0.0
containers:v4.3.1
containers:v4.3.0
containers:v4.2.1
containers:v4.2.0
containers:v4.1.2
containers:v4.1.1
containers:v4.1.0
containers:v4.0.0
containers:v3.2.4
containers:v3.2.3
containers:v3.2.2
containers:v3.2.1
containers:v3.2.0
containers:v3.1.0
containers:v3.0.0
containers:v2.1.4
containers:v2.1.3
containers:v2.1.2
containers:v2.1.1
containers:v2.1.0
containers:v2.0.0
containers:v1.2.3
containers:v1.2.2
containers:v1.2.1
containers:v1.2.0
containers:v1.1.3
containers:v1.1.2
containers:v1.1.1
containers:v1.1.0
containers:v1.0.1
containers:v1.0.0

No commits in common. "main" and "v4.3.0" have entirely different histories.
main ... v4.3.0

49 changed files with 275 additions and 2847 deletions
Show Stats Expand all files Collapse all files

14
.cirrus.yml
View File

@ -27,11 +27,13 @@ cirrus-ci/unit-test_task:
cirrus-ci/renovate_validation_task:
only_if: *not_docs
container:
image: "ghcr.io/renovatebot/renovate:latest"
image: docker.io/renovate/renovate:latest
env:
RCV: /usr/local/bin/renovate-config-validator
preset_validate_script:
- renovate-config-validator $CIRRUS_WORKING_DIR/renovate/defaults.json5
- $RCV $CIRRUS_WORKING_DIR/renovate/defaults.json5
repo_validate_script:
- renovate-config-validator $CIRRUS_WORKING_DIR/.github/renovate.json5
- $RCV $CIRRUS_WORKING_DIR/.github/renovate.json5
# This is the same setup as used for Buildah CI
gcp_credentials: ENCRYPTED[fc95bcc9f4506a3b0d05537b53b182e104d4d3979eedbf41cf54205be6397ca0bce0831d0d47580cf578dae5776548a5]
@ -51,10 +53,10 @@ cirrus-ci/build-push_test_task:
# only stock, google-managed generic image. This also avoids needing to
# update custom-image last-used timestamps.
image_project: centos-cloud
image_family: centos-stream-9
timeout_in: 30
image_family: centos-stream-8
timeout_in: 20
env:
CIMG: quay.io/buildah/stable:latest
CIMG: quay.io/buildah/stable:v1.23.0
TEST_FQIN: quay.io/buildah/do_not_use
# Robot account credentials for test-push to
# $TEST_FQIN registry by build-push/test/testbuilds.sh

4
.github/renovate.json5 vendored
View File

@ -12,7 +12,7 @@
podman run -it \
-v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
ghcr.io/renovatebot/renovate:latest \
docker.io/renovate/renovate:latest \
renovate-config-validator
3. Commit.
@ -42,4 +42,6 @@
/*************************************************
*** Repository-specific configuration options ***
*************************************************/
// Don't leave dep. update. PRs "hanging", assign them to people.
"assignees": ["cevich"],
}

2
.github/workflows/action_helper_test.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Clone the repository code
uses: actions/checkout@v4
uses: actions/checkout@v3
with:
persist-credentials: false
path: ./

74
.github/workflows/cirrus-ci_retrospective.yml vendored
View File

@ -44,7 +44,7 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}
- name: Clone latest main branch repository code
uses: actions/checkout@v4
uses: actions/checkout@v3
with:
fetch-depth: 1
path: ./main
@ -64,14 +64,16 @@ jobs:
- if: steps.retro.outputs.do_intg == 'true'
id: create_pr_comment
name: Create a status comment in the PR
uses: thollander/actions-comment-pull-request@v3
# Ref: https://github.com/marketplace/actions/comment-action
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
issue_number: '${{ steps.retro.outputs.prn }}'
type: 'create'
token: '${{ secrets.GITHUB_TOKEN }}'
# N/B: At the time of this comment, it is not possible to provide
# direct links to specific job-steps (here) nor links to artifact
# files. There are open RFE's for this capability to be added.
message: >-
body: >-
[Cirrus-CI Retrospective Github
Action](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
has started. Running against
@ -82,7 +84,7 @@ jobs:
# block allow direct checkout of PR code.
- if: steps.retro.outputs.do_intg == 'true'
name: Clone all repository code
uses: actions/checkout@v4
uses: actions/checkout@v3
with:
# Get ALL available history to avoid problems during any run of
# 'git describe' from any script in the repo.
@ -117,11 +119,12 @@ jobs:
- if: steps.retro.outputs.do_intg == 'true'
id: edit_pr_comment_build
name: Update status comment on PR
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
message: >-
type: 'edit'
comment_id: '${{ steps.create_pr_comment.outputs.id }}'
token: '${{ secrets.GITHUB_TOKEN }}'
body: >-
Unit-testing passed (`${{ env.HELPER_LIB_TEST }}`)passed.
[Cirrus-CI Retrospective Github
Action](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
@ -132,11 +135,12 @@ jobs:
- if: steps.retro.outputs.do_intg == 'true'
id: edit_pr_comment_exec
name: Update status comment on PR again
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
message: >-
type: 'edit'
comment_id: '${{ steps.edit_pr_comment_build.outputs.id }}'
token: '${{ secrets.GITHUB_TOKEN }}'
body: >-
Smoke testing passed [Cirrus-CI Retrospective Github
Action](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
is triggering Cirrus-CI ${{ env.ACTION_TASK }} task.
@ -150,12 +154,12 @@ jobs:
run: |
set +x
trap "history -c" EXIT
curl --fail-with-body --request POST \
curl --request POST \
--url https://api.cirrus-ci.com/graphql \
--header "Authorization: Bearer ${{ secrets.CIRRUS_API_TOKEN }}" \
--header 'content-type: application/json' \
--data '{"query":"mutation {\n trigger(input: {taskId: \"${{steps.retro.outputs.tid}}\", clientMutationId: \"${{env.UUID}}\"}) {\n clientMutationId\n task {\n name\n }\n }\n}"}' \
| tee ./test_artifacts/action_task_trigger.json
> ./test_artifacts/action_task_trigger.json
actual=$(jq --raw-output '.data.trigger.clientMutationId' ./test_artifacts/action_task_trigger.json)
echo "Verifying '$UUID' matches returned tracking value '$actual'"
@ -163,11 +167,12 @@ jobs:
- if: steps.retro.outputs.do_intg == 'true'
name: Update comment on workflow success
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
message: >-
type: 'edit'
comment_id: '${{ steps.edit_pr_comment_exec.outputs.id }}'
token: '${{ secrets.GITHUB_TOKEN }}'
body: >-
Successfully triggered [${{ env.ACTION_TASK }}
task](https://cirrus-ci.com/task/${{ steps.retro.outputs.tid }}?command=main#L0)
to indicate
@ -178,11 +183,12 @@ jobs:
- if: failure() && steps.retro.outputs.do_intg == 'true'
name: Update comment on workflow failure
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
message: >-
type: 'edit'
comment_id: '${{ steps.create_pr_comment.outputs.id }}'
token: '${{ secrets.GITHUB_TOKEN }}'
body: >-
Failure running [Cirrus-CI Retrospective Github
Action](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
failed against this PR's
@ -191,22 +197,24 @@ jobs:
# This can happen because of --force push, manual cancel button press, or some other cause.
- if: cancelled() && steps.retro.outputs.do_intg == 'true'
name: Update comment on workflow cancellation
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: retro
message: '[Cancelled](https://github.com/${{github.repository}}/pull/${{steps.retro.outputs.prn}}/commits/${{steps.retro.outputs.sha}})'
type: 'edit'
comment_id: '${{ steps.create_pr_comment.outputs.id }}'
token: '${{ secrets.GITHUB_TOKEN }}'
body: '[Cancelled](https://github.com/${{github.repository}}/pull/${{steps.retro.outputs.prn}}/commits/${{steps.retro.outputs.sha}})'
# Abnormal workflow ($ACTION-TASK task already ran / not paused on a PR).
- if: steps.retro.outputs.is_pr == 'true' && steps.retro.outputs.do_intg != 'true'
id: create_error_pr_comment
name: Create an error status comment in the PR
# Ref: https://github.com/marketplace/actions/comment-action
uses: thollander/actions-comment-pull-request@v3
uses: jungwinter/comment@v1
with:
pr-number: '${{ steps.retro.outputs.prn }}'
comment-tag: error
message: >-
issue_number: '${{ steps.retro.outputs.prn }}'
type: 'create'
token: '${{ secrets.GITHUB_TOKEN }}'
body: >-
***ERROR***: [cirrus-ci_retrospective
action](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
found `${{ env.ACTION_TASK }}` task with unexpected `${{ steps.retro.outputs.tst }}`
@ -222,7 +230,7 @@ jobs:
# Provide an archive of files for debugging/analysis.
- if: always() && steps.retro.outputs.do_intg == 'true'
name: Archive event, build, and debugging output
uses: actions/upload-artifact@v4.6.2
uses: actions/upload-artifact@v3.1.2
with:
name: pr_${{ steps.retro.outputs.prn }}_debug.zip
path: ./test_artifacts

10
.github/workflows/release.yml vendored
View File

@ -28,9 +28,9 @@ jobs:
fi
unit-tests: # N/B: Duplicates `ubuntu_unit_tests.yml` - templating not supported
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v3
with:
# Testing installer requires a full repo. history
fetch-depth: 0
@ -77,7 +77,7 @@ jobs:
tag_name: ${{ steps.get_tag.outputs.TAG_NAME }}
release_name: ${{ steps.get_tag.outputs.TAG_NAME }}
- uses: actions/checkout@v4
- uses: actions/checkout@v3
with:
fetch-depth: 0
path: ./
@ -102,7 +102,7 @@ jobs:
REPO_USER: libpod
REPO_NAME: cirrus-ci_retrospective
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v3
with:
fetch-depth: 0
path: ./
@ -145,7 +145,7 @@ jobs:
run: jq --indent 4 --color-output . ${{ github.event_path }}
- if: always()
uses: actions/upload-artifact@v4.6.2
uses: actions/upload-artifact@v3.1.2
name: Archive triggering event JSON
with:
name: event.json.zip

4
.github/workflows/ubuntu_unit_tests.yml vendored
View File

@ -4,9 +4,9 @@ on: [push, pull_request]
jobs:
automation_unit-tests:
runs-on: ubuntu-24.04
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: false

2
README.md
View File

@ -80,7 +80,7 @@ if [[ -n "$AUTOMATION_LIB_PATH" ]]; then
else
(
echo "WARNING: It doesn't appear containers/automation common was installed."
) >> /dev/stderr
) > /dev/stderr
fi
...do stuff...

13
bin/install_automation.sh
View File

@ -36,7 +36,7 @@ INSTALL_PREFIX="${INSTALL_PREFIX%%/}" # Make debugging path problems easier
# When installing as root, allow sourcing env. vars. from this file
INSTALL_ENV_FILEPATH="${INSTALL_ENV_FILEPATH:-/etc/automation_environment}"
# Used internally here and in unit-testing, do not change without a really, really good reason.
_ARGS="$*"
_ARGS="$@"
_MAGIC_JUJU=${_MAGIC_JUJU:-XXXXX}
_DEFAULT_MAGIC_JUJU=d41d844b68a14ee7b9e6a6bb88385b4d
@ -109,8 +109,7 @@ install_automation() {
fi
# Allow re-installing different versions, clean out old version if found
if [[ -d "$actual_inst_path" ]] && [[ -r "$actual_inst_path/AUTOMATION_VERSION" ]]; then
local installed_version
installed_version=$(<"$actual_inst_path/AUTOMATION_VERSION")
local installed_version=$(cat "$actual_inst_path/AUTOMATION_VERSION")
msg "Warning: Removing existing installed version '$installed_version'"
rm -rvf "$actual_inst_path"
elif [[ -d "$actual_inst_path" ]]; then
@ -126,8 +125,8 @@ install_automation() {
dbg "Configuring environment file $INSTALLATION_SOURCE/environment"
cat <<EOF>"$INSTALLATION_SOURCE/environment"
# Added on $(date --utc --iso-8601=minutes) by $actual_inst_path/bin/$SCRIPT_FILENAME"
# for version '$AUTOMATION_VERSION'. Any manual modifications will be lost upon upgrade or reinstall.
# Added on $(date --iso-8601=minutes) by $actual_inst_path/bin/$SCRIPT_FILENAME"
# Any manual modifications will be lost upon upgrade or reinstall.
export AUTOMATION_LIB_PATH="$actual_inst_path/lib"
export PATH="$PATH:$actual_inst_path/bin"
EOF
@ -218,7 +217,7 @@ check_args() {
msg " Use version '$MAGIC_LOCAL_VERSION' to install from local source."
msg " Use version 'latest' to install from current upstream"
exit 2
elif ! echo "$AUTOMATION_VERSION" | grep -E -q "$arg_rx"; then
elif ! echo "$AUTOMATION_VERSION" | egrep -q "$arg_rx"; then
msg "Error: '$AUTOMATION_VERSION' does not appear to be a valid version number"
exit 4
elif [[ -z "$_ARGS" ]] && [[ "$_MAGIC_JUJU" == "XXXXX" ]]; then
@ -255,8 +254,6 @@ elif [[ "$_MAGIC_JUJU" == "$_DEFAULT_MAGIC_JUJU" ]]; then
CHAIN_TO="$INSTALLATION_SOURCE/$arg/.install.sh"
if [[ -r "$CHAIN_TO" ]]; then
# Cannot assume common was installed system-wide
# AUTOMATION_LIB_PATH defined by anchors.sh
# shellcheck disable=SC2154
env AUTOMATION_LIB_PATH=$AUTOMATION_LIB_PATH \
AUTOMATION_VERSION=$AUTOMATION_VERSION \
INSTALLATION_SOURCE=$INSTALLATION_SOURCE \

4
bin/run_all_tests.sh
View File

@ -20,10 +20,10 @@ runner_script_filename="$(basename $0)"
for test_subdir in $(find "$(realpath $(dirname $0)/../)" -type d -name test | sort -r); do
test_runner_filepath="$test_subdir/$runner_script_filename"
if [[ -x "$test_runner_filepath" ]] && [[ "$test_runner_filepath" != "$this_script_filepath" ]]; then
echo -e "\nExecuting $test_runner_filepath..." >> /dev/stderr
echo -e "\nExecuting $test_runner_filepath..." > /dev/stderr
$test_runner_filepath
else
echo -e "\nWARNING: Skipping $test_runner_filepath" >> /dev/stderr
echo -e "\nWARNING: Skipping $test_runner_filepath" > /dev/stderr
fi
done

108
build-push/bin/build-push.sh
View File

@ -22,7 +22,7 @@ if [[ ! -r "$AUTOMATION_LIB_PATH/common_lib.sh" ]]; then
echo "ERROR: Expecting \$AUTOMATION_LIB_PATH to contain the installation"
echo " directory path for the common automation tooling."
echo " Please refer to the README.md for installation instructions."
) >> /dev/stderr
) > /dev/stderr
exit 2 # Verified by tests
fi
@ -228,8 +228,7 @@ parse_args() {
dbg "Grabbing Context parameter: '$arg'."
CONTEXT=$(realpath -e -P $arg || die_help "$E_CONTEXT '$arg'")
else
# Hack: Allow array addition to handle any embedded special characters
# shellcheck disable=SC2207
# Properly handle any embedded special characters
BUILD_ARGS+=($(printf "%q" "$arg"))
fi
;;
@ -291,12 +290,12 @@ stage_notice() {
# N/B: It would be nice/helpful to resolve any env. vars. in '$@'
# for display. Unfortunately this is hard to do safely
# with (e.g.) eval echo "$@" :(
msg="$*"
msg="$@"
(
echo "############################################################"
echo "$msg"
echo "############################################################"
) >> /dev/stderr
) > /dev/stderr
}
BUILTIID="" # populated with the image-id on successful build
@ -323,31 +322,22 @@ parallel_build() {
# Keep user-specified BUILD_ARGS near the beginning so errors are easy to spot
# Provide a copy of the output in case something goes wrong in a complex build
stage_notice "Executing build command: '$RUNTIME build ${BUILD_ARGS[*]} ${_args[*]}'"
stage_notice "Executing build command: '$RUNTIME build ${BUILD_ARGS[@]} ${_args[@]}'"
"$RUNTIME" build "${BUILD_ARGS[@]}" "${_args[@]}"
}
confirm_arches() {
local inspjson
local filter=".manifests[].platform.architecture"
local arch
local maniarches
dbg "in confirm_arches()"
req_env_vars FQIN ARCHES RUNTIME
if ! inspjson=$($RUNTIME manifest inspect "containers-storage:$FQIN:latest"); then
die "Error reading manifest list metadata for 'containers-storage:$FQIN:latest'"
fi
# Convert into space-delimited string for grep error message (below)
# TODO: Use an array instead, could be simpler? Would need testing.
if ! maniarches=$(jq -r "$filter" <<<"$inspjson" | \
grep -v 'null' | \
tr -s '[:space:]' ' ' | \
sed -z '$ s/[\n ]$//'); then
die "Error processing manifest list metadata:
$inspjson"
fi
maniarches=$($RUNTIME manifest inspect "containers-storage:$FQIN:latest" | \
jq -r "$filter" | \
grep -v 'null' | \
tr -s '[:space:]' ' ' | \
sed -z '$ s/[\n ]$//')
dbg "Found manifest arches: $maniarches"
for arch in $ARCHES; do
@ -367,7 +357,7 @@ registry_login() {
$RUNTIME login --username "$NAMESPACE_USERNAME" --password-stdin \
"$REGSERVER/$NAMESPACE"
LOGGEDIN=1
elif ((PUSH)); then
else
dbg " Already logged in"
fi
@ -379,8 +369,6 @@ run_prepmod_cmd() {
local kind="$1"
shift
dbg "Exporting variables '$_CMD_ENV'"
# The indirect export is intentional here
# shellcheck disable=SC2163
export $_CMD_ENV
stage_notice "Executing $kind-command: " "$@"
bash -c "$@"
@ -389,72 +377,51 @@ run_prepmod_cmd() {
# Outputs sorted list of FQIN w/ tags to stdout, silent otherwise
get_manifest_tags() {
local result_json
local fqin_names
local _json
dbg "in get_manifest_fqins()"
# At the time of this comment, there is no reliable way to
# lookup all tags based solely on inspecting a manifest.
# However, since we know $FQIN (remember, value has no tag) we can
# use it to search all related names in container storage. Unfortunately
# use it to search all related names container storage. Unfortunately
# because images can have multiple tags, the `reference` filter
# can return names we don't care about. Work around this with a
# grep of $FQIN in the results.
if ! result_json=$($RUNTIME images --json --filter=reference=$FQIN); then
die "Error listing manifest-list images that reference '$FQIN'"
# can return names we don't care about. Work around this by
# sending the final result back through a grep of $FQIN
_json=$($RUNTIME images --json --filter=reference=$FQIN)
dbg "Image listing json: $_json"
if [[ -n "$_json" ]] && jq --exit-status '.[].names' <<<"$_json" &>/dev/null
then
jq --raw-output '.[].names[]'<<<"$_json" | grep "$FQIN" | sort
fi
dbg "Image listing json: $result_json"
if [[ -n "$result_json" ]]; then # N/B: value could be '[]'
# Rely on the caller to handle an empty list, ignore items missing a name key.
if ! fqin_names=$(jq -r '.[]? | .names[]?'<<<"$result_json"); then
die "Error obtaining image names from '$FQIN' manifest-list search result:
$result_json"
fi
dbg "Sorting fqin_names"
# Don't emit an empty newline when the list is empty
[[ -z "$fqin_names" ]] || \
sort <<<"$fqin_names"
fi
dbg "get_manifest_tags() returning successfully"
}
push_images() {
local fqin_list
local fqin
local _fqins
local _fqin
dbg "in push_images()"
# It's possible that --modcmd=* removed all images, make sure
# this is known to the caller.
if ! fqin_list=$(get_manifest_tags); then
die "Retrieving set of manifest-list tags to push for '$FQIN'"
fi
if [[ -z "$fqin_list" ]]; then
warn "No FQIN(s) to be pushed."
_fqins=$(get_manifest_tags)
if [[ -z "$_fqins" ]]; then
die "No FQIN(s) to be pushed."
fi
if ((PUSH)); then
dbg "Will try to push FQINs: '$fqin_list'"
dbg "Will try to push FQINs: $_fqins"
registry_login
for fqin in $fqin_list; do
# Note: --all means push manifest AND images it references
msg "Pushing $fqin"
$RUNTIME manifest push --all $fqin docker://$fqin
done
else
# Even if --nopush was specified, be helpful to humans with a lookup of all the
# relevant tags for $FQIN that would have been pushed and display them.
warn "Option --nopush specified, not pushing: '$fqin_list'"
fi
registry_login
for _fqin in $_fqins; do
# Note: --all means push manifest AND images it references
msg "Pushing $_fqin"
$RUNTIME manifest push --all $_fqin docker://$_fqin
done
}
##### MAIN() #####
# Handle requested help first before anything else
if grep -q -- '--help' <<<"$@"; then
echo "$E_USAGE" >> /dev/stdout # allow grep'ing
echo "$E_USAGE" > /dev/stdout # allow grep'ing
exit 0
fi
@ -466,16 +433,9 @@ if [[ -n "$PREPCMD" ]]; then
fi
parallel_build "$FQIN:latest"
# If a parallel build or the manifest-list assembly fails, buildah
# may still exit successfully. Catch this condition by verifying
# all expected arches are present in the manifest list.
confirm_arches
if [[ -n "$MODCMD" ]]; then
registry_login
run_prepmod_cmd mod "$MODCMD"
fi
# Handles --nopush internally
push_images
if ((PUSH)); then push_images; fi

