ci: cache and rework Travis setup

We can cache the umoci/ci image using Travis's built-in caching support,
as well as reduce duplication between our test runs by moving the unit
and validation tests to separate stages.

This change does mean that code coverage checks are no longer done in
Travis, but this will be cleaned up in a follow-up commit where we add
support for Codecov (though hack/ci-coverage.sh will still be used for
the stock "make ci").

Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

.dockerignore

@@ -0,0 +1,4 @@
+/umoci
+/umoci.cov*
+/.cache
+/release

.gitignore

@@ -1,4 +1,4 @@
 /umoci
-/cache
 /umoci.cov*
+/.cache
 /release

.travis.yml

@@ -30,36 +30,36 @@ notifications:
 addons:
   apt:
     packages:
+      - bc
       - gcc-multilib
+      - zstd
   homebrew:
     packages:
       # Needed for sponge.
       # NOTE: This conflicts with gnu_parallel so we'll need to work
       #       around that when we enable integration testing.
       - moreutils
 
-before_install:
-  # Need to set GO111MODULE=off here because Travis runs inside our source repo
-  # (which is a Go module) and thus 'go get' will actually add dependencies to
-  # our go.mod file. Annoyingly this means we cannot require v2 of go-md2man
-  # because that requires Go module support.
-  - GO111MODULE=off go get -u -v github.com/cpuguy83/go-md2man
+_docker: &docker
+  |-
+    # Install a modern version of Docker which supports BuildKit.
+    ./hack/resilient-curl.sh -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) edge"
+    sudo apt-get update
+    sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
 
-env:
-  - DOCKER_IMAGE="opensuse/leap:latest"
-  - DOCKER_IMAGE="centos:latest"
-  - DOCKER_IMAGE="debian:latest"
-  - DOCKER_IMAGE="ubuntu:latest"
-  - DOCKER_IMAGE="fedora:latest"
+_cache: &cache
+  cache:
+    directories:
+      - .cache
+  before_script:
+    - make ci-cache
 
-script:
-  # Necessary to make Travis co-operate with Docker.
-  - chmod a+rwx .
-  # Make sure 32-bit builds work. I'm not sure why GO111MODULE breaks here, but
-  # disable it since we just care about whether you get compiler errors.
-  - make GO111MODULE=off GOARCH=386 local-validate-build
-  # Run the actual CI.
-  - make DOCKER_IMAGE=$DOCKER_IMAGE ci
+_matrix_integration: &matrix_integration
+    <<: *cache
+    before_install: *docker
+    script:
+      - make DOCKER_IMAGE=$DOCKER_IMAGE ci-integration
 
 matrix:
   fast_finish: true
@@ -70,13 +70,64 @@ matrix:
     # (~40 minutes on some days).
     - env: DOCKER_IMAGE="fedora:latest"
   include:
-    - os: osx
-      osx_image: xcode12
+    - name: "validate"
+      before_install:
+      # Install basic Go tooling.
+      - |-
+          # Need to set GO111MODULE=off here because Travis runs inside our
+          # source repo (which is a Go module) and thus 'go get' will actually
+          # add dependencies to our go.mod file. Annoyingly this means we
+          # cannot require v2 of go-md2man because that requires Go module
+          # support.
+          GO111MODULE=off go get -u github.com/cpuguy83/go-md2man
+          GO111MODULE=off go get -u golang.org/x/lint/golint
+          GO111MODULE=off go get -u github.com/securego/gosec/cmd/gosec
+          GO111MODULE=off go get -u github.com/client9/misspell/cmd/misspell
+      script:
+        # Make sure 32-bit builds work. I'm not sure why GO111MODULE breaks here, but
+        # disable it since we just care about whether you get compiler errors.
+        - make GO111MODULE=off GOARCH=386 local-validate-build
+        - make ci-validate
+        - |-
+            make umoci
+            ./umoci help
+
+    # Unit tests.
+    - name: "unit"
+      <<: *cache
+      before_install: *docker
+      script:
+        # Necessary to make Travis co-operate with Docker.
+        - chmod a+rwx .
+        - make ci-unit
+    - <<: *matrix_integration
+      name: "integration (opensuse/leap)"
+      env:
+        - DOCKER_IMAGE="opensuse/leap:latest"
+    - <<: *matrix_integration
+      name: "integration (centos)"
       env:
-        # Clear DOCKER_IMAGE since we don't use it.
-        - DOCKER_IMAGE=""
+        - DOCKER_IMAGE="centos:latest"
+    - <<: *matrix_integration
+      name: "integration (debian)"
+      env:
+        - DOCKER_IMAGE="debian:latest"
+    - <<: *matrix_integration
+      name: "integration (ubuntu)"
+      env:
+        - DOCKER_IMAGE="ubuntu:latest"
+    - <<: *matrix_integration
+      name: "integration (fedora)"
+      env:
+        - DOCKER_IMAGE="fedora:latest"
+    - name: "macos-unit"
+      os: osx
+      osx_image: xcode12
       script:
         # TODO: Run the integration tests and rest of the CI, so we don't need
         #       to special-case MacOS here.
         - make local-validate-build
         - make local-test-unit
+        - |-
+            make umoci
+            ./umoci help

