Commit graph

97 commits

Author SHA1 Message Date
MarcoFalke
faaa62754e
ci: Use podman stop over podman kill
This should avoid a race where the kill is not done when spinning up the
new container. podman stop waits 10 seconds by default.
2023-06-09 16:58:38 +02:00
MarcoFalke
fa123077bc
ci: Use podman for persistent workers 2023-05-30 10:27:23 +02:00
MarcoFalke
fa9c65a74c
ci: Prune dangling images on RESTART_CI_DOCKER_BEFORE_RUN 2023-05-30 08:51:53 +02:00
MarcoFalke
fa12558d21
ci: Avoid leaking HOME var into CI pod
This will lead to a duplicate install, see https://github.com/bitcoin/bitcoin/pull/27739#issuecomment-1564122573
2023-05-29 09:16:43 +02:00
MarcoFalke
fa8a428c92
move-only: Move almost all CI_EXEC code to 06_script_b.sh
[WARN] The commit is obviously broken and will not run the CI system. In
the rare case this is hit in a git bisect, just skip the commit.

The goal here was to make it trivial to review with the git option:
--color-moved=dimmed-zebra

It is required to move everything into one file because "exit 0" will
otherwise stop working as intended when the containing bash script is no
longer executed with "source ...".

If there is desire to split up 06_script_b.sh into logical chunks in the
future, it will also be easier after the following commit.
2023-05-10 14:10:38 +02:00
MarcoFalke
fa7d75540e
ci: Pass full env to CI pod to avoid missing a var
Instead of enumerating each passed env var, just pass all. This avoids
the risk of missing to enumerate one. Also, it is less code.

The risk could be that an env var causes non-deterministic behavior, but
this can be fixed by explicitly excluding it once the issue is known.

Values with newlines can not be stored in the file and parsed by
docker/podman, so they are excluded.
2023-05-05 08:46:35 +02:00
MarcoFalke
fa5af94de6
ci: Run base install at most once
This should avoid errors when running it twice. For example, network
errors on the second invocation of 'apt update'; or unguarded
modifications such as APPEND_APT_SOURCES_LIST, which will append the
same string repeatedly.

The base install may be run twice in Cirrus CI with dockerfiles, or
locally when running twice with DANGER_RUN_CI_ON_HOST specified.
2023-04-06 11:52:30 +02:00
josibake
ed4a8339b8
ci: fix git dubious permissions error 2023-04-05 14:25:13 +02:00
MarcoFalke
fafe3a8e38
ci: Remove second user account 2023-03-31 08:28:38 +02:00
MarcoFalke
faa0839837
ci: Cache more stuff in the ci images: msan, iwyu, pip, sdks 2023-03-24 10:19:25 +01:00
Hennadii Stepanov
8fe27fbed8
ci: Use clang-15 in "tidy" task 2023-03-22 15:21:39 +00:00
MarcoFalke
5fffff54e9
ci: Cache stuff in volumes, not host folders 2023-02-08 11:21:23 +01:00
MarcoFalke
fa486de212
ci: Cache package manager install step 2023-01-28 17:59:07 +01:00
MarcoFalke
fa88d42123
ci: Fix APPEND_APT_SOURCES_LIST trying to modify the host system 2023-01-24 20:33:55 +01:00
MarcoFalke
dddd462137
Bump minimum python version to 3.7 2023-01-18 12:59:11 +01:00
MarcoFalke
fa0584eb82
ci: Stop and remove CI container 2023-01-11 10:49:39 +01:00
MarcoFalke
fa5dccba32
scripted-diff: ci: Rework docker naming
DOCKER in names is confusingly used as synonym for "image", "container",
and "ci". Fix the confusion by picking the term that fits the context.

-BEGIN VERIFY SCRIPT-
 ren() { sed -i "s:$1:$2:g" $( git grep -l "$1" ) ; }

 ren DOCKER_PACKAGES CI_BASE_PACKAGES
 # This better reflects that they are the common base for all CI
 # containers.

 ren DOCKER_ID CI_CONTAINER_ID
 # This is according to the documentation of "--detach , -d: Run
 # container in background and print container ID".

 ren DOCKER_NAME_TAG CI_IMAGE_NAME_TAG
 # This avoids confusing with CONTAINER_NAME and clarifies that it is an
 # image.

 ren DOCKER_ADMIN CI_CONTAINER_CAP
 # This clarifies that it is a capability added to the container.

 ren DOCKER_CI_CMD_PREFIX CI_EXEC_CMD_PREFIX
 # This brings it in line with the CI_EXEC naming.