6
build-push/test/fake_buildah.sh
View File

@ -29,15 +29,13 @@ if [[ "$1" == "build" ]]; then
elif [[ "$1" == "manifest" ]]; then
# validate json while outputing it
jq . $DATF
elif [[ "$1" == "info" ]]; then
elif [[ "$1" =~ info ]]; then
case "$@" in
*arch*) echo "amd64" ;;
*cpus*) echo "2" ;;
*) exit 1 ;;
esac
elif [[ "$1" == "images" ]]; then
echo '[{"names":["localhost/foo/bar:latest"]}]'
else
echo "ERROR: Unexpected arg '$1' to fake_buildah.sh" >> /dev/stderr
echo "ERROR: Unexpected call to fake_buildah.sh"
exit 9
fi

10
build-push/test/qemusetup.sh
View File

@ -4,16 +4,22 @@
set -eo pipefail
# shellcheck disable=SC2154
if [[ "$CIRRUS_CI" == "true" ]]; then
# Cirrus-CI is setup (see .cirrus.yml) to run tests on CentOS
# for simplicity, but it has no native qemu-user-static. For
# the benefit of CI testing, cheat and use whatever random
# emulators are included in the container image.
# Workaround silly stupid hub rate-limiting
cat >> /etc/containers/registries.conf << EOF
[[registry]]
prefix="docker.io/library"
location="mirror.gcr.io"
EOF
# N/B: THIS IS NOT SAFE FOR PRODUCTION USE!!!!!
podman run --rm --privileged \
mirror.gcr.io/multiarch/qemu-user-static:latest \
docker.io/multiarch/qemu-user-static:latest \
--reset -p yes
elif [[ -x "/usr/bin/qemu-aarch64-static" ]]; then
# TODO: Better way to determine if kernel already setup?

27
build-push/test/testbuilds.sh
View File

@ -4,7 +4,7 @@
# Any/all other usage is virtually guaranteed to fail and/or cause
# harm to the system.
for varname in RUNTIME SUBJ_FILEPATH TEST_CONTEXT TEST_SOURCE_DIRPATH TEST_FQIN BUILDAH_USERNAME BUILDAH_PASSWORD; do
for varname in RUNTIME TEST_FQIN BUILDAH_USERNAME BUILDAH_PASSWORD; do
value=${!varname}
if [[ -z "$value" ]]; then
echo "ERROR: Required \$$varname variable is unset/empty."
@ -13,8 +13,6 @@ for varname in RUNTIME SUBJ_FILEPATH TEST_CONTEXT TEST_SOURCE_DIRPATH TEST_FQIN
done
unset value
# RUNTIME is defined by caller
# shellcheck disable=SC2154
$RUNTIME --version
test_cmd "Confirm $(basename $RUNTIME) is available" \
0 "buildah version .+" \
@ -25,9 +23,7 @@ test_cmd "Confirm skopeo is available" \
0 "skopeo version .+" \
skopeo --version
PREPCMD='echo "SpecialErrorMessage:$REGSERVER" >> /dev/stderr && exit 42'
# SUBJ_FILEPATH and TEST_CONTEXT are defined by caller
# shellcheck disable=SC2154
PREPCMD='echo "SpecialErrorMessage:$REGSERVER" > /dev/stderr && exit 42'
test_cmd "Confirm error output and exit(42) from --prepcmd" \
42 "SpecialErrorMessage:localhost" \
bash -c "$SUBJ_FILEPATH --nopush localhost/foo/bar $TEST_CONTEXT --prepcmd='$PREPCMD' 2>&1"
@ -57,7 +53,7 @@ test_cmd "Confirm manifest-list can be removed by name" \
$RUNTIME manifest rm containers-storage:localhost/foo/bar:latest
test_cmd "Verify expected partial failure when passing bogus architectures" \
125 "no image found in image index for architecture" \
125 "error creating build.+architecture staple" \
bash -c "A_DEBUG=1 $SUBJ_FILEPATH --arches=correct,horse,battery,staple localhost/foo/bar --nopush $TEST_CONTEXT 2>&1"
MODCMD='$RUNTIME tag $FQIN:latest $FQIN:9.8.7-testing'
@ -90,12 +86,15 @@ test_cmd "Verify tagged manifest image digest matches the same in latest" \
MODCMD='
set -x;
$RUNTIME images && \
$RUNTIME manifest rm $FQIN:latest && \
$RUNTIME manifest rm $FQIN:9.8.7-testing && \
$RUNTIME manifest rm containers-storage:$FQIN:latest && \
$RUNTIME manifest rm containers-storage:$FQIN:9.8.7-testing && \
echo "AllGone";
'
test_cmd "Verify --modcmd can execute command string that removes all tags" \
0 "AllGone.*No FQIN.+to be pushed" \
# TODO: Test fails due to: https://github.com/containers/buildah/issues/3490
# for now pretend it should exit(125) which will be caught when bug is fixed
# - causing it to exit(0) as it should
test_cmd "Verify --modcmd can execute a long string with substitutions" \
125 "AllGone" \
bash -c "A_DEBUG=1 $SUBJ_FILEPATH --modcmd='$MODCMD' localhost/foo/bar --nopush $TEST_CONTEXT 2>&1"
test_cmd "Verify previous --modcmd removed the 'latest' tagged image" \
@ -110,8 +109,6 @@ FAKE_VERSION=$RANDOM
MODCMD="set -ex;
\$RUNTIME tag \$FQIN:latest \$FQIN:$FAKE_VERSION;
\$RUNTIME manifest rm \$FQIN:latest;"
# TEST_FQIN and TEST_SOURCE_DIRPATH defined by caller
# shellcheck disable=SC2154
test_cmd "Verify e2e workflow w/ additional build-args" \
0 "Pushing $TEST_FQIN:$FAKE_VERSION" \
bash -c "env A_DEBUG=1 $SUBJ_FILEPATH \
@ -124,7 +121,7 @@ test_cmd "Verify e2e workflow w/ additional build-args" \
2>&1"
test_cmd "Verify latest tagged image was not pushed" \
2 'reading manifest latest in quay\.io/buildah/do_not_use: manifest unknown' \
1 "(Tag latest was deleted or has expired.)|(manifest unknown: manifest unknown)" \
skopeo inspect docker://$TEST_FQIN:latest
test_cmd "Verify architectures can be obtained from manifest list" \
@ -135,7 +132,7 @@ test_cmd "Verify architectures can be obtained from manifest list" \
for arch in amd64 s390x arm64 ppc64le; do
test_cmd "Verify $arch architecture present in $TEST_FQIN:$FAKE_VERSION" \
0 "" \
grep -Fqx "$arch" $TEST_TEMP/maniarches
fgrep -qx "$arch" $TEST_TEMP/maniarches
done
test_cmd "Verify pushed image can be removed" \

27
certificate-generator/README.md
View File

@ -1,27 +0,0 @@
# Podman First-Time Contributor Certificate Generator
This directory contains a simple web-based certificate generator to celebrate first-time contributors to the Podman project.
## Files
- **`certificate_generator.html`** - Interactive web interface for creating certificates
- **`certificate_template.html`** - The certificate template used for generation
- **`first_pr.png`** - Podman logo/branding image used in certificates
## Usage
1. Open `certificate_generator.html` in a web browser
2. Fill in the contributor's details:
- Name
- Pull Request number
- Date (defaults to current date)
3. Preview the certificate in real-time
4. Click "Download Certificate" to save as HTML
## Purpose
These certificates are designed to recognize and celebrate community members who make their first contribution to the Podman project. The certificates feature Podman branding and can be customized for each contributor.
## Contributing
Feel free to improve the design, add features, or suggest enhancements to make the certificate generator even better for recognizing our amazing contributors!

277
certificate-generator/certificate_generator.html
View File

@ -1,277 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Podman Certificate Generator</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;600&display=swap');
@import url('https://fonts.googleapis.com/css2?family=Merriweather:wght@400;700;900&display=swap');
body {
font-family: 'Inter', sans-serif;
background-color: #f0f2f5;
margin: 0;
padding: 2rem;
}
.container {
display: grid;
grid-template-columns: 380px 1fr;
gap: 2rem;
max-width: 1600px;
margin: auto;
}
.form-panel {
background-color: white;
padding: 2rem;
border-radius: 8px;
box-shadow: 0 4px 12px rgba(0,0,0,0.1);
height: fit-content;
position: sticky;
top: 2rem;
}
.form-panel h2 {
margin-top: 0;
color: #333;
font-family: 'Merriweather', serif;
}
.form-group {
margin-bottom: 1.5rem;
}
.form-group label {
display: block;
margin-bottom: 0.5rem;
font-weight: 600;
color: #555;
}
.form-group input {
width: 100%;
padding: 0.75rem;
border: 1px solid #ccc;
border-radius: 4px;
box-sizing: border-box;
font-size: 1rem;
}
.action-buttons {
display: flex;
gap: 1rem;
margin-top: 1.5rem;
}
.action-buttons button {
flex-grow: 1;
padding: 0.75rem;
border: none;
border-radius: 4px;
font-size: 1rem;
font-weight: 600;
cursor: pointer;
transition: background-color 0.3s;
}
#downloadBtn {
background-color: #28a745;
color: white;
}
#downloadBtn:hover {
background-color: #218838;
}
.preview-panel {
display: flex;
justify-content: center;
align-items: flex-start;
}
/* Certificate Styles (copied from template and scaled) */
.certificate {
width: 800px;
height: 1100px;
background: #fdfaf0;
border: 2px solid #333;
position: relative;
box-shadow: 0 10px 30px rgba(0,0,0,0.2);
padding: 50px;
box-sizing: border-box;
display: flex;
flex-direction: column;
align-items: center;
font-family: 'Merriweather', serif;
transform: scale(0.8);
transform-origin: top center;
}
.party-popper { position: absolute; font-size: 40px; }
.top-left { top: 40px; left: 40px; }
.top-right { top: 40px; right: 40px; }
.main-title { font-size: 48px; font-weight: 900; color: #333; text-align: center; margin-top: 60px; line-height: 1.2; text-transform: uppercase; }
.subtitle { font-size: 24px; font-weight: 400; color: #333; text-align: center; margin-top: 30px; text-transform: uppercase; letter-spacing: 2px; }
.contributor-name { font-size: 56px; font-weight: 700; color: #333; text-align: center; margin: 15px 0 50px; }
.mascot-image { width: 450px; height: 450px; background-image: url('first_pr.png'); background-size: contain; background-repeat: no-repeat; background-position: center; margin-top: 20px; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.description { font-size: 22px; color: #333; line-height: 1.6; text-align: center; margin-top: 40px; }
.description strong { font-weight: 700; }
.footer { width: 100%; margin-top: auto; padding-top: 30px; border-top: 1px solid #ccc; display: flex; justify-content: space-between; align-items: flex-end; font-size: 16px; color: #333; }
.pr-info { text-align: left; }
.signature { text-align: right; font-style: italic; }
@media print {
body {
background: #fff;
margin: 0;
padding: 0;
}
.form-panel, .action-buttons {
display: none;
}
.container {
display: block;
margin: 0;
padding: 0;
}
.preview-panel {
padding: 0;
margin: 0;
}
.certificate {
transform: scale(1);
box-shadow: none;
width: 100%;
height: 100vh;
page-break-inside: avoid;
}
}
</style>
</head>
<body>
<div class="container">
<div class="form-panel">
<h2>Certificate Generator</h2>
<div class="form-group">
<label for="contributorName">Contributor Name</label>
<input type="text" id="contributorName" value="Mike McGrath">
</div>
<div class="form-group">
<label for="prNumber">PR Number</label>
<input type="text" id="prNumber" value="26393">
</div>
<div class="form-group">
<label for="mergeDate">Date</label>
<input type="text" id="mergeDate" value="June 13, 2025">
</div>
<div class="action-buttons">
<button id="downloadBtn">Download HTML</button>
</div>
</div>
<div class="preview-panel">
<div id="certificatePreview">
<!-- Certificate HTML will be injected here by script -->
</div>
</div>
</div>
<script>
const nameInput = document.getElementById('contributorName');
const prNumberInput = document.getElementById('prNumber');
const dateInput = document.getElementById('mergeDate');
const preview = document.getElementById('certificatePreview');
function generateCertificateHTML(name, prNumber, date) {
const prLink = `https://github.com/containers/podman/pull/${prNumber}`;
// This is the full, self-contained HTML for the certificate
return `
<div class="certificate">
<div class="party-popper top-left">🎉</div>
<div class="party-popper top-right">🎉</div>
<div class="main-title">Certificate of<br>Contribution</div>
<div class="subtitle">Awarded To</div>
<div class="contributor-name">${name}</div>
<div class="mascot-image"></div>
<div class="description">
For successfully submitting and merging their <strong>First Pull Request</strong> to the <strong>Podman project</strong>.<br>
Your contribution helps make open source better—one PR at a time!
</div>
<div class="footer">
<div class="pr-info">
<div>🔧 Merged PR: <a href="${prLink}" target="_blank">${prLink}</a></div>
<div style="margin-top: 5px;">${date}</div>
</div>
<div class="signature">
Keep hacking, keep contributing!<br>
The Podman Community
</div>
</div>
</div>
`;
}
function updatePreview() {
const name = nameInput.value || '[CONTRIBUTOR_NAME]';
const prNumber = prNumberInput.value || '[PR_NUMBER]';
const date = dateInput.value || '[DATE]';
preview.innerHTML = generateCertificateHTML(name, prNumber, date);
}
document.getElementById('downloadBtn').addEventListener('click', () => {
const name = nameInput.value || 'contributor';
const prNumber = prNumberInput.value || '00000';
const date = dateInput.value || 'Date';
const certificateHTML = generateCertificateHTML(name, prNumber, date);
const fullPageHTML = `
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Certificate for ${name}</title>
<style>
/* All the CSS from the generator page */
@import url('https://fonts.googleapis.com/css2?family=Merriweather:wght@400;700;900&display=swap');
body { margin: 20px; font-family: 'Merriweather', serif; background: #e0e0e0; }
.certificate {
transform: scale(1);
box-shadow: none;
margin: auto;
}
/* Paste all certificate-related styles here */
.certificate { width: 800px; height: 1100px; background: #fdfaf0; border: 2px solid #333; position: relative; padding: 50px; box-sizing: border-box; display: flex; flex-direction: column; align-items: center; }
.party-popper { position: absolute; font-size: 40px; }
.top-left { top: 40px; left: 40px; }
.top-right { top: 40px; right: 40px; }
.main-title { font-size: 48px; font-weight: 900; color: #333; text-align: center; margin-top: 60px; line-height: 1.2; text-transform: uppercase; }
.subtitle { font-size: 24px; font-weight: 400; color: #333; text-align: center; margin-top: 30px; text-transform: uppercase; letter-spacing: 2px; }
.contributor-name { font-size: 56px; font-weight: 700; color: #333; text-align: center; margin: 15px 0 50px; }
.mascot-image { width: 450px; height: 450px; background-image: url('first_pr.png'); background-size: contain; background-repeat: no-repeat; background-position: center; margin-top: 20px; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.description { font-size: 22px; color: #333; line-height: 1.6; text-align: center; margin-top: 40px; }
.description strong { font-weight: 700; }
.footer { width: 100%; margin-top: auto; padding-top: 30px; border-top: 1px solid #ccc; display: flex; justify-content: space-between; align-items: flex-end; font-size: 16px; color: #333; }
.pr-info { text-align: left; }
.signature { text-align: right; font-style: italic; }
@media print {
@page { size: A4 portrait; margin: 0; }
body, html { width: 100%; height: 100%; margin: 0; padding: 0; }
.certificate { width: 100%; height: 100%; box-shadow: none; transform: scale(1); }
}
</style>
</head>
<body>${certificateHTML}</body>
</html>
`;
const blob = new Blob([fullPageHTML], { type: 'text/html' });
const url = URL.createObjectURL(blob);
const a = document.createElement('a');
a.href = url;
a.download = `podman-contribution-certificate-${name.toLowerCase().replace(/\s+/g, '-')}.html`;
document.body.appendChild(a);
a.click();
document.body.removeChild(a);
URL.revokeObjectURL(url);
});
// Add event listeners to update preview on input change
[nameInput, prNumberInput, dateInput].forEach(input => {
input.addEventListener('input', updatePreview);
});
// Initial preview generation
updatePreview();
</script>
</body>
</html>

