ci: run tests on a nftables only system

Signed-off-by: Adrian Reber <[email protected]>

Author: adrianreber

.github/workflows/nftables-test.yml

@@ -0,0 +1,24 @@
+name: Nftables bases testing
+
+on: [push, pull_request]
+
+# Cancel any preceding run on the pull request.
+concurrency:
+  group: nftables-test-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/criu-dev' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Remove iptables
+      run: sudo apt remove -y iptables
+    - name: Install libnftables-dev
+      run: sudo scripts/ci/apt-install libnftables-dev
+    - name: chmod 755 /home/runner
+      # CRIU's tests are sometimes running as some random user and need
+      # to be able to access the test files.
+      run: sudo chmod 755 /home/runner
+    - name: Build with nftables network locking backend
+      run: sudo make -C scripts/ci local COMPILE_FLAGS="NETWORK_LOCK_DEFAULT=NETWORK_LOCK_NFTABLES"

criu/cr-service.c

@@ -582,6 +582,7 @@ static int setup_opts_from_req(int sk, CriuOpts *req)
 			goto err;
 		}
 	}
+	pr_debug("opts.network_lock_method %d\n", opts.network_lock_method);
 
 	if (req->ps) {
 		opts.port = (short)req->ps->port;
@@ -701,6 +702,8 @@ static int setup_opts_from_req(int sk, CriuOpts *req)
 	if (req->lsm_profile) {
 		opts.lsm_supplied = true;
 		SET_CHAR_OPTS(lsm_profile, req->lsm_profile);
+		pr_debug("opts.lsm_supplied %d\n", opts.lsm_supplied);
+		pr_debug("lsm_profile %s\n", opts.lsm_profile);
 	}
 
 	if (req->lsm_mount_context)

criu/lsm.c

@@ -370,7 +370,7 @@ int render_lsm_profile(char *profile, char **val)
 	case LSMTYPE__APPARMOR:
 		return render_aa_profile(val, profile);
 	case LSMTYPE__SELINUX:
-		if (asprintf(val, "%s", profile) < 0) {
+		if (asprintf(val, "%s", opts.lsm_supplied ? opts.lsm_profile : profile) < 0) {
 			*val = NULL;
 			return -1;
 		}

scripts/ci/run-ci-tests.sh

@@ -39,6 +39,10 @@ ci_prep () {
 	# This can fail on aarch64 travis
 	service apport stop || :
 
+	# Ubuntu has set up AppArmor in 24.04 so that it blocks use of user
+	# namespaces by unprivileged users. We need this for some of our tests.
+	sysctl kernel.apparmor_restrict_unprivileged_userns=0 || :
+
 	if [ "$CLANG" = "1" ]; then
 		# clang support
 		CC=clang
@@ -121,8 +125,14 @@ if [ "${CD_TO_TOP}" = "1" ]; then
 fi
 
 export GCOV CC
+if [ -z "$COMPILE_FLAGS" ]; then
+	LOCAL_COMPILE_FLAGS=("V=1")
+else
+	IFS=" " read -r -a LOCAL_COMPILE_FLAGS <<< "$COMPILE_FLAGS"
+	LOCAL_COMPILE_FLAGS=("V=1" "${LOCAL_COMPILE_FLAGS[@]}")
+fi
 $CC --version
-time make CC="$CC" -j4 V=1
+time make CC="$CC" -j4 "${LOCAL_COMPILE_FLAGS[@]}"
 
 ./criu/criu -v4 cpuinfo dump || :
 ./criu/criu -v4 cpuinfo check || :
@@ -150,6 +160,7 @@ ulimit -c unlimited
 cgid=$$
 cleanup_cgroup() {
 	./test/zdtm_umount_cgroups $cgid
+	dmesg
 }
 trap cleanup_cgroup EXIT
 ./test/zdtm_mount_cgroups $cgid