Define a stable uid for the sssd user. #1024
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and test FreeIPA containers | |
on: | |
push: | |
pull_request: | |
workflow_dispatch: | |
schedule: | |
- cron: '15 4 * * 1,3,5' | |
jobs: | |
build: | |
name: Build image | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ fedora-rawhide, fedora-41, fedora-40, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ] | |
docker: [ docker ] | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Separate git work tree with just the files needed for build | |
run: git worktree add --no-checkout ../minimize-for-build | |
- name: Populate with the Dockerfile | |
run: cd ../minimize-for-build && git checkout HEAD Dockerfile.${{ matrix.os }} | |
- name: Populate with files referenced from the Dockerfile | |
run: cd ../minimize-for-build && awk '/^(ADD|COPY)/ { for (i = 2; i < NF; i++) print $i }' Dockerfile.${{ matrix.os }} | while read f ; do git checkout HEAD $f ; done | |
- name: Ensure docker images sees the named parent image | |
run: awk '$1 == "FROM" { print $2 ; exit }' ../minimize-for-build/Dockerfile.${{ matrix.os }} | xargs ${{ matrix.docker }} pull | |
- name: Build image | |
run: ${{ matrix.docker }} build -t localhost/freeipa-server:${{ matrix.os }} -f Dockerfile.${{ matrix.os }} ../minimize-for-build | |
- name: Label the built image | |
run: docker="${{ matrix.docker }}" ./ci/label-image.sh Dockerfile.${{ matrix.os }} localhost/freeipa-server:${{ matrix.os }} $( cd ../minimize-for-build && git write-tree ) "${{ github.server_url }}/${{ github.repository }}" "actions/runs/${{ github.run_id }}" | |
- name: File issue if building image failed | |
if: ${{ failure() && github.event_name == 'schedule' }} | |
run: | | |
curl -s '${{ github.api_url }}/repos/${{ github.repository }}/issues?labels=image-build-fail' | jq -r '.[0].state' | grep open \ | |
|| curl -s -X POST \ | |
--url ${{ github.api_url }}/repos/${{ github.repository }}/issues \ | |
-H 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ | |
-H 'Accept: application/vnd.github.v3+json' \ | |
-d '{ | |
"title": "Image build for ${{ matrix.os }} failed on '$( date -I )'", | |
"body": "This issue was automatically created by GitHub Action\n\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}.\n", | |
"labels": ["image-build-fail" ] | |
}' | |
- name: Create directory for artifacts | |
run: mkdir freeipa-server-${{ matrix.os }} | |
- name: Save image | |
run: ${{ matrix.docker }} save localhost/freeipa-server:${{ matrix.os }} | gzip > freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
path: freeipa-server-${{ matrix.os }} | |
retention-days: 1 | |
- name: Check resulting labels | |
run: | | |
skopeo inspect docker-archive:freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz | jq '.Labels' | |
diff -u <( skopeo inspect docker://quay.io/freeipa/freeipa-server:${{ matrix.os }} | jq '.Labels' ) <( skopeo inspect docker-archive:freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz | jq '.Labels' ) || true | |
shell: bash | |
test-docker: | |
name: Run with docker | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-41 | |
- os: fedora-41 | |
readonly: --read-only | |
volume: freeipa-data | |
- os: fedora-41 | |
readonly: --read-only | |
- os: fedora-rawhide | |
- os: fedora-rawhide | |
readonly: --read-only | |
ca: --external-ca | |
volume: freeipa-data | |
- os: centos-9-stream | |
- os: centos-9-stream | |
readonly: --read-only | |
volume: freeipa-data | |
- os: centos-9-stream | |
readonly: --read-only | |
ca: --external-ca | |
os: [ fedora-40, almalinux-9, rocky-8 ] | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/docker-cgroups-ubuntu-22 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- run: docker volume create ${{ matrix.volume }} | |
if: ${{ matrix.volume }} == freeipa-data | |
- name: Run master and replica | |
run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} VOLUME=${{ matrix.volume }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
- name: Show package difference | |
if: ${{ failure() }} | |
run: diff -U 0 <( docker run --rm --entrypoint rpm quay.io/freeipa/freeipa-server:${{ matrix.os }} -qa | sort ) <( docker run --rm --entrypoint rpm localhost/freeipa-server:${{ matrix.os }} -qa | sort ) || true | |
- name: Run partial tests | |
if: ${{ failure() }} | |
run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }} | |
test-rootless-docker: | |
name: Run with rootless docker | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-rawhide | |
readonly: --read-only | |
- os: fedora-41 | |
readonly: --read-only | |
volume: freeipa-data | |
- os: rocky-9 | |
readonly: --read-only | |