175
certificate-generator/certificate_template.html
View File

@ -1,175 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Podman Certificate of Contribution</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=Merriweather:wght@400;700;900&display=swap');
body {
margin: 0;
padding: 20px;
font-family: 'Merriweather', serif;
background: #e0e0e0;
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
}
.certificate {
width: 800px;
height: 1100px;
background: #fdfaf0;
border: 2px solid #333;
position: relative;
box-shadow: 0 10px 30px rgba(0, 0, 0, 0.2);
padding: 50px;
box-sizing: border-box;
display: flex;
flex-direction: column;
align-items: center;
}
.party-popper {
position: absolute;
font-size: 40px;
}
.top-left {
top: 40px;
left: 40px;
}
.top-right {
top: 40px;
right: 40px;
}
.main-title {
font-size: 48px;
font-weight: 900;
color: #333;
text-align: center;
margin-top: 60px;
line-height: 1.2;
text-transform: uppercase;
}
.subtitle {
font-size: 24px;
font-weight: 400;
color: #333;
text-align: center;
margin-top: 30px;
text-transform: uppercase;
letter-spacing: 2px;
}
.contributor-name {
font-size: 56px;
font-weight: 700;
color: #333;
text-align: center;
margin: 15px 0 50px;
}
.mascot-image {
width: 450px;
height: 450px;
background-image: url('first_pr.png');
background-size: contain;
background-repeat: no-repeat;
background-position: center;
margin-top: 20px;
-webkit-print-color-adjust: exact;
print-color-adjust: exact;
}
.description {
font-size: 22px;
color: #333;
line-height: 1.6;
text-align: center;
margin-top: 40px;
}
.description strong {
font-weight: 700;
}
.footer {
width: 100%;
margin-top: auto;
padding-top: 30px;
border-top: 1px solid #ccc;
display: flex;
justify-content: space-between;
align-items: flex-end;
font-size: 16px;
color: #333;
}
.pr-info {
text-align: left;
}
.signature {
text-align: right;
font-style: italic;
}
@media print {
@page {
size: A4 portrait;
margin: 0;
}
body, html {
width: 100%;
height: 100%;
margin: 0;
padding: 0;
background: #fdfaf0;
}
.certificate {
width: 100%;
height: 100vh;
box-shadow: none;
transform: scale(1);
border-radius: 0;
page-break-inside: avoid;
}
}
</style>
</head>
<body>
<div class="certificate">
<div class="party-popper top-left">🎉</div>
<div class="party-popper top-right">🎉</div>
<div class="main-title">Certificate of<br>Contribution</div>
<div class="subtitle">Awarded To</div>
<div class="contributor-name">[CONTRIBUTOR_NAME]</div>
<div class="mascot-image"></div>
<div class="description">
For successfully submitting and merging their <strong>First Pull Request</strong> to the <strong>Podman project</strong>.<br>
Your contribution helps make open source better—one PR at a time!
</div>
<div class="footer">
<div class="pr-info">
<div>🔧 Merged PR: [PR_LINK]</div>
<div style="margin-top: 5px;">[DATE]</div>
</div>
<div class="signature">
Keep hacking, keep contributing!<br>
The Podman Community
</div>
</div>
</div>
</body>
</html>

BIN
certificate-generator/first_pr.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 578 KiB

BIN
certificates/mohanboddu-122-2025-08-12T16-35-04-367Z.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 138 KiB

BIN
certificates/mohanboddu-122-2025-08-12T16-37-41-184Z.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 138 KiB

2
ci/Dockerfile
View File

@ -6,7 +6,7 @@ RUN microdnf update -y && \
perl-Test perl-Test-Simple perl-Test-Differences \
perl-YAML-LibYAML perl-FindBin \
python3 python3-virtualenv python3-pip gcc python3-devel \
python3-flake8 python3-pep8-naming python3-flake8-import-order python3-flake8-polyfill python3-mccabe python3-pep8-naming && \
python3-flake8 python3-pep8-naming python3-flake8-docstrings python3-flake8-import-order python3-flake8-polyfill python3-mccabe python3-pep8-naming && \
microdnf clean all && \
rm -rf /var/cache/dnf
# Required by perl

2
cirrus-ci_artifacts/cirrus-ci_artifacts
View File

@ -16,7 +16,7 @@ if [[ -z "$AUTOMATION_LIB_PATH" ]]; then
(
echo "ERROR: Expecting \$AUTOMATION_LIB_PATH to be defined with the"
echo " installation directory of automation tooling."
) >> /dev/stderr
) > /dev/stderr
exit 1
fi

2
cirrus-ci_artifacts/requirements.txt
View File

@ -16,4 +16,4 @@ PyYAML~=6.0
aiohttp[speedups]~=3.8
gql[requests]~=3.3
requests>=2,<3
urllib3<2.5.1
urllib3<2.0.0

2
cirrus-ci_artifacts/test/test_cirrus-ci_artifacts.py
View File

@ -160,8 +160,6 @@ class TestMain(unittest.TestCase):
fake_stdout = StringIO()
fake_stderr = StringIO()
with redirect_stderr(fake_stderr), redirect_stdout(fake_stdout):
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
results = ccia.main(self.bid)
self.assertEqual(fake_stderr.getvalue(), '')
for line in fake_stdout.getvalue().splitlines():

4
cirrus-ci_retrospective/lib/cirrus-ci_retrospective.sh
View File

@ -64,7 +64,7 @@ curl_post() {
die "Expecting non-empty data argument"
[[ -n "$token" ]] || \
dbg "### Warning: \$GITHUB_TOKEN is empty, performing unauthenticated query" >> /dev/stderr
dbg "### Warning: \$GITHUB_TOKEN is empty, performing unauthenticated query" > /dev/stderr
# Don't expose secrets on any command-line
local headers_tmpf
local headers_tmpf=$(tmpfile headers)
@ -81,7 +81,7 @@ EOF
local curl_cmd="$CURL --silent --request POST --url $url --header @$headers_tmpf --data @$data_tmpf"
dbg "### Executing '$curl_cmd'"
local ret="0"
$curl_cmd >> /dev/stdout || ret=$?
$curl_cmd > /dev/stdout || ret=$?
# Don't leave secrets lying around in files
rm -f "$headers_tmpf" "$data_tmpf" &> /dev/null

101
cirrus-task-map/cirrus-task-map
View File

@ -197,12 +197,11 @@ sub write_img {
# Annotate: add signature line at lower left
# FIXME: include git repo info?
if (grep { -x "$_/magick" } split(":", $ENV{PATH})) {
if (grep { -x "$_/convert" } split(":", $ENV{PATH})) {
unlink $img_out_tmp;
my $signature = strftime("Generated %Y-%m-%dT%H:%M:%S%z by $ME v$VERSION", localtime);
my @cmd = (
"magick",
$img_out,
"convert",
'-family' => 'Courier',
'-pointsize' => '12',
# '-style' => 'Normal', # Argh! This gives us Bold!?
@ -210,7 +209,7 @@ sub write_img {
'-fill' => '#000',
'-gravity' => 'SouthWest',
"-annotate", "+5+5", $signature,
$img_out_tmp
"$img_out" => "$img_out_tmp"
);
if (system(@cmd) == 0) {
rename $img_out_tmp => $img_out;
@ -425,44 +424,18 @@ sub _size {
}
##############
# _by_type # sort helper, for clustering int/sys/machine tests
# _by_size # sort helper, for putting big nodes at bottom
##############
sub _by_type {
my $ax = $a->{name};
my $bx = $b->{name};
# The big test types, in the order we want to show them
my @types = qw(integration system bud machine);
my %type_order = map { $types[$_] => $_ } (0..$#types);
my $type_re = join('|', @types);
if ($ax =~ /($type_re)/) {
my $a_type = $1;
if ($bx =~ /($type_re)/) {
my $b_type = $1;
return $type_order{$a_type} <=> $type_order{$b_type}
|| $ax cmp $bx;
}
else {
# e.g., $b is "win installer", $a is in @types, $b < $a
return 1;
}
}
elsif ($bx =~ /($type_re)/) {
# e.g., $a is "win installer", $b is in @types, $a < $b
return -1;
}
# Neither a nor b is in @types
$ax cmp $bx;
sub _by_size {
_size($a) <=> _size($b) ||
$a->{name} cmp $b->{name};
}
sub depended_on_by {
my $self = shift;
if (my $d = $self->{_depended_on_by}) {
my @d = sort _by_type map { $self->{_tasklist}->find($_) } @$d;
my @d = sort _by_size map { $self->{_tasklist}->find($_) } @$d;
return @d;
}
return;
@ -782,16 +755,12 @@ sub _draw_boxes {
if (my $only_if = $task->{yml}{only_if}) {
$shape = 'record';
$label .= '|' if $label;
# Collapse whitespace, and remove leading/trailing
$only_if =~ s/[\s\n]+/ /g;
$only_if =~ s/^\s+|\s+$//g;
# 2024-06-18 Paul CI skips
if ($only_if =~ m{\$CIRRUS_PR\s+==\s+''\s+.*\$CIRRUS_CHANGE_TITLE.*CI:ALL.*changesInclude.*test}) {
$label .= "[SKIP if not needed]";
if ($only_if =~ /CI:DOCS.*CI:BUILD/) {
$label .= "[SKIP: CI:BUILD]\\l[SKIP: CI:DOCS]\\l";
}
elsif ($only_if =~ /CI:DOCS/) {
$label .= "[SKIP: CI:DOCS]\\l";
}
# 2020-10 used in automation_images repo
elsif ($only_if eq q{$CIRRUS_PR != ''}) {
$label .= "[only if PR]";
@ -834,28 +803,7 @@ sub _draw_boxes {
elsif ($only_if =~ /CIRRUS_BRANCH\s+==\s+'main'\s+&&\s+\$CIRRUS_CRON\s+==\s+''/) {
$label .= "[only on merge]";
}
elsif ($only_if =~ /CIRRUS_BRANCH\s+!=~\s+'v.*-rhel'\s+&&\s+\$CIRRUS_BASE_BRANCH\s+!=~\s+'v.*-rhel'/) {
$label .= "[only if no RHEL release]";
}
elsif ($only_if =~ /CIRRUS_CHANGE_TITLE.*CI:BUILD.*CIRRUS_CHANGE_TITLE.*CI:MACHINE/s) {
$label .= "[SKIP: CI:BUILD or CI:MACHINE]";
}
elsif ($only_if =~ /CIRRUS_CHANGE_TITLE\s+!=.*CI:MACHINE.*CIRRUS_BRANCH.*main.*CIRRUS_BASE_BRANCH.*main.*\)/s) {
$label .= "[only if: main]";
}
# automation_images
elsif ($only_if eq q{$CIRRUS_CRON == '' && $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH}) {
$label .= "[only if DEFAULT_BRANCH and not cron]";
}
elsif ($only_if eq q{$CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ ".*no_build-push.*"}) {
$label .= "[only if PR, but not no_build-push]";
}
elsif ($only_if eq q{$CIRRUS_CRON == 'lifecycle'}) {
$label .= "[only on cron=lifecycle]";
}
else {
warn "$ME: unexpected only_if: $only_if\n";
$label .= "[only if: $only_if]";
}
}
@ -870,27 +818,10 @@ sub _draw_boxes {
if (my $skip = $task->{yml}{skip}) {
$shape = 'record';
$label .= '|' if $label && $label !~ /SKIP/;
# Collapse whitespace, and remove leading/trailing
$skip =~ s/[\s\n]+/ /g;
$skip =~ s/^\s+|\s+$//g;
my @reasons;
# automation_images
if ($skip eq q{$CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*' || $CIRRUS_CHANGE_TITLE =~ '.*CI:TOOLING.*'}) {
push @reasons, "CI:DOCS or CI:TOOLING";
}
elsif ($skip eq q{$CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*'}) {
push @reasons, "CI:DOCS";
}
elsif ($skip eq '$CI == $CI') {
push @reasons, "DISABLED MANUALLY";
}
elsif ($skip) {
warn "$ME: unexpected skip '$skip'\n";
}
push @reasons, 'BRANCH','TAG' if $skip =~ /CIRRUS_PR.*CIRRUS_TAG/;
push @reasons, 'TAG' if $skip eq q{$CIRRUS_TAG != ''};
push @reasons, 'CI:DOCS' if $skip =~ /CI:DOCS/;
if (@reasons) {
$label .= join('', map { "[SKIP: $_]\\l" } @reasons);
}

26
cirrus-task-map/test/cirrus-task-map.t
View File

@ -90,14 +90,14 @@ end_task:
- "middle_2"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
"real_name_of_initial" [shape=ellipse style=bold color=a fontcolor=a]
"real_name_of_initial" -> "end" [color=a]
"end" [shape=ellipse style=bold color=z fontcolor=z]
"real_name_of_initial" -> "middle_1" [color=a]
"middle_1" [shape=ellipse style=bold color=b fontcolor=b]
"middle_1" -> "end" [color=b]
"end" [shape=ellipse style=bold color=z fontcolor=z]
"real_name_of_initial" -> "middle_2" [color=a]
"middle_2" [shape=ellipse style=bold color=c fontcolor=c]
"middle_2" -> "end" [color=c]
"real_name_of_initial" -> "end" [color=a]
<<<<<<<<<<<<<<<<<< env interpolation 1
env:
@ -510,12 +510,10 @@ success_task:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
"automation" [shape=ellipse style=bold color=a fontcolor=a]
"automation" -> "success" [color=a]
"success" [shape=ellipse style=bold color="#000000" fillcolor="#00f000" style=filled fontcolor="#000000"]
"automation" -> "build" [color=a]
"build" [shape=record style=bold color="#0000f0" fillcolor="#f0f0f0" style=filled fontcolor="#0000f0" label="build\l|- Build for fedora-32\l- Build for fedora-31\l- Build for ubuntu-20\l- Build for ubuntu-19\l"]
"build" -> "alt_build" [color="#0000f0"]
"alt_build" [shape=record style=bold color="#0000f0" fillcolor="#f0f0f0" style=filled fontcolor="#0000f0" label="alt build\l|- Build Each Commit\l- Windows Cross\l- Build Without CGO\l- Build varlink API\l- Static build\l- Test build RPM\l"]
"alt_build" -> "success" [color="#0000f0"]
"success" [shape=ellipse style=bold color="#000000" fillcolor="#00f000" style=filled fontcolor="#000000"]
"build" -> "bindings" [color="#0000f0"]
"bindings" [shape=ellipse style=bold color=b fontcolor=b]
"bindings" -> "success" [color=b]
@ -528,23 +526,25 @@ success_task:
"build" -> "osx_cross" [color="#0000f0"]
"osx_cross" [shape=ellipse style=bold color=e fontcolor=e]
"osx_cross" -> "success" [color=e]
"build" -> "success" [color="#0000f0"]
"build" -> "swagger" [color="#0000f0"]
"swagger" [shape=ellipse style=bold color=f fontcolor=f]
"swagger" -> "success" [color=f]
"build" -> "unit_test" [color="#0000f0"]
"unit_test" [shape=record style=bold color="#000000" fillcolor="#f09090" style=filled fontcolor="#000000" label="unit test\l|- Unit tests on fedora-32\l- Unit tests on fedora-31\l- Unit tests on ubuntu-20\l- Unit tests on ubuntu-19\l"]
"unit_test" -> "success" [color="#f09090"]
"build" -> "validate" [color="#0000f0"]
"validate" [shape=record style=bold color="#00c000" fillcolor="#f0f0f0" style=filled fontcolor="#00c000" label="validate\l|= Validate fedora-32 Build\l"]
"validate" -> "success" [color="#00c000"]
"build" -> "vendor" [color="#0000f0"]
"vendor" [shape=ellipse style=bold color=g fontcolor=g]
"vendor" -> "success" [color=g]
"automation" -> "success" [color=a]
"build" -> "unit_test" [color="#0000f0"]
"unit_test" [shape=record style=bold color="#000000" fillcolor="#f09090" style=filled fontcolor="#000000" label="unit test\l|- Unit tests on fedora-32\l- Unit tests on fedora-31\l- Unit tests on ubuntu-20\l- Unit tests on ubuntu-19\l"]
"unit_test" -> "success" [color="#f09090"]
"build" -> "alt_build" [color="#0000f0"]
"alt_build" [shape=record style=bold color="#0000f0" fillcolor="#f0f0f0" style=filled fontcolor="#0000f0" label="alt build\l|- Build Each Commit\l- Windows Cross\l- Build Without CGO\l- Build varlink API\l- Static build\l- Test build RPM\l"]
"alt_build" -> "success" [color="#0000f0"]
"build" -> "success" [color="#0000f0"]
"ext_svc_check" [shape=ellipse style=bold color=h fontcolor=h]
"ext_svc_check" -> "build" [color=h]
"ext_svc_check" -> "success" [color=h]
"ext_svc_check" -> "build" [color=h]
"smoke" [shape=ellipse style=bold color=i fontcolor=i]
"smoke" -> "build" [color=i]
"smoke" -> "success" [color=i]
"smoke" -> "build" [color=i]

2
common/bin/ooe.sh
View File

@ -10,7 +10,7 @@ set -eo pipefail
SCRIPT_BASEDIR="$(basename $0)"
badusage() {
echo "Incorrect usage: $SCRIPT_BASEDIR) <command> [options]" >> /dev/stderr
echo "Incorrect usage: $SCRIPT_BASEDIR) <command> [options]" > /dev/stderr
echo "ERROR: $1"
exit 121
}

2
common/lib/anchors.sh
View File

@ -28,7 +28,7 @@ automation_version() {
if [[ -n "$_avcache" ]]; then
echo "$_avcache"
else
echo "Error determining version number" >> /dev/stderr
echo "Error determining version number" > /dev/stderr
exit 1
fi
}

39
common/lib/console_output.sh
View File

@ -3,7 +3,6 @@
# A Library of contextual console output-related operations.
# Intended for use by other scripts, not to be executed directly.
# shellcheck source=common/lib/defaults.sh
source $(dirname $(realpath "${BASH_SOURCE[0]}"))/defaults.sh
# helper, not intended for use outside this file
@ -11,11 +10,10 @@ _rel_path() {
if [[ -z "$1" ]]; then
echo "<stdin>"
else
local abs_path rel_path abs_path_len rel_path_len
abs_path=$(realpath "$1")
rel_path=$(realpath --relative-to=. $abs_path)
abs_path_len=${#abs_path}
rel_path_len=${#rel_path}
local abs_path=$(realpath "$1")
local rel_path=$(realpath --relative-to=. $abs_path)
local abs_path_len=${#abs_path}
local rel_path_len=${#rel_path}
if ((abs_path_len <= rel_path_len)); then
echo "$abs_path"
else
@ -26,10 +24,9 @@ _rel_path() {
# helper, not intended for use outside this file
_ctx() {
local shortest_source_path grandparent_func
# Caller's caller details
shortest_source_path=$(_rel_path "${BASH_SOURCE[3]}")
grandparent_func="${FUNCNAME[2]}"
local shortest_source_path=$(_rel_path "${BASH_SOURCE[3]}")
local grandparent_func="${FUNCNAME[2]}"
[[ -n "$grandparent_func" ]] || \
grandparent_func="main"
echo "$shortest_source_path:${BASH_LINENO[2]} in ${FUNCNAME[3]}()"
@ -37,10 +34,9 @@ _ctx() {
# helper, not intended for use outside this file.
_fmt_ctx() {
local stars prefix message
stars="************************************************"
prefix="${1:-no prefix given}"
message="${2:-no message given}"
local stars="************************************************"
local prefix="${1:-no prefix given}"
local message="${2:-no message given}"
echo "$stars"
echo "$prefix ($(_ctx))"
echo "$stars"
@ -48,40 +44,37 @@ _fmt_ctx() {
# Print a highly-visible message to stderr. Usage: warn <msg>
warn() {
_fmt_ctx "$WARNING_MSG_PREFIX ${1:-no warning message given}" >> /dev/stderr
_fmt_ctx "$WARNING_MSG_PREFIX ${1:-no warning message given}" > /dev/stderr
}
# Same as warn() but exit non-zero or with given exit code
# usage: die <msg> [exit-code]
die() {
_fmt_ctx "$ERROR_MSG_PREFIX ${1:-no error message given}" >> /dev/stderr
_fmt_ctx "$ERROR_MSG_PREFIX ${1:-no error message given}" > /dev/stderr
local exit_code=${2:-1}
((exit_code==0)) || \
exit $exit_code
}
dbg() {
local shortest_source_path
if ((A_DEBUG)); then
shortest_source_path=$(_rel_path "${BASH_SOURCE[1]}")
local shortest_source_path=$(_rel_path "${BASH_SOURCE[1]}")
(
echo
echo "$DEBUG_MSG_PREFIX ${1:-No debugging message given} ($shortest_source_path:${BASH_LINENO[0]} in ${FUNCNAME[1]}())"
) >> /dev/stderr
) > /dev/stderr
fi
}
msg() {
echo "${1:-No message specified}" &>> /dev/stderr
echo "${1:-No message specified}" &> /dev/stderr
}
# Mimic set +x for a single command, along with calling location and line.
showrun() {
local -a context
# Tried using readarray, it broke tests for some reason, too lazy to investigate.
# shellcheck disable=SC2207
context=($(caller 0))
echo "+ $* # ${context[2]}:${context[0]} in ${context[1]}()" >> /dev/stderr
echo "+ $@ # ${context[2]}:${context[0]} in ${context[1]}()" > /dev/stderr
"$@"
}
@ -116,7 +109,7 @@ show_env_vars() {
warn "The \$SECRET_ENV_RE var. unset/empty: Not filtering sensitive names!"
fi
for env_var_name in $(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -Eiv "$filter_rx" | sort); do
for env_var_name in $(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -Eiv "$filter_rx" | sort -u); do
line="${env_var_name}=${!env_var_name}"
msg " $line"