Dockerfile

@@ -18,14 +18,17 @@ MAINTAINER "Aleksa Sarai <[email protected]>"
 
 # We have to use out-of-tree repos because several packages haven't been merged
 # into openSUSE Leap yet, or are out of date in Leap.
-RUN zypper ar -f -p 10 -g obs://Virtualization:containers obs-vc && \
+RUN zypper mr -d repo-non-oss repo-update-non-oss && \
+	zypper ar -f -p 10 -g obs://Virtualization:containers obs-vc && \
 	zypper ar -f -p 10 -g obs://devel:tools obs-tools && \
 	zypper ar -f -p 10 -g obs://devel:languages:go obs-go && \
 	zypper --gpg-auto-import-keys -n ref && \
 	zypper -n up
 RUN zypper -n in \
 		attr \
 		bats \
+		bc \
+		curl \
 		git \
 		gnu_parallel \
 		go1.14 \
@@ -55,4 +58,3 @@ RUN skopeo copy docker://$DOCKER_IMAGE oci:$SOURCE_IMAGE:$SOURCE_TAG
 
 VOLUME ["/go/src/github.com/opencontainers/umoci"]
 WORKDIR /go/src/github.com/opencontainers/umoci
-COPY . /go/src/github.com/opencontainers/umoci

Makefile

@@ -26,24 +26,20 @@ PROJECT := github.com/opencontainers/umoci
 CMD := ${PROJECT}/cmd/umoci
 
 # We use Docker because Go is just horrific to deal with.
-UMOCI_IMAGE := umoci_dev
+UMOCI_IMAGE := umoci/ci:latest
 
 # TODO: We should test umoci with all of the security options disabled so that
 #       we can make sure umoci inside containers works fine (all of these
 #       security options are necessary for the test code to run, not umoci
 #       itself). The AppArmor/SELinux settings are needed because of the
 #       mount-related tests, and the seccomp/systempaths settings are required
 #       for the runc tests for rootless containers.
-# XXX: Ideally we'd use --security-opt systempaths=unconfined, but the version
-#      of Docker in Travis-CI doesn't support that. Bind-mounting the host's
-#      proc into the container is more dangerous but has the same effect on the
-#      in-kernel mnt_too_revealing() checks and works on old Docker.
-DOCKER_RUN          := docker run --rm -it \
+DOCKER_RUN          := docker run --rm \
                                   -v ${PWD}:/go/src/${PROJECT} \
-                                  --security-opt seccomp=unconfined \
                                   --security-opt apparmor=unconfined \
                                   --security-opt label=disable \
-                                  -v /proc:/tmp/.HOTFIX-stashed-proc
+                                  --security-opt seccomp=unconfined \
+                                  --security-opt systempaths=unconfined
 DOCKER_ROOTPRIV_RUN := $(DOCKER_RUN) --privileged --cap-add=SYS_ADMIN
 DOCKER_ROOTLESS_RUN := $(DOCKER_RUN) -u 1000:1000 --cap-drop=all
 
@@ -113,11 +109,11 @@ uninstall:
 
 .PHONY: clean
 clean:
-	rm -f umoci umoci.static umoci.cov*
+	rm -f umoci umoci.static umoci-ci.tar umoci.cov*
 	rm -f $(MANPAGES)
 
 .PHONY: validate
-validate: umociimage
+validate: ci-image
 	$(DOCKER_RUN) $(UMOCI_IMAGE) make local-validate
 
 .PHONY: local-validate
@@ -170,19 +166,15 @@ doc/man/%.1: doc/man/%.1.md
 docs: $(MANPAGES)
 
