[CI] WIP: Add a VM-based Jenkins pipeline

New Jenkins pipeline runs a Docker container that creates a minimal VM based on https://github.com/gramineproject/device-testing-tools repo and runs a subset of Gramine tests, in particular, the device IOCTL tests. The pipeline uses Ubuntu 22.04 with modern Linux kernel (to have an upstream SGX driver and support for SGX in KVM) and QEMU/KVM to run the VM. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
gramineproject · Nov 8, 2022 · dff03d2 · dff03d2
1 parent 72f6524
commit dff03d2
Show file tree

Hide file tree

Showing 4 changed files with 231 additions and 0 deletions.
diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile
@@ -0,0 +1,66 @@
+stage('build') {
+    sh '''
+        git clone https://github.com/gramineproject/device-testing-tools.git
+        cd device-testing-tools
+        git checkout bca20ced0d2931ef4d785226a91cc2228969f7fc
+        cd initramfs_builder
+        make
+    '''
+
+    env.MESON_OPTIONS = ''
+    if (env.UBSAN == '1') {
+        env.MESON_OPTIONS += ' -Dubsan=enabled'
+    }
+    if (env.ASAN == '1') {
+        env.MESON_OPTIONS += ' -Dasan=enabled'
+    }
+    if (env.CC == 'clang') {
+        env.MESON_OPTIONS += ' -Dmusl=disabled'
+    }
+
+    try {
+        sh '''
+            meson setup build/ \
+                --werror \
+                --prefix="$PREFIX" \
+                --buildtype="$BUILDTYPE" \
+                -Ddirect=disabled \
+                -Dsgx=enabled \
+                -Dtests=enabled \
+                $MESON_OPTIONS
+            ninja -vC build/
+        '''
+
+        // install
+        sh '''
+            ninja -vC build/ install
+            gramine-sgx-gen-private-key
+        '''
+    } finally {
+        archiveArtifacts 'build/meson-logs/**/*'
+        archiveArtifacts 'build/subprojects/glibc-*/glibc-build.log'
+    }
+
+    // archive all installed files
+    // NOTE we can't use ${env.PREFIX} here, because path needs to be relative to workdir
+    archiveArtifacts "usr/**/*"
+
+    // Absolute path to libdir, as configured by Meson.
+    // For our current builds this should be "$WORKSPACE/usr/lib/x86_64-linux-gnu":
+    // --prefix is set from $PREFIX above (see config-docker.jenkinsfile) and should be "$WORKSPACE/usr";
+    // --libdir is distro-dependent, but on Debian and derivatives it's "lib/x86_64-linux-gnu"
+    libdir = sh(returnStdout: true, script: '''
+        meson introspect build/ --buildoptions \
+        | jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
+    ''').trim()
+
+    env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
+
+    // In CI we install to non-standard --prefix (see above). This makes sure the libraries are
+    // available anyway (e.g. gramine-sgx-pf-crypt needs libsgx_util.so).
+    env.PKG_CONFIG_PATH = libdir + '/pkgconfig'
+
+    // prevent cheating and testing from repo
+    sh 'rm -rf build'
+    sh 'git clean -Xf subprojects'
+}
diff --git a/.ci/lib/stage-test-vm.jenkinsfile b/.ci/lib/stage-test-vm.jenkinsfile
@@ -0,0 +1,27 @@
+stage('test') {
+    // prepare files to pass current work dir and envvars into VM
+    sh '''
+        mkdir -p /opt/files_for_vm
+        echo $PWD > /opt/files_for_vm/pwd
+
+        touch /opt/files_for_vm/envs
+        echo "export SGX=$SGX" >> /opt/files_for_vm/envs
+        echo "export IS_VM=$IS_VM" >> /opt/files_for_vm/envs
+
+        echo "export PATH=\"$PATH\"" >> /opt/files_for_vm/envs
+        echo "export PKG_CONFIG_PATH=\"$PKG_CONFIG_PATH\"" >> /opt/files_for_vm/envs
+        echo "export PYTHONPATH=\"$PYTHONPATH\"" >> /opt/files_for_vm/envs
+        echo "export GRAMINE_PKGLIBDIR=\"$GRAMINE_PKGLIBDIR\"" >> /opt/files_for_vm/envs