44
common/lib/platform.sh
View File

@ -8,8 +8,6 @@ OS_REL_VER="${OS_REL_VER:-$OS_RELEASE_ID-$OS_RELEASE_VER}"
# Ensure no user-input prompts in an automation context
export DEBIAN_FRONTEND="${DEBIAN_FRONTEND:-noninteractive}"
# _TEST_UID only needed for unit-testing
# shellcheck disable=SC2154
if ((UID)) || ((_TEST_UID)); then
SUDO="${SUDO:-sudo}"
if [[ "$OS_RELEASE_ID" =~ (ubuntu)|(debian) ]]; then
@ -45,51 +43,13 @@ passthrough_envars() {
for envar in SECRET_ENV_RE PASSTHROUGH_ENV_EXACT PASSTHROUGH_ENV_ATSTART PASSTHROUGH_ENV_ANYWHERE passthrough_env_re; do
if [[ -z "${!envar}" ]]; then
echo "Error: Required env. var. \$$envar is unset or empty in call to passthrough_envars()" >> /dev/stderr
echo "Error: Required env. var. \$$envar is unset or empty in call to passthrough_envars()" > /dev/stderr
exit 1
fi
done
echo "Warning: Will pass env. vars. matching the following regex:
$passthrough_env_re" >> /dev/stderr
$passthrough_env_re" > /dev/stderr
compgen -A variable | grep -Ev "$SECRET_ENV_RE" | grep -E "$passthrough_env_re"
}
# On more occasions than we'd like, it's necessary to put temporary
# platform-specific workarounds in place. To help ensure they'll
# actually be temporary, it's useful to place a time limit on them.
# This function accepts two arguments:
# - A (required) future date of the form YYYYMMDD (UTC based).
# - An (optional) message string to display upon expiry of the timebomb.
timebomb() {
local expire="$1"
if ! expr "$expire" : '[0-9]\{8\}$' > /dev/null; then
echo "timebomb: '$expire' must be UTC-based and of the form YYYYMMDD"
exit 1
fi
if [[ $(date -u +%Y%m%d) -lt $(date -u -d "$expire" +%Y%m%d) ]]; then
return
fi
declare -a frame
read -a frame < <(caller)
cat << EOF >> /dev/stderr
***********************************************************
* TIME BOMB EXPIRED!
*
* >> ${frame[1]}:${frame[0]}: ${2:-No reason given, tsk tsk}
*
* Temporary workaround expired on ${expire:0:4}-${expire:4:2}-${expire:6:2}.
*
* Please review the above source file and either remove the
* workaround or, if absolutely necessary, extend it.
*
* Please also check for other timebombs while you're at it.
***********************************************************
EOF
exit 1
}

2
common/test/run_all_tests.sh
View File

@ -6,6 +6,6 @@ set -e
cd $(dirname $0)
for testscript in test???-*.sh; do
echo -e "\nExecuting $testscript..." >> /dev/stderr
echo -e "\nExecuting $testscript..." > /dev/stderr
./$testscript
done

37
common/test/testlib-platform.sh
View File

@ -3,14 +3,9 @@
# Unit-tests for library script in the current directory
# Also verifies test script is derived from library filename
# shellcheck source-path=./
source $(dirname ${BASH_SOURCE[0]})/testlib.sh || exit 1
# Must be statically defined, 'source-path' directive can't work here.
# shellcheck source=../lib/platform.sh disable=SC2154
source "$TEST_DIR/$SUBJ_FILENAME" || exit 2
# For whatever reason, SCRIPT_PATH cannot be resolved.
# shellcheck disable=SC2154
test_cmd "Library $SUBJ_FILENAME is not executable" \
0 "" \
test ! -x "$SCRIPT_PATH/$SUBJ_FILENAME"
@ -31,12 +26,8 @@ done
for OS_RELEASE_ID in 'debian' 'ubuntu'; do
(
export _TEST_UID=$RANDOM # Normally $UID is read-only
# Must be statically defined, 'source-path' directive can't work here.
# shellcheck source=../lib/platform.sh disable=SC2154
source "$TEST_DIR/$SUBJ_FILENAME" || exit 2
# The point of this test is to confirm it's defined
# shellcheck disable=SC2154
test_cmd "The '\$SUDO' env. var. is non-empty when \$_TEST_UID is non-zero" \
0 "" \
test -n "$SUDO"
@ -65,10 +56,12 @@ test_cmd "The passthrough_envars() func. has output by default." \
# Test from a mostly empty environment to limit possibility of expr mismatch flakes
declare -a printed_envs
readarray -t printed_envs <<<$(env --ignore-environment PATH="$PATH" FOOBARBAZ="testing" \
SECRET_ENV_RE="(^PATH$)|(^BASH_FUNC)|(^_.*)|(FOOBARBAZ)|(SECRET_ENV_RE)" \
CI="true" AUTOMATION_LIB_PATH="/path/to/some/place" \
bash -c "source $TEST_DIR/$SUBJ_FILENAME && passthrough_envars")
printed_envs=(\
$(env --ignore-environment PATH="$PATH" FOOBARBAZ="testing" \
SECRET_ENV_RE="(^PATH$)|(^BASH_FUNC)|(^_.*)|(FOOBARBAZ)|(SECRET_ENV_RE)" \
CI="true" AUTOMATION_LIB_PATH="$AUTOMATION_LIB_PATH" \
bash -c "source $TEST_DIR/$SUBJ_FILENAME && passthrough_envars")
)
test_cmd "The passthrough_envars() func. w/ overriden \$SECRET_ENV_RE hides test variable." \
1 "0" \
@ -78,23 +71,5 @@ test_cmd "The passthrough_envars() func. w/ overriden \$SECRET_ENV_RE returns CI
0 "[1-9]+[0-9]*" \
expr match "${printed_envs[*]}" '.*CI.*'
test_cmd "timebomb() function requires at least one argument" \
1 "must be UTC-based and of the form YYYYMMDD" \
timebomb
TZ=UTC12 \
test_cmd "timebomb() function ignores TZ and compares < UTC-forced current date" \
1 "TIME BOMB EXPIRED" \
timebomb $(TZ=UTC date +%Y%m%d)
test_cmd "timebomb() alerts user when no description given" \
1 "No reason given" \
timebomb 00010101
EXPECTED_REASON="test${RANDOM}test"
test_cmd "timebomb() gives reason when one was provided" \
1 "$EXPECTED_REASON" \
timebomb 00010101 "$EXPECTED_REASON"
# Must be last call
exit_with_status

4
github/lib/github.sh
View File

@ -2,7 +2,7 @@
# This file is intended for sourcing by the cirrus-ci_retrospective workflow
# It should not be used under any other context.
source $(dirname ${BASH_SOURCE[0]})/github_common.sh || exit 1
source $(dirname $BASH_SOURCE[0])/github_common.sh || exit 1
# Cirrus-CI Build status codes that represent completion
COMPLETE_STATUS_RE='FAILED|COMPLETED|ABORTED|ERRORED'
@ -63,7 +63,7 @@ load_ccir() {
was_pr='true'
# Don't race vs another cirrus-ci build triggered _after_ GH action workflow started
# since both may share the same check_suite. e.g. task re-run or manual-trigger
if echo "$bst" | grep -E -q "$COMPLETE_STATUS_RE"; then
if echo "$bst" | egrep -q "$COMPLETE_STATUS_RE"; then
if [[ -n "$tst" ]] && [[ "$tst" == "PAUSED" ]]; then
dbg "Detected action status $tst"
do_intg='true'

5
mac_pw_pool/.gitignore vendored
View File

@ -1,5 +0,0 @@
/Cron.log
/utilization.csv
/dh_status.txt*
/pw_status.txt*
/html/utilization.png*

200
mac_pw_pool/AllocateTestDH.sh
View File

@ -1,200 +0,0 @@
#!/bin/bash
# This script is intended for use by humans to allocate a dedicated-host
# and create an instance on it for testing purposes. When executed,
# it will create a temporary clone of the repository with the necessary
# modifications to manipulate the test host. It's the user's responsibility
# to cleanup this directory after manually removing the instance (see below).
#
# **Note**: Due to Apple/Amazon restrictions on the removal of these
# resources, cleanup must be done manually. You will need to shutdown and
# terminate the instance, then wait 24-hours before releasing the
# dedicated-host. The hosts cost money w/n an instance is running.
#
# The script assumes:
#
# * The current $USER value reflects your actual identity such that
# the test instance may be labeled appropriatly for auditing.
# * The `aws` CLI tool is installed on $PATH.
# * Appropriate `~/.aws/credentials` credentials are setup.
# * The us-east-1 region is selected in `~/.aws/config`.
# * The $POOLTOKEN env. var. is set to value available from
# https://cirrus-ci.com/pool/1cf8c7f7d7db0b56aecd89759721d2e710778c523a8c91c7c3aaee5b15b48d05
# * The local ssh-agent is able to supply the appropriate private key (stored in BW).
set -eo pipefail
# shellcheck source-path=SCRIPTDIR
source $(dirname ${BASH_SOURCE[0]})/pw_lib.sh
# Support debugging all mac_pw_pool scripts or only this one
I_DEBUG="${I_DEBUG:0}"
if ((I_DEBUG)); then
X_DEBUG=1
warn "Debugging enabled."
fi
dbg "\$USER=$USER"
[[ -n "$USER" ]] || \
die "The variable \$USER must not be empty"
[[ -n "$POOLTOKEN" ]] || \
die "The variable \$POOLTOKEN must not be empty"
INST_NAME="${USER}Testing"
LIB_DIRNAME=$(realpath --relative-to=$REPO_DIRPATH $LIB_DIRPATH)
# /tmp is usually a tmpfs, don't let an accidental reboot ruin
# access to a test DH/instance for a developer.
TMP_CLONE_DIRPATH="/var/tmp/${LIB_DIRNAME}_${INST_NAME}"
dbg "\$TMP_CLONE_DIRPATH=$TMP_CLONE_DIRPATH"
if [[ -d "$TMP_CLONE_DIRPATH" ]]; then
die "Found existing '$TMP_CLONE_DIRPATH', assuming in-use/relevant; If not, manual cleanup is required."
fi
msg "Creating temporary clone dir and transfering any uncommited files."
git clone --no-local --no-hardlinks --depth 1 --single-branch --no-tags --quiet "file://$REPO_DIRPATH" "$TMP_CLONE_DIRPATH"
declare -a uncommited_filepaths
readarray -t uncommited_filepaths <<<$(
pushd "$REPO_DIRPATH" &> /dev/null
# Obtaining uncommited relative staged filepaths
git diff --name-only HEAD
# Obtaining uncommited relative unstaged filepaths
git ls-files . --exclude-standard --others
popd &> /dev/null
)
dbg "Copying \$uncommited_filepaths[*]=${uncommited_filepaths[*]}"
for uncommited_file in "${uncommited_filepaths[@]}"; do
uncommited_file_src="$REPO_DIRPATH/$uncommited_file"
uncommited_file_dest="$TMP_CLONE_DIRPATH/$uncommited_file"
uncommited_file_dest_parent=$(dirname "$uncommited_file_dest")
#dbg "Working on uncommited file '$uncommited_file_src'"
if [[ -r "$uncommited_file_src" ]]; then
mkdir -p "$uncommited_file_dest_parent"
#dbg "$uncommited_file_src -> $uncommited_file_dest"
cp -a "$uncommited_file_src" "$uncommited_file_dest"
fi
done
declare -a modargs
# Format: <pw_lib.sh var name> <new value> <old value>
modargs=(
# Necessary to prevent in-production macs from trying to use testing instance
"DH_REQ_VAL $INST_NAME $DH_REQ_VAL"
# Necessary to make test dedicated host stand out when auditing the set in the console
"DH_PFX $INST_NAME $DH_PFX"
# The default launch template name includes $DH_PFX, ensure the production template name is used.
# N/B: The old/unmodified pw_lib.sh is still loaded for the running script
"TEMPLATE_NAME $TEMPLATE_NAME Cirrus${DH_PFX}PWinstance"
# Permit developer to use instance for up to 3 days max (orphan vm cleaning process will nail it after that).
"PW_MAX_HOURS 72 $PW_MAX_HOURS"
# Permit developer to execute as many Cirrus-CI tasks as they want w/o automatic shutdown.
"PW_MAX_TASKS 9999 $PW_MAX_TASKS"
)
for modarg in "${modargs[@]}"; do
set -- $modarg # Convert the "tuple" into the param args $1 $2...
dbg "Modifying pw_lib.sh \$$1 definition to '$2' (was '$3')"
sed -i -r -e "s/^$1=.*/$1=\"$2\"/" "$TMP_CLONE_DIRPATH/$LIB_DIRNAME/pw_lib.sh"
# Ensure future script invocations use the new values
unset $1
done
cd "$TMP_CLONE_DIRPATH/$LIB_DIRNAME"
source ./pw_lib.sh
# Before going any further, make sure there isn't an existing
# dedicated-host named ${INST_NAME}-0. If there is, it can
# be re-used instead of failing the script outright.
existing_dh_json=$(mktemp -p "." dh_allocate_XXXXX.json)
$AWS ec2 describe-hosts --filter "Name=tag:Name,Values=${INST_NAME}-0" --query 'Hosts[].HostId' > "$existing_dh_json"
if grep -Fqx '[]' "$existing_dh_json"; then
msg "Creating the dedicated host '${INST_NAME}-0'"
declare dh_allocate_json
dh_allocate_json=$(mktemp -p "." dh_allocate_XXXXX.json)
declare -a awsargs
# Word-splitting of $AWS is desireable
# shellcheck disable=SC2206
awsargs=(
$AWS
ec2 allocate-hosts
--availability-zone us-east-1a
--instance-type mac2.metal
--auto-placement off
--host-recovery off
--host-maintenance off
--quantity 1
--tag-specifications
"ResourceType=dedicated-host,Tags=[{Key=Name,Value=${INST_NAME}-0},{Key=$DH_REQ_TAG,Value=$DH_REQ_VAL},{Key=PWPoolReady,Value=true},{Key=automation,Value=false}]"
)
# N/B: Apple/Amazon require min allocation time of 24hours!
dbg "Executing: ${awsargs[*]}"
"${awsargs[@]}" > "$dh_allocate_json" || \
die "Provisioning new dedicated host $INST_NAME failed. Manual debugging & cleanup required."
dbg $(jq . "$dh_allocate_json")
dhid=$(jq -r -e '.HostIds[0]' "$dh_allocate_json")
[[ -n "$dhid" ]] || \
die "Obtaining DH ID of new host. Manual debugging & cleanup required."
# There's a small delay between allocating the dedicated host and LaunchInstances.sh
# being able to interact with it. There's no sensible way to monitor for this state :(
sleep 3s
else # A dedicated host already exists
dhid=$(jq -r -e '.[0]' "$existing_dh_json")
fi
# Normally allocation is fairly instant, but not always. Confirm we're able to actually
# launch a mac instance onto the dedicated host.
for ((attempt=1 ; attempt < 11 ; attempt++)); do
msg "Attempt #$attempt launching a new instance on dedicated host"
./LaunchInstances.sh --force
if grep -E "^${INST_NAME}-0 i-" dh_status.txt; then
attempt=-1 # signal success
break
fi
sleep 1s
done
[[ "$attempt" -eq -1 ]] || \
die "Failed to use LaunchInstances.sh. Manual debugging & cleanup required."
# At this point the script could call SetupInstances.sh in another loop
# but it takes about 20-minutes to complete. Also, the developer may
# not need it, they may simply want to ssh into the instance to poke
# around. i.e. they don't need to run any Cirrus-CI jobs on the test
# instance.
warn "---"
warn "NOT copying/running setup.sh to new instance (in case manual activities are desired)."
warn "---"
w="PLEASE REMEMBER TO terminate instance, wait two hours, then
remove the dedicated-host in the web console, or run
'aws ec2 release-hosts --host-ids=$dhid'."
msg "---"
msg "Dropping you into a shell inside a temp. repo clone:
($TMP_CLONE_DIRPATH/$LIB_DIRNAME)"
msg "---"
msg "Once it finishes booting (5m), you may use './InstanceSSH.sh ${INST_NAME}-0'
to access it. Otherwise to fully setup the instance for Cirrus-CI, you need
to execute './SetupInstances.sh' repeatedly until the ${INST_NAME}-0 line in
'pw_status.txt' includes the text 'complete alive'. That process can take 20+
minutes. Once alive, you may then use Cirrus-CI to test against this specific
instance with any 'persistent_worker' task having a label of
'$DH_REQ_TAG=$DH_REQ_VAL' set."
msg "---"
warn "$w"
export POOLTOKEN # ensure availability in sub-shell
bash -l
warn "$w"

70
mac_pw_pool/Cron.sh
View File

@ -1,70 +0,0 @@
#!/bin/bash
# Intended to be run from $HOME/deve/automation/mac_pw_pool/
# using a crontab like:
# # Every date/timestamp in PW Pool management is UTC-relative
# # make cron do the same for consistency.
# CRON_TZ=UTC
#
# PATH=/home/shared/.local/bin:/home/shared/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
#
# # Keep log from filling up disk & make sure webserver is running
# # (5am UTC is during CI-activity lul)
# 59 4 * * * $HOME/devel/automation/mac_pw_pool/nightly_maintenance.sh &>> $CRONLOG
#
# # PW Pool management (usage drop-off from 03:00-15:00 UTC)
# POOLTOKEN=<from https://cirrus-ci.com/pool/1cf8c7f7d7db0b56aecd89759721d2e710778c523a8c91c7c3aaee5b15b48d05>
# CRONLOG=/home/shared/devel/automation/mac_pw_pool/Cron.log
# */5 * * * * /home/shared/devel/automation/mac_pw_pool/Cron.sh &>> $CRONLOG
# shellcheck disable=SC2154
[ "${FLOCKER}" != "$0" ] && exec env FLOCKER="$0" flock -e -w 300 "$0" "$0" "$@" || :
# shellcheck source=./pw_lib.sh
source $(dirname "${BASH_SOURCE[0]}")/pw_lib.sh
cd $SCRIPT_DIRPATH || die "Cannot enter '$SCRIPT_DIRPATH'"
# SSH agent required to provide key for accessing workers
# Started with `ssh-agent -s > /run/user/$UID/ssh-agent.env`
# followed by adding/unlocking the necessary keys.
# shellcheck disable=SC1090
source /run/user/$UID/ssh-agent.env
date -u -Iminutes
now_minutes=$(date -u +%M)
if (($now_minutes%10==0)); then
$SCRIPT_DIRPATH/LaunchInstances.sh
echo "Exit: $?"
fi
$SCRIPT_DIRPATH/SetupInstances.sh
echo "Exit: $?"
[[ -r "$PWSTATE" ]] || \
die "Can't read $PWSTATE to generate utilization data."
uzn_file="$SCRIPT_DIRPATH/utilization.csv"
# Run input through `date` to validate values are usable timestamps
timestamp=$(date -u -Iseconds -d \
$(grep -E '^# SetupInstances\.sh run ' "$PWSTATE" | \
awk '{print $4}'))
pw_state=$(grep -E -v '^($|#+| +)' "$PWSTATE")
n_workers=$(grep 'complete alive' <<<"$pw_state" | wc -l)
n_tasks=$(awk "BEGIN{B=0} /${DH_PFX}-[0-9]+ complete alive/{B+=\$4} END{print B}" <<<"$pw_state")
n_taskf=$(awk "BEGIN{E=0} /${DH_PFX}-[0-9]+ complete alive/{E+=\$5} END{print E}" <<<"$pw_state")
printf "%s,%i,%i,%i\n" "$timestamp" "$n_workers" "$n_tasks" "$n_taskf" | tee -a "$uzn_file"
# Prevent uncontrolled growth of utilization.csv. Assume this script
# runs every $interval minutes, keep only $history_hours worth of data.
interval_minutes=5
history_hours=36
lines_per_hour=$((60/$interval_minutes))
max_uzn_lines=$(($history_hours * $lines_per_hour))
tail -n $max_uzn_lines "$uzn_file" > "${uzn_file}.tmp"
mv "${uzn_file}.tmp" "$uzn_file"
# If possible, generate the webpage utilization graph
gnuplot -c Utilization.gnuplot || true