-END VERIFY SCRIPT-
2023-01-11 10:49:18 +01:00
MarcoFalke
fadfae42f1
ci: Remove unused busybox workaround
The find workaround is no longer needed after commit
d3d547c545
2023-01-09 12:40:45 +01:00
MarcoFalke
fac424fce7
ci: Create named symbol for BINS_SCRATCH_DIR
Also, create the dir a bit earlier, right after it was put in the PATH.
2023-01-09 11:53:20 +01:00
Hennadii Stepanov
306ccd4927
scripted-diff: Bump copyright headers
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
- 2021: f47dda2c58
- 2020: fa0074e2d8
- 2019: aaaaad6ac9
2022-12-24 23:49:50 +00:00
josibake
54dd8f51ce
ci: use ci_exec_root for clang install 2022-11-25 14:13:29 +01:00
MarcoFalke
85892f77c9
Merge bitcoin/bitcoin#25900: ci: run docker wrapper with a non-root user
849f20a6d3 ci: create and use non-root user for docker image (josibake)

Pull request description:

  Previously, everything in the ci docker image ran as the root user. This would lead to certain directories (`ci/scratch`, `depends`) being owned by `root` after running the ci locally which would lead to annoying behavior such as subsequent guix builds failing due to `depends/` being owned by root.

  This PR adds a non-root user in the container and chowns the mounted working directory. All the `docker exec` commands now run as the non-root user, except for the few that still need to run as root (mainly, installing packages).

  To test this I checked out a fresh copy of the repo, applied my changes, ran the CI, and verified all the local file permissions were unchanged after the CI was finished running.

ACKs for top commit:
  hebasto:
    ACK 849f20a6d3, tested on Ubuntu 22.04 by running commands as follows:

Tree-SHA512: 734dca0f36157fce5fab243b4ff657fc17ba980e8e4e4644305f41002ff21bd5cef02c306ea1e0b5c841d4c07c095e8e4be16722e6a38c890717c60a3f5ec62a
2022-11-22 12:46:40 +01:00
josibake
849f20a6d3
ci: create and use non-root user for docker image
Running all commands as the root user in the docker image
will change local file permissions in the ci and depends directory.

Add a non-root user to the container and use this user whenever
possible when running docker exec commands.
2022-11-21 18:11:28 +01:00
Hennadii Stepanov
702836530f
ci: Make getopt path architecture agnostic 2022-10-25 09:49:07 +01:00
MacroFake
fa6054e952
ci: Allow PIP_PACKAGES on centos
This was added in 7fc5e865b9 but I can't
see a reason why this should be forbidden.
2022-10-04 11:53:31 +02:00
0xb10c
cc7335edc8
ci: run USDT interface test in a VM
Our CI tasks are run by CirrusCI in Docker containers in a Google
Compute Engine based Kubernetes environment. These containers have
limited capabilities - especially CAP_SYS_ADMIN is missing. See
https://github.com/bitcoin/bitcoin/issues/23296#issuecomment-1024920845

We need elevated privileges to hook into the USDT tracepoints. We use a
CirrusCI "compute_engine_instance" (a VM, not a container) where we have
the required privileges. The ubuntu-minimal-2204-lts was chosen with
debian-11 being an alternative. Both pack an outdated 'bpfcc-tools'
package (v0.18.0) from 2020. This version prints warnings to stderr
during BPF bytecode compilation, which causes our functional test runner
to fail. This is fixed in a newer version.

Until debian-12 or a newer Ubuntu release is available as an image in GCE
(https://cloud.google.com/compute/docs/images/os-details), we use a
third-party and untrusted PPA that releases up-to-date versions of the
package.

The official iovisor (authors of BCC) PPA is outdated too. An
alternative would be to compile BCC from source in the CI.

Co-authored-by: MacroFake <falke.marco@gmail.com>
2022-07-08 19:41:58 +02:00
MacroFake
fa847ed2f6
ci: Clone iwyu only if missing 2022-04-30 09:23:56 +02:00
fanquake
9b0a13a289
tidy: Add include-what-you-use 2022-04-20 14:14:52 +01:00
MarcoFalke
fa73f8a469
ci: Use clang-12 and libcxx-12 for msan 2022-03-30 11:56:06 +02:00
MarcoFalke
fa33236e77
scripted-diff: Rename DOCKER_EXEC to CI_EXEC
-BEGIN VERIFY SCRIPT-
 sed -i "s/DOCKER_EXEC/CI_EXEC/g" $(git grep -l DOCKER_EXEC)
-END VERIFY SCRIPT-
2022-02-01 10:14:53 +01:00
MarcoFalke
fa5457e64a
ci: Bump CentOS 8 image 2022-02-01 10:13:25 +01:00
Hennadii Stepanov
0b7c55f157
ci: Clone entire bitcoin-core/qa-assets repo only when run fuzzing 2022-01-06 16:23:48 +02:00
Hennadii Stepanov
f47dda2c58
scripted-diff: Bump copyright headers
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-

