Skip to content

ci: add in-container CI tests#385

Merged
cyphar merged 11 commits into
mainfrom
ci-in-ctr
Jun 17, 2026
Merged

ci: add in-container CI tests#385
cyphar merged 11 commits into
mainfrom
ci-in-ctr

Conversation

@cyphar

@cyphar cyphar commented Jun 2, 2026

Copy link
Copy Markdown
Owner

Fixes #372
Implements #376

@codecov

codecov Bot commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 92.93680% with 19 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/tests/common/mntns.rs 72.72% 6 Missing ⚠️
src/tests/common/handle.rs 75.00% 4 Missing ⚠️
src/tests/test_root_ops.rs 96.52% 4 Missing ⚠️
src/tests/test_resolve.rs 85.71% 3 Missing ⚠️
src/tests/capi/test_compat.rs 96.77% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

@cyphar cyphar force-pushed the ci-in-ctr branch 28 times, most recently from c42e237 to 0bfd742 Compare June 4, 2026 11:50
@cyphar cyphar force-pushed the ci-in-ctr branch 4 times, most recently from fa366a5 to b8c3ad0 Compare June 4, 2026 12:30
@cyphar

This comment was marked as resolved.

Sign in to view
cyphar added 4 commits June 17, 2026 15:56
@cyphar
tests: improve propagated error messages
1c716d0 
We made pretty judicious use of ?, which leads to problems if you have
an error somewhere deep as there is little information at the error
source about what was being attempted.

The goal here is to just improve the overall amount of information we
are providing when an error happens deep within some helper. This is
really dumb grunt work so I used an LLM for parts of it.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
tests: capi: use O_NOCTTY rather than O_NOATIME
0d962e2 
O_NOATIME requires privileges that we might not have and appears to be
problematic in containers. O_NOCTTY is a better "dummy" flag to use.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
tests: add _test_can_mknod feature
eb678fd 
When we start running tests in containers, mknod(2) is blocked by the
devices cgroup and so will fail even for root.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
hotfix: tests: allow skipping in-mntns tests
e261ad1 
When running in a container without CAP_SYS_ADMIN or with AppArmor
enabled, you end up not being able to create namespaces or mount and
it's not really easy to detect this at compile-time.

This is just a hotfix because it fakes the test results to look like a
pass, ideally we would be using the test-if crate I'm working on to let
you do runtime conditional skipping.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the ci-in-ctr branch 2 times, most recently from b399a1a to 26b317f Compare June 17, 2026 14:05
@cyphar cyphar marked this pull request as ready for review June 17, 2026 14:06
@cyphar cyphar force-pushed the ci-in-ctr branch 2 times, most recently from 773e935 to 57b65d9 Compare June 17, 2026 14:37
cyphar added 7 commits June 17, 2026 17:35
@cyphar
hotfix: tests: skip procfs tests if /proc/sys is overmounted
ea52dd5 
This is really not an ideal solution but for now we should just skip the
overmount tests if /proc/sys is already overmounted as the tests will
fail when expecting no overmounts. The same goes for the sysctl unit
tests, which expect /proc/sys to not be overmounted.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
e2e-tests: don't use /proc/sys for readlink tests
9de3ae2 
This breaks under containers and there is no real need to use /proc/sys
specifically for this test, though I guess we will eventually need to do
skipping of e2e tests based on overmounts.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
hack: rust-tests: add --help option
21630f1 
Minor quality of life improvement when running this script from inside a
container.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
hack: rust-tests: auto-set _test_as_root if running as root
7410107 
In a container we actually do run as root by default, so we should
handle that case automatically in a similar way to --sudo.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
hack: rust-tests: support --report-output-path
741c3e4 
This will be needed to make it easier to exfiltrate test data from
containers into a volume without making targets/llvm-cov-target a volume
(which has some other potential downsides).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
ci: add Dockerfile
e9bf98c 
The primary use-case for this image is for CI, but I've included a very
minimal install image that you could in principle use to make use of
libpathrs on container infrastructure without needing to build it
yourself.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
gha: run container tests in CI
a77345d 
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar mentioned this pull request Jun 17, 2026
Merged
@cyphar cyphar merged commit 032a07a into main Jun 17, 2026
139 checks passed
@cyphar cyphar deleted the ci-in-ctr branch June 17, 2026 16:16
This was referenced Jun 17, 2026
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

container workloads with /proc/sys ro mount are problematic

1 participant

@cyphar