39
mac_pw_pool/InstanceSSH.sh
View File

@ -1,39 +0,0 @@
#!/bin/bash
set -eo pipefail
# Helper for humans to access an existing instance. It depends on:
#
# * You know the instance-id or name.
# * All requirements listed in the top `LaunchInstances.sh` comment.
# * The local ssh-agent is able to supply the appropriate private key.
# shellcheck source-path=SCRIPTDIR
source $(dirname ${BASH_SOURCE[0]})/pw_lib.sh
SSH="ssh $SSH_ARGS" # N/B: library default nulls stdin
if nc -z localhost 5900; then
# Enable access to VNC if it's running
# ref: https://repost.aws/knowledge-center/ec2-mac-instance-gui-access
SSH+=" -L 5900:localhost:5900"
fi
[[ -n "$1" ]] || \
die "Must provide EC2 instance ID as first argument"
case "$1" in
i-*)
inst_json=$($AWS ec2 describe-instances --instance-ids "$1") ;;
*)
inst_json=$($AWS ec2 describe-instances --filter "Name=tag:Name,Values=$1") ;;
esac
shift
pub_dns=$(jq -r -e '.Reservations?[0]?.Instances?[0]?.PublicDnsName?' <<<"$inst_json")
if [[ -z "$pub_dns" ]] || [[ "$pub_dns" == "null" ]]; then
die "Instance '$1' does not exist, or have a public DNS address allocated (yet)."
fi
echo "+ $SSH ec2-user@$pub_dns $*" >> /dev/stderr
exec $SSH ec2-user@$pub_dns "$@"

310
mac_pw_pool/LaunchInstances.sh
View File

@ -1,310 +0,0 @@
#!/bin/bash
set -eo pipefail
# Script intended to be executed by humans (and eventually automation) to
# ensure instances are launched from the current template version, on all
# available Cirrus-CI Persistent Worker M1 Mac dedicated hosts. These
# dedicated host (slots) are selected at runtime based their possessing a
# 'true' value for their `PWPoolReady` tag. The script assumes:
#
# * The `aws` CLI tool is installed on $PATH.
# * Appropriate `~/.aws/credentials` credentials are setup.
# * The us-east-1 region is selected in `~/.aws/config`.
#
# N/B: Dedicated Host names and instance names are assumed to be identical,
# only the IDs differ.
# shellcheck source-path=SCRIPTDIR
source $(dirname ${BASH_SOURCE[0]})/pw_lib.sh
L_DEBUG="${L_DEBUG:0}"
if ((L_DEBUG)); then
X_DEBUG=1
warn "Debugging enabled - temp. dir will not be cleaned up '$TEMPDIR' $(ctx 0)."
trap EXIT
fi
# Helper intended for use inside `name_hostid` loop.
# arg1 either "INST" or "HOST"
# arg2: Brief failure message
# arg3: Failure message details
handle_failure() {
[[ -n "$inststate" ]] || die "Expecting \$inststate to be set $(ctx 2)"
[[ -n "$name" ]] || die "Expecting \$name to be set $(ctx 2)"
if [[ "$1" != "INST" ]] && [[ "$1" != "HOST" ]]; then
die "Expecting either INST or HOST as argument $(ctx 2)"
fi
[[ -n "$2" ]] || die "Expecting brief failure message $(ctx 2)"
[[ -n "$3" ]] || die "Expecting detailed failure message $(ctx 2)"
warn "$2 $(ctx 2)"
(
# Script is sensitive to this first-line format
echo "# $name $1 ERROR: $2"
# Make it obvious which host/instance the details pertain to
awk -e '{print "# "$0}'<<<"$3"
) > "$inststate"
}
# Wrapper around handle_failure()
host_failure() {
[[ -r "$hostoutput" ]] || die "Expecting readable $hostoutput file $(ctx)"
handle_failure HOST "$1" "aws CLI output: $(<$hostoutput)"
}
inst_failure() {
[[ -r "$instoutput" ]] || die "Expecting readable $instoutput file $(ctx)"
handle_failure INST "$1" "aws CLI output: $(<$instoutput)"
}
# Find dedicated hosts to operate on.
dh_name_flt="Name=tag:Name,Values=${DH_PFX}-*"
dh_tag_flt="Name=tag:$DH_REQ_TAG,Values=$DH_REQ_VAL"
dh_qry='Hosts[].{HostID:HostId, Name:[Tags[?Key==`Name`].Value][] | [0]}'
dh_searchout="$TEMPDIR/hosts.output" # JSON or error message
if ! $AWS ec2 describe-hosts --filter "$dh_name_flt" "$dh_tag_flt" --query "$dh_qry" &> "$dh_searchout"; then
die "Searching for dedicated hosts $(ctx 0):
$(<$dh_searchout)"
fi
# Array item format: "<Name> <ID>"
dh_fmt='.[] | .Name +" "+ .HostID'
# Avoid always processing hosts in the same alpha-sorted order, as that would
# mean hosts at the end of the list consistently wait the longest for new
# instances to be created (see creation-stagger code below).
if ! readarray -t NAME2HOSTID <<<$(json_query "$dh_fmt" "$dh_searchout" | sort --random-sort); then
die "Extracting dedicated host 'Name' and 'HostID' fields $(ctx 0):
$(<$dh_searchout)"
fi
n_dh=0
n_dh_total=${#NAME2HOSTID[@]}
if [[ -z "${NAME2HOSTID[*]}" ]] || ! ((n_dh_total)); then
msg "No dedicated hosts found"
exit 0
fi
latest_launched="1970-01-01T00:00+00:00" # in case $DHSTATE is missing
dcmpfmt="+%Y%m%d%H%M" # date comparison format compatible with numeric 'test'
# To find the latest instance launch time, script can't rely on reading
# $DHSTATE or $PWSTATE because they may not exist or be out of date.
# Search for all running instances by name and running state, returning
# their launch timestamps.
declare -a pw_filt
pw_filts=(
"Name=tag:Name,Values=${DH_PFX}-*"
'Name=tag:PWPoolReady,Values=true'
"Name=tag:$DH_REQ_TAG,Values=$DH_REQ_VAL"
'Name=instance-state-name,Values=running'
)
pw_query='Reservations[].Instances[].LaunchTime'
inst_lt_f=$TEMPDIR/inst_launch_times
dbg "Obtaining launch times for all running ${DH_PFX}-* instances"
dbg "$AWS ec2 describe-instances --filters '${pw_filts[*]}' --query '$pw_query' &> '$inst_lt_f'"
if ! $AWS ec2 describe-instances --filters "${pw_filts[@]}" --query "$pw_query" &> "$inst_lt_f"; then
die "Can not query instances:
$(<$inst_lt_f)"
else
declare -a launchtimes
if ! readarray -t launchtimes<<<$(json_query '.[]?' "$inst_lt_f") ||
[[ "${#launchtimes[@]}" -eq 0 ]] ||
[[ "${launchtimes[0]}" == "" ]]; then
warn "Found no running instances, this should not happen."
else
dbg "launchtimes=[${launchtimes[*]}]"
for launch_time in "${launchtimes[@]}"; do
if [[ "$launch_time" == "" ]] || [[ "$launch_time" == "null" ]]; then
warn "Ignoring empty/null instance launch time."
continue
fi
# Assume launch_time is never malformed
launched_hour=$(date -u -d "$launch_time" "$dcmpfmt")
latest_launched_hour=$(date -u -d "$latest_launched" "$dcmpfmt")
dbg "instance launched on $launched_hour; latest launch hour: $latest_launched_hour"
if [[ $launched_hour -gt $latest_launched_hour ]]; then
dbg "Updating latest launched timestamp"
latest_launched="$launch_time"
fi
done
fi
fi
# Increase readability for humans by always ensuring the two important
# date stamps line up regardless of the length of $n_dh_total.
_n_dh_sp=$(printf ' %.0s' seq 1 ${#n_dh_total})
msg "Operating on $n_dh_total dedicated hosts at $(date -u -Iseconds)"
msg " ${_n_dh_sp}Last instance launch on $latest_launched"
echo -e "# $(basename ${BASH_SOURCE[0]}) run $(date -u -Iseconds)\n#" > "$TEMPDIR/$(basename $DHSTATE)"
# When initializing a new pool of workers, it would take many hours
# to wait for the staggered creation mechanism on each host. This
# would negativly impact worker utilization. Provide a workaround.
force=0
# shellcheck disable=SC2199
if [[ "$@" =~ --force ]]; then
warn "Forcing instance creation: Ignoring staggered creation limits."
force=1
fi
for name_hostid in "${NAME2HOSTID[@]}"; do
n_dh=$(($n_dh+1))
_I=" "
msg " " # make output easier to read
read -r name hostid junk<<<"$name_hostid"
msg "Working on Dedicated Host #$n_dh/$n_dh_total '$name' for HostID '$hostid'."
hostoutput="$TEMPDIR/${name}_host.output" # JSON or error message from aws describe-hosts
instoutput="$TEMPDIR/${name}_inst.output" # JSON or error message from aws describe-instance or run-instance
inststate="$TEMPDIR/${name}_inst.state" # Line to append to $DHSTATE
if ! $AWS ec2 describe-hosts --host-ids $hostid &> "$hostoutput"; then
host_failure "Failed to look up dedicated host."
continue
# Allow hosts to be taken out of service easily/manually by editing its tags.
# Also detect any JSON parsing problems in the output.
elif ! PWPoolReady=$(json_query '.Hosts?[0]?.Tags? | map(select(.Key == "PWPoolReady")) | .[].Value' "$hostoutput"); then
host_failure "Empty/null/failed JSON query of PWPoolReady tag."
continue
elif [[ "$PWPoolReady" != "true" ]]; then
msg "Dedicated host tag 'PWPoolReady' == '$PWPoolReady' != 'true'."
echo "# $name HOST DISABLED: PWPoolReady==$PWPoolReady" > "$inststate"
continue
fi
if ! hoststate=$(json_query '.Hosts?[0]?.State?' "$hostoutput"); then
host_failure "Empty/null/failed JSON query of dedicated host state."
continue
fi
if [[ "$hoststate" == "pending" ]] || \
[[ "$hoststate" == "under-assessment" ]] || \
[[ "$hoststate" == "released" ]]
then
# When an instance is terminated, its dedicated host goes into an unusable state
# for about 1-1/2 hours. There's absolutely nothing that can be done to avoid
# this or work around it. Ignore hosts in this state, assuming a later run of the
# script will start an instance on the (hopefully) available host).
#
# I have no idea what 'under-assessment' means, and it doesn't last as long as 'pending',
# but functionally it behaves the same.
#
# Hosts in 'released' state are about to go away, hopefully due to operator action.
# Don't treat this as an error.
msg "Dedicated host is untouchable due to '$hoststate' state."
# Reference the actual output text, in case of false-match or unexpected contents.
echo "# $name HOST BUSY: $hoststate" > "$inststate"
continue
elif [[ "$hoststate" != "available" ]]; then
# The "available" state means the host is ready for zero or more instances to be created.
# Detect all other states (they should be extremely rare).
host_failure "Unsupported dedicated host state '$hoststate'."
continue
fi
# Counter-intuitively, dedicated hosts can support more than one running instance. Except
# for Mac instances, but this is not reflected anywhere in the JSON. Trying to start a new
# Mac instance on an already occupied host is bound to fail. Inconveniently this error
# will look an aweful lot like many other types of errors, confusing any human examining
# $DHSTATE. Detect dedicated-hosts with existing instances.
InstanceId=$(set +e; jq -r '.Hosts?[0]?.Instances?[0].InstanceId?' "$hostoutput")
dbg "InstanceId='$InstanceId'"
# Stagger creation of instances by $CREATE_STAGGER_HOURS
launch_new=0
if [[ "$InstanceId" == "null" ]] || [[ "$InstanceId" == "" ]]; then
launch_threshold=$(date -u -Iseconds -d "$latest_launched + $CREATE_STAGGER_HOURS hours")
launch_threshold_hour=$(date -u -d "$launch_threshold" "$dcmpfmt")
now_hour=$(date -u "$dcmpfmt")
dbg "launch_threshold_hour=$launch_threshold_hour"
dbg " now_hour=$now_hour"
if [[ "$force" -eq 0 ]] && [[ $now_hour -lt $launch_threshold_hour ]]; then
msg "Cannot launch new instance until $launch_threshold"
echo "# $name HOST THROTTLE: Inst. creation delayed until $launch_threshold" > "$inststate"
continue
else
launch_new=1
fi
fi
if ((launch_new)); then
msg "Creating new $name instance on $name host."
if ! $AWS ec2 run-instances \
--launch-template LaunchTemplateName=${TEMPLATE_NAME} \
--tag-specifications \
"ResourceType=instance,Tags=[{Key=Name,Value=$name},{Key=$DH_REQ_TAG,Value=$DH_REQ_VAL},{Key=PWPoolReady,Value=true},{Key=automation,Value=true}]" \
--placement "HostId=$hostid" &> "$instoutput"; then
inst_failure "Failed to create new instance on available host."
continue
else
# Block further launches (assumes script is running in a 10m while loop).
latest_launched=$(date -u -Iseconds)
msg "Successfully created new instance; Waiting for 'running' state (~1m typical)..."
# N/B: New Mac instances take ~5-10m to actually become ssh-able
if ! InstanceId=$(json_query '.Instances?[0]?.InstanceId' "$instoutput"); then
inst_failure "Empty/null/failed JSON query of brand-new InstanceId"
continue
fi
# Instance "running" status is good enough for this script, and since network
# accessibility can take 5-20m post creation.
# Polls 40 times with 15-second delay (non-configurable).
if ! $AWS ec2 wait instance-running \
--instance-ids $InstanceId &> "${instoutput}.wait"; then
# inst_failure() would include unhelpful $instoutput detail
(
echo "# $name INST ERROR: Running-state timeout."
awk -e '{print "# "$0}' "${instoutput}.wait"
) > "$inststate"
continue
fi
fi
fi
# If an instance was created, $instoutput contents are already obsolete.
# If an existing instance, $instoutput doesn't exist.
if ! $AWS ec2 describe-instances --instance-ids $InstanceId &> "$instoutput"; then
inst_failure "Failed to describe host instance."
continue
fi
# Describe-instance has unnecessarily complex structure, simplify it.
if ! json_query '.Reservations?[0]?.Instances?[0]?' "$instoutput" > "${instoutput}.simple"; then
inst_failure "Empty/null/failed JSON simplification of describe-instances."
fi
mv "$instoutput" "${instoutput}.describe" # leave for debugging
mv "${instoutput}.simple" "${instoutput}"
msg "Parsing new or existing instance ($InstanceId) details."
if ! InstanceId=$(json_query '.InstanceId' $instoutput); then
inst_failure "Empty/null/failed JSON query of InstanceId"
continue
elif ! InstName=$(json_query '.Tags | map(select(.Key == "Name")) | .[].Value' $instoutput) || \
[[ "$InstName" != "$name" ]]; then
inst_failure "Inst. name '$InstName' != DH name '$name'"
elif ! LaunchTime=$(json_query '.LaunchTime' $instoutput); then
inst_failure "Empty/null/failed JSON query of LaunchTime"
continue
fi
echo "$name $InstanceId $LaunchTime" > "$inststate"
done
_I=""
msg " "
msg "Processing all dedicated host and instance states."
# Consuming state file in alpha-order is easier on human eyes
readarray -t NAME2HOSTID <<<$(json_query "$dh_fmt" "$dh_searchout" | sort)
for name_hostid in "${NAME2HOSTID[@]}"; do
read -r name hostid<<<"$name_hostid"
inststate="$TEMPDIR/${name}_inst.state"
[[ -r "$inststate" ]] || \
die "Expecting to find instance-state file $inststate for host '$name' $(ctx 0)."
cat "$inststate" >> "$TEMPDIR/$(basename $DHSTATE)"
done
dbg "Creating/updating state file"
if [[ -r "$DHSTATE" ]]; then
cp "$DHSTATE" "${DHSTATE}~"
fi
mv "$TEMPDIR/$(basename $DHSTATE)" "$DHSTATE"

