From 27fb2f1a343b84afabfafb92cc15f2247973b046 Mon Sep 17 00:00:00 2001
From: bootc-dev Bot
Date: Thu, 12 Mar 2026 23:43:05 +0000
Subject: [PATCH] Sync common files from infra repository

Synchronized from bootc-dev/infra@eee9b691c9fcf5783ca044671dade3e32efd7e7b.

Signed-off-by: bootc-dev Bot
---
 .bootc-dev-infra-commit.txt | 2 +-
 .devcontainer/devcontainer.json | 26 ++---
 .github/actions/bootc-ubuntu-setup/action.yml | 97 -------------------
 .github/actions/setup-rust/action.yml | 20 ----
 4 files changed, 11 insertions(+), 134 deletions(-)
 delete mode 100644 .github/actions/bootc-ubuntu-setup/action.yml
 delete mode 100644 .github/actions/setup-rust/action.yml

diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index ff1331ff..571a1b84 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-61b769aee4ec165dcbfd993aeaa10a7fae2cb629
+eee9b691c9fcf5783ca044671dade3e32efd7e7b
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 678171be..f1b43a85 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,30 +1,25 @@
 {
 "name": "bootc-devenv-debian",
- // TODO override this back to prod image
 "image": "ghcr.io/bootc-dev/devenv-debian",
 "customizations": {
 "vscode": {
- // Abitrary, but most of our code is in one of these two
+ // Arbitrary, but most of our code is in one of these two
 "extensions": [
 "rust-lang.rust-analyzer",
 "golang.Go"
 ]
+ },
+ "devaipod": {
+ // When running under devaipod, use minimal capabilities
+ // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+ "nestedContainers": true
 }
 },
 "features": {},
- "runArgs": [
- // In general we hope that the outer environment has set up
- // a user namespace to keep this secure.
- "--cap-add=all",
- // Required for mounting /proc in nested user namespace
- "--security-opt", "label=disable",
- // Allows access to /proc paths needed for nested containers
- "--security-opt", "unmask=/proc/*",
- // Device access for nested containers and VMs
- "--device", "/dev/net/tun",
- // I always want KVM
- "--device", "/dev/kvm"
- ],
+ // Use privileged mode for broad compatibility (Codespaces, Docker,
+ // stock devcontainer CLI). devaipod overrides this with tighter
+ // security via the nestedContainers customization above.
+ "privileged": true,
 "postCreateCommand": {
 // Our init script
 "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
@@ -33,4 +28,3 @@
 "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
 }
 }
-
diff --git a/.github/actions/bootc-ubuntu-setup/action.yml b/.github/actions/bootc-ubuntu-setup/action.yml
deleted file mode 100644
index 783c5050..00000000
--- a/.github/actions/bootc-ubuntu-setup/action.yml
+++ /dev/null
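Review bot: `"privileged": true` is broader than the runArgs it replaces: the old list already granted all capabilities and relaxed the SELinux label and /proc masking, but privileged mode additionally drops the default seccomp and AppArmor confinement and exposes every host device, and the removed comment that this is only safe because the outer environment provides a user namespace disappears with it. The new comment above `"privileged"` should keep that caveat so readers of the non-devaipod path know what they are relying on, e.g. `// Privileged grants all capabilities, disables seccomp/AppArmor/SELinux confinement and exposes all host devices; as with the previous runArgs we rely on the outer environment (user namespace) to contain this.` The devaipod `nestedContainers` customization is described as tightening this, but nothing in the hunk shows what it actually grants, so that claim should be checked against the devaipod implementation rather than taken from the comment. The two dropped `--device` entries (/dev/net/tun, /dev/kvm) are presumably now covered by privileged mode exposing all host devices, which is worth a word in the comment as well.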
@@ -1,97 +0,0 @@ -name: 'Bootc Ubuntu Setup' -description: 'Default host setup' -inputs: - libvirt: - description: 'Install libvirt and virtualization stack' - required: false - default: 'false' -runs: - using: 'composite' - steps: - # The default runners have TONS of crud on them... - - name: Free up disk space on runner - shell: bash - run: | - set -xeuo pipefail - sudo df -h - # Use globs for package patterns (apt and dpkg both support fnmatch globs) - unwanted_pkgs=('aspnetcore-*' 'dotnet-*' 'llvm-*' 'php*' 'mongodb-*' 'mysql-*' - azure-cli google-chrome-stable firefox mono-devel) - unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL) - # Start background removal operations as systemd units; if this causes - # races in the future around disk space we can look at waiting for cleanup - # before starting further jobs, but right now we spent a lot of time waiting - # on the network and scripts and such below, giving these plenty of time to run. - n=0 - runcleanup() { - sudo systemd-run -r -u action-cleanup-${n} -- "$@" - n=$(($n + 1)) - } - runcleanup docker image prune --all --force - for x in ${unwanted_dirs[@]}; do - runcleanup rm -rf "$x" - done - # Apt removals in foreground, as we can't parallelize these. - # Only attempt removal if matching packages are installed. - for x in ${unwanted_pkgs[@]}; do - if dpkg -l "$x" >/dev/null 2>&1; then - /bin/time -f '%E %C' sudo apt-get remove -y "$x" - fi - done - # We really want support for heredocs - - name: Update podman and install just - shell: bash - run: | - set -eux - # Require the runner is ubuntu-24.04 - IDV=$(. 
/usr/lib/os-release && echo ${ID}-${VERSION_ID}) - test "${IDV}" = "ubuntu-24.04" - # plucky is the next release - echo 'deb http://azure.archive.ubuntu.com/ubuntu plucky universe main' | sudo tee /etc/apt/sources.list.d/plucky.list - /bin/time -f '%E %C' sudo apt update - # skopeo is currently older in plucky for some reason hence --allow-downgrades - /bin/time -f '%E %C' sudo apt install -y --allow-downgrades crun/plucky podman/plucky skopeo/plucky just - # This is the default on e.g. Fedora derivatives, but not Debian - - name: Enable unprivileged /dev/kvm access - shell: bash - run: | - set -xeuo pipefail - echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - sudo udevadm control --reload-rules - sudo udevadm trigger --name-match=kvm - ls -l /dev/kvm - # Used by a few workflows, but generally useful - - name: Set architecture variable - id: set_arch - shell: bash - run: echo "ARCH=$(arch)" >> $GITHUB_ENV - # Install libvirt stack if requested - - name: Install libvirt and virtualization stack - if: ${{ inputs.libvirt == 'true' }} - shell: bash - run: | - set -xeuo pipefail - # renovate: datasource=github-releases depName=bootc-dev/bcvk - export BCVK_VERSION=0.10.0 - # see https://github.com/bootc-dev/bcvk/issues/176 - /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system python3-virt-firmware - # Something in the stack is overriding this, but we want session right now for bcvk - echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV - td=$(mktemp -d) - cd $td - # Install bcvk - target=bcvk-$(arch)-unknown-linux-gnu - /bin/time -f '%E %C' curl -LO https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz - tar xzf ${target}.tar.gz - sudo install -T ${target} /usr/bin/bcvk - cd - - rm -rf "$td" - - # Also bump the default fd limit as a workaround for 
https://github.com/bootc-dev/bcvk/issues/65 - sudo sed -i -e 's,^\* hard nofile 65536,* hard nofile 524288,' /etc/security/limits.conf - - name: Cleanup status - shell: bash - run: | - set -xeuo pipefail - systemctl list-units 'action-cleanup*' - df -h diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml deleted file mode 100644 index f2f5e067..00000000 --- a/.github/actions/setup-rust/action.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: 'Setup Rust' -description: 'Install Rust toolchain with caching and nextest' -runs: - using: 'composite' - steps: - - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable - - name: Install nextest - uses: taiki-e/install-action@v2 - with: - tool: nextest - - name: Setup Rust cache - uses: Swatinem/rust-cache@v2 - with: - cache-all-crates: true - # Only generate caches on push to git main - save-if: ${{ github.ref == 'refs/heads/main' }} - # Suppress actually using the cache for builds running from - # git main so that we avoid incremental compilation bugs - lookup-only: ${{ github.ref == 'refs/heads/main' }}