Fix root certificate not found when using external directory (#4252) #9508
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: Linux | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release/[0-9]+.[0-9]+ | |
| tags: | |
| - v[0-9]+.[0-9]+.[0-9]+ | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| merge_group: | |
| types: [checks_requested] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| CheckLint: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| conclusion: ${{ steps.check-lint.outputs.conclusion }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Check Lint Status | |
| id: check-lint | |
| uses: ./.github/actions/check-lint | |
| GetMatrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - name: Determine job matrix | |
| id: set-matrix | |
| run: | | |
| set -euo pipefail | |
| MATRIX='{"build-type": "Debug"} | |
| {"build-type": "Clang"} | |
| {"build-type": "Release"}' | |
| if ${{ github.event_name != 'merge_group' && github.repository == 'canonical/multipass'}}; then | |
| MATRIX+='{"build-type": "Coverage" }' | |
| fi | |
| echo "${MATRIX}" | jq -cs '{"include": . }' | awk '{ print "matrix=" $0 }' >> $GITHUB_OUTPUT | |
| BuildAndTest: | |
| needs: [GetMatrix, CheckLint] | |
| # Proceed if Lint failed on a PR (but not if cancelled) | |
| if: ${{ !cancelled() && success() && | |
| (needs.CheckLint.outputs.conclusion == 'success' || | |
| (needs.CheckLint.outputs.conclusion == 'failure' && github.event_name == 'pull_request')) | |
| }} | |
| outputs: | |
| label: ${{ steps.build-params.outputs.label }} | |
| channel: ${{ steps.build-params.outputs.channel }} | |
| snap-file: ${{ steps.build-snap.outputs.snap-file }} | |
| strategy: | |
| matrix: ${{ fromJSON(needs.GetMatrix.outputs.matrix) }} | |
| fail-fast: ${{ github.event_name == 'merge_group' }} | |
| runs-on: ubuntu-latest | |
| env: | |
| SNAPCRAFT_BUILD_INFO: 1 | |
| timeout-minutes: 120 | |
| steps: | |
| # Free some disk space to avoid the "No space left on device" error. | |
| - name: Free Disk Space | |
| uses: jlumbroso/free-disk-space@v1.3.1 | |
| with: | |
| large-packages: false | |
| swap-storage: false | |
| - name: Install Snapcraft | |
| uses: samuelmeuli/action-snapcraft@v3 | |
| - name: Install LXD | |
| uses: canonical/setup-lxd@a3c85fc6fb7fff43fcfeae87659e41a8f635b7dd | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Need full history to derive version | |
| submodules: 'recursive' | |
| - name: Determine build parameters | |
| id: build-params | |
| uses: ./.github/actions/build-params | |
| - name: Patch | |
| env: | |
| PATCH_PREFIX: .github/workflows/linux | |
| run: > | |
| [ ! -f ${PATCH_PREFIX}.patch ] || patch -p1 --no-backup-if-mismatch < ${PATCH_PREFIX}.patch | |
| [ ! -f ${PATCH_PREFIX}-${{ matrix.build-type }}.patch ] || | |
| patch -p1 --no-backup-if-mismatch < ${PATCH_PREFIX}-${{ matrix.build-type }}.patch | |
| - name: Set up vcpkg | |
| id: setup-vcpkg | |
| uses: lukka/run-vcpkg@v11 | |
| with: | |
| vcpkgDirectory: '${{ github.workspace }}/3rd-party/vcpkg' | |
| - name: Set up CCache | |
| id: setup-ccache | |
| run: | | |
| sudo apt-get install ccache | |
| ccache --max-size=2G | |
| mkdir -p ${HOME}/.ccache | |
| /snap/bin/lxc profile device add default ccache disk source=${HOME}/.ccache/ path=/root/.ccache | |
| # Find common base between main and HEAD to use as cache key. | |
| git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules origin main | |
| echo "cache-key=$( git merge-base origin/main ${{ github.sha }} )" >> $GITHUB_OUTPUT | |
| - name: CCache | |
| uses: actions/cache@v4 | |
| with: | |
| key: ccache-${{ runner.os }}-${{ matrix.build-type }}-${{ steps.setup-ccache.outputs.cache-key }} | |
| restore-keys: | | |
| ccache-${{ runner.os }}-${{ matrix.build-type }}- | |
| path: ~/.ccache | |
| - name: Set up coverage | |
| id: coverage-setup | |
| if: ${{ matrix.build-type == 'Coverage' }} | |
| run: | | |
| MULTIPASS_PART=${HOME}/multipass_part | |
| mkdir --parents ${MULTIPASS_PART} | |
