From: Jason Ish Date: Thu, 27 Oct 2022 19:14:07 +0000 (-0600) Subject: github-ci: non-root builder X-Git-Tag: suricata-7.0.0-rc1~334 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64fab3be0403c62a343f515bcb23b3986541c1b4;p=thirdparty%2Fsuricata.git github-ci: non-root builder All the GitHub CI jobs run as root inside a container. This means the testing is done in a different environment than a developer typically uses, running as a user. Add a job that does the build as a non-root user.
---
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
index 177a900db2..694818db43 100644
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@@ -660,6 +660,74 @@ jobs: # Check compilation against systemd - run: ldd src/suricata | grep libsystemd &> /dev/null + fedora-36-non-root: + name: Fedora 36 (non-root, debug, clang, asan, wshadow, rust-strict, systemd) + runs-on: ubuntu-latest + container: fedora:36 + needs: [prepare-deps, prepare-cbindgen] + steps: + - run: | + dnf -y install \ + autoconf \ + automake \ + cargo \ + ccache \ + clang \ + diffutils \ + file-devel \ + gcc \ + gcc-c++ \ + git \ + hiredis-devel \ + jansson-devel \ + jq \ + lua-devel \ + libasan \ + libtool \ + libyaml-devel \ + libnfnetlink-devel \ + libnetfilter_queue-devel \ + libnet-devel \ + libcap-ng-devel \ + libevent-devel \ + libmaxminddb-devel \ + libpcap-devel \ + libtool \ + lz4-devel \ + make \ + nss-softokn-devel \ + pcre2-devel \ + pkgconfig \ + python3-yaml \ + sudo \ + systemd-devel \ + which \ + zlib-devel + - run: adduser suricata + - uses: actions/checkout@v3.1.0 + - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 + with: + name: prep + path: prep + - run: tar xf prep/libhtp.tar.gz + - run: tar xf prep/suricata-update.tar.gz + - run: tar xf prep/suricata-verify.tar.gz + - run: mkdir /home/suricata/suricata + - run: cp -a . 
/home/suricata/suricata + - run: chown -R suricata:suricata /home/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh cbindgen + working-directory: /home/suricata/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh autogen + working-directory: /home/suricata/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh configure + working-directory: /home/suricata/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh make + working-directory: /home/suricata/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh unit-test + working-directory: /home/suricata/suricata + - run: sudo -u suricata -s ./.github/workflows/scripts/fedora-non-root.sh verify + working-directory: /home/suricata/suricata + fedora-35: name: Fedora 35 (debug, clang, asan, wshadow, rust-strict) runs-on: ubuntu-latest diff --git a/.github/workflows/scripts/fedora-non-root.sh b/.github/workflows/scripts/fedora-non-root.sh new file mode 100755 index 0000000000..601aa4dcaf --- /dev/null +++ b/.github/workflows/scripts/fedora-non-root.sh 
@@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+#
+# Helper script for Fedora build as a non-root user.
+#
+# We break the build up into parts that need to be called individually
+# to avoid outputting too much data in a single step so we can see the
+# output in the UI.
+
+set -e
+set -x
+
+export PATH="$HOME/.cargo/bin:$PATH"
+
+case "$1" in
+ cbindgen)
+ # Setup cbindgen.
+ mkdir -p $HOME/.cargo/bin
+ cp prep/cbindgen $HOME/.cargo/bin
+ chmod 755 $HOME/.cargo/bin/cbindgen
+ ;;
+ autogen)
+ ./autogen.sh
+ ;;
+ configure)
+ ac_cv_func_realloc_0_nonnull="yes" \
+ ac_cv_func_malloc_0_nonnull="yes" \
+ LDFLAGS="-fsanitize=address" \
+ CC="clang" \
+ CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" \
+ ./configure \
+ --enable-debug \
+ --enable-unittests \
+ --disable-shared \
+ --enable-rust-strict \
+ --enable-hiredis \
+ --enable-nfqueue
+ ;;
+ make)
+ make -j2
+ ;;
+ unit-test)
+ ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
+ ;;
+ verify)
+ python3 ./suricata-verify/run.py
+ ;;
+esac
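Review bot: The `case "$1"` block has no default branch, so a missing or misspelled step name falls through to `esac` and the script exits 0; the workflow step then shows green without having built or tested anything. Add a final branch such as `*) echo "unknown step: $1" >&2; exit 1 ;;`. Separately, `$DEFAULT_CFLAGS` is expanded in the configure branch but never set in this script. If it is meant to come from the workflow environment, sudo's environment reset may drop it before the script runs (not verifiable from this hunk). A guard like `: "${DEFAULT_CFLAGS:?not set}"` at the top of that branch would make the loss visible instead of silently configuring without those flags.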