bitcoin/ci
MarcoFalke 85892f77c9
Merge bitcoin/bitcoin#25900: ci: run docker wrapper with a non-root user
849f20a6d3 ci: create and use non-root user for docker image (josibake)

Pull request description:

  Previously, everything in the ci docker image ran as the root user. This would lead to certain directories (`ci/scratch`, `depends`) being owned by `root` after running the ci locally which would lead to annoying behavior such as subsequent guix builds failing due to `depends/` being owned by root.

  This PR adds a non-root user in the container and chowns the mounted working directory. All the `docker exec` commands now run as the non-root user, except for the few that still need to run as root (mainly, installing packages).

  To test this I checked out a fresh copy of the repo, applied my changes, ran the CI, and verified all the local file permissions were unchanged after the CI was finished running.

ACKs for top commit:
  hebasto:
    ACK 849f20a6d3, tested on Ubuntu 22.04 by running commands as follows:

Tree-SHA512: 734dca0f36157fce5fab243b4ff657fc17ba980e8e4e4644305f41002ff21bd5cef02c306ea1e0b5c841d4c07c095e8e4be16722e6a38c890717c60a3f5ec62a
2022-11-22 12:46:40 +01:00
lint Remove clang-format from lint task 2022-10-05 10:52:42 +02:00
retry build: update retry to current version 2019-10-30 18:49:57 -04:00
test Merge bitcoin/bitcoin#25900: ci: run docker wrapper with a non-root user 2022-11-22 12:46:40 +01:00
lint_run_all.sh scripted-diff: Bump copyright headers 2020-12-31 09:45:41 +01:00
README.md doc: move doc to ci readme 2020-06-19 10:44:00 -04:00
test_run_all.sh scripted-diff: Bump copyright headers 2020-12-31 09:45:41 +01:00

CI Scripts

This directory contains scripts for each build step in each build stage.

Running a Stage Locally

Be aware that the tests will be built and run in-place, so please run at your own risk. If the repository is not a fresh git clone, you might have to clean files from previous builds or test runs first.

The ci needs to perform various sysadmin tasks such as installing packages or writing to the user's home directory. While most of the actions are done inside a docker container, this is not possible for all of them. Thus, cache directories, such as the depends cache, previous release binaries, or ccache, are mounted as read-write into the docker container. While it should be fine to run the ci system locally on your development box, the ci scripts can generally be assumed to have received less review and testing compared to other parts of the codebase. If you want to keep the work tree clean, you might want to run the ci system in a virtual machine with a Linux operating system of your choice.

To allow for a wide range of tested environments, but also ensure reproducibility to some extent, the test stage requires docker to be installed. To install all requirements on Ubuntu, run

sudo apt install docker.io bash

To run the default test stage,

./ci/test_run_all.sh

To run the test stage with a specific configuration,

FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh
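Because the cache directories are mounted read-write, a container step that runs as root leaves root-owned files behind in the work tree; the merge commit at the top of this page names `ci/scratch` and `depends` as the directories that used to end up that way. The script below is an added example and not a bitcoin/ci script: it scans a work tree for paths not owned by the invoking user, which is the check worth running after a local stage finishes, and builds the `--user` value that docker run/exec accept for a uid-matched container. The wrapper that would consume that value is assumed, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not part of bitcoin/ci: detect foreign-owned leftovers after a
# local ci run and build the docker --user argument for a uid-matched run.
set -eu

# Print every path under $1 whose owner differs from the invoking user.
# Returns 0 when the tree is clean, 1 when at least one such path exists.
find_foreign_owned() {
  local root="$1" hits
  hits="$(find "$root" ! -user "$(id -u)" 2>/dev/null || true)"
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# "--user=UID:GID" for docker run/exec, so files written into mounted caches
# (depends, ccache, ci/scratch) are created as the caller rather than as root.
docker_user_flag() {
  printf -- '--user=%s:%s' "$(id -u)" "$(id -g)"
}

# Demonstration on a constructed scratch tree; no docker is involved.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/ci/scratch" "$tmp/depends"
  : >"$tmp/depends/built.stamp"
  if find_foreign_owned "$tmp"; then
    echo "clean: every path under $tmp is owned by $(id -un)"
  else
    echo "foreign-owned paths found under $tmp; rerun docker with $(docker_user_flag)"
  fi
  rm -rf "$tmp"
}

demo
```

Run it against the repository root after a stage has finished; a non-empty listing means a container step still wrote as root into a mounted directory.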

Configurations

The test files (FILE_ENV) are constructed to test a wide range of configurations, rather than a single pass/fail. This helps to catch build failures and logic errors that present on platforms other than the ones the author has tested.

Some builders use the dependency-generator in ./depends, rather than using the system package manager to install build dependencies. This guarantees that the tester is using the same versions as the release builds, which also use ./depends.

If no FILE_ENV has been specified or values are left out, 00_setup_env.sh is used as the default configuration with fallback values.

It is also possible to force a specific configuration without modifying the file. For example,

MAKEJOBS="-j1" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh

The files starting with 0n (n greater than 0) are the scripts that are run in order.
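The three layers described in this section (a variable set on the command line, the FILE_ENV file, and the fallbacks in 00_setup_env.sh) can be reproduced in a few lines. This is an added example, not bitcoin/ci's own setup script: the `${VAR:-default}` idiom, the default values and the variable names other than MAKEJOBS, HOST and FILE_ENV are assumptions, and the sample FILE_ENV file is constructed here. It mirrors the ARM configuration only in that it sets HOST and leaves MAKEJOBS alone, which is what lets the `MAKEJOBS="-j1"` override above take effect.

```shell
#!/usr/bin/env bash
# Added example, not bitcoin/ci's 00_setup_env.sh: shows how a caller's
# variable, a FILE_ENV file and built-in fallbacks layer. Default values are
# assumptions chosen for the demo.
set -eu

# Write a constructed FILE_ENV that sets HOST but says nothing about MAKEJOBS.
write_sample_env() {
  cat >"$1" <<'EOF'
export HOST="arm-linux-gnueabihf"
export CONTAINER_NAME="ci_arm_linux"
EOF
}

# Resolve the effective configuration in a subshell so the caller's shell is
# left untouched. For each variable: an assignment in FILE_ENV wins, otherwise
# a value the caller exported, otherwise the fallback below. Prints one
# KEY=VALUE line per setting.
effective_config() {
  (
    if [ -n "${FILE_ENV:-}" ]; then
      # shellcheck disable=SC1090
      . "$FILE_ENV"
    fi
    # ':-' only fills a variable that is unset or empty, so earlier layers win.
    export MAKEJOBS="${MAKEJOBS:--j4}"
    export HOST="${HOST:-x86_64-pc-linux-gnu}"
    export CONTAINER_NAME="${CONTAINER_NAME:-ci_native}"
    printf 'MAKEJOBS=%s\nHOST=%s\nCONTAINER_NAME=%s\n' \
      "$MAKEJOBS" "$HOST" "$CONTAINER_NAME"
  )
}

# Extract one KEY from effective_config output.
config_value() {
  effective_config | sed -n "s/^$1=//p"
}

demo() {
  local env_file
  env_file="$(mktemp)"
  write_sample_env "$env_file"
  echo "defaults only:"
  effective_config
  echo "FILE_ENV only:"
  ( export FILE_ENV="$env_file"; effective_config )
  echo "MAKEJOBS=-j1 plus FILE_ENV:"
  ( export MAKEJOBS="-j1" FILE_ENV="$env_file"; effective_config )
  rm -f "$env_file"
}

demo
```

The subshells around each call keep the exported variables from leaking into the rest of the script, which is the same reason the real runner is invoked as a separate process with the variables prefixed on its command line.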

Cache

In order to avoid rebuilding all dependencies for each build, the binaries are cached and re-used when possible. Changes in the dependency-generator will trigger cache-invalidation and rebuilds as necessary.