The published package is now named 'radenv' and lives under
pypi.inkbridge.io/radenv/. Script entrypoints follow the same rename:
multi-server-test{,-config} -> radenv{,-config}.
See InkbridgeNetworks/radenv@v1.0.2 for the upstream rename.
multi-server: install radenv from inkbridge pypi instead of git clone
Drop the github.com/InkbridgeNetworks/radenv.git checkout + 'make
configure' dance and install the framework as a pip package from the
inkbridge index instead. Pinned version stays in RADENV_VERSION so
bumps are a one-line change.
The inkbridge host already serves the PEP 503 simple listing at its
root, so no /simple/ suffix. --extra-index-url keeps the default
PyPI fallback for transitive deps.
Switches the python3 -m src.<module> invocations over to the
multi-server-test / multi-server-test-config entrypoints that the
sdist exposes via [project.scripts]; the cd / venv-activate dance
in front of every call goes away.
Also bumps actions/upload-artifact from v4 (Node.js 20, deprecated
2026-06-02) to v6 (Node.js 24) so ci-multi-server-tests stops
emitting the deprecation warning on every run.
profiling image: stage /docker-entrypoint.sh so it's a drop-in for service
src/tests/multi-server/environments/kafka.yml.j2 (and the other env
templates) override the Dockerfile entrypoint with a bash wrapper that
still execs /docker-entrypoint.sh. The service image stages that file
via service.{deb,rpm}.m4 but the profiling image didn't, so the
kafka-producer1 container exited 127 ("command not found") in
profiling-mode multi-server runs.
Add the same COPY + chmod to common.freeradius-profile-build.m4. Leave
the per-distro profiling.{deb,rpm}.m4 EXPOSE / CMD (sleep loop) alone
since compose overrides them anyway.
The run-index now counts at the branch/commit level instead of per
(test, mode), so a single CI invocation's parallel tests share an
index and a re-run of the same commit gets the next index.
Also swap the unicode '->' arrows in docker.mk's DOCKER_BUILD header
for plain '>' to match the BUILD echo style.
profiling image: install with --prefix=/usr to match deb/rpm layout
The profiling Dockerfile chain used the default ./configure prefix
(/usr/local), so radclient / radiusd / etc. ended up under
/usr/local/bin and /usr/local/sbin while the service image (deb/rpm
install) puts them under /usr/bin and /usr/sbin. Test fixtures had
to either drop absolute paths or branch on mode.
Pass --prefix=/usr so the source build lands binaries at the same
absolute paths as the production packages. Update the radiusd ->
freeradius alias symlink to match. Restore /usr/bin/radclient in the
proxy-accept and proxy-multihop-accept test templates now that both
modes resolve it the same way.
multi-server: invoke radclient from PATH; surface docker build log on failure
The proxy-accept and proxy-multihop-accept test templates were calling
/usr/bin/radclient directly. That path is correct for service mode
(deb-installed FR) but the profiling image builds from source with the
default ./configure prefix, so radclient lands at /usr/local/bin/radclient
and the exec failed with 'No such file or directory'. Drop the absolute
path and rely on $PATH so both modes work.
Also add the same Show-docker-build-log failure step to
ci-multi-server-tests.yml that docker-refresh / docker-crossbuild /
docker-service already have, so the apt errors from a failed
crossbuild / profiling-deps build aren't trapped in a per-job runner
log file.
scripts/docker/docker.mk: switch the PULL echo from 'latest <- registry'
to 'latest < registry' to match the BUILD echo's plain redirect style.
common.deb.dbgsym: tolerate ddebs version skew per-package
ddebs.ubuntu.com and debian-debug rebuild dbgsyms slower than the
matching main package gets a security update. On any given day a
handful of entries are in skew: dbgsym pinned to -buildN while main
is at -ubuntuN.M.K, so an apt-get install of the full list fails with
unmet dependencies. Recent refresh runs caught 9 packages mid-skew on
jammy in one snapshot.
Switch back to per-package install with a WARNING fallback. Skewed
entries are logged loudly so missing symbols stay visible, and the
remaining ~15 of ~24 dbgsyms still land. The next refresh picks up
the previously-skewed ones once ddebs catches up.
docker-refresh: build crossbuild from upstream OS, run freeradius in parallel with CI bases
process-freeradius-images was overriding crossbuild's FROM to
self-hosted-ci-<distro> via CB_FROM_* env vars to reuse the slim CI
toolchain layer. The reuse saved a minute or two of apt-install per
distro at the cost of a hard dependency on process-ci-images
(crossbuild's FROM had to exist in the registry before the build).
Drop the CB_FROM_* block so crossbuild builds from the upstream
ubuntu/debian/rocky base directly, same path service uses. Trades a
modest build-time increase for parallelism with process-ci-images
and removes the cross-job FROM-chain that broke during the
self-hosted-{deb,rocky} -> self-hosted-ci rename.
Add a workflow-level concurrency group with cancel-in-progress: false
so a second refresh trigger (push to master + a manual workflow_dispatch,
two manual triggers in quick succession, or the nightly schedule
overlapping a push) queues behind the running one instead of starting
a second parallel refresh.
cancel-in-progress is left false: an in-flight refresh that's halfway
through publishing :latest tags shouldn't be torn down by the next
trigger; let it finish, then run the queued one which re-publishes
everything cleanly.
docker-refresh: chain freeradius-images on ci-images
process-freeradius-images was running in parallel with
process-ci-images, both gated on process-docker-cli. crossbuild
FROMs self-hosted-ci-<distro>:latest and resolved that via the
previous nightly's registry copy. The rename from
self-hosted-{deb-,rocky}<distro> to self-hosted-ci-<distro> means
no previous nightly has published the new tag yet, so the parallel
crossbuild step now fails with 'manifest not found' on the FROM.