- os: almalinux-8 | |
readonly: --read-only | |
volume: freeipa-data | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- run: sudo systemctl disable --now docker.service docker.socket | |
- run: curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- run: docker volume create ${{ matrix.volume }} | |
if: ${{ matrix.volume }} == freeipa-data | |
- name: Run master and replica | |
run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} VOLUME=${{ matrix.volume }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
- name: Run partial tests | |
if: ${{ failure() }} | |
run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }} | |
test-docker-20-04: | |
name: Run with docker on Ubuntu 20.04 with hybrid cgroups | |
runs-on: ubuntu-20.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-41 | |
readonly: --read-only | |
- os: centos-9-stream | |
readonly: --read-only | |
timeout-minutes: 30 | |
steps: | |
- run: ls -la /sys/fs/cgroup/unified | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- name: Run master and replica | |
run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
- name: Run partial tests | |
if: ${{ failure() }} | |
run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }} | |
test-podman: | |
name: Run with sudo podman 4 | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ fedora-41, centos-9-stream ] | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install podman 4.* | |
uses: ./.github/actions/install-podman-4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | sudo podman load | |
- name: Run master and replica | |
run: docker='sudo podman' tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
- name: Run partial tests | |
if: ${{ failure() }} | |
run: docker='sudo podman' tests/run-partial-tests.sh Dockerfile.${{ matrix.os }} | |
test-rootless-podman: | |
name: Run with rootless podman 4 | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-41 | |
readonly: --read-only | |
volume: freeipa-data | |
- os: almalinux-9 | |
readonly: --read-only | |
volume: freeipa-data | |
- os: rocky-8 | |
readonly: --read-only | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install podman 4.* | |
uses: ./.github/actions/install-podman-4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load | |
- run: podman volume create ${{ matrix.volume }} | |
if: ${{ matrix.volume }} == freeipa-data | |
- name: Run master and replica | |
run: docker=podman VOLUME=${{ matrix.volume }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
- name: Run partial tests | |
if: ${{ failure() }} | |
run: docker=podman tests/run-partial-tests.sh Dockerfile.${{ matrix.os }} | |
test-upgrade: | |
name: Upgrade from older version or build | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-rawhide | |
data-from: fedora-41 | |
- os: fedora-41 | |
data-from: fedora-41 | |
- os: fedora-41 | |
data-from: fedora-40 | |
- os: fedora-40 | |
data-from: fedora-39 | |
- os: rocky-8 | |
data-from: centos-8-certs-updated-data | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/docker-cgroups-ubuntu-22 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- name: Populate volume with data | |
run: docker volume create loaded-data && docker create --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop && mkdir /tmp/freeipa-data && docker run --security-opt label=disable --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out' | |
- name: Run master and replica | |
run: VOLUME=/tmp/freeipa-data tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
test-upgrade-podman: | |
name: Upgrade from older version with podman 4 | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-41 | |
data-from: fedora-40 | |
- os: almalinux-8 | |
data-from: centos-8-certs-updated-data | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install podman 4.* | |
uses: ./.github/actions/install-podman-4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load | |
- name: Populate volume with data | |
run: podman volume create loaded-data && podman run --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop || true | |
- name: Copy the content of the volume to directory | |
run: mkdir /tmp/freeipa-data && podman run --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out' | |
- name: Run master and replica | |
run: docker=podman VOLUME=/tmp/freeipa-data tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
test-upgrade-20-04: | |
name: Upgrade from older version or build on Ubuntu 20.04 | |
runs-on: ubuntu-20.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: fedora-41 | |
data-from: fedora-41 | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- name: Populate volume with data | |
