summaryrefslogtreecommitdiffhomepage
path: root/.github (follow)
AgeCommit message (Collapse)AuthorFilesLines
2024-12-05ci: Build with --otel on dev distrosAndrew Clayton1-6/+8
This just builds the OTEL stuff for the Fedora Rawhide and Alpine Edge distributions. If we ever get test cases covering OTEL we can figure out the best way to do it in the ci.yaml, but right now I don't see the point in building OTEL in every test configuration there... Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-10-29ci: Add a clang-ast workflowAndrew Clayton1-0/+76
This does compile-time type and argument checking using a clang-plugin. It was run as part of buildbot. This covers unitd, src/test and the php, perl, python, ruby, wasm, java and nodejs language modules/support. It doesn't cover Go as that doesn't build anything with clang (uses cgo) or wasm-wasi-component as that uses rustc. Link: <https://github.com/nginx/clang-ast/tree/unit> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-10-17ci: Drop PHP 8.1 from our testsAndrew Clayton1-2/+0
Under Ubuntu 24.04 the pytest for test/test_php_isolation.py::test_php_isolation_rootfs fails due to Unit aborting (SIGABRT) in the PHP language module due to FORIFY_SOURCE hardening detecting a buffer overflow 2024/10/16 16:46:54 [info] 11661#11661 "phpinfo" application started *** buffer overflow detected ***: terminated 2024/10/16 16:46:54 [alert] 11660#11660 app process 11661 exited on signal 6 After spending an extraordinary amount of time faffing around with Ubuntu and pytests (they don't make for a pleasant combination) I was able to reproduce it. The crash was occurring here #4 0x00007ebe818288ff in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ebe818297b6 in __libc_message_impl ( fmt=fmt@entry=0x7ebe819ce765 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:132 #6 0x00007ebe81936c19 in __GI___fortify_fail ( msg=msg@entry=0x7ebe819ce74c "buffer overflow detected") at ./debug/fortify_fail.c:24 #7 0x00007ebe819365d4 in __GI___chk_fail () at ./debug/chk_fail.c:28 #8 0x00007ebe8134a055 in mempcpy (__len=10, __src=0x7ebe8160ade8, __dest=0x571ba9bd0930) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:45 #9 fake_data_segment (info=0x0, sysdb=0x571ba9bcf080) at /usr/src/php8.1-8.1.30-1+ubuntu24.04.1+deb.sury.org+1/ext/date/lib/parse_tz.c:921 #10 timelib_builtin_db () at /usr/src/php8.1-8.1.30-1+ubuntu24.04.1+deb.sury.org+1/ext/date/lib/parse_tz.c:1084 #11 0x00007ebe812e0885 in zm_info_date (zend_module=0x571ba9a14420) [Well as best as I can tell, as this is from the php 8.1 packages from <https://github.com/oerdnj/deb.sury.org>, I don't know where the packages (I'm assuming it's packages) shivammathur/setup-php@v2 installs come from.] So we get killed in fake_data_segment(), the thing is, that function (as well as timelib_builtin_db()) doesn't exist in upstream PHP. It turns out these come from a patch that is applied by distributions to make PHP use the system installed timezone database rather than the one built into PHP. I was unable to reproduce this with vanilla PHP 8.1. It can be triggered on affected builds with the following config { "listeners": { "[::1]:8080": { "pass": "applications/php" } }, "applications": { "php": { "type": "php", "root": "/app/php", "isolation": { "rootfs": "/tmp/unit-root", "namespaces": { "mount": true, "credential": true, "pid": true } } } } } The crux of the issue seems to come down to in this case PHP can't open the tz database as it's not contained in the new mount namespace. 190437 openat(AT_FDCWD, "/usr/share/zoneinfo/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory) 190437 openat(AT_FDCWD, "/usr/share/zoneinfo/zone.tab", O_RDONLY) = -1 ENOENT (No such file or directory) 190437 writev(2, [{iov_base="*** ", iov_len=4}, {iov_base="buffer overflow detected", iov_len=24}, {iov_base=" ***: terminated\n", iov_len=17}], 3) = 45 ... 190437 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2, si_uid=65534} --- 190437 +++ killed by SIGABRT +++ Specifically the issue is with the following code in the patch (certainly an earlier version of the patch, this is from a Debian patch <https://sources.debian.org/src/php8.2/8.2.20-1~deb12u1/debian/patches/0007-Add-support-for-use-of-the-system-timezone-database.patch/>) + data = malloc(3 * sysdb->index_size + 7); + + p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); If the zone file hasn't been found then sysdb->index_size is 0. So we malloc(3) a total of 7 bytes. However, sizeof(FAKE_HEADER) - 1 is 10. (Hence the __len=10 in the mempcpy(3) in the above backtrace). Of course 10 doesn't fit into 7 and the FORTIFY_SOURCE hardening kicks in and SIGABRTs the process. Now, it's worth noting that this issue doesn't occur with PHP 8.2 and 8.3. As can been seen from the Fedora patch for this <https://src.fedoraproject.org/rpms/php/blob/rawhide/f/php-8.4.0-systzdata-v24.patch> They actually have a fix incorporated r23: fix possible buffer overflow So the above patch now does + data = malloc(3 * sysdb->index_size + sizeof(FAKE_HEADER) - 1); + + p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); So you will always get at least the required 10 bytes allocated. I assume the PHP 8.2 & 8.3 packages either no longer use this patch or have the fixed version. I don't know... I haven't found the sources... Anyway the above was more about satisfying myself that the problem wasn't with Unit. PHP 8.1 is now in security maintenance mode and people are actively encouraged to upgrade to 8.2/8.3 So lets just remove 8.1 from our testing... [It's also worth noting that after all this, the ubuntu-latest runners seemed to have switched back from 24.04 to 22.04. However lets stick with this and the other ci fixes as who knows when it'll go back to 24.04 (or some other version) again...] Link: <https://www.php.net/supported-versions.php> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-10-17ci: Install pytest via apt(8)Andrew Clayton1-7/+4
