forked from open-quantum-safe/openssh
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
We are hitting the 1 hour time limit of Circle CI (Issue open-quantum-safe#166). This migrates the existing CircleCI job completely to GitHub Actions which has a 5 hour time limit. For the most part, this is pretty much a one-to-one migration. Since upstream OpenSSH provided its own set of GitHub Actions, I simply moved those to the `upstream-github` directory to avoid conflicts and preserve the source.

I did run into two issues with getting the integration tests to pass. Beyond that, I ran into two issues that arose from migrating to GitHub Actions which need to be patched around.

The combination of GitHub Actions' host with the OQS CI container results in a lazier reaping of zombie processes which breaks this test. In this test, ssh-agent is run as a subprocess to some arbitrary user command. This enables exclusive access to ssh-agent to that specific process. The way this works under the hood is that ssh-agent forks into a child process and the parent process exec's into the arbitrary command ([code ref](https://github.com/open-quantum-safe/openssh/blob/OQS-v9/ssh-agent.c#L2384)) which runs to completion. The child process then polls its parent process until it detects its own orphaned status and terminates itself. This, by design, results in a zombie process which must be reaped. The test's assertion uses `kill -0` to check for liveness, but that counts zombies as "alive". The workaround for this then is to add an additional check to assert that zombies are in fact "dead".

The `percent` test tests % expansions inside SSH config files (e.g. home directory, username, port number). The assertion for the home directory uses the `HOME` environmental variable. Unfortunately, when running a container on a GitHub Runner, they unconditionally override the value of `HOME` with `/github/home` ([issue ref](actions/runner#863)) and this breaks the test assertion. The fix here is to get a more reliable reference for the home directory and use that for the assertion.
Signed-off-by: gcr <[email protected]>
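
The `kill -0` behaviour described in the commit message, as an added example that is not part of this commit or of the OpenSSH test suite. It assumes Linux with `/proc`; the function names are hypothetical, and the zombie is constructed with a parent that never calls wait() rather than with a slow PID 1.

```sh
#!/bin/sh
# Added demo (Linux, needs /proc): a zombie still passes `kill -0`.
# All function names are hypothetical; the zombie is constructed here.

# State letter from /proc/PID/stat (third field, after the "(comm)" part).
proc_state() {
    sed 's/^.*) \(.\).*/\1/' "/proc/$1/stat" 2>/dev/null
}

# Liveness as a bare `kill -0` assertion sees it.
alive_kill0() {
    kill -0 "$1" 2>/dev/null
}

# Liveness with the extra check: a zombie counts as dead.
alive_strict() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(proc_state "$1")
    [ -n "$state" ] && [ "$state" != Z ]
}

# Create a zombie and print its PID. The holder shell forks `sleep 1`,
# records the child's PID, then exec's into `sleep 10`, which never calls
# wait(), so the exited child stays unreaped while the holder runs.
spawn_zombie() {
    pidfile=$(mktemp) || return 1
    sh -c 'sleep 1 & echo "$!" >"$1"; exec sleep 10' holder "$pidfile" \
        >/dev/null 2>&1 &
    tries=0
    until [ -s "$pidfile" ] || [ "$tries" -ge 5 ]; do
        sleep 1; tries=$((tries + 1))
    done
    zpid=$(cat "$pidfile"); rm -f "$pidfile"
    tries=0
    until [ "$(proc_state "$zpid")" = Z ] || [ "$tries" -ge 5 ]; do
        sleep 1; tries=$((tries + 1))
    done
    echo "$zpid"
}

pid=$(spawn_zombie)
echo "pid $pid state: $(proc_state "$pid")"
if alive_kill0 "$pid"; then echo "kill -0: alive"; else echo "kill -0: dead"; fi
if alive_strict "$pid"; then echo "strict:  alive"; else echo "strict:  dead"; fi
```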
Showing 13 changed files with 30 additions and 53 deletions.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
name: CI Checks | ||
on: [ push, pull_request, workflow_dispatch ] | ||
jobs: | ||
ubuntu_build: | ||
runs-on: ubuntu-latest | ||
container: | ||
image: openquantumsafe/ci-ubuntu-focal-x86_64:latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Set up SSH environment | ||
run: | | ||
mkdir -p -m 0755 /var/empty | ||
groupadd sshd | ||
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd | ||
- name: Clone liboqs | ||
run: ./oqs-scripts/clone_liboqs.sh | ||
- name: Build liboqs | ||
run: ./oqs-scripts/build_liboqs.sh | ||
- name: Build OpenSSH | ||
run: env WITH_OPENSSL=true ./oqs-scripts/build_openssh.sh | ||
- name: Run tests documented to pass | ||
run: ./oqs-test/run_tests.sh | ||
- name: Ensure we have the ssh and sshd syntax right once for each algorithm | ||
run: python3 oqs-test/try_connection.py doone |
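
Review bot: the workflow has no `permissions:` block, and both external dependencies are pulled by mutable reference (`image: openquantumsafe/ci-ubuntu-focal-x86_64:latest` and `uses: actions/checkout@v4`), so the code that builds and tests every push and pull request can change without a commit in this repository. Add a top-level `permissions:` entry limited to `contents: read`, pin the container image by digest, and pin the checkout action to a full commit SHA. Separately, `on: [ push, pull_request, workflow_dispatch ]` runs the job twice for a pull request opened from a branch in the same repository; restricting `push` to the main branches would avoid the duplicate run. Since the migration is motivated by a job time limit, a `timeout-minutes:` value on `ubuntu_build` would also make a hung test fail at a known point.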
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.