run: docker volume create loaded-data && docker create --name loaded-data -v loaded-data:/data:z quay.io/freeipa/freeipa-server:data-${{ matrix.data-from }} noop && mkdir /tmp/freeipa-data && docker run --security-opt label=disable --volumes-from loaded-data -v /tmp/freeipa-data:/data-out:z --rm docker.io/library/busybox sh -c 'cd /data && cp -a . /data-out' | |
- name: Run master and replica | |
run: VOLUME=/tmp/freeipa-data tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |
test-k3s: | |
name: Run with K3s with docker | |
runs-on: ubuntu-22.04 | |
needs: [ build ] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ fedora-rawhide, fedora-41, rocky-9, almalinux-8, centos-9-stream ] | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/docker-cgroups-ubuntu-22 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Download latest cri-dockerd | |
run: curl -s ${{ github.api_url }}/repos/Mirantis/cri-dockerd/releases/latest | jq -r '.assets[].browser_download_url' | grep jammy_amd64.deb | tee /dev/stderr | xargs curl -LO | |
- name: Install cri-dockerd | |
run: sudo apt install -y ./cri-dockerd_*.deb | |
- name: Unset network-plugin | |
run: | | |
sudo mkdir /etc/systemd/system/cri-docker.service.d | |
( echo '[Service]' ; echo 'ExecStart=' ; sed 's/ExecStart=.*/& --network-plugin=/;t;d' /lib/systemd/system/cri-docker.service ) | sudo tee /etc/systemd/system/cri-docker.service.d/network-plugin.conf | |
sudo systemctl daemon-reload | |
sudo systemctl restart cri-docker | |
- name: Load image | |
run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load | |
- name: Run K3s and master in it | |
run: tests/run-master-in-k3s.sh localhost/freeipa-server:${{ matrix.os }} | |
push-after-success: | |
name: Push images to registries | |
runs-on: ubuntu-22.04 | |
needs: [ test-docker, test-rootless-docker, test-docker-20-04, test-podman, test-rootless-podman, test-upgrade, test-upgrade-20-04, test-k3s ] | |
if: github.event_name != 'pull_request' && github.repository == 'freeipa/freeipa-container' && github.ref == 'refs/heads/master' | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ fedora-rawhide, fedora-41, fedora-40, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ] | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
name: freeipa-server-${{ matrix.os }} | |
- name: Prepare authentication file | |
run: | | |
cat > auth.json << 'EOF' | |
${{ secrets.REGISTRY_CREDENTIALS_FILE }} | |
EOF | |
- name: Copy ${{ matrix.os }} to registries | |
run: | | |
set -e | |
f=docker-archive:freeipa-server-${{ matrix.os }}.tar.gz | |
while read r ; do | |
if cmp \ | |
<( skopeo inspect $r:${{ matrix.os }} \ | |
| jq -r '.Labels."org.opencontainers.image.base.digest", .Labels."org.opencontainers.image.version"' ) \ | |
<( skopeo inspect $f \ | |
| jq -r '.Labels."org.opencontainers.image.base.digest", .Labels."org.opencontainers.image.version"' ) ; then | |
echo Built freeipa-server:${{ matrix.os }} is the same as image at ${r#docker://}, not pushing | |
continue | |
fi | |
echo Copying freeipa-server:${{ matrix.os }} to ${r#docker://} | |
skopeo copy --authfile=auth.json $f $r:${{ matrix.os }} | |
VERSION=$( skopeo inspect --format='{{index .Labels "org.opencontainers.image.version"}}' $f | sed 's/-.*//' ) | |
test -n "$VERSION" | |
skopeo copy --authfile=auth.json $r:${{ matrix.os }} $r:${{ matrix.os }}-$VERSION | |
echo Tagged as ${{ matrix.os }}-$VERSION as well | |
done << 'EOF' | |
${{ secrets.REGISTRY_TARGET_LIST }} | |
EOF | |
test-subscription: | |
# Workaround https://github.com/actions/runner/issues/1138 | |
name: Prerequisite for RHEL builds | |
runs-on: ubuntu-latest | |
timeout-minutes: 1 | |
outputs: | |
has_rhel_subscriptions: ${{ steps.check.outputs.has_rhel_subscriptions }} | |
steps: | |
- id: check | |
run: | | |
if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then | |
echo "has_rhel_subscriptions=1" >> $GITHUB_OUTPUT | |
fi | |
build-test-rhel-podman: | |
name: Build and test RHEL image | |
runs-on: ubuntu-22.04 | |
needs: [ test-subscription ] | |
if: needs.test-subscription.outputs.has_rhel_subscriptions == 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ rhel-9, rhel-8 ] | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install podman 4.* | |
uses: ./.github/actions/install-podman-4 | |
- name: For RHEL builds, use entitlements | |
uses: ./.github/actions/podman-entitlement | |
with: | |
org: ${{ secrets.REDHAT_ORG }} | |
activationkey: ${{ secrets.REDHAT_ACTIVATIONKEY }} | |
- name: Build image | |
run: podman build -t localhost/freeipa-server:${{ matrix.os }} -f Dockerfile.${{ matrix.os }} . | |
- name: Run master | |
run: docker=podman tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} | |