mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-21 17:37:39 +00:00
Code Issues Releases Wiki Activity
criu/.cirrus.yml
Radostin Stoyanov 68f92b551c images: remove symlink for descriptor.proto 
Currently the build scripts create the following symlink:

  criu-4.1/images/google/protobuf/descriptor.proto -> /usr/include/google/protobuf/descriptor.proto

This symlink points to a system-wide absolute-path target. Also,
this symlink ends up in the release tarball. The tarball may later be
downloaded and unpacked by e.g. OS distributions. If unpacking is
done using Python 3.14+, it will fail.

This happens because Python 3.14 will switch the default behavior of
extractall() from "fully trusting the content of archive" to
"disallow common attack vectors while extracting the archive".
With this new behavior, extractall() raises an exception when at
least one file in the archive extracts or points to outside of the
extraction directory (these are called path traversal attacks and
zip slip attacks).

Reported-by: Dmitrii Kuvaiskii <dimakuv@amazon.de>
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2025-07-21 17:48:26 -07:00

124 lines
3.5 KiB
YAML
Raw Permalink Blame History

task:
name: Vagrant Fedora based test (no VDSO)
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"
compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
cpu: 4
memory: 16G
nested_virtualization: true
setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok
build_script: |
make -C scripts/ci vagrant-fedora-no-vdso
task:
name: CentOS Stream 9 based test
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"
compute_engine_instance:
image_project: centos-cloud
image: family/centos-stream-9
platform: linux
cpu: 4
memory: 8G
setup_script: |
dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
dnf -y install epel-release epel-next-release
dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata xmlto libdrm-devel libuuid-devel
# The image has a too old version of nettle which does not work with gnutls.
# Just upgrade to the latest to make the error go away.
dnf -y upgrade nettle nettle-devel
systemctl stop sssd
# Even with selinux in permissive mode the selinux tests will be executed.
# The Cirrus CI user runs as a service from selinux point of view and is
# much more restricted than a normal shell (system_u:system_r:unconfined_service_t:s0).
# The test case above (vagrant-fedora-no-vdso) should run selinux tests in enforcing mode.
setenforce 0
build_script: |
make -C scripts/ci local SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 ZDTM_OPTS="-x zdtm/static/socket-raw"
task:
name: Vagrant Fedora Rawhide based test
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"
compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
cpu: 4
memory: 16G
nested_virtualization: true
setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok
build_script: |
make -C scripts/ci vagrant-fedora-rawhide
task:
name: Vagrant Fedora based test (non-root)
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"
compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
cpu: 4
memory: 16G
nested_virtualization: true
setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok
build_script: |
make -C scripts/ci vagrant-fedora-non-root
task:
name: aarch64 build GCC (native)
arm_container:
image: docker.io/library/ubuntu:jammy
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/apt-install make
make -C scripts/ci local
task:
name: aarch64 build CLANG (native)
arm_container:
image: docker.io/library/ubuntu:jammy
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/apt-install make
make -C scripts/ci local CLANG=1
task:
name: aarch64 Fedora Rawhide
arm_container:
image: registry.fedoraproject.org/fedora:rawhide
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/prepare-for-fedora-rawhide.sh
make -C scripts/ci/ local CC=gcc SKIP_CI_PREP=1 SKIP_CI_TEST=1 CD_TO_TOP=1
make -C test/zdtm -j 4
Reference in New Issue View Git Blame Copy Permalink