| /snap/bin/lxc profile device add default build disk source=${MULTIPASS_PART} path=/root/parts/multipass | |
| echo "build=${MULTIPASS_PART}/build" >> $GITHUB_OUTPUT | |
| - name: Build | |
| env: | |
| LABEL: ${{ steps.build-params.outputs.label }} | |
| run: | | |
| # Inject the build label. | |
| sed -i "/cmake-parameters:/a \ - -DMULTIPASS_BUILD_LABEL=${LABEL}" snap/snapcraft.yaml | |
| # Inject vcpkg GH Actions cache env vars if they exist | |
| if [ -n "${ACTIONS_CACHE_URL}" ]; then | |
| sed -i "/build-environment:/a \ - ACTIONS_CACHE_URL: ${ACTIONS_CACHE_URL}" snap/snapcraft.yaml | |
| fi | |
| if [ -n "${ACTIONS_RUNTIME_TOKEN}" ]; then | |
| sed -i "/build-environment:/a \ - ACTIONS_RUNTIME_TOKEN: ${ACTIONS_RUNTIME_TOKEN}" snap/snapcraft.yaml | |
| fi | |
| if [ -n "${VCPKG_BINARY_SOURCES}" ]; then | |
| sed -i "/build-environment:/a \ - VCPKG_BINARY_SOURCES: ${VCPKG_BINARY_SOURCES}" snap/snapcraft.yaml | |
| fi | |
| if [ -n "${GITHUB_ACTIONS}" ]; then | |
| sed -i "/build-environment:/a \ - GITHUB_ACTIONS: \"${GITHUB_ACTIONS}\"" snap/snapcraft.yaml | |
| fi | |
| # Build the `multipass` part. | |
| /snap/bin/snapcraft pull --use-lxd inject-apt-mirrors | |
| /snap/bin/snapcraft build --use-lxd multipass | |
| - name: Clear CCache stats | |
| run: ccache --show-stats --zero-stats | |
| - name: Set /proc/sys/kernel/core_pattern | |
| if: ${{ matrix.build-type == 'Debug' || matrix.build-type == 'Coverage' }} | |
| run : | | |
| # The LXC container share the same "/proc/sys/kernel/core_pattern" | |
| # with the host and it can't be overridden inside the container. Hence | |
| # we need to override it at the runner level. | |
| sudo bash -c 'echo "/coredump/%e.%p.%t" > /proc/sys/kernel/core_pattern' | |
| - name: Test | |
| id: test | |
| if: ${{ matrix.build-type == 'Debug' }} | |
| timeout-minutes: 2 | |
| run: | | |
| trap 'echo "MULTIPASS_TESTS_EXIT_CODE=$?" >> $GITHUB_ENV' EXIT | |
| instance_name=`/snap/bin/lxc --project snapcraft --format=csv --columns=n list | grep multipass` | |
| /snap/bin/lxc --project snapcraft start $instance_name | |
| # Let's print the core pattern so we can check if it's successfully propagated to the container. | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- bash -c 'cat /proc/sys/kernel/core_pattern' | |
| # Create the directory for the coredumps | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- bash -c 'mkdir -p /coredump' | |
| # Enable coredumps by setting the core dump size to "unlimited", and run the tests. | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- bash -c "\ | |
| ulimit -c unlimited && \ | |
| env CTEST_OUTPUT_ON_FAILURE=1 \ | |
| LD_LIBRARY_PATH=/root/stage/usr/lib/x86_64-linux-gnu/:/root/stage/lib/:/root/parts/multipass/build/lib/ \ | |
| /root/parts/multipass/build/bin/multipass_tests" | |
| - name: Measure coverage | |
| id: measure-coverage | |
| if: ${{ matrix.build-type == 'Coverage' }} | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| timeout-minutes: 5 | |
| run: | | |
| trap 'echo "MULTIPASS_TESTS_EXIT_CODE=$?" >> $GITHUB_ENV' EXIT | |
| instance_name=`/snap/bin/lxc --project snapcraft --format=csv --columns=n list | grep multipass` | |
| /snap/bin/lxc --project snapcraft start $instance_name | |
| # Wait for snapd to actually finish- in particular, that snaps are mounted | |
| timeout 10 sh -c \ | |
| 'while [ "$( /snap/bin/lxc --project snapcraft exec '$instance_name' -- \ | |
| systemctl show --property=ActiveState snapd )" != "ActiveState=active" ]; do sleep 1; done' | |
| # Wait for LXD container network to be ready like Snapcraft does | |
| timeout 40 sh -c \ | |
| 'while /snap/bin/lxc --project snapcraft exec '$instance_name' -- getent hosts canonical.com ; \ | |
| [ $? -ne 0 ] ; do sleep 1; done' | |
| # The following 2 commands workaround the issue in 20.04 where the default parsing of the coverage | |
| # JSON file is extremely slow. This makes is use fast parsing. | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- apt-get -y install libjson-xs-perl sudo | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- \ | |