138
mac_pw_pool/README.md
View File

@ -1,138 +0,0 @@
# Cirrus-CI persistent worker maintenance
These scripts are intended to be used from a repository clone,
by cron, on an always-on cloud machine. They make a lot of
other assumptions, some of which may not be well documented.
Please see the comments at the top of each scripts for more
detailed/specific information.
## Prerequisites
* The `aws` binary present somewhere on `$PATH`.
* Standard AWS `credentials` and `config` files exist under `~/.aws`
and set the region to `us-east-1`.
* A copy of the ssh-key referenced by `CirrusMacM1PWinstance` launch template
under "Assumptions" below.
* The ssh-key has been added to a running ssh-agent.
* The running ssh-agent sh-compatible env. vars. are stored in
`/run/user/$UID/ssh-agent.env`
* The env. var. `POOLTOKEN` is set to the Cirrus-CI persistent worker pool
token value.
## Assumptions
* You've read all scripts in this directory, generally follow
their purpose, and meet any requirements stated within the
header comment.
* You've read the [private documentation](https://docs.google.com/document/d/1PX6UyqDDq8S72Ko9qe_K3zoV2XZNRQjGxPiWEkFmQQ4/edit)
and understand the safety/security section.
* You have permissions to access all referenced AWS resources.
* There are one or more dedicated hosts allocated and have set:
* A name tag like `MacM1-<some number>` (NO SPACES!)
* The `mac2` instance family
* The `mac2.metal` instance type
* Disabled "Instance auto-placement", "Host recovery", and "Host maintenance"
* Quantity: 1
* Tags: `automation=false`, `purpose=prod`, and `PWPoolReady=true`
* The EC2 `CirrusMacM1PWinstance` instance-template exists and sets:
* Shutdown-behavior: terminate
* Same "key pair" referenced under `Prerequisites`
* All other required instance parameters complete
* A user-data script that shuts down the instance after 2 days.
## Operation (Theory)
The goal is to maintain sufficient alive/running/working instances
to service most Cirrus-CI tasks pointing at the pool. This is
best achieved with slower maintenance of hosts compared to setup
of ready instances. This is because hosts can be inaccessible for
up to 2 hours, but instances come up in ~10-20m, ready to run tasks.
Either hosts and/or instances may be removed from management by
setting "false" or removing their `PWPoolReady=true` tag. Otherwise,
the pool should be maintained by installing the crontab lines
indicated in the `Cron.sh` script.
Cirrus-CI will assign tasks (specially) targeted at the pool, to an
instance with a running listener (`cirrus worker run` process). If
there are none, the task will queue forever (there might be a 24-hour
timeout, I can't remember). From a PR perspective, there is little
control over which instance you get. It could easily be one where
a previous task barfed all over and rendered unusable.
## Initialization
It is assumed that neither the `Cron.sh` nor any related maintenance
scripts are installed (in crontab) or currently running.
Once several dedicated hosts have been manually created, they
should initially have no instances on them. If left alone, the
maintenance scripts will eventually bring them all up, however
complete creation and setup will take many hours. This may be
bypassed by *manually* running `LaunchInstances.sh --force`.
In order to prevent all the instances from being recycled at the same
(future) time, the shutdown time installed by `SetupInstances.sh` also
needs to be adjusted. The operator should first wait about 20 minutes
for all new instances to fully boot. Followed by a call to
`SetupInstances.sh --force`.
Now the `Cron.sh` cron-job may be installed, enabled and started.
## Manual Testing
Verifying changes to these scripts / cron-job must be done manually.
To support this, every dedicated host and instance has a `purpose`
tag, which must correspond to the value indicated in `pw_lib.sh`
and in the target repo `.cirrus.yml`. To test script and/or
CI changes:
1. Make sure you have locally met all requirements spelled out in the
header-comment of `AllocateTestDH.sh`.
1. Execute `AllocateTestDH.sh`. It will operate out of a temporary
clone of the repository to prevent pushing required test-modifications
upstream.
1. Repeatedly execute `SetupInstances.sh`. It will update `pw_status.txt`
with any warnings/errors. When successful, lines will include
the host name, "complete", and "alive" status strings.
1. If instance debugging is needed, the `InstanceSSH.sh` script may be
used. Simply pass the name of the host you want to access. Every
instance should have a `setup.log` file in the `ec2-user` homedir. There
should also be `/private/tmp/<name>-worker.log` with entries from the
pool listener process.
1. To test CI changes against the test instance(s), push a PR that includes
`.cirrus.yml` changes to the task's `persistent_worker` dictionary's
`purpose` attribute. Set the value the same as the tag in step 1.
1. When you're done with all testing, terminate the instance. Then wait
a full 24-hours before "releasing" the dedicated host. Both operations
can be performed using the AWS EC2 WebUI. Please remember to do the
release step, as the $-clock continues to run while it's allocated.
Note: Instances are set to auto-terminate on shutdown. They should
self shutdown after 24-hours automatically. After termination for
any cause, there's about a 2-hour waiting period before a new instance
can be allocated. The `LaunchInstances.sh` script is able deal with this
properly.
## Script Debugging Hints
* On each MacOS instance:
* The pool listener process (running as the worker user) keeps a log under `/private/tmp`. The
file includes the registered name of the worker. For example, on MacM1-7 you would find `/private/tmp/MacM1-7-worker.log`.
This log shows tasks taken on, completed, and any errors reported back from Cirrus-CI internals.
* In the ec2-user's home directory is a `setup.log` file. This stores the output from executing
`setup.sh`. It also contains any warnings/errors from the (very important) `service_pool.sh` script - which should
_always_ be running in the background.
* There are several drop-files in the `ec2-user` home directory which are checked by `SetupInstances.sh`
to record state. If removed, along with `setup.log`, the script will re-execute (a possibly newer version of) `setup.sh`.
* On the management host:
* Automated operations are setup and run by `Cron.sh`, and logged to `Cron.log`. When running scripts manually, `Cron.sh`
can serve as a template for the intended order of operations.
* Critical operations are protected by a mandatory, exclusive file lock on `mac_pw_pool/Cron.sh`. Should
there be a deadlock, management of the pool (by `Cron.sh`) will stop. However the effects of this will not be observed
until workers begin hitting their lifetime and/or task limits.
* Without intervention, the `nightly_maintenance.sh` script will update the containers/automation repo clone on the
management VM. This happens if the repo becomes out of sync by more than 7 days (or as defined in the script).
When the repo is updated, the `pw_pool_web` container will be restarted. The container will also be restarted if its
found to not be running.

463
mac_pw_pool/SetupInstances.sh
View File

@ -1,463 +0,0 @@
#!/bin/bash
set -eo pipefail
# Script intended to be executed by humans (and eventually automation)
# to provision any/all accessible Cirrus-CI Persistent Worker instances
# as they become available. This is intended to operate independently
# from `LaunchInstances.sh` soas to "hide" the nearly 2-hours of cumulative
# startup and termination wait times. This script depends on:
#
# * All requirements listed in the top `LaunchInstances.sh` comment.
# * The $DHSTATE file created/updated by `LaunchInstances.sh`.
# * The $POOLTOKEN env. var. is defined
# * The local ssh-agent is able to supply the appropriate private key.
# shellcheck source-path=SCRIPTDIR
source $(dirname ${BASH_SOURCE[0]})/pw_lib.sh
# Update temporary-dir status file for instance $name
# status type $1 and value $2. Where status type is
# 'setup', 'listener', 'tasks', 'taskf' or 'comment'.
set_pw_status() {
[[ -n "$name" ]] || \
die "Expecting \$name to be set"
case $1 in
setup) ;;
listener) ;;
tasks) ;; # started
taskf) ;; # finished
ftasks) ;;
comment) ;;
*) die "Status type must be 'setup', 'listener', 'tasks', 'taskf' or 'comment'"
esac
if [[ "$1" != "comment" ]] && [[ -z "$2" ]]; then
die "Expecting comment text (status argument) to be non-empty."
fi
echo -n "$2" > $TEMPDIR/${name}.$1
}
# Wrapper around msg() and warn() which also set_pw_status() comment.
pwst_msg() { set_pw_status comment "$1"; msg "$1"; }
pwst_warn() { set_pw_status comment "$1"; warn "$1"; }
# Attempt to signal $SPOOL_SCRIPT to stop picking up new CI tasks but
# support PWPoolReady being reset to 'true' in the future to signal
# a new $SETUP_SCRIPT run. Cancel future $SHDWN_SCRIPT action.
# Requires both $pub_dns and $name are set
stop_listener(){
dbg "Attempting to stop pool listener and reset setup state"
$SSH ec2-user@$pub_dns rm -f \
"/private/tmp/${name}_cfg_*" \
"./.setup.done" \
"./.setup.started" \
"/var/tmp/shutdown.sh"
}
# Forcibly shutdown an instance immediately, printing warning and status
# comment from first argument. Requires $name, $instance_id, and $pub_dns
# to be set.
force_term(){
local varname
local termoutput
termoutput="$TEMPDIR/${name}_term.output"
local term_msg
term_msg="${1:-no inst_panic() message provided} Terminating immediately! $(ctx)"
for varname in name instance_id pub_dns; do
[[ -n "${!varname}" ]] || \
die "Expecting \$$varname to be set/non-empty."
done
# $SSH has built-in -n; ignore failure, inst may be in broken state already
echo "$term_msg" | ssh $SSH_ARGS ec2-user@$pub_dns sudo wall || true
# Set status and print warning message
pwst_warn "$term_msg"
# Instance is going to be terminated, immediately stop any attempts to
# restart listening for jobs. Ignore failure if unreachable for any reason -
# we/something else could have already started termination previously
stop_listener || true
# Termination can take a few minutes, block further use of instance immediately.
$AWS ec2 create-tags --resources $instance_id --tags "Key=PWPoolReady,Value=false" || true
# Prefer possibly recovering a broken pool over debug-ability.
if ! $AWS ec2 terminate-instances --instance-ids $instance_id &> "$termoutput"; then
# Possible if the instance recently/previously started termination process.
warn "Could not terminate instance $instance_id $(ctx 0):
$(<$termoutput)"
fi
}
# Set non-zero to enable debugging / prevent removal of temp. dir.
S_DEBUG="${S_DEBUG:0}"
if ((S_DEBUG)); then
X_DEBUG=1
warn "Debugging enabled - temp. dir will not be cleaned up '$TEMPDIR' $(ctx 0)."
trap EXIT
fi
[[ -n "$POOLTOKEN" ]] || \
die "Expecting \$POOLTOKEN to be defined/non-empty $(ctx 0)."
[[ -r "$DHSTATE" ]] || \
die "Can't read from state file: $DHSTATE"
if [[ -z "$SSH_AUTH_SOCK" ]] || [[ -z "$SSH_AGENT_PID" ]]; then
die "Cannot access an ssh-agent. Please run 'ssh-agent -s > /run/user/$UID/ssh-agent.env' and 'ssh-add /path/to/required/key'."
fi
declare -a _dhstate
readarray -t _dhstate <<<$(grep -E -v '^($|#+| +)' "$DHSTATE" | sort)
n_inst=0
n_inst_total="${#_dhstate[@]}"
if [[ -z "${_dhstate[*]}" ]] || ! ((n_inst_total)); then
msg "No operable hosts found in $DHSTATE:
$(<$DHSTATE)"
# Assume this script is running in a loop, and unf. there are
# simply no dedicated-hosts in 'available' state.
exit 0
fi
# N/B: Assumes $DHSTATE represents reality
msg "Operating on $n_inst_total instances from $(head -1 $DHSTATE)"
echo -e "# $(basename ${BASH_SOURCE[0]}) run $(date -u -Iseconds)\n#" > "$TEMPDIR/$(basename $PWSTATE)"
# Previous instance state needed for some optional checks
declare -a _pwstate
n_pw_total=0
if [[ -r "$PWSTATE" ]]; then
readarray -t _pwstate <<<$(grep -E -v '^($|#+| +)' "$PWSTATE" | sort)
n_pw_total="${#_pwstate[@]}"
# Handle single empty-item array
if [[ -z "${_pwstate[*]}" ]] || ! ((n_pw_total)); then
_pwstate=()
_n_pw_total=0
fi
fi
# Assuming the `--force` option was used to initialize a new pool of
# workers, then instances need to be configured with a staggered
# self-termination shutdown delay. This prevents all the instances
# from being terminated at the same time, potentially impacting
# CI usage.
runtime_hours_reduction=0
# shellcheck disable=SC2199
if [[ "$@" =~ --force ]]; then
warn "Forcing instance creation w/ staggered existence limits."
runtime_hours_reduction=$CREATE_STAGGER_HOURS
fi
for _dhentry in "${_dhstate[@]}"; do
read -r name instance_id launch_time junk<<<"$_dhentry"
_I=" "
msg " "
n_inst=$(($n_inst+1))
msg "Working on Instance #$n_inst/$n_inst_total '$name' with ID '$instance_id'."
# Clear buffers used for updating status files
n_started_tasks=0
n_finished_tasks=0
instoutput="$TEMPDIR/${name}_inst.output"
ncoutput="$TEMPDIR/${name}_nc.output"
logoutput="$TEMPDIR/${name}_log.output"
# Most operations below 'continue' looping on error. Ensure status files match.
set_pw_status tasks 0
set_pw_status taskf 0
set_pw_status setup error
set_pw_status listener error
set_pw_status comment ""
if ! $AWS ec2 describe-instances --instance-ids $instance_id &> "$instoutput"; then
pwst_warn "Could not query instance $instance_id $(ctx 0)."
continue
fi
dbg "Verifying required $DH_REQ_TAG=$DH_REQ_VAL"
tagq=".Reservations?[0]?.Instances?[0]?.Tags | map(select(.Key == \"$DH_REQ_TAG\")) | .[].Value"
if ! inst_tag=$(json_query "$tagq" "$instoutput"); then
pwst_warn "Could not look up instance $DH_REQ_TAG tag"
continue
fi
if [[ "$inst_tag" != "$DH_REQ_VAL" ]]; then
pwst_warn "Required inst. '$DH_REQ_TAG' tag != '$DH_REQ_VAL'"
continue
fi
dbg "Looking up instance name"
nameq='.Reservations?[0]?.Instances?[0]?.Tags | map(select(.Key == "Name")) | .[].Value'
if ! inst_name=$(json_query "$nameq" "$instoutput"); then
pwst_warn "Could not look up instance Name tag"
continue
fi
if [[ "$inst_name" != "$name" ]]; then
pwst_warn "Inst. name '$inst_name' != DH name '$name'"
continue
fi
dbg "Looking up public DNS"
if ! pub_dns=$(json_query '.Reservations?[0]?.Instances?[0]?.PublicDnsName?' "$instoutput"); then
pwst_warn "Could not lookup of public DNS for instance $instance_id $(ctx 0)"
continue
fi
# It's really important that instances have a defined and risk-relative
# short lifespan. Multiple mechanisms are in place to assist, but none
# are perfect. Ensure instances running for an excessive time are forcefully
# terminated as soon as possible from this script.
launch_epoch=$(date -u -d "$launch_time" +%s)
now_epoch=$(date -u +%s)
age_sec=$((now_epoch-launch_epoch))
hard_max_sec=$((PW_MAX_HOURS*60*60*2)) # double PW_MAX_HOURS
dbg "launch_epoch=$launch_epoch"
dbg " now_epoch=$now_epoch"
dbg " age_sec=$age_sec"
dbg "hard_max_sec=$hard_max_sec"
# Soft time limit is enforced via 'sleep $PW_MAX_HOURS && shutdown' started during instance setup (below).
msg "Instance alive for $((age_sec/60/60)) hours (soft max: $PW_MAX_HOURS hard: $((hard_max_sec/60/60)))"
if [[ $age_sec -gt $hard_max_sec ]]; then
force_term "Excess instance lifetime; $(((age_sec - hard_max_sec)/60))m past hard max limit."
continue
elif [[ $age_sec -gt $((PW_MAX_HOURS*60*60)) ]]; then
pwst_warn "Instance alive longer than soft max. Investigation recommended."
fi
dbg "Attempting to contact '$name' at $pub_dns"
if ! nc -z -w 13 $pub_dns 22 &> "$ncoutput"; then
pwst_warn "Could not connect to port 22 on '$pub_dns' $(ctx 0)."
continue
fi
if ! $SSH ec2-user@$pub_dns true; then
pwst_warn "Could not ssh to 'ec2-user@$pub_dns' $(ctx 0)."
continue
fi
dbg "Check if instance should be managed"
if ! PWPoolReady=$(json_query '.Reservations?[0]?.Instances?[0]?.Tags? | map(select(.Key == "PWPoolReady")) | .[].Value' "$instoutput"); then
pwst_warn "Instance does not have a PWPoolReady tag"
PWPoolReady="absent"
fi
# Mechanism for a developer to manually debug operations w/o fear of new tasks or instance shutdown.
if [[ "$PWPoolReady" != "true" ]]; then
pwst_msg "Instance disabled via tag 'PWPoolReady' == '$PWPoolReady'."
set_pw_status setup disabled
set_pw_status listener disabled
(
set +e # All commands below are best-effort only!
dbg "Attempting to stop any pending shutdowns"
$SSH ec2-user@$pub_dns sudo pkill shutdown
stop_listener
dbg "Attempting to stop shutdown sleep "
$SSH ec2-user@$pub_dns pkill -u ec2-user -f "'bash -c sleep'"
if $SSH ec2-user@$pub_dns pgrep -u ec2-user -f service_pool.sh; then
sleep 10s # Allow service_pool to exit gracefully
fi
# N/B: This will not stop any currently running CI tasks.
dbg "Guarantee pool listener is dead"
$SSH ec2-user@$pub_dns sudo pkill -u ${name}-worker -f "'cirrus worker run'"
)
continue
fi
if ! $SSH ec2-user@$pub_dns test -r .setup.done; then
if ! $SSH ec2-user@$pub_dns test -r .setup.started; then
if $SSH ec2-user@$pub_dns test -r setup.log; then
# Can be caused by operator flipping PWPoolReady value on instance for debugging
pwst_warn "Setup log found, prior executions may have failed $(ctx 0)."
fi
pwst_msg "Setting up new instance"
# Ensure bash used for consistency && some ssh commands below
# don't play nicely with zsh.
$SSH ec2-user@$pub_dns sudo chsh -s /bin/bash ec2-user &> /dev/null
if ! $SCP $SETUP_SCRIPT $SPOOL_SCRIPT $SHDWN_SCRIPT ec2-user@$pub_dns:/var/tmp/; then
pwst_warn "Could not scp scripts to instance $(ctx 0)."
continue # try again next loop
fi
if ! $SCP $CIENV_SCRIPT ec2-user@$pub_dns:./; then
pwst_warn "Could not scp CI Env. script to instance $(ctx 0)."
continue # try again next loop
fi
if ! $SSH ec2-user@$pub_dns chmod +x "/var/tmp/*.sh" "./ci_env.sh"; then
pwst_warn "Could not chmod scripts $(ctx 0)."
continue # try again next loop
fi
# Keep runtime_hours_reduction w/in sensible, positive bounds.
if [[ $runtime_hours_reduction -ge $((PW_MAX_HOURS - CREATE_STAGGER_HOURS)) ]]; then
runtime_hours_reduction=$CREATE_STAGGER_HOURS
fi
shutdown_seconds=$((60*60*PW_MAX_HOURS - 60*60*runtime_hours_reduction))
[[ $shutdown_seconds -gt $((60*60*CREATE_STAGGER_HOURS)) ]] || \
die "Detected unacceptably short \$shutdown_seconds ($shutdown_seconds) value."
pwst_msg "Starting automatic instance recycling in $((shutdown_seconds/60/60)) hours"
# Darwin is really weird WRT active terminals and the shutdown
# command. Instead of installing a future shutdown, stick an
# immediate shutdown at the end of a long sleep. This is the
# simplest workaround I could find :S
# Darwin sleep only accepts seconds.
if ! $SSH ec2-user@$pub_dns bash -c \
"'sleep $shutdown_seconds && /var/tmp/shutdown.sh' </dev/null >>setup.log 2>&1 &"; then
pwst_warn "Could not start automatic instance recycling."
continue # try again next loop
fi
pwst_msg "Executing setup script."
# Run setup script in background b/c it takes ~10m to complete.
# N/B: This drops .setup.started and eventually (hopefully) .setup.done
if ! $SSH ec2-user@$pub_dns \
env POOLTOKEN=$POOLTOKEN \
bash -c "'/var/tmp/setup.sh $DH_REQ_TAG:\ $DH_REQ_VAL' </dev/null >>setup.log 2>&1 &"; then
# This is critical, no easy way to determine what broke.
force_term "Failed to start background setup script"
continue
fi
msg "Setup script started."
set_pw_status setup started
# No sense in incrementing if there was a failure running setup
# shellcheck disable=SC2199
if [[ "$@" =~ --force ]]; then
runtime_hours_reduction=$((runtime_hours_reduction + CREATE_STAGGER_HOURS))
fi
# Let setup run in the background
continue
fi
# Setup started in previous loop. Set to epoch on error.
since_timestamp=$($SSH ec2-user@$pub_dns tail -1 .setup.started || echo "@0")
since_epoch=$(date -u -d "$since_timestamp" +%s)
running_seconds=$((now_epoch-since_epoch))
# Be helpful to human monitors, show the last few lines from the log to help
# track progress and/or any errors/warnings.
pwst_msg "Setup incomplete; Running for $((running_seconds/60)) minutes (~10 typical)"
msg "setup.log tail: $($SSH ec2-user@$pub_dns tail -n 1 setup.log)"
if [[ $running_seconds -gt $SETUP_MAX_SECONDS ]]; then
force_term "Setup running for ${running_seconds}s, max ${SETUP_MAX_SECONDS}s."
fi
continue
fi
dbg "Instance setup has completed"
set_pw_status setup complete
# Spawned by setup.sh
dbg "Checking service_pool.sh script"
if ! $SSH ec2-user@$pub_dns pgrep -u ec2-user -q -f service_pool.sh; then
# This should not happen at this stage; Nefarious or uncontrolled activity?
force_term "Pool servicing script (service_pool.sh) is not running."
continue
fi
dbg "Checking cirrus listener"
state_fault=0
if ! $SSH ec2-user@$pub_dns pgrep -u "${name}-worker" -q -f "'cirrus worker run'"; then
# Don't try to examine prior state if there was none.
if ((n_pw_total)); then
for _pwentry in "${_pwstate[@]}"; do
read -r _name _setup_state _listener_state _tasks _taskf _junk <<<"$_pwentry"
dbg "Examining pw_state.txt entry '$_name' with listener state '$_listener_state'"
if [[ "$_name" == "$name" ]] && [[ "$_listener_state" != "alive" ]]; then
# service_pool.sh did not restart listener since last loop
# and node is not in maintenance mode (PWPoolReady == 'true')
force_term "Pool listener '$_listener_state' state fault."
state_fault=1
break
fi
done
fi
# The instance is in the process of shutting-down/terminating, move on to next instance.
if ((state_fault)); then
continue
fi
# Previous state didn't exist, or listener status was 'alive'.
# Process may have simply crashed, allow service_pool.sh time to restart it.
pwst_warn "Cirrus worker listener process NOT running, will recheck again $(ctx 0)."
# service_pool.sh should catch this and restart the listener. If not, the next time
# through this loop will force_term() the instance.
set_pw_status listener dead # service_pool.sh should restart listener
continue
else
set_pw_status listener alive
fi
dbg "Checking worker log"
logpath="/private/tmp/${name}-worker.log" # set in setup.sh
if ! $SSH ec2-user@$pub_dns cat "'$logpath'" &> "$logoutput"; then
# The "${name}-worker" user has write access to this log
force_term "Missing worker log $logpath."
continue
fi
dbg "Checking worker registration"
# First lines of log should always match this
if ! head -10 "$logoutput" | grep -q 'worker successfully registered'; then
# This could signal log manipulation by worker user, or it could be harmless.
pwst_warn "Missing registration log entry"
fi
# The CI user has write-access to this log file on the instance,
# make this known to humans in case they care.
n_started_tasks=$(grep -Ei 'started task [0-9]+' "$logoutput" | wc -l) || true
n_finished_tasks=$(grep -Ei 'task [0-9]+ completed' "$logoutput" | wc -l) || true
set_pw_status tasks $n_started_tasks
set_pw_status taskf $n_finished_tasks
msg "Apparent tasks started/finished/running: $n_started_tasks $n_finished_tasks $((n_started_tasks-n_finished_tasks)) (max $PW_MAX_TASKS)"
dbg "Checking apparent task limit"
# N/B: This is only enforced based on the _previous_ run of this script worker-count.
# Doing this on the _current_ alive worker count would add a lot of complexity.
if [[ "$n_finished_tasks" -gt $PW_MAX_TASKS ]] && [[ $n_pw_total -gt $PW_MIN_ALIVE ]]; then
# N/B: Termination based on _finished_ tasks, so if a task happens to be currently running
# it will very likely have _just_ started in the last few seconds. Cirrus will retry
# automatically on another worker.
force_term "Instance exceeded $PW_MAX_TASKS apparent tasks."
elif [[ $n_pw_total -le $PW_MIN_ALIVE ]]; then
pwst_warn "Not enforcing max-tasks limit, only $n_pw_total workers online last run."
fi
done
_I=""
msg " "
msg "Processing all persistent worker states."
for _dhentry in "${_dhstate[@]}"; do
read -r name otherstuff<<<"$_dhentry"
_f1=$name
_f2=$(<$TEMPDIR/${name}.setup)
_f3=$(<$TEMPDIR/${name}.listener)
_f4=$(<$TEMPDIR/${name}.tasks)
_f5=$(<$TEMPDIR/${name}.taskf)
_f6=$(<$TEMPDIR/${name}.comment)
[[ -z "$_f6" ]] || _f6=" # $_f6"
printf '%s %s %s %s %s%s\n' \
"$_f1" "$_f2" "$_f3" "$_f4" "$_f5" "$_f6" >> "$TEMPDIR/$(basename $PWSTATE)"
done
dbg "Creating/updating state file"
if [[ -r "$PWSTATE" ]]; then
cp "$PWSTATE" "${PWSTATE}~"
fi
mv "$TEMPDIR/$(basename $PWSTATE)" "$PWSTATE"

