[CI] WIP: Add a VM-based Jenkins pipeline
New Jenkins pipeline runs a Docker container that creates a minimal VM
based on https://github.com/gramineproject/device-testing-tools repo and
runs a subset of Gramine tests, in particular, the device IOCTL tests.
The pipeline uses Ubuntu 22.04 with modern Linux kernel (to have an
upstream SGX driver and support for SGX in KVM) and QEMU/KVM to run the
VM.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
dimakuv committed Nov 9, 2022
1 parent 72f6524 commit ec0301d
Showing 5 changed files with 246 additions and 1 deletion.
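--- a/.ci/lib/stage-build-sgx-vm.jenkinsfile
+++ b/.ci/lib/stage-build-sgx-vm.jenkinsfile
@@ -0,0 +1,74 @@
+stage('build') {
+// we add `/sbin` to PATH to find the `modprobe` program
+sh '''
+export PATH="/sbin:$PATH"
+
+git clone https://github.com/gramineproject/device-testing-tools.git
+cd device-testing-tools
+git checkout d8701dd6b064ed01a9392854db6584f3db72977f
+
+cd initramfs_builder
+cp -f new_init_jenkins new_init
+make
+
+cd ../gramine-device-testing-module
+make
+'''
+
+env.MESON_OPTIONS = ''
+if (env.UBSAN == '1') {
+env.MESON_OPTIONS += ' -Dubsan=enabled'
+}
+if (env.ASAN == '1') {
+env.MESON_OPTIONS += ' -Dasan=enabled'
+}
+if (env.CC == 'clang') {
+env.MESON_OPTIONS += ' -Dmusl=disabled'
+}
+
+try {
+sh '''
+meson setup build/ \
+--werror \
+--prefix="$PREFIX" \
+--buildtype="$BUILDTYPE" \
+-Ddirect=disabled \
+-Dsgx=enabled \
+-Dtests=enabled \
+$MESON_OPTIONS
+ninja -vC build/
+'''
+
+// install
+sh '''
+ninja -vC build/ install
+gramine-sgx-gen-private-key
+'''
+} finally {
+archiveArtifacts 'build/meson-logs/**/*'
+archiveArtifacts 'build/subprojects/glibc-*/glibc-build.log'
+}
+
+// archive all installed files
+// NOTE we can't use ${env.PREFIX} here, because path needs to be relative to workdir
+archiveArtifacts "usr/**/*"
+
+// Absolute path to libdir, as configured by Meson.
+// For our current builds this should be "$WORKSPACE/usr/lib/x86_64-linux-gnu":
+// --prefix is set from $PREFIX above (see config-docker.jenkinsfile) and should be "$WORKSPACE/usr";
+// --libdir is distro-dependent, but on Debian and derivatives it's "lib/x86_64-linux-gnu"
+libdir = sh(returnStdout: true, script: '''
+meson introspect build/ --buildoptions \
+| jq -r '(map(select(.name == "prefix")) + map(select(.name == "libdir"))) | map(.value) | join("/")'
+''').trim()
+
+env.GRAMINE_PKGLIBDIR = libdir + '/gramine'
+
+// In CI we install to non-standard --prefix (see above). This makes sure the libraries are
+// available anyway (e.g. gramine-sgx-pf-crypt needs libsgx_util.so).
+env.PKG_CONFIG_PATH = libdir + '/pkgconfig'
+
+// prevent cheating and testing from repo
+sh 'rm -rf build'
+sh 'git clean -Xf subprojects'
+}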
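Review bot: The bare commit SHA in `git checkout d8701dd6b064ed01a9392854db6584f3db72977f` is the only thing standing between this pipeline and running arbitrary code from a third-party repository, yet nothing says why that revision was chosen or how it is meant to be bumped. A comment above the checkout such as `// pin device-testing-tools to a reviewed revision; bump deliberately and re-run the VM tests after inspecting the diff` would make the supply-chain intent explicit. The `/sbin` comment says PATH is extended "to find modprobe", but no command in this stage visibly calls modprobe, so presumably one of the `make` invocations does; saying so (`// the initramfs/module makefiles invoke modprobe, which lives in /sbin`) would keep the next maintainer from removing the export. Likewise `cp -f new_init_jenkins new_init` deserves a one-line note on what the Jenkins-specific init script changes relative to the default.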
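--- a/.ci/lib/stage-test-vm.jenkinsfile
+++ b/.ci/lib/stage-test-vm.jenkinsfile
@@ -0,0 +1,28 @@
+stage('test') {
+// prepare files to pass current work dir and envvars into VM
+sh '''
+mkdir -p $HOME/files_for_vm
+echo $PWD > $HOME/files_for_vm/pwd
+
+touch $HOME/files_for_vm/envs
+echo "export SGX=$SGX" >> $HOME/files_for_vm/envs
+echo "export IS_VM=$IS_VM" >> $HOME/files_for_vm/envs
+
+echo "export PATH=\"$PATH\"" >> $HOME/files_for_vm/envs
+echo "export PKG_CONFIG_PATH=\"$PKG_CONFIG_PATH\"" >> $HOME/files_for_vm/envs
+echo "export PYTHONPATH=\"$PYTHONPATH\"" >> $HOME/files_for_vm/envs
+echo "export GRAMINE_PKGLIBDIR=\"$GRAMINE_PKGLIBDIR\"" >> $HOME/files_for_vm/envs
+echo "export XDG_CONFIG_HOME=\"$XDG_CONFIG_HOME\"" >> $HOME/files_for_vm/envs
+
+// TODO: I don't care about this, but maybe should keep?
+echo "export CARGO_HOME=\"$CARGO_HOME\"" >> $HOME/files_for_vm/envs
+'''
+
+timeout(time: 15, unit: 'MINUTES') {
+sh '''
+cd device-testing-tools/initramfs_builder
+./run.sh | tee OUTPUT
+grep "TESTS OK" OUTPUT
+'''
+}
+}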
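Review bot: The line `// TODO: I don't care about this, but maybe should keep?` sits inside the `sh '''…'''` script, so the shell sees `//` as a command rather than a comment; with the `-e` that Jenkins' `sh` step normally passes, that line will most likely abort the stage before `CARGO_HOME` is written. It should be a shell comment, `# TODO: I don't care about this, but maybe should keep?`. Separately, `touch $HOME/files_for_vm/envs` followed by `>>` appends to whatever is already there, so a re-run on an agent that kept `$HOME` would accumulate stale `export` lines and the last one wins silently; truncating with `: > "$HOME/files_for_vm/envs"` makes each run start clean. The exported values are interpolated unescaped into a file that is presumably sourced inside the VM, which is fine while they are CI-controlled but worth a comment so nobody later feeds user-controlled input through it.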
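--- a/.ci/linux-sgx-vm-gcc-release.jenkinsfile
+++ b/.ci/linux-sgx-vm-gcc-release.jenkinsfile
@@ -0,0 +1,31 @@
+node('whatnots') {
+checkout scm
+
+env.SGX = '1'
+env.IS_VM = '1'
+
+load '.ci/lib/config-docker.jenkinsfile'
+
+if (fileExists('/dev/kvm')) {
+env.DOCKER_ARGS_COMMON += ' --device=/dev/kvm:/dev/kvm'
+}
+
+// Overwrite Gramine-specific seccomp policy because it conflicts with KVM requirements, see
+// https://github.com/moby/moby/issues/42963 for details.
+// FIXME: remove this line once seccomp policy is updated in core Gramine repo.
+env.DOCKER_ARGS_COMMON += ' --security-opt seccomp=unconfined'
+
+docker.build(
+"local:${env.BUILD_TAG}",
+'-f .ci/ubuntu22.04.dockerfile .'
+).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+load '.ci/lib/config.jenkinsfile'
+load '.ci/lib/config-release.jenkinsfile'
+
+load '.ci/lib/stage-lint.jenkinsfile'
+load '.ci/lib/stage-test-vm.jenkinsfile'
+load '.ci/lib/stage-clean-check.jenkinsfile'
+}
+}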
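Review bot: `--security-opt seccomp=unconfined` removes the syscall filter for the entire CI container, not just for QEMU's KVM ioctls, so the build, the third-party `make` steps and the lint stage all run with the full kernel syscall surface on a node that also has `/dev/kvm` passed through. The FIXME acknowledges this is temporary, but a narrower stopgap is cheap: take Docker's default seccomp profile, add only the syscalls the referenced moby issue says KVM needs, commit it as e.g. `.ci/seccomp-kvm.json`, and use `env.DOCKER_ARGS_COMMON += ' --security-opt seccomp=.ci/seccomp-kvm.json'`. Note also that when `/dev/kvm` is absent the pipeline proceeds without the device and the VM stage presumably either fails late or falls back to emulation; failing fast with `error('no /dev/kvm on this node')` would make that explicit. This node block is complete within the hunk.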
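--- a/.ci/ubuntu22.04.dockerfile
+++ b/.ci/ubuntu22.04.dockerfile
@@ -0,0 +1,112 @@
+FROM ubuntu:22.04
+
+# Add steps here to set up dependencies
+RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+autoconf \
+bc \
+bison \
+build-essential \
+cargo \
+clang \
+cpio \
+curl \
+flex \
+gawk \
+gdb \
+gettext \
+git \
+jq \
+kmod \
+libapr1-dev \
+libaprutil1-dev \
+libcjson-dev \
+libcurl4-openssl-dev \
+libelf-dev \
+libevent-dev \
+libexpat1 \
+libexpat1-dev \
+libmemcached-tools \
+libnss-mdns \
+libnuma1 \
+libomp-dev \
+libpcre2-dev \
+libpcre3-dev \
+libprotobuf-c-dev \
+libssl-dev \
+libunwind8 \
+libxfixes3 \
+libxi6 \
+libxml2-dev \
+libxrender1 \
+libxxf86vm1 \
+linux-headers-generic \
+musl \
+musl-tools \
+nasm \
+net-tools \
+netcat-openbsd \
+ninja-build \
+pkg-config \
+protobuf-c-compiler \
+protobuf-compiler \
+pylint \
+python3 \
+python3-apport \
+python3-apt \
+python3-breathe \
+python3-click \
+python3-cryptography \
+python3-jinja2 \
+python3-lxml \
+python3-numpy \
+python3-pip \
+python3-protobuf \
+python3-pyelftools \
+python3-pytest \
+python3-pytest-xdist \
+python3-scipy \
+python3-sphinx-rtd-theme \
+python3-toml \
+qemu-kvm \
+shellcheck \
+sphinx-doc \
+sqlite3 \
+texinfo \
+uthash-dev \
+wget \
+zlib1g \
+zlib1g-dev
+
+# NOTE about meson version: we support "0.56 or newer", so in CI we pin to latest patch version of
+# the earliest supported minor version (pip implicitly installs latest version satisfying the
+# specification)
+RUN python3 -m pip install -U \
+'meson>=0.56,<0.57' \
+'docutils>=0.17,<0.18'
+
+# Add the user UID:1001, GID:1001, home at /leeroy
+RUN \
+groupadd -r leeroy -g 1001 && \
+useradd -u 1001 -r -g leeroy -m -d /leeroy -c "Leeroy Jenkins" leeroy && \
+chmod 755 /leeroy
+
+# Make sure /leeroy can be written by leeroy
+RUN chown 1001 /leeroy
+
+# Blow away any random state
+RUN rm -f /leeroy/.rnd
+
+# Make a directory for the intel driver
+RUN mkdir -p /opt/intel && chown 1001 /opt/intel
+
+# Set the working directory to leeroy home directory
+WORKDIR /leeroy
+
+# Specify the user to execute all commands below
+USER leeroy
+
+# Set environment variables.
+ENV HOME /leeroy
+
+# Define default command.
+CMD ["bash"]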
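Review bot: The apt layer installs with a bare `apt-get install -y` and never removes `/var/lib/apt/lists`, so the image carries every Recommends of those ~75 packages plus the package index, which enlarges the CI container's attack surface and breaks the usual hadolint checks (DL3015, DL3009); the same applies to `pip install -U` without `--no-cache-dir`. The pip step also fetches `meson` and `docutils` from PyPI at image-build time with only a version range, so consider a small requirements file with `--require-hashes` if reproducible CI images matter here. `ENV HOME /leeroy` uses the legacy space-separated form that BuildKit now warns about; `ENV HOME=/leeroy` is the supported spelling. Adding `--no-install-recommends` may drop something the build implicitly relied on, so re-run the VM pipeline after the change.
```dockerfile
RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    # … unchanged: package list …
    zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

# … unchanged: meson version note …
RUN python3 -m pip install --no-cache-dir -U \
    'meson>=0.56,<0.57' \
    'docutils>=0.17,<0.18'

# … unchanged: user setup, WORKDIR, USER …
ENV HOME=/leeroy
```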
2 changes: 1 addition & 1 deletion scripts/gitignore-check-files
Expand Up @@ -5,7 +5,7 @@ set -eu -o pipefail
# Intended to be run before a build. Returns 1 (i.e. failure) if there's at
# least one file that should be ignored.

files="$(git ls-files -i --exclude-standard)"
files="$(git ls-files -i -o --exclude-standard)"
if [ -z "${files}" ]; then
exit 0
fi
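Review bot: Adding `-o` to `git ls-files -i -o --exclude-standard` changes what the check reports, not just its syntax: with `-o` it lists only untracked files that match an ignore pattern, whereas the comment just above ("at least one file that should be ignored") and the pre-build placement suggest the intent is to catch files that are tracked despite matching `.gitignore`. If that reading is right, `-c` is the flag that preserves the old semantics now that newer git rejects `-i` without `-c` or `-o`: `files="$(git ls-files -i -c --exclude-standard)"`. If catching stray untracked files is the actual goal, a one-line comment stating that would prevent the next reader from "fixing" it back. The enclosing script starts before this hunk.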