| sh -c "sudo sed -i \"s/use JSON::PP/use JSON::XS/\" \`which geninfo\`" | |
| # Create the directory for the coredumps | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- bash -c 'mkdir -p /coredump' | |
| /snap/bin/lxc --project snapcraft exec $instance_name -- bash -c "\ | |
| ulimit -c unlimited && \ | |
| env CTEST_OUTPUT_ON_FAILURE=1 \ | |
| cmake --build /root/parts/multipass/build --target covreport" | |
| bash <(curl -s https://codecov.io/bash) -Z -s ${{ steps.coverage-setup.outputs.build }} | |
| - name: Pull coredump and executable from LXC container | |
| if: ${{ failure() && env.MULTIPASS_TESTS_EXIT_CODE != '0'}} | |
| # do not cause job to fail if there are no coredumps available. | |
| continue-on-error: true | |
| run: | | |
| set -o xtrace | |
| # Check whether the test executable is crashed or not. | |
| # If so, we'll need to pull the core dump and the executable from the container to the | |
| # runner, so we can upload them as artifacts later on. | |
| echo "Test executable crashed." | |
| # Make a directory in tmp to pull the coredump(s) and the test executable. | |
| # We'll need both to debug the crash. | |
| mkdir -p /tmp/coredump | |
| instance_name=`/snap/bin/lxc --project snapcraft --format=csv --columns=n list | grep multipass` | |
| # Pull the crashed executable from the container | |
| /snap/bin/lxc --project snapcraft file pull \ | |
| -p -r "$instance_name/root/parts/multipass/build/bin/multipass_tests" /tmp/coredump/multipass_tests | |
| echo "Pulled the executable." | |
| # Pull the coredump folder | |
| /snap/bin/lxc --project snapcraft file pull -p -r "$instance_name/coredump" /tmp/coredump | |
| echo "Pulled the coredumps folder." | |
| set +o xtrace | |
| - name: Upload test coredump | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() && env.MULTIPASS_TESTS_EXIT_CODE != '0' }} | |
| with: | |
| name: buildandtest-test-crash-${{ runner.os }}-${{ matrix.build-type }} | |
| path: /tmp/coredump/** | |
| - name: Continue on Error comment | |
| uses: mainmatter/continue-on-error-comment@v1 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| outcome: ${{ steps.measure-coverage.outcome }} | |
| test-id: Error with measuring coverage in ${{ matrix.build-type }} build | |
| - name: Build and verify the snap | |
| id: build-snap | |
| if: ${{ matrix.build-type == 'Release' }} | |
| env: | |
| SNAP_ENFORCE_RESQUASHFS: 0 | |
| run: | | |
| # Actually build the snap. | |
| /snap/bin/snapcraft --use-lxd | |
| sudo snap install review-tools | |
| /snap/bin/review-tools.snap-review --plugs=snap/local/plugs.json *.snap | |
| echo "snap-file=$( ls *.snap )" >> $GITHUB_OUTPUT | |
| - name: Upload the snap | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ matrix.build-type == 'Release' }} | |
| with: | |
| name: ${{ steps.build-snap.outputs.snap-file }} | |
| path: ${{ steps.build-snap.outputs.snap-file }} | |
| if-no-files-found: error | |
| retention-days: 30 | |
| # Publish the snap to the store if all is good, a channel was determined, and we have access to secrets. | |
| Publish-Snap: | |
| needs: BuildAndTest | |
| if: ${{ | |
| !cancelled() | |
| && success() | |
| && github.repository == 'canonical/multipass' | |
| && needs.BuildAndTest.outputs.channel != '' | |
| && (github.event_name == 'push' | |
| || github.event_name == 'merge_group' | |
| || github.event.pull_request.head.repo.full_name == github.repository) | |
| }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Download the built snap | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ needs.BuildAndTest.outputs.snap-file }} | |
| - name: Install Snapcraft and log in | |
| uses: samuelmeuli/action-snapcraft@v3 | |
| - name: Publish the snap | |
| env: | |
| SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }} | |
| run: | | |
| snapcraft upload *.snap --release ${{ needs.BuildAndTest.outputs.channel }} |