32
mac_pw_pool/Utilization.gnuplot
View File

@ -1,32 +0,0 @@
# Intended to be run like: `gnuplot -p -c Utilization.gnuplot`
# Requires a file named `utilization.csv` produced by commands
# in `Cron.sh`.
#
# Format Ref: http://gnuplot.info/docs_5.5/Overview.html
set terminal png enhanced rounded size 1400,800 nocrop
set output 'html/utilization.png'
set title "Persistent Workers & Utilization"
set xdata time
set timefmt "%Y-%m-%dT%H:%M:%S+00:00"
set xtics nomirror rotate timedate
set xlabel "time/date"
set xrange [(system("date -u -Iseconds -d '26 hours ago'")):(system("date -u -Iseconds"))]
set ylabel "Workers Online"
set ytics border nomirror numeric
# Not practical to lookup $DH_PFX from pw_lib.sh
set yrange [0:(system("grep -E '^[a-zA-Z0-9]+-[0-9]' dh_status.txt | wc -l") * 1.5)]
set y2label "Worker Utilization"
set y2tics border nomirror numeric
set y2range [0:100]
set datafile separator comma
set grid
plot 'utilization.csv' using 1:2 axis x1y1 title "Workers" pt 7 ps 2, \
'' using 1:((($3-$4)/$2)*100) axis x1y2 title "Utilization" with lines lw 2

50
mac_pw_pool/ci_env.sh
View File

@ -1,50 +0,0 @@
#!/bin/bash
# This script drops the caller into a bash shell inside an environment
# substantially similar to a Cirrus-CI task running on this host.
# The envars below may require adjustment to better fit them to
# current/ongoing development in podman's .cirrus.yml
set -eo pipefail
# Not running as the pool worker user
if [[ "$USER" == "ec2-user" ]]; then
PWINST=$(curl -sSLf http://instance-data/latest/meta-data/tags/instance/Name)
PWUSER=$PWINST-worker
if [[ ! -d "/Users/$PWUSER" ]]; then
echo "Warnin: Instance hasn't been setup. Assuming caller will tend to this."
sudo sysadminctl -addUser $PWUSER
fi
sudo install -o $PWUSER "${BASH_SOURCE[0]}" "/Users/$PWUSER/"
exec sudo su -c "/Users/$PWUSER/$(basename ${BASH_SOURCE[0]})" - $PWUSER
fi
# Export all CI-critical envars defined below
set -a
CIRRUS_SHELL="/bin/bash"
CIRRUS_TASK_ID="0123456789"
CIRRUS_WORKING_DIR="$HOME/ci/task-${CIRRUS_TASK_ID}"
GOPATH="$CIRRUS_WORKING_DIR/.go"
GOCACHE="$CIRRUS_WORKING_DIR/.go/cache"
GOENV="$CIRRUS_WORKING_DIR/.go/support"
CONTAINERS_MACHINE_PROVIDER="applehv"
MACHINE_IMAGE="https://fedorapeople.org/groups/podman/testing/applehv/arm64/fedora-coreos-38.20230925.dev.0-applehv.aarch64.raw.gz"
GINKGO_TAGS="remote exclude_graphdriver_btrfs btrfs_noversion exclude_graphdriver_devicemapper containers_image_openpgp remote"
DEBUG_MACHINE="1"
ORIGINAL_HOME="$HOME"
HOME="$HOME/ci"
TMPDIR="/private/tmp/ci"
mkdir -p "$TMPDIR" "$CIRRUS_WORKING_DIR"
# Drop caller into the CI-like environment
cd "$CIRRUS_WORKING_DIR"
bash -il

20
mac_pw_pool/html/index.html
View File

@ -1,20 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cirrus-CI Persistent Workers</title>
</head>
<body>
<center>
<a href="https://cirrus-ci.com/pool/1cf8c7f7d7db0b56aecd89759721d2e710778c523a8c91c7c3aaee5b15b48d05">
<img src="utilization.png">
</a>
<p>
<h3>
<a href="https://docs.google.com/document/d/1PX6UyqDDq8S72Ko9qe_K3zoV2XZNRQjGxPiWEkFmQQ4/edit">
Documentation
</a>
</h3>
</center>
</body>
</html>

69
mac_pw_pool/nightly_maintenance.sh
View File

@ -1,69 +0,0 @@
#!/bin/bash
set -euo pipefail
cd $(dirname "${BASH_SOURCE[0]}")
SCRIPTNAME="$(basename ${BASH_SOURCE[0]})"
WEB_IMG="docker.io/library/nginx:latest"
CRONLOG="Cron.log"
CRONSCRIPT="Cron.sh"
KEEP_LINES=10000
REFRESH_REPO_EVERY=7 # days
# Do not use, these are needed to control script execution.
_CNTNAME=pw_pool_web
_FLOCKER="${_FLOCKER:-notlocked}"
_RESTARTED_SCRIPT="${_RESTARTED_SCRIPT:-0}"
if [[ ! -r "$CRONLOG" ]] || [[ ! -r "$CRONSCRIPT" ]] || [[ ! -d "../.git" ]]; then
echo "ERROR: $SCRIPTNAME not executing from correct directory" >> /dev/stderr
exit 1
fi
relaunch_web_container() {
# Assume code change or image update, restart container.
(
# Prevent podman and/or sub-processes from inheriting the lock FD.
# This would deadlock all future runs of this script or Cron.sh
# Can't use `flock --close ...` here because it "hangs" in this context.
for fd_nr in $(/bin/ls /proc/self/fd/); do
[[ $fd_nr -ge 3 ]] || \
continue
# Bash doesn't allow direct substitution of the FD number
eval "exec $fd_nr>&-"
done
set -x
podman run --replace --name "$_CNTNAME" -d --rm --pull=newer -p 8080:80 \
-v $HOME/devel/automation/mac_pw_pool/html:/usr/share/nginx/html:ro,Z \
$WEB_IMG
)
echo "$SCRIPTNAME restarted pw_poolweb container"
}
# Don't perform maintenance while $CRONSCRIPT is running
[[ "${_FLOCKER}" != "$CRONSCRIPT" ]] && exec env _FLOCKER="$CRONSCRIPT" flock -e -w 300 "$CRONSCRIPT" "$0" "$@" || :
echo "$SCRIPTNAME running at $(date -u -Iseconds)"
if ! ((_RESTARTED_SCRIPT)); then
today=$(date -u +%d)
if ((today%REFRESH_REPO_EVERY)); then
git remote update && git reset --hard origin/main
# maintain the same flock
echo "$SCRIPTNAME updatedd code after $REFRESH_REPO_EVERY days, restarting script..."
env _RESTARTED_SCRIPT=1 _FLOCKER=$_FLOCKER "$0" "$@"
exit $? # all done
fi
fi
tail -n $KEEP_LINES $CRONLOG > ${CRONLOG}.tmp && mv ${CRONLOG}.tmp $CRONLOG
echo "$SCRIPTNAME rotated log"
# Always restart web-container when code changes, otherwise only if required
if ((_RESTARTED_SCRIPT)); then
relaunch_web_container
else
podman container exists "$_CNTNAME" || relaunch_web_container
fi

126
mac_pw_pool/pw_lib.sh
View File

@ -1,126 +0,0 @@
# This library is intended to be sourced by other scripts inside this
# directory. All other usage contexts may lead to unintended outcomes.
# only the IDs differ. Assumes the sourcing script defines a `dbg()`
# function.
SCRIPT_FILENAME=$(basename "$0") # N/B: Caller's arg0, not this library file path.
SCRIPT_DIRPATH=$(dirname "$0")
LIB_DIRPATH=$(dirname "${BASH_SOURCE[0]}")
REPO_DIRPATH=$(realpath "$LIB_DIRPATH/../")
TEMPDIR=$(mktemp -d -p '' "${SCRIPT_FILENAME}_XXXXX.tmp")
trap "rm -rf '$TEMPDIR'" EXIT
# Dedicated host name prefix; Actual name will have a "-<X>" (number) appended.
# N/B: ${DH_PFX}-<X> _MUST_ match dedicated host names as listed in dh_status.txt
# using the regex ^[a-zA-Z0-9]+-[0-9] (see Utilization.gnuplot)
DH_PFX="MacM1"
# Only manage dedicated hosts with the following tag & value
DH_REQ_TAG="purpose"
DH_REQ_VAL="prod"
# Path to file recording the most recent state of each dedicated host.
# Format is simply one line per dedicated host, with it's name, instance id, start
# date/time separated by a space. Exceptional conditions are recorded as comments
# with the name and details. File is refreshed/overwritten each time script runs
# without any fatal/uncaught command-errors. Intended for reference by humans
# and/or other tooling.
DHSTATE="${PWSTATE:-$LIB_DIRPATH/dh_status.txt}"
# Similar to $DHSTATE but records the status of each instance. Format is
# instance name, setup status, listener status, # started tasks, # finished tasks,
# or the word 'error' indicating a fault accessing the remote worker logfile.
# Optionally, there may be a final comment field, beginning with a # and text
# suggesting where there may be a fault.
# Possible status field values are as follows:
# setup - started, complete, disabled, error
# listener - alive, dead, disabled, error
PWSTATE="${PWSTATE:-$LIB_DIRPATH/pw_status.txt}"
# At maximum possible creation-speed, there's aprox. 2-hours of time between
# an instance going down, until another can be up and running again. Since
# instances are all on shutdown/terminated on pre-set timers, it would hurt
# pool availability if multiple instances all went down at the same time.
# Therefore, host and instance creations will be staggered by according
# to this interval.
CREATE_STAGGER_HOURS=2
# Instance shutdown controls (assumes terminate-on-shutdown behavior)
PW_MAX_HOURS=24 # Since successful configuration
PW_MAX_TASKS=24 # Logged by listener (N/B: Log can be manipulated by tasks!)
PW_MIN_ALIVE=3 # Bypass enforcement of $PW_MAX_TASKS if <= alive/operating workers
# How long to wait for setup.sh to finish running (drop a .setup.done file)
# before forcibly terminating.
SETUP_MAX_SECONDS=2400 # Typical time ~10 minutes, use 2x safety-factor.
# Name of launch template. Current/default version will be used.
# https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#LaunchTemplates:
TEMPLATE_NAME="${TEMPLATE_NAME:-Cirrus${DH_PFX}PWinstance}"
# Path to scripts to copy/execute on Darwin instances
SETUP_SCRIPT="$LIB_DIRPATH/setup.sh"
SPOOL_SCRIPT="$LIB_DIRPATH/service_pool.sh"
SHDWN_SCRIPT="$LIB_DIRPATH/shutdown.sh"
CIENV_SCRIPT="$LIB_DIRPATH/ci_env.sh"
# Set to 1 to enable debugging
X_DEBUG="${X_DEBUG:-0}"
# AWS CLI command and general args
AWS="aws --no-paginate --output=json --color=off --no-cli-pager --no-cli-auto-prompt"
# Common ssh/scp arguments
SSH_ARGS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -F /dev/null -o LogLevel=ERROR -o ConnectTimeout=13"
# ssh/scp commands to run w/ arguments
SSH="${SSH:-ssh -n $SSH_ARGS}" # N/B: default nulls stdin
SCP="${SCP:-scp -q $SSH_ARGS}"
# Indentation to prefix msg/warn/die messages with to assist humans understanding context.
_I="${_I:-}"
# Print details $1 (defaults to 1) calls above the caller in the stack.
# usage e.x. $(ctx 0) - print details about current function
# $(ctx) - print details about current function's caller
# $(ctx 2) - print details about current functions's caller's caller.
ctx() {
local above level
above=${1:-1}
level=$((1+$above))
script=$(basename ${BASH_SOURCE[$level]})
echo "($script:${FUNCNAME[$level]}():${BASH_LINENO[$above]})"
}
msg() { echo "${_I}${1:-No text message provided}"; }
warn() { echo "${1:-No warning message provided}" | awk -e '{print "'"${_I}"'WARNING: "$0}' >> /dev/stderr; }
die() { echo "${1:-No error message provided}" | awk -e '{print "'"${_I}"'ERROR: "$0}' >> /dev/stderr; exit 1; }
dbg() {
if ((X_DEBUG)); then
msg "${1:-No debug message provided} $(ctx 1)" | awk -e '{print "'"${_I}"'DEBUG: "$0}' >> /dev/stderr
fi
}
# Obtain a JSON string value by running the provided query filter (arg 1) on
# JSON file (arg 2). Return non-zero on jq error (1), or if value is empty
# or null (2). Otherwise print value and return 0.
jq_errf="$TEMPDIR/jq_error.output"
json_query() {
local value
local indent=" "
dbg "jq filter $1
$indent on $(basename $2) $(ctx)"
if ! value=$(jq -r "$1" "$2" 2>"$jq_errf"); then
dbg "$indent error: $(<$jq_errf)"
return 1
fi
if [[ -z "$value" ]] || [[ "$value" == "null" ]]; then
dbg "$indent result: Empty or null"
return 2
fi
dbg "$indent result: '$value'"
echo "$value"
return 0
}

79
mac_pw_pool/service_pool.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
# Launch Cirrus-CI PW Pool listener & manager process.
# Intended to be called once from setup.sh on M1 Macs.
# Expects configuration filepath to be passed as the first argument.
# Expects the number of hours until shutdown (and self-termination)
# as the second argument.
set -o pipefail
msg() { echo "##### ${1:-No message message provided}"; }
die() { echo "ERROR: ${1:-No error message provided}"; exit 1; }
for varname in PWCFG PWUSER PWREADYURL PWREADY; do
varval="${!varname}"
[[ -n "$varval" ]] || \
die "Env. var. \$$varname is unset/empty."
done
[[ "$USER" == "ec2-user" ]] || \
die "Expecting to execute as 'ec2-user'."
# All operations assume this CWD
cd $HOME
# For whatever reason, when this script is run through ssh, the default
# environment isn't loaded automatically.
. /etc/profile
# This can be leftover under certain conditions
# shellcheck disable=SC2154
sudo pkill -u $PWUSER -f "cirrus worker run" || true
# Configuring a launchd agent to run the worker process is a major
# PITA and seems to require rebooting the instance. Work around
# this with a really hacky loop masquerading as a system service.
# envar exported to us
# shellcheck disable=SC2154
while [[ -r $PWCFG ]] && [[ "$PWREADY" == "true" ]]; do # Remove file or change tag to shutdown this "service"
# The $PWUSER has access to kill it's own listener, or it could crash.
if ! pgrep -u $PWUSER -f -q "cirrus worker run"; then
# FIXME: CI Tasks will execute as $PWUSER and ordinarily would have
# read access to $PWCFG file containing $POOLTOKEN. While not
# disastrous, it's desirable to not leak potentially sensitive
# values. Work around this by keeping the file unreadable by
# $PWUSER except for a brief period while starting up.
sudo chmod 0644 $PWCFG
msg "$(date -u -Iseconds) Starting PW pool listener as $PWUSER"
# This is intended for user's setup.log
# shellcheck disable=SC2024
sudo su -l $PWUSER -c "/opt/homebrew/bin/cirrus worker run --file $PWCFG &" >>setup.log 2>&1 &
sleep 10 # eek!
sudo chmod 0600 $PWCFG
fi
# This can fail on occasion for some reason
# envar exported to us
# shellcheck disable=SC2154
if ! PWREADY=$(curl -sSLf $PWREADYURL); then
PWREADY="recheck"
fi
# Avoid re-launch busy-wait
sleep 10
# Second-chance
if [[ "$PWREADY" == "recheck" ]] && ! PWREADY=$(curl -sSLf $PWREADYURL); then
msg "Failed twice to obtain PWPoolReady instance tag. Disabling listener."
rm -f "$PWCFG"
break
fi
done
set +e
msg "Configuration file not readable; PWPoolReady tag '$PWREADY'."
msg "Terminating $PWUSER PW pool listner process"
# N/B: This will _not_ stop the cirrus agent (i.e. a running task)
sudo pkill -u $PWUSER -f "cirrus worker run"