+
+        // TODO: Do we care about these?
+        echo "export XDG_CONFIG_HOME=\"$XDG_CONFIG_HOME\"" >> /opt/files_for_vm/envs
+        echo "export CARGO_HOME=\"$CARGO_HOME\"" >> /opt/files_for_vm/envs
+    '''
+
+    timeout(time: 15, unit: 'MINUTES') {
+        sh '''
+            cd device-testing-tools/initramfs_builder
+            ./run.sh
+        '''
+    }
+}
diff --git a/.ci/linux-sgx-vm-gcc-release.jenkinsfile b/.ci/linux-sgx-vm-gcc-release.jenkinsfile
@@ -0,0 +1,28 @@
+node('whatnots') {
+    checkout scm
+
+    env.SGX = '1'
+    env.IS_VM = '1'
+
+    load '.ci/lib/config-docker.jenkinsfile'
+
+    if (fileExists('/dev/kvm')) {
+        env.DOCKER_ARGS_COMMON += ' --device=/dev/kvm:/dev/kvm'
+    }
+
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu22.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+        load '.ci/lib/config.jenkinsfile'
+        // FIXME: below is not needed
+        load '.ci/lib/config-ubuntu20.04.jenkinsfile'
+        load '.ci/lib/config-release.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-sgx-vm.jenkinsfile'
+        load '.ci/lib/stage-test-vm.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}
diff --git a/.ci/ubuntu22.04.dockerfile b/.ci/ubuntu22.04.dockerfile
@@ -0,0 +1,110 @@
+FROM ubuntu:22.04
+
+# Add steps here to set up dependencies
+RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    autoconf \
+    bc \
+    bison \
+    build-essential \
+    cargo \
+    clang \
+    curl \
+    flex \
+    gawk \
+    gdb \
+    gettext \
+    git \
+    jq \
+    libapr1-dev \
+    libaprutil1-dev \
+    libcjson-dev \
+    libcurl4-openssl-dev \
+    libelf-dev \
+    libevent-dev \
+    libexpat1 \
+    libexpat1-dev \
+    libmemcached-tools \
+    libnss-mdns \
+    libnuma1 \
+    libomp-dev \
+    libpcre2-dev \
+    libpcre3-dev \
+    libprotobuf-c-dev \
+    libssl-dev \
+    libunwind8 \
+    libxfixes3 \
+    libxi6 \
+    libxml2-dev \
+    libxrender1 \
+    libxxf86vm1 \
+    linux-headers-generic \
+    musl \
+    musl-tools \
+    nasm \
+    net-tools \
+    netcat-openbsd \
+    ninja-build \
+    pkg-config \
+    protobuf-c-compiler \
+    protobuf-compiler \
+    pylint3 \
+    python \
+    python3-apport \
+    python3-apt \
+    python3-breathe \
+    python3-click \
+    python3-cryptography \
+    python3-jinja2 \
+    python3-lxml \
+    python3-numpy \
+    python3-pip \
+    python3-protobuf \
+    python3-pyelftools \
+    python3-pytest \
+    python3-pytest-xdist \
+    python3-scipy \
+    python3-sphinx-rtd-theme \
+    python3-toml \
+    qemu \
+    shellcheck \
+    sphinx-doc \
+    sqlite3 \
+    texinfo \
+    uthash-dev \
+    wget \
+    zlib1g \
+    zlib1g-dev
+
+# NOTE about meson version: we support "0.56 or newer", so in CI we pin to latest patch version of
+# the earliest supported minor version (pip implicitly installs latest version satisfying the
+# specification)
+RUN python3 -m pip install -U \
+    'meson>=0.56,<0.57' \
+    'docutils>=0.17,<0.18'
+
+# Add the user UID:1001, GID:1001, home at /leeroy
+RUN \
+    groupadd -r leeroy -g 1001 && \
+    useradd -u 1001 -r -g leeroy -m -d /leeroy -c "Leeroy Jenkins" leeroy && \
+    chmod 755 /leeroy
+
+# Make sure /leeroy can be written by leeroy
+RUN chown 1001 /leeroy
+
+# Blow away any random state
+RUN rm -f /leeroy/.rnd
+
+# Make a directory for the intel driver
+RUN mkdir -p /opt/intel && chown 1001 /opt/intel
+
+# Set the working directory to leeroy home directory
+WORKDIR /leeroy
+
+# Specify the user to execute all commands below
+USER leeroy
+
+# Set environment variables.
+ENV HOME /leeroy
+
+# Define default command.
+CMD ["bash"]