Serialise: freeradius-images needs ci-images. One extra wait per
refresh in exchange for a working FROM chain through any future
rename.
docker-refresh: rename CI bases to self-hosted-ci-<distro>, surface build log on failure
The slim CI build bases (built from scripts/docker/build/<distro>/Dockerfile.ci
and consumed by ci-deb.yml / ci-rpm.yml) were named inconsistently:
the rpm side ran as self-hosted-rocky{9,10} and the deb side as
self-hosted-deb-{debian12,debian13,debiansid,ubuntu22,ubuntu24,ubuntu26}.
Unify on self-hosted-ci-<distro> across both families. self-hosted-ubuntu24
(no -ci-) stays as the GH runner host image so the two roles are
distinguishable.
Updates the matrix entries in docker-refresh.yml, the CB_FROM_* env
in process-freeradius-images and docker-crossbuild.yml, and the
BUILD_IMAGE strings in ci-deb.yml / ci-rpm.yml.
Also re-adds the Show docker build logs failure step to
process-freeradius-images (got lost in an earlier rewrite). Without
it the actual apt errors from the dbgsym install stay hidden in
build/docker/build.<os>.profiling-deps on the runner.
docker-refresh: force bash for container-based jobs
When a GH Actions job declares a container:, the per-step run: shell
defaults to /bin/sh (dash on the cli image's debian base). The Create
build dependency package step uses $(stat -c'%u:%g' .git) inside an
unquoted heredoc, and dash fails to parse that with a cryptic
'Syntax error: "(" unexpected'. Pin shell: bash for both
process-ci-images and process-freeradius-images.
Also renames process-images to process-ci-images for clarity now
that it only covers the CI runner / build bases plus pull-through
caches.
docker-refresh: rebuild freeradius-build-deps.deb for self-hosted-ubuntu24
scripts/ci/docker/Dockerfile COPYs /freeradius-build-deps.deb and
/freeradius-build-deps-extra.deb into the runner host image. After the
matrix split the build step was orphaned in process-host-bases so the
files were never generated, and the docker build failed with a 'cache
key not found' on the COPY. Re-add the dep-pkg step in
process-host-bases, gated on a needs_build_deps flag on the ubuntu24
matrix entry.
docker-refresh: build dind + cli first, run the rest under fresh dind
Split docker-refresh into a four-stage pipeline so the freshly built
dind sidecar and docker-cli job-container are in the registry before
anything else uses them.
process-host-bases raw host, parallel: self-hosted-ubuntu24
(alias self-hosted) and self-hosted-docker-dind
process-docker-cli raw host, needs process-host-bases: builds
self-hosted-docker-cli, which FROMs self-hosted
process-images dind + cli, needs process-docker-cli, parallel:
the remaining CI bases (rocky/deb-*) plus the
mariadb / postgres / 389ds pull-through caches
process-freeradius-images
dind + cli, needs process-docker-cli, parallel:
the freeradius4-{crossbuild,profiling-deps,
service} chain per distro
Stages 3 and 4 use fresh dind + cli from this run instead of the
previous cycle's copies. Stages 1 and 2 stay on the raw self-hosted
runner because they're building the very dind/cli they'd otherwise
sit inside.
Also switches all internal-registry logins to docker/login-action@v4
for consistency with the existing Docker Hub login.
docker-refresh: parallelise jobs and fix dbgsym install terminator
Drop the needs: chain in docker-refresh.yml so process-images,
process-docker-cli and process-freeradius-images all start in
parallel. Each job's container and FROM dependencies resolve from
the previous cycle's :latest, so a one-cycle staleness is acceptable.
Rename process-derived-images to process-docker-cli since it builds
exactly one image.
Fix common.deb.dbgsym.m4 to terminate the apt-get install reliably:
move libc6-dbg to the tail as the unconditional last token. On sid
and resolute the libxml2/libidn12/python ifelse blocks all evaluate
to empty, which left the previous-to-last package's trailing
backslash joining the apt-get install command with the next RUN.
Buildkit fed "RUN git clone FlameGraph ..." to apt as a package name
and exited 100. Also corrects the codename test from forky to sid to
match Dockerfile.m4's OS_CODENAME mapping for debiansid.
Merge profiling-multi-server-fixes into developer/arr2036
Pulls in the docker-refresh, profiling-deps split, /etc/freeradius
standardisation, ddebs version-skew tolerance, and matrix display
name work from profiling-multi-server-fixes. Resolves conflicts in
docker.mk and dockerfile.mk by keeping the cleaner per-type list
factoring from developer/arr2036 and extending it with profiling-deps.
Adds display: fields to every docker-refresh.yml matrix entry so the
GH Actions UI shows the actual image identity instead of the entry
dict serialisation, renames the workflow to "Docker refresh", and
labels the FR-image chain job as
freeradius4-{crossbuild,profiling-deps,service}-<os>.
common.deb.dbgsym: tolerate apt-get update flakiness for ddebs sources
The dbgsym RUN step did `apt-get update && for pkg in ...`. When the
update step fell over - typically because ddebs.ubuntu.com or
debug.mirrors.debian.org returned a 5xx mid-fetch despite the
Acquire::Retries=3 we set in the toolchain template - the && killed
the whole RUN with exit 100 before any of the per-package installs
ran. The per-package loop already prints a WARNING and continues
for any individual package the cache can't resolve, so letting the
update itself fail soft means partial cache + best-effort installs
still happen rather than tipping the whole image build over.
Concretely: docker.profiling.ubuntu24 stopped building on the
docker-server workflow each time ddebs hiccupped, even though every
dbgsym package is technically optional and FR ships fine without
them.
projects / thirdparty / freeradius-server.git / log