With Ubuntu 24.04 installing it via pip gave this error error: externally-managed-environment × This environment is externally managed ╰─> To install Python packages system-wide, try apt install python3-xyz, where xyz is the package you are trying to install. If you wish to install a non-Debian-packaged Python package, create a virtual environment using python3 -m venv path/to/venv. Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have python3-full installed. If you wish to install a non-Debian packaged Python application, it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed. See /usr/share/doc/python3.12/README.venv for more information. Installing it via the package manager is the better option anyway... Under Ubuntu 22.04 it only installs a /usr/bin/pytest-3 binary, rather than installing a /usr/bin/pytest binary and symlink for pytest-3, so use pytest-3 as the command. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-10-17ci: Fix disabling of the mono-xsp4.serviceAndrew Clayton1-6/+12
With Ubuntu 24.04 this service is no longer enabled/installed and so this bit would fail. This commit makes it handle both cases (installed/not-installed). Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-10ci: Trigger ci.yml for changes under pkg/contribAndrew Clayton1-0/+2
This will catch changes to the likes of wasmtime and njs. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-09ci: Fix wasmtime paths in ci.ymlAndrew Clayton1-1/+1
With commit 9998918db ("Packages: bump wasmtime to 24.0.0 and wasi-sysroot to 24.0.") the paths to the wasmtime C API include and lib directories changed which broke the wasm ci tests. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-09ci: Fix tags on ad hoc unitctl releasesDan Callahan1-4/+2
- Adds `unitctl/` prefix to tags generated by manual workflow runs. Previously, only release titles (but not tags) were prefixed. - Omits superfluous `name` field; falls back to `tag` when absent. - Removes unnecessary conditional from `prelease` field. This results in the following tagging / releasing behavior: 1. Running manually creates a pre-release and tags it `unitctl/VERSION` 2. Pushing a tag formatted like `x.y.z` creates a normal release Refines: 3501a50ffb93756e145295021ff9313ac77f1ba9
2024-08-28ci: Enable the wasm-wasi-component testsAndrew Clayton1-9/+14
We now have tests for this module via commit cad6aed52 ("Tests: initial "wasm-wasi-component" test"). We need to install cargo-component for this test target. Also the only way I found I could get this test to run was by running as non-root. The issue I was seeing was that despite cargo being installed into /home/runner/.cargo/bin *and* that being in the path, it kept claiming it couldn't find cargo. E.g. $ sudo -E echo $PATH Showed /home/runner/.cargo/bin in there. $ sudo -E /home/runner/.cargo/bin/cargo -V Worked. $ sudo -E cargo -V cargo command not found. (Also other oddities, despite claiming to be using bash, it couldn't find shell builtins like 'hash' and 'export', perhaps some Ubuntu weirdness...) However, no problem, there is *no* need for it run as root anyway so result! Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-20ci/unitctl: Update pathsAndrew Clayton1-0/+1
unitctl makes use of 'docs/unit-openapi.yaml' so be sure to run these checks if that file changes. Fixes: 6d0880c99 ("Add unitctl build and release CI") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-07-16ci: cifuzz: Bump github/codeql-action from 2 to 3dependabot[bot]1-1/+1
Bumps <https://github.com/github/codeql-action> from 2 to 3. Link: Release notes <https://github.com/github/codeql-action/releases> Link: Changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md> Link: Commits <https://github.com/github/codeql-action/compare/v2...v3> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-07-15fuzzing: added cifuzz workflowArjun1-0/+41
Signed-off-by: Arjun <pkillarjun@protonmail.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-06-18ci: tweak unitctl github releaseAva Hahn1-1/+18
* add body and text to github release for unitctl Signed-off-by: Ava Hahn <a.hahn@f5.com>
2024-06-12ci: Limit when to run checks on pull-requestsAndrew Clayton1-0/+7
Commit 4fc50258b ("ci: Be more specific when to run the main Unit checks") limited when the checks for the main ci run, on pushes to master. It should have done the same for pull-requests. Fixes: 4fc50258b ("ci: Be more specific when to run the main Unit checks") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-05-29ci: Be more specific when to run the main Unit checksAndrew Clayton1-2/+8
ci-dev-distro-compiler.yaml already limits itself to running only when relevant things are updated. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-05-15Add GitHub workflows for extra coverageAndrew Clayton1-0/+177