 # Used for tests.
-DOCKER_IMAGE :=opensuse/amd64:tumbleweed
-
-.PHONY: umociimage
-umociimage:
-	docker build -t $(UMOCI_IMAGE) --build-arg DOCKER_IMAGE=$(DOCKER_IMAGE) .
+DOCKER_IMAGE ?=opensuse/amd64:tumbleweed
 
 ifndef COVERAGE
 COVERAGE := $(notdir $(shell mktemp -u umoci.cov.XXXXXX))
-export COVERAGE
 endif
+export COVERAGE
 
 .PHONY: test-unit
-test-unit: umociimage
+test-unit: ci-image
 	touch $(COVERAGE) && chmod a+rw $(COVERAGE)
 	$(DOCKER_ROOTPRIV_RUN) -e COVERAGE $(UMOCI_IMAGE) make local-test-unit
 	$(DOCKER_ROOTLESS_RUN) -e COVERAGE $(UMOCI_IMAGE) make local-test-unit
@@ -192,7 +184,7 @@ local-test-unit:
 	GO=$(GO) hack/test-unit.sh
 
 .PHONY: test-integration
-test-integration: umociimage
+test-integration: ci-image
 	touch $(COVERAGE) && chmod a+rw $(COVERAGE)
 	$(DOCKER_ROOTPRIV_RUN) -e COVERAGE -e TESTS $(UMOCI_IMAGE) make local-test-integration
 	$(DOCKER_ROOTLESS_RUN) -e COVERAGE -e TESTS $(UMOCI_IMAGE) make local-test-integration
@@ -202,17 +194,49 @@ local-test-integration: umoci.cover
 	TESTS="${TESTS}" hack/test-integration.sh
 
 .PHONY: shell
-shell: umociimage
-	$(DOCKER_RUN) $(UMOCI_IMAGE) bash
+shell: ci-image
+	$(DOCKER_RUN) -it $(UMOCI_IMAGE) bash
 
 .PHONY: root-shell
-root-shell: umociimage
-	$(DOCKER_ROOTPRIV_RUN) $(UMOCI_IMAGE) bash
+root-shell: ci-image
+	$(DOCKER_ROOTPRIV_RUN) -it $(UMOCI_IMAGE) bash
 
 .PHONY: rootless-shell
-rootless-shell: umociimage
-	$(DOCKER_ROOTLESS_RUN) $(UMOCI_IMAGE) bash
+rootless-shell: ci-image
+	$(DOCKER_ROOTLESS_RUN) -it $(UMOCI_IMAGE) bash
+
+CACHE := .cache
+CACHE_IMAGE := $(CACHE)/ci-image.tar.zst
+
+.PHONY: ci-image
+ci-image:
+	docker pull opensuse/leap:latest
+	! [ -f "$(CACHE_IMAGE)" ] || unzstd < "$(CACHE_IMAGE)" | docker load
+	DOCKER_BUILDKIT=1 docker build -t $(UMOCI_IMAGE) \
+	                               --progress plain \
+	                               --cache-from $(UMOCI_IMAGE) \
+	                               --build-arg DOCKER_IMAGE=$(DOCKER_IMAGE) \
+	                               --build-arg BUILDKIT_INLINE_CACHE=1 .
+
+.PHONY: ci-cache
+ci-cache: ci-image
+	rm -rf $(CACHE) && mkdir -p $(CACHE)
+	docker save $(UMOCI_IMAGE) | zstd > $(CACHE_IMAGE)
+
+.PHONY: ci-validate
+ci-validate: umoci umoci.static
+	make docs local-validate
+
+.PHONY: ci-unit
+ci-unit: umoci.cover
+	make test-unit
+
+.PHONY: ci-integration
+ci-integration: umoci.cover
+	make test-integration
 
 .PHONY: ci
-ci: umoci umoci.static umoci.cover validate docs test-unit test-integration
+ci:
+	@echo "NOTE: This is not identical to the upstream CI, but the tests are the same."
+	make ci-validate ci-unit ci-integration
 	hack/ci-coverage.sh $(COVERAGE)

hack/resilient-curl.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# umoci: Umoci Modifies Open Containers' Images
+# Copyright (C) 2016-2020 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+
+ATTEMPT=0
+MAX_ATTEMPTS=10
+BACKOFF=0.2
+
+until ( timeout 5s curl "$@" )
+do
+	[[ "$((++ATTEMPT))" -lt "$MAX_ATTEMPTS" ]] || exit 1
+	sleep "$(bc <<<"$BACKOFF * 2*$ATTEMPT")"
+done