Commits of previous years:
* 2020: fa0074e2d8
* 2019: aaaaad6ac9
2021-12-30 19:36:57 +02:00
Hennadii Stepanov
fe0ff569ea
test: Enable SC2046 shellcheck rule 2021-11-13 18:05:26 +02:00
Hennadii Stepanov
9a1ad7bc0d
test: Enable SC2086 shellcheck rule 2021-11-13 16:54:56 +02:00
Kiminuo
30450a1bd5
Do not clone qa-assets git repository if not necessary 2021-06-30 11:59:49 +02:00
Tushar Singla
057750c09d
ci: Upgrading pip version in macos environment
During each CI run, for macos native environment, python packages lief
and zmq are rebuilt every time which wastes a lot of resources and time.
The latest version of pip directly fetches pre-built binaries. Through
this commit pip version is upgraded in macos environment before
installation of these packages.
2021-06-28 11:57:19 +05:30
W. J. van der Laan
b7c2625703
Merge bitcoin/bitcoin#21664: contrib: use LIEF for macOS and Windows symbol & security checks
7fc5e865b9 test: install lief in CI (fanquake)
955140b326 contrib: consolidate PIE and NX security checks (fanquake)
2aa1631822 contrib: use LIEF in PE symbol checks (fanquake)
e93ac26b85 contrib: use LIEF in macOS symbol checks (fanquake)
a632cbcee5 contrib: use f strings in symbol-check.py (fanquake)
0f5d77c8e4 contrib: add PE PIE check to security checks (fanquake)
8e1f40dd9a contrib: use LIEF for PE security checks (fanquake)
a25b2e965c contrib: use LIEF for macOS security checks (fanquake)
7e7eae7aa8 contrib: use f strings in security-check.py (fanquake)
2e7a9f7ade guix: install LIEF in Guix container (fanquake)
465967b5ef gitian: install LIEF in gitian container (fanquake)

Pull request description:

  This PR is a proof of concept for using [LIEF](https://github.com/lief-project/LIEF) for the PE and MACHO symbol and security checks. It replaces our current approach of manually parsing the output of `objdump` & `otool`. If the consensus is that using LIEF is ok, then I also plan on replacing [pixie.py](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/pixie.py), and using LIEF for all checks. LIEF for Linux is also currently blocked (on the next release, unless we want to build master) on one change for RISC-V that I [sent upstream](https://github.com/lief-project/LIEF/pull/562).

  LIEF is seemingly well maintained, and is the basis for a number of other tools. It also has some very nice documentation; i.e the [Python API for ELF](https://lief.quarkslab.com/doc/latest/api/python/elf.html). It also has many builtins we can take advantage of. i.e [`is_pie`](https://lief.quarkslab.com/doc/latest/api/python/macho.html#lief.MachO.Binary.is_pie), [`has_nx`](https://lief.quarkslab.com/doc/latest/api/python/macho.html#lief.MachO.Binary.has_nx) etc. This means we can [consolidate some of our checks](9c5eeb5484). If/when we end up using LIEF for lightning then we can consolidate further, and cleanup these scripts. i.e to not parse the binary inside the checks, but once at the start of the script.

  Guix builds:
  ```bash
  # find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
  ```

  Gitian builds:

ACKs for top commit:
  laanwj:
    re-ACK 7fc5e865b9

Tree-SHA512: 0c30838413448ecfcf55e6273f607fdb01cb1acafa1d2762afad59360fca7d8efa78ec55064f50cba56cb2c9e98741e13665cba8e9b4b8e5b62b8a53f9bf8990
2021-05-05 13:22:59 +02:00
MarcoFalke
fa399a76c6
ci: Use clang-12 in msan task 2021-05-04 15:04:11 +02:00
fanquake
7fc5e865b9
test: install lief in CI 2021-05-04 20:48:53 +08:00
MarcoFalke
fa278412a0
ci: Restart docker before run
Also, add setting for persistent worker in .cirrus.yml
2021-04-09 15:56:23 +02:00
MarcoFalke
fa73674738
ci: Run i686 centos ci config on cirrus 2020-11-23 17:09:12 +01:00
MarcoFalke
faaee810e6
build: Require C++17 compiler 2020-11-18 15:15:04 +01:00
MarcoFalke
77777c8b5e
ci: Run windows ci config on cirrus 2020-11-09 10:16:45 +01:00
MarcoFalke
3333d6942e
ci: Run macos ci config on cirrus 2020-11-09 10:15:59 +01:00
MarcoFalke
fa0795f54d
ci: Replace TRAVIS_OS_NAME with CI_OS_NAME
Also enable free disk space check unconditionally
2020-11-09 10:15:48 +01:00
Pieter Wuille
4567ba034c
tests: add generic qa-asset-based script verification unit test
This adds a unit test that does generic script verification tests,
with positive/negative witnesses/scriptsigs, under various flags.
The test data is large (several MB) so it's stored in the qa-assets
repo.
2020-10-12 17:18:47 -07:00
Hennadii Stepanov
557d3f1cc0
ci: Do not activate Travis ccache caching strategy
It is sufficient to specify CCACHE_DIR to cache.
Also this change fixes ccache on native macOS build.
2020-07-14 02:35:02 +03:00
practicalswift
870f0cd2a0
build: Add MemorySanitizer (MSan) in Travis to detect use of uninitialized memory 2020-06-23 09:09:30 +00:00
MarcoFalke
fa0d5ee112
ci: Set halt_on_error=1 for tsan 2020-05-30 08:32:58 -04:00