-
-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Test in Docker with Alpine Linux on CI #1826
Merged
Merged
Commits on Feb 15, 2024
-
With only one version of Python, currently 3.11.
Configuration menu - View commit details
-
Copy full SHA for 44b8562 - Browse repository at this point
Copy the full SHA 44b8562View commit details -
Work around different ownership in container
This handles the "dubious ownership" error for the Alpine Linux container using safe.directory as is done in the Cygwin job. Another approach may be to actually use a limited user account in the container, though, and that may be better, since I expect some of the rmtree tests in test_util.py to fail due to the root user being able to perform a delete operation the tests assume cannot be done.
Configuration menu - View commit details
-
Copy full SHA for cefb53e - Browse repository at this point
Copy the full SHA cefb53eView commit details -
To overcome "This environment is externally managed" blocker.
Configuration menu - View commit details
-
Copy full SHA for a45d0b0 - Browse repository at this point
Copy the full SHA a45d0b0View commit details -
Run tests as non-root user in Alpine Linux
- Add a note to the fixture in test_util.py that its ability to create files where rmtree will fail is contingent on not running as root (since root doesn't need to own a dir to delete from it). - Create a non-root user in the container. Give it the same UID as owns the repository files that are shared with the container. Also create a group with the GID of the repository files that are shared with the container and add the user to the group, though that is less important. Actually creating the user ensures it has a home directory and may help some commands work. Passing `options: --user 1001` under `container:` will not work because, even if we didn't make the user, the `apk add` commands still need to run as root. - Run all commands as the new non-root user, except for the system administration commands that install needed apk packages and set up the new non-root user account. To continue clearly expressing each step separately and have them automatically run in the container, this uses the hacky approach of having the default shell be a "sudo" command that runs the script step with "sh" (and passes the desired shell arguments). - Preserve environment variables that may have been set by or for the GHA runner, in commands that run as the non-root user. That is, pass those through, while still removing/resetting others. If this is not done, then the variables such as `CI`, which the init-tests-after-clone.sh uses to proceed without interactive confirmation, will not be set, and that step will fail. However, I think it is also a good idea to do this, which is why I've included all the relevant variables and not just `CI`. - Now that a non-root user is using "pip", stop using a venv, at least for now. The other test jobs don't use one, since the runners are isolated, and a container on a runner is even more isolated. But it may be best to bring the venv back, maybe even on the other test jobs, or alternatively to use "python -m pip" instead of "pip", to ensure expected version of pip is used. - Don't add safe.directory inside the container, in the hope that this may not be necessary because the cloned repository files should have the same UID (and even GID) as the user using them. But I expect this may need to be put back; it seems to be needed separately from that, as actions/checkout automatically attempts it for the git command it finds and attempts to use. This is not the only approach that could work. Another approach is to make use of the container explicit in each step, rather than using the `container` key. I think that would make the relationship between the commands here and in other test workflows less apparent and make the workflow a bit less clear, but it could also simplify things. A third approach is to create an image with the needed apk packages and user account, which switches to that user, by writing a Dockerfile and building in image, producing it in a previous job and sharing the image with the job that runs the tests so that `container` can still be used. That might be ideal if it could be done with upload-artifact and download-artifact, but I think `container` only supports getting images from registries.
Configuration menu - View commit details
-
Copy full SHA for 5de954a - Browse repository at this point
Copy the full SHA 5de954aView commit details -
Configuration menu - View commit details
-
Copy full SHA for ab37ae7 - Browse repository at this point
Copy the full SHA ab37ae7View commit details -
Configuration menu - View commit details
-
Copy full SHA for 46e4234 - Browse repository at this point
Copy the full SHA 46e4234View commit details -
Configuration menu - View commit details
-
Copy full SHA for 20780cb - Browse repository at this point
Copy the full SHA 20780cbView commit details -
The "error: externally-managed-environment" stoppage occurs even when the Alpine Linux python command is run by a non-root user.
Configuration menu - View commit details
-
Copy full SHA for b32932f - Browse repository at this point
Copy the full SHA b32932fView commit details -
We chown the workspace, so this shouldn't be needed. This commit also removes the "Debug ownership" step.
Configuration menu - View commit details
-
Copy full SHA for bad545a - Browse repository at this point
Copy the full SHA bad545aView commit details -
Configuration menu - View commit details
-
Copy full SHA for 4b427c9 - Browse repository at this point
Copy the full SHA 4b427c9View commit details
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.