This adds a workflow for building Unit under Fedora Rawhide and Alpine Edge with both GCC and Clang. These are the development branches from which releases are cut. This usually consists of the latest versions of software and will hopefully catch new compiler issues and API breakages in the various languages we support. With Alpine and Clang that also gives us musl libc + clang coverage. On Alpine we don't build the wasm and wasm-wasi-component modules, mainly as this would require messing around with all the rust stuff and building wasmtime from source (as there's no musl libc based packages) and the wasm module is pretty small, any new compiler issues would hopefully show up in the rest. We _do_ build the wasm module with gcc and clang on Fedora. But not wasm-wasi-component in the interests of time. Can be added at a later date if deemed necessary. We don't build the Perl language module on Fedora with clang due to the Fedora (and probably Red Hat) Perl CFLAGS having incompatible with clang flags. We probably could work around it if we really wanted to, but not sure it's worth it and on Red Hat/Fedora, GCC _is_ the system compiler. On Alpine we also don't build the nodejs and go language modules as there's nothing that actually gets compiled there and the _main_ reason for building on Alpine is to get musl libc + clang coverage. We're also not bothering with njs for now... can be revisited at a later date. Also no pytests, these should be well covered via other workflows for example by running on latest Alpine releases. Closes: https://github.com/nginx/unit/issues/949 Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-05-14ci: Add unit testing to unitctl CI workflowAva Hahn1-4/+61
* fix a few misspellings in unitctl CI workflow * add unit testing job * exclude unitd integration test from unit tests * add workflow dispatch trigger * add calls to get workflow dispatch version Signed-off-by: Ava Hahn <a.hahn@f5.com>
2024-05-09trigger unitctl CI on version tags of existing formatAva Hahn1-3/+3
Signed-off-by: Ava Hahn <a.hahn@f5.com>
2024-05-09Add unitctl build and release CIDylan Arbour1-0/+132
Adds a GitHub Actions workflow that builds and releases unitctl binaries when a tag prefixed with `unitctl/` is pushed. Binaries are built on pull-requests that change any files within `tools/unitctl`, on `master` branch pushes and when `unitctl/` prefixed tags are pushed.
2024-05-02Add a GitHub workflow to check for whitespace issuesAndrew Clayton1-0/+48
If it fails you can check the 'git log --check' output of the workflow to see what the issue is. E.g --- 93ec0133 Oops... README.md:1: trailing whitespace. +# NGINX Unit Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-03-11Add dependabot.ymlDylan Arbour1-0/+6
We already use dependabot for security related patches, by default. This change adds a dependabot.yml configuration file that explicitly enables the service to manage versions of Actions in GitHub Actions. This ensures that Actions like `setup-go` are updated timely. This change does not affect how Dependabot manages versions for Go, Rust, etc. The file can be used to configure that for additional package managers and languages in the future, if desired.
2024-03-07Add GitHub workflow for wasm-wasi-componentAndrew Clayton1-5/+35
This adds a GitHub CI workflow for the new wasm-wasi-component language module. Some things of note. 1) We need to special case 'wasm-wasi-component' in the 'Output build metadata' section as we are splitting the module names on '-' to split them into name and version. 2) Apart from needing to tell bindgen about the njs include paths, we also need to explicitly specify which version of clang to use to work around an issue with multiple versions of clang installed. Link: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/7268> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-03-07Test with root access in GitHub workflowsDylan Arbour1-31/+13
To enable tests that require privileged root access, this commit tests with `sudo`. The Java and Python jobs have additional permissions issues, so they are also configured and made with `sudo`. A small permissions fix is required before running tests to allow non-root users to execute within the `/home/runner` directory. This change also removes the custom directories that were required without root access. Reviewed-by: Andrew Clayton <a.clayton@nginx.com> Signed-off-by: Dylan Arbour <d.arbour@f5.com>
2024-02-24Update setup-go to v5Dylan Arbour1-1/+2
Removes deprecation notices on actions builds. v5 updates the version of node and `cache: false` disables the errors related to not finding a go.sum
2024-02-23Add PHP 8.2 and 8.1 to test matrixDylan Arbour1-0/+4
`setup-php` action was fixed to add embed SAPI for older versions of PHP
2024-02-22Remove debug from builds and testsDylan Arbour1-2/+1
The info and above errors should be more than enough for debugging failures in GitHuB Actions CI.
2024-02-21Add GitHub ActionsDylan Arbour1-0/+335
This commit adds GitHub Actions configuration, running tests on pull-requests and master push changes. This change is meant to be a first-pass at our evolving CI processes. - Tests run in parallel per language for speed and isolation - Test matrix is composed by a string list of languages and versions - `setup-${language}` actions are preferred over base (and changing) versions from `ubuntu-latest` operating system A few caveats with the current setup: - Only tests on Ubuntu (no FreeBSD or Alpine) - Unpriviledged tests only - No core dumps available on failure