251
mac_pw_pool/setup.sh
View File

@ -1,251 +0,0 @@
#!/bin/bash
# Setup and launch Cirrus-CI PW Pool node. It must be called
# with the env. var. `$POOLTOKEN` set. It is assumed to be
# running on a fresh AWS EC2 mac2.metal instance as `ec2-user`
# The instance must have both "metadata" and "Allow tags in
# metadata" options enabled. The instance must set the
# "terminate" option for "shutdown behavior".
#
# This script should be called with a single argument string,
# of the label YAML to configure. For example "purpose: prod"
#
# N/B: Under special circumstances, this script (possibly with modifications)
# can be executed more than once. All operations which modify state/config.
# must be wrapped in conditional checks.
set -eo pipefail
GVPROXY_RELEASE_URL="https://github.com/containers/gvisor-tap-vsock/releases/latest/download/gvproxy-darwin"
STARTED_FILE="$HOME/.setup.started"
COMPLETION_FILE="$HOME/.setup.done"
# Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
PWNAME=$(curl -sSLf http://instance-data/latest/meta-data/tags/instance/Name)
PWREADYURL="http://instance-data/latest/meta-data/tags/instance/PWPoolReady"
PWREADY=$(curl -sSLf $PWREADYURL)
PWUSER=$PWNAME-worker
rm -f /private/tmp/*_cfg_*
PWCFG=$(mktemp /private/tmp/${PWNAME}_cfg_XXXXXXXX)
PWLOG="/private/tmp/${PWUSER}.log"
msg() { echo "##### ${1:-No message message provided}"; }
die() { echo "ERROR: ${1:-No error message provided}"; exit 1; }
die_if_empty() {
local tagname
tagname="$1"
[[ -n "$tagname" ]] || \
die "Unexpectedly empty instance '$tagname' tag, is metadata tag access enabled?"
}
[[ -n "$POOLTOKEN" ]] || \
die "Must be called with non-empty \$POOLTOKEN set."
[[ "$#" -ge 1 ]] || \
die "Must be called with a 'label: value' string argument"
echo "$1" | grep -i -q -E '^[a-z0-9]+:[ ]?[a-z0-9]+' || \
die "First argument must be a string in the format 'name: value'. Not: '$1'"
msg "Configuring pool worker for '$1' tasks."
[[ ! -r "$COMPLETION_FILE" ]] || \
die "Appears setup script already ran at '$(cat $COMPLETION_FILE)'"
[[ "$USER" == "ec2-user" ]] || \
die "Expecting to execute as 'ec2-user'."
die_if_empty PWNAME
die_if_empty PWREADY
[[ "$PWREADY" == "true" ]] || \
die "Found PWPoolReady tag not set 'true', aborting setup."
# All operations assume this CWD
cd $HOME
# Checked by instance launch script to monitor setup status & progress
msg $(date -u -Iseconds | tee "$STARTED_FILE")
msg "Configuring paths"
grep -q homebrew /etc/paths || \
echo -e "/opt/homebrew/bin\n/opt/homebrew/opt/coreutils/libexec/gnubin\n$(cat /etc/paths)" \
| sudo tee /etc/paths > /dev/null
# For whatever reason, when this script is run through ssh, the default
# environment isn't loaded automatically.
. /etc/profile
msg "Installing podman-machine, testing, and CI deps. (~5-10m install time)"
if [[ ! -x /usr/local/bin/gvproxy ]]; then
declare -a brew_taps
declare -a brew_formulas
brew_taps=(
# Required to use upstream vfkit
cfergeau/crc
# Required to use upstream krunkit
slp/krunkit
)
brew_formulas=(
# Necessary for worker-pool participation + task execution
cirruslabs/cli/cirrus
# Necessary for building podman|buildah|skopeo
go go-md2man coreutils pkg-config pstree gpgme
# Necessary to compress the podman repo tar
zstd
# Necessary for testing podman-machine
vfkit
# Necessary for podman-machine libkrun CI testing
krunkit
)
# msg() includes a ##### prefix, ensure this text is simply
# associated with the prior msg() output.
echo " Adding taps[] ${brew_taps[*]}"
echo " before installing formulas[] ${brew_formulas[*]}"
for brew_tap in "${brew_taps[@]}"; do
brew tap $brew_tap
done
brew install "${brew_formulas[@]}"
# Normally gvproxy is installed along with "podman" brew. CI Tasks
# on this instance will be running from source builds, so gvproxy must
# be install from upstream release.
curl -sSLfO "$GVPROXY_RELEASE_URL"
sudo install -o root -g staff -m 0755 gvproxy-darwin /usr/local/bin/gvproxy
rm gvproxy-darwin
fi
msg "Setting up hostname"
# Make host easier to identify from CI logs (default is some
# random internal EC2 dns name).
if [[ "$(uname -n)" != "$PWNAME" ]]; then
sudo hostname $PWNAME
sudo scutil --set HostName $PWNAME
sudo scutil --set ComputerName $PWNAME
fi
msg "Adding/Configuring PW User"
if ! id "$PWUSER" &> /dev/null; then
sudo sysadminctl -addUser $PWUSER
fi
msg "Setting up local storage volume for PW User"
if ! mount | grep -q "$PWUSER"; then
# User can't remove own pre-existing homedir crap during cleanup
sudo rm -rf /Users/$PWUSER/*
sudo rm -rf /Users/$PWUSER/.??*
# This is really clunky, but seems the best that Apple Inc. can support.
# Show what is being worked with to assist debugging
diskutil list virtual
local_storage_volume=$(diskutil list virtual | \
grep -m 1 -B 5 "InternalDisk" | \
grep -m 1 -E '^/dev/disk[0-9].+synthesized' | \
awk '{print $1}')
(
set -x
# Fail hard if $local_storage_volume is invalid, otherwise show details to assist debugging
diskutil info "$local_storage_volume"
# CI $TEMPDIR - critical for podman-machine storage performance
ci_tempdir="/private/tmp/ci"
mkdir -p "$ci_tempdir"
sudo diskutil apfs addVolume "$local_storage_volume" APFS "ci_tempdir" -mountpoint "$ci_tempdir"
sudo chown $PWUSER:staff "$ci_tempdir"
sudo chmod 1770 "$ci_tempdir"
# CI-user's $HOME - not critical but might as well make it fast while we're
# adding filesystems anyway.
ci_homedir="/Users/$PWUSER"
sudo diskutil apfs addVolume "$local_storage_volume" APFS "ci_homedir" -mountpoint "$ci_homedir"
sudo chown $PWUSER:staff "$ci_homedir"
sudo chmod 0750 "$ci_homedir"
df -h
)
# Disk indexing is useless on a CI system, and creates un-deletable
# files whereever $TEMPDIR happens to be pointing. Ignore any
# individual volume failures that have an unknown state.
sudo mdutil -a -i off || true
# User likely has pre-existing system processes trying to use
# the (now) over-mounted home directory.
sudo pkill -u $PWUSER || true
fi
msg "Setting up Rosetta"
# Rosetta 2 enables arm64 Mac to use Intel Apps. Only install if not present.
if ! arch -arch x86_64 /usr/bin/uname -m; then
sudo softwareupdate --install-rosetta --agree-to-license
echo -n "Confirming rosetta is functional"
if ! arch -arch x86_64 /usr/bin/uname -m; then
die "Rosetta installed but non-functional, see setup log for details."
fi
fi
msg "Restricting appstore/software install to admin-only"
# Abuse the symlink existance as a condition for running `sudo defaults write ...`
# since checking the state of those values is complex.
if [[ ! -L /usr/local/bin/softwareupdate ]]; then
# Ref: https://developer.apple.com/documentation/devicemanagement/softwareupdate
sudo defaults write com.apple.SoftwareUpdate restrict-software-update-require-admin-to-install -bool true
sudo defaults write com.apple.appstore restrict-store-require-admin-to-install -bool true
# Unf. interacting with the rosetta installer seems to bypass both of the
# above settings, even when run as a regular non-admin user. However, it's
# also desireable to limit use of the utility in a CI environment generally.
# Since /usr/sbin is read-only, but /usr/local is read-write and appears first
# in $PATH, deploy a really fragile hack as an imperfect workaround.
sudo ln -sf /usr/bin/false /usr/local/bin/softwareupdate
fi
# FIXME: Semi-secret POOLTOKEN value should not be in this file.
# ref: https://github.com/cirruslabs/cirrus-cli/discussions/662
cat << EOF | sudo tee $PWCFG > /dev/null
---
name: "$PWNAME"
token: "$POOLTOKEN"
labels:
$1
log:
file: "${PWLOG}"
security:
allowed-isolations:
none: {}
EOF
sudo chown ${USER}:staff $PWCFG
# Monitored by instance launch script
echo "# Log created $(date -u -Iseconds) - do not manually remove or modify!" > $PWLOG
sudo chown ${USER}:staff $PWLOG
sudo chmod g+rw $PWLOG
if ! pgrep -q -f service_pool.sh; then
# Allow service_pool.sh access to these values
export PWCFG
export PWUSER
export PWREADYURL
export PWREADY
msg "Spawning listener supervisor process."
/var/tmp/service_pool.sh </dev/null >>setup.log 2>&1 &
disown %-1
else
msg "Warning: Listener supervisor already running"
fi
# Monitored by instance launch script
date -u -Iseconds >> "$COMPLETION_FILE"

38
mac_pw_pool/shutdown.sh
View File

@ -1,38 +0,0 @@
#!/bin/bash
# Script intended to be called by automation only.
# Should never be called from any other context.
# Log on the off-chance it somehow helps somebody debug something one day
(
echo "Starting ${BASH_SOURCE[0]} at $(date -u -Iseconds)"
PWNAME=$(uname -n)
PWUSER=$PWNAME-worker
if id -u "$PWUSER" &> /dev/null; then
# Try to not reboot while a CI task is running.
# Cirrus-CI imposes a hard-timeout of 2-hours.
now=$(date -u +%s)
timeout_at=$((now+60*60*2))
echo "Waiting up to 2 hours for any pre-existing cirrus agent (i.e. running task)"
while pgrep -u $PWUSER -q -f "cirrus-ci-agent"; do
if [[ $(date -u +%s) -gt $timeout_at ]]; then
echo "Timeout waiting for cirrus-ci-agent to terminate"
break
fi
echo "Found cirrus-ci-agent still running, waiting..."
sleep 60
done
fi
echo "Initiating shutdown at $(date -u -Iseconds)"
# This script is run with a sleep in front of it
# as a workaround for darwin's shutdown-command
# terminal weirdness.
sudo shutdown -h now "Automatic instance recycling"
) < /dev/null >> setup.log 2>&1

206
renovate/defaults.json5
View File

@ -4,20 +4,21 @@ Validate this file before commiting with (from repository root):
podman run -it \
-v ./renovate/defaults.json5:/usr/src/app/renovate.json5:z \
ghcr.io/renovatebot/renovate:latest \
docker.io/renovate/renovate:latest \
renovate-config-validator
and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
*/
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"description": "This is a basic preset intended\
for reuse to reduce the amount of boiler-plate\
configuration that otherwise would need to be\
duplicated. It should be referenced from other\
repositories renovate config under the 'extends'\
section as: github>containers/automation//renovate/defaults.json5\
section as:\
github>containers/automation//renovate/defaults.json5\
(optionally with a '#X.Y.Z' version-tag suffix).",
/*************************************************
@ -27,13 +28,13 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
// Re-use predefined sets of configuration options to DRY
"extends": [
// https://docs.renovatebot.com/presets-config/#configbase
"config:recommended",
"config:base",
// https://docs.renovatebot.com/presets-default/#gitsignoff
":gitSignOff",
// Always rebase dep. update PRs from `main` when PR is stale
":rebaseStalePrs"
":rebaseStalePrs",
],
// The default setting is ambiguous, explicitly base schedules on UTC
@ -48,7 +49,6 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
// Default setting is an "empty" schedule. Explicitly set this
// such that security-alert PRs may be opened immediately.
"vulnerabilityAlerts": {
// Distinguish PRs from regular dependency updates
"labels": ["dependencies", "security"],
// Force-enable renovate management of deps. which are otherwise
@ -57,13 +57,16 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
// (last-match wins rule).
"enabled": true,
// Note: As of 2024-06-25 indirect golang dependency handling is
// broken in Renovate, and disabled by default. This affects
// vulnerabilityAlerts in that if the dep is 'indirect' no PR
// will ever open, it must be handled manually. Attempting
// to enable indirect deps (for golang) in this section will
// not work, it will always be overriden by the global golang
// indirect dep. setting.
// Indirect dependencies are disabled by default for the `gomod` manager.
// However, for vulnerability updates we may want them even if they break
// during renovate's automatic top-level `go mod tidy`.
"packageRules": [
{
"matchManagers": ["gomod"],
"matchDepTypes": ["indirect"],
"enabled": true,
}
]
},
// On a busy repo, automatic-rebasing will swamp the CI system.
@ -71,16 +74,67 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
// it as appropriate.
"rebaseWhen": "never",
/*************************************************
***** Golang-specific configuration options *****
*************************************************/
"golang": {
// disabled by default, safe to enable since "tidy" enforced by CI.
"postUpdateOptions": ["gomodTidy"],
// In case a version in use is retracted, allow going backwards.
// N/B: This is NOT compatible with pseudo versions, see below.
"rollbackPrs": false,
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace",
// N/B: LAST MATCHING RULE WINS
// https://docs.renovatebot.com/configuration-options/#packagerules
"packageRules": [
// Golang pseudo-version packages will spam with every Commit ID change.
// Limit update frequency.
{
"matchUpdateTypes": ["digest"],
"schedule": ["after 1am and before 11am on the first day of the month"],
},
// Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
// is broken in Renovate. And no repo should use these retracted versions.
// ref: https://github.com/renovatebot/renovate/issues/13012
{
"matchPackageNames": ["github.com/containers/common"],
// Both v1.0.0 and v1.0.1 should be ignored.
"allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
},
],
},
/*************************************************
***** Rust-specific configuration options *****
*************************************************/
"rust": {
// Update both Cargo.toml and Cargo.lock when possible
// i.e. bump the range even if the new version satisfies the existing range.
// https://docs.renovatebot.com/configuration-options/#rangestrategy
"rangeStrategy": "bump",
},
/*************************************************
***** Python-specific configuration options *****
*************************************************/
"python": {
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace",
},
/**************************************************
***** Manager-specific configuration options *****
**************************************************/
"customManagers": [
// Track the latest CI VM images by tag on the containers/automation_images
// repo. Propose updates when newer tag available compared to what is
// referenced in a repo's .cirrus.yml file.
"regexManagers": [
{
"customType": "regex",
"fileMatch": "^.cirrus.yml$",
// Expected veresion format: c<automation_images IMG_SFX value>
// For example `c20230120t152650z-f37f36u2204`
@ -88,119 +142,35 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
"depNameTemplate": "containers/automation_images",
"datasourceTemplate": "github-tags",
"versioningTemplate": "loose",
"autoReplaceStringTemplate": "c{{{newVersion}}}"
"autoReplaceStringTemplate": "c{{{newVersion}}}",
},
// For skopeo and podman, manage the golangci-lint version as
// referenced in their Makefile.
{
"customType": "regex",
"fileMatch": "^Makefile$",
// make ignores whitespace around the value, make renovate do the same.
"matchStrings": [
"GOLANGCI_LINT_VERSION\\s+:=\\s+(?<currentValue>.+)\\s*"
],
"matchStrings": ["GOLANGCI_LINT_VERSION\\s+:=\\s+(?<currentValue>.+)\\s*"],
"depNameTemplate": "golangci/golangci-lint",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver-coerced",
// Podman's installer script will puke if there's a 'v' prefix, as represented
// in upstream golangci/golangci-lint releases.
"extractVersionTemplate": "v(?<version>.+)"
"extractVersionTemplate": "v(?<version>.+)",
}
],
/*************************************************
***** Language-specific configuration options ****
**************************************************/
// ***** ATTENTION WARNING CAUTION DANGER ***** //
// Go versions 1.21 and later will AUTO-UPDATE based on _module_
// _requirements_. ref: https://go.dev/doc/toolchain Because
// many different projects covered by this config, build under
// different distros and distro-versions, golang version consistency
// is desireable across build outputs. In golang 1.21 and later,
// it's possible to pin the version in each project using the
// toolchain go.mod directive. This should be done to prevent
// unwanted auto-updates.
// Ref: Upstream discussion https://github.com/golang/go/issues/65847
"constraints": {"go": "1.23"},
// N/B: LAST MATCHING RULE WINS, match statems are ANDed together.
// https://docs.renovatebot.com/configuration-options/#packagerules
"packageRules": [
/*************************************************
****** Rust-specific configuration options *******
**************************************************/
// Workaround: rollbackPRs are not compatible with digest updates.
// This is a catch-the-rest rule which must appear AFTER the go
// "digest" rule (above).
// Ref: https://github.com/renovatebot/renovate/discussions/18250
{
"matchCategories": ["rust"],
// Update both Cargo.toml and Cargo.lock when possible
// i.e. bump the range even if the new version satisfies the existing range.
// https://docs.renovatebot.com/configuration-options/#rangestrategy
"rangeStrategy": "bump"
"matchLanguages": ["go"],
// Open rollback PR if updated dep. is removed (i.e. tag pulled
// due to major bug or security issue).
"rollbackPrs": true,
},
{
"matchCategories": ["rust"],
"matchPackageNames": ["serde", "clap"],
// Update both Cargo.toml and Cargo.lock when possible
"rangeStrategy": "bump",
// These packages roll updates far too often, slow them down.
// Ref: https://github.com/containers/netavark/issues/772
"schedule": ["after 1am and before 11am on the first day of the month"]
},
/*************************************************
****** Python-specific configuration options *****
**************************************************/
{
"matchCategories": ["python"],
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace"
},
/*************************************************
****** Golang-specific configuration options *****
**************************************************/
{
"matchCategories": ["golang"],
// disabled by default, safe to enable since "tidy" enforced by CI.
"postUpdateOptions": ["gomodTidy"],
// In case a version in use is retracted, allow going backwards.
// N/B: This is NOT compatible with pseudo versions, see below.
"rollbackPrs": false,
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace"
},
// Golang pseudo-version packages will spam with every Commit ID change.
// Limit update frequency.
{
"matchCategories": ["golang"],
"matchUpdateTypes": ["digest"],
"schedule": ["after 1am and before 11am on the first day of the month"]
},
// Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
// is broken in Renovate. And no repo should use these retracted versions.
// ref: https://github.com/renovatebot/renovate/issues/13012
{
"matchCategories": ["golang"],
"matchPackageNames": ["github.com/containers/common"],
// Both v1.0.0 and v1.0.1 should be ignored.
"allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
},
// Skip updating the go.mod toolchain directive, humans will manage this.
{
"matchCategories": ["golang"],
"matchDepTypes": ["toolchain"],
"enabled": false
},
/*************************************************
************ CI configuration options ************
**************************************************/
// Github-action updates cannot consistently be tested in a PR.
// This is caused by an unfixable architecture-flaw: Execution
// context always depends on trigger, and we (obvious) can't know
@ -217,13 +187,13 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
// example, flagging an important TODO or FIXME item. Or, where CI VM
// images are split across multiple IMG_SFX values that all need to be updated.
{
"matchManagers": ["custom.regex"],
"matchFileNames": [".cirrus.yml"],
"matchManagers": ["regex"],
"matchFiles": [".cirrus.yml"], // full-path exact-match
"groupName": "CI VM Image",
// Somebody(s) need to check image update PRs as soon as they open.
"reviewers": ["Luap99"],
"reviewers": ["cevich"],
// Don't wait, roll out CI VM Updates immediately
"schedule": ["at any time"]
"schedule": ["at any time"],
},
]
],
}