mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

[9.20] chg: ci: Use AlmaLinux for FIPS testing in AWS

Browse Source 
Backport of MR !10433

Merge branch 'backport-mnowak/alma-linux-with-fips-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10517
This commit is contained in:
Michal Nowak
2025-05-29 18:03:36 +00:00
parent f0f140d4f0 0c6a806405
commit 24e2b7ab88
2 changed files with 54 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
.gitlab-ci.yml
View File

@@ -66,6 +66,19 @@ variables:
SHOTGUN_EVAL_THRESHOLD_LATENCY_PCTL_MIN: '-inf' SHOTGUN_EVAL_THRESHOLD_LATENCY_PCTL_MIN: '-inf'
SHOTGUN_EVAL_THRESHOLD_LATENCY_PCTL_DRIFT_MIN: '-inf' SHOTGUN_EVAL_THRESHOLD_LATENCY_PCTL_DRIFT_MIN: '-inf'
# Even though there's only one job per runtime environment, the GitLab
# "instance" executor insists on cloning the Git repository to a path that
# contains a variable number from zero to the "maximum concurrent instances
# count" allowed on the GitLab Runner. See the "0" directory in this example
# path: /home/ec2-user/builds/t1_4FZzvz/0/isc-projects/bind9/.git/.
#
# This is not a problem for isolated jobs like "stress" tests that depend on
# no other jobs. However, it is a problem for jobs that need other jobs'
# artifacts. For example, a system test job that has its Git repo cloned to
# the "/1/" sub-path will fail if it downloads build job artifacts that have
# ./configure output files with "/0/" in its sub-path recorded.
GIT_CLONE_PATH_INSTANCE_EXECUTOR: "/home/ec2-user/builds/${CI_PROJECT_PATH}/"
default: default:
# Allow all running CI jobs to be automatically canceled when a new # Allow all running CI jobs to be automatically canceled when a new
# version of a branch is pushed. # version of a branch is pushed.
@@ -94,10 +107,23 @@ stages:
### Runner Tag Templates ### Runner Tag Templates
.libvirt-amd64: &libvirt_amd64 # AlmaLinux autoscaling GitLab Runners on AWS EC2 (amd64)
.almalinux-8fips-amd64-image: &almalinux_8fips_amd64_image
tags: tags:
- libvirt - almalinux-8
- amd64 - amd64
- autoscaler
- aws
- shell
.almalinux-9fips-amd64-image: &almalinux_9fips_amd64_image
tags:
- almalinux-9
- amd64
- autoscaler
- aws
- shell
# Autoscaling GitLab Runner on AWS EC2 (amd64) # Autoscaling GitLab Runner on AWS EC2 (amd64)
@@ -139,18 +165,7 @@ stages:
variables: variables:
CC: clang CC: clang
CFLAGS: "${CFLAGS_COMMON} -Og" CFLAGS: "${CFLAGS_COMMON} -Og"
# Even though there's only one job per runtime environment, the GitLab GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
# "instance" executor insists on cloning the Git repository to a path that
# contains a variable number from zero to the "maximum concurrent instances
# count" allowed on the GitLab Runner. See the "0" directory in this
# example path: /home/ec2-user/builds/t1_4FZzvz/0/isc-projects/bind9/.git/.
#
# This is not a problem for isolated jobs like "stress" tests that depend
# on no other jobs. However, it is a problem for jobs that need other jobs'
# artifacts. For example, a system test job that has its Git repo cloned to
# the "/1/" sub-path will fail if it downloads build job artifacts that
# have ./configure output files with "/0/" in its sub-path recorded.
GIT_CLONE_PATH: "/home/ec2-user/builds/${CI_PROJECT_PATH}/"
# Use MIT Kerberos5 for BIND 9 GSS-API support because of FreeBSD Heimdal # Use MIT Kerberos5 for BIND 9 GSS-API support because of FreeBSD Heimdal
# incompatibility; see https://bugs.freebsd.org/275241. # incompatibility; see https://bugs.freebsd.org/275241.
EXTRA_CONFIGURE: "${WITH_READLINE_EDITLINE} --with-gssapi=/usr/local/bin/krb5-config" EXTRA_CONFIGURE: "${WITH_READLINE_EDITLINE} --with-gssapi=/usr/local/bin/krb5-config"
@@ -185,16 +200,6 @@ stages:
image: "$CI_REGISTRY_IMAGE:almalinux-9-amd64" image: "$CI_REGISTRY_IMAGE:almalinux-9-amd64"
<<: *linux_amd64 <<: *linux_amd64
# Oracle Linux
.oraclelinux-8fips-amd64: &oraclelinux_8fips_amd64_image
image: "oraclelinux-8fips-x86_64"
<<: *libvirt_amd64
.oraclelinux-9fips-amd64: &oraclelinux_9fips_amd64_image
image: "oraclelinux-9fips-x86_64"
<<: *libvirt_amd64
# Debian # Debian
.debian-bookworm-amd64: &debian_bookworm_amd64_image .debian-bookworm-amd64: &debian_bookworm_amd64_image
@@ -326,6 +331,9 @@ stages:
- rm -f bind-*.tar.xz - rm -f bind-*.tar.xz
- cd bind-* - cd bind-*
.fips-feature-test: &fips_feature_test
- if bin/tests/system/feature-test --have-fips-mode; then fips-mode-setup --check; fips-mode-setup --is-enabled; fi
.build: &build_job .build: &build_job
<<: *default_triggering_rules <<: *default_triggering_rules
stage: build stage: build
@@ -344,6 +352,7 @@ stages:
- test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" ) - test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" )
- if test -z "${OUT_OF_TREE_WORKSPACE}" && test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi - if test -z "${OUT_OF_TREE_WORKSPACE}" && test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- bin/named/named -V - bin/named/named -V
- *fips_feature_test
needs: needs:
- job: autoreconf - job: autoreconf
artifacts: true artifacts: true
@@ -413,6 +422,7 @@ stages:
- test -n "${OUT_OF_TREE_WORKSPACE}" && cp -r bin/tests/system/* "${OUT_OF_TREE_WORKSPACE}/bin/tests/system/" && cd "${OUT_OF_TREE_WORKSPACE}" - test -n "${OUT_OF_TREE_WORKSPACE}" && cp -r bin/tests/system/* "${OUT_OF_TREE_WORKSPACE}/bin/tests/system/" && cd "${OUT_OF_TREE_WORKSPACE}"
- *setup_interfaces - *setup_interfaces
script: script:
- *fips_feature_test
- *find_pytest - *find_pytest
- *find_python - *find_python
- ( if [ "${CI_DISPOSABLE_ENVIRONMENT}" = "true" ]; then sleep 3000; "$PYTHON" "${CI_PROJECT_DIR}/util/get-running-system-tests.py"; fi ) & - ( if [ "${CI_DISPOSABLE_ENVIRONMENT}" = "true" ]; then sleep 3000; "$PYTHON" "${CI_PROJECT_DIR}/util/get-running-system-tests.py"; fi ) &
@@ -474,6 +484,7 @@ stages:
before_script: before_script:
- test -n "${OUT_OF_TREE_WORKSPACE}" && cd "${OUT_OF_TREE_WORKSPACE}" - test -n "${OUT_OF_TREE_WORKSPACE}" && cd "${OUT_OF_TREE_WORKSPACE}"
script: script:
- *fips_feature_test
- make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1 - make -j${TEST_PARALLEL_JOBS:-1} -k unit V=1
- test "$CLEAN_BUILD_ARTIFACTS_ON_SUCCESS" -eq 0 || make clean >/dev/null 2>&1 - test "$CLEAN_BUILD_ARTIFACTS_ON_SUCCESS" -eq 0 || make clean >/dev/null 2>&1
after_script: after_script:
@@ -890,27 +901,32 @@ unit:gcc:almalinux9:amd64:
needs: needs:
- job: gcc:almalinux9:amd64 - job: gcc:almalinux9:amd64
# Jobs for scheduled GCC builds on Oracle Linux 8 & 9 FIPS-aware images with # Jobs for scheduled GCC builds on AlmaLinux 8 & 9 FIPS-aware images with FIPS
# FIPS mode in BIND 9 enabled # mode in BIND 9 enabled
gcc:8fips:amd64: gcc:8fips:amd64:
variables: variables:
CC: gcc CC: gcc
CFLAGS: "${CFLAGS_COMMON}" CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-tracing" EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-tracing"
<<: *oraclelinux_8fips_amd64_image GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
<<: *almalinux_8fips_amd64_image
<<: *build_job <<: *build_job
system:gcc:8fips:amd64: system:gcc:8fips:amd64:
<<: *oraclelinux_8fips_amd64_image <<: *almalinux_8fips_amd64_image
<<: *system_test_job <<: *system_test_job
variables:
GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
needs: needs:
- job: gcc:8fips:amd64 - job: gcc:8fips:amd64
artifacts: true artifacts: true
unit:gcc:8fips:amd64: unit:gcc:8fips:amd64:
<<: *oraclelinux_8fips_amd64_image <<: *almalinux_8fips_amd64_image
<<: *unit_test_job <<: *unit_test_job
variables:
GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
needs: needs:
- job: gcc:8fips:amd64 - job: gcc:8fips:amd64
artifacts: true artifacts: true
@@ -920,21 +936,26 @@ gcc:9fips:amd64:
CC: gcc CC: gcc
CFLAGS: "${CFLAGS_COMMON}" CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-leak-detection --disable-tracing" EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-leak-detection --disable-tracing"
<<: *oraclelinux_9fips_amd64_image GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
<<: *almalinux_9fips_amd64_image
<<: *build_job <<: *build_job
system:gcc:9fips:amd64: system:gcc:9fips:amd64:
<<: *oraclelinux_9fips_amd64_image <<: *almalinux_9fips_amd64_image
<<: *system_test_job <<: *system_test_job
<<: *api_pipelines_schedules_tags_triggers_web_triggering_rules <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
variables:
GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
needs: needs:
- job: gcc:9fips:amd64 - job: gcc:9fips:amd64
artifacts: true artifacts: true
unit:gcc:9fips:amd64: unit:gcc:9fips:amd64:
<<: *oraclelinux_9fips_amd64_image <<: *almalinux_9fips_amd64_image
<<: *unit_test_job <<: *unit_test_job
<<: *api_pipelines_schedules_tags_triggers_web_triggering_rules <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
variables:
GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
needs: needs:
- job: gcc:9fips:amd64 - job: gcc:9fips:amd64
artifacts: true artifacts: true

2
doc/arm/platforms.inc.rst
View File

@@ -46,7 +46,7 @@ following systems:
- Debian 12 - Debian 12
- Ubuntu LTS 22.04, 24.04 - Ubuntu LTS 22.04, 24.04
- Fedora 42 - Fedora 42
- Red Hat Enterprise Linux / CentOS / Oracle Linux / AlmaLinux 8, 9 - Red Hat Enterprise Linux / CentOS / AlmaLinux 8, 9
- FreeBSD 13.4, 14.2 - FreeBSD 13.4, 14.2
- Alpine Linux 3.21 - Alpine Linux 3.21