From cc3dbb3c60a7e49e28e744b2d2671acc3adca5b5 Mon Sep 17 00:00:00 2001 From: Philip Whineray Date: Thu, 31 Dec 2020 16:17:45 +0000 Subject: [PATCH 1/3] Fix for Ubuntu 20.20 output differences --- tests/tools/clean-qdisc | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/tools/clean-qdisc b/tests/tools/clean-qdisc index 9628a02..5511f95 100755 --- a/tests/tools/clean-qdisc +++ b/tests/tools/clean-qdisc @@ -4,6 +4,7 @@ my @lines; while (<>) { s/ memory_limit [^ ]*//g; s/ default 32768 / default 8000 /g; + s/ default 0x8000 / default 8000 /g; push @lines, $_; } From 40ce920fc8e70371a8a0aa35059c663d724a33c6 Mon Sep 17 00:00:00 2001 From: Philip Whineray Date: Thu, 31 Dec 2020 16:20:28 +0000 Subject: [PATCH 2/3] Print unit tests as we run them Give an idea of progress, even in non-verbose mode --- tests/unittest | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/unittest b/tests/unittest index c6caf32..c971de2 100755 --- a/tests/unittest +++ b/tests/unittest @@ -308,6 +308,8 @@ do if [ $verbose -eq 1 ] then echo "$conf: setup" + else + echo "Test: $conf" fi if [ -x "$pre_sh" ] then From d43bb2d52497ec98c0adbc59db5e6cd347e422d1 Mon Sep 17 00:00:00 2001 
From: Philip Whineray
Date: Thu, 31 Dec 2020 15:02:03 +0000
Subject: [PATCH 3/3] Replace Travis with Github actions
---
.github/workflows/publish.yml | 169 ++++++++++++++++++++++++++++++++++
.github/workflows/setup.sh | 53 +++++++++++
.travis.yml | 74 ---------------
.travis/decrypt-if-have-key | 33 ------
.travis/deploy-if-have-key | 39 --------
.travis/install-iprange | 53 -----------
.travis/replace-unshare | 40 --------
.travis/travis_rsa.enc | Bin 1680 -> 0 bytes
packaging/tar-compare | 1 +
9 files changed, 223 insertions(+), 239 deletions(-)
create mode 100644 .github/workflows/publish.yml
create mode 100755 .github/workflows/setup.sh
delete mode 100644 .travis.yml
delete mode 100755 .travis/decrypt-if-have-key
delete mode 100755 .travis/deploy-if-have-key
delete mode 100755 .travis/install-iprange
delete mode 100755 .travis/replace-unshare
delete mode 100644 .travis/travis_rsa.enc
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..d8cfaab
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,169 @@
+on: [ push, pull_request, workflow_dispatch ]
+
+jobs:
+ prep:
+ runs-on: ubuntu-latest
+ name: Prepare build
+ steps:
+ - name: Extract tag/branch variables
+ shell: bash
+ run: |
+ echo "##[set-output name=tag;]$(echo ${GITHUB_REF#refs/tags/}|grep -v '/')"
+ echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/}|grep -v '/')"
+ id: extract
+ outputs:
+ tag: ${{ steps.extract.outputs.tag }}
+ branch: ${{ steps.extract.outputs.branch }}
+
+ build:
+ runs-on: ubuntu-latest
+ name: Build package
+ needs: prep
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up build tools
+ run: ./.github/workflows/setup.sh
+ - name: Server-side run of commit hooks in case developer skipped them
+ run: git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
+ env:
+ TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
+ - name: Obtain GPG keys to validate tag signature
+ if: ${{ needs.prep.outputs.tag != '' }}
+ run: |
+ ./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237"
+ ./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863"
+ git fetch --tags -f
+ env:
+ KEYSERVER: pool.sks-keyservers.net
+ - name: Run build
+ run: |
+ fakeroot ./packaging/git-build
+ test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check
+ env:
+ TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
+ - name: Create checksums
+ run: |
+ for i in *.tar.*
+ do
+ md5sum -b $i > $i.md5
+ sha512sum -b $i > $i.sha
+ done
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: build-artifacts
+ path: |
+ *.tar.*
+
+ publish_branch:
+ runs-on: ubuntu-latest
+ name: Publish to website if branch
+ needs: [ prep, build ]
+ env:
+ DEPLOY_ARTIFACTS: "*.tar.*"
+ DEPLOY_SERVER: travis@firehol.org
+ DEPLOY_DIR: uploads/firehol/${{needs.prep.outputs.branch}}
+ SERVER_DEPLOY_LOG: https://firehol.org/travis-project.log
+ SERVER_DEPLOY_TIMEOUT: 300
+ if: >-
+ ${{ ( needs.prep.outputs.branch == 'main'
+ || needs.prep.outputs.branch == 'master'
+ || startsWith( needs.prep.outputs.branch, 'stable-' ) ) }}
+ steps:
+ - name: Download artifacts
+ uses: actions/download-artifact@v2
+ with:
+ name: build-artifacts
+ - name: Setup SSH
+ id: ssh
+ run: |
+ echo "$FIREHOL_ORG_PUBLISH_SSH" > firehol_org_publish_key
+ chmod 600 firehol_org_publish_key
+ eval "$(ssh-agent)"
+ if ssh-add firehol_org_publish_key; then
+ echo "Key added: setting agent environment"
+ echo "##[set-output name=ssh_agent_pid;]$SSH_AGENT_PID"
+ echo "##[set-output name=ssh_auth_sock;]$SSH_AUTH_SOCK"
+ mkdir -p $HOME/.ssh
+ chmod 700 $HOME/.ssh
+ echo PasswordAuthentication=no >> $HOME/.ssh/config
+ chmod 644 $HOME/.ssh/config
+ else
+ echo "Key not added: skipping ssh-agent environment"
+ fi
+ rm -f firehol_org_publish_key
+ env:
+ FIREHOL_ORG_PUBLISH_SSH: ${{secrets.FIREHOL_ORG_PUBLISH_SSH}}
+ - name: Prepare deployment check
+ if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
+ run: curl -s -oresult.orig $SERVER_DEPLOY_LOG
+ - name: Deploy to website ${{needs.prep.outputs.branch}}
+ if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
+ run: |
+ ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
+ ssh $DEPLOY_SERVER mkdir -p "$DEPLOY_DIR"
+ rsync -a $DEPLOY_ARTIFACTS "$DEPLOY_SERVER:$DEPLOY_DIR/"
+ ssh $DEPLOY_SERVER touch "$DEPLOY_DIR/complete.txt"
+ env:
+ SSH_AGENT_PID: ${{ steps.ssh.outputs.ssh_agent_pid }}
+ SSH_AUTH_SOCK: ${{ steps.ssh.outputs.ssh_auth_sock }}
+ - name: Check deployment
+ if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
+ run: |
+ pause=10
+ attempts=$(( $SERVER_DEPLOY_TIMEOUT / $pause ))
+ while [ $attempts -gt 0 ]
+ do
+ sleep $pause
+ attempts=$((attempts - 1))
+ curl -s -o result $SERVER_DEPLOY_LOG
+ if ! cmp -s result result.orig
+ then
+ cat result
+ if grep -q "not deploying" result
+ then
+ exit 2
+ else
+ exit 0
+ fi
+ fi
+ done
+ exit 1
+
+ publish_tag:
+ runs-on: ubuntu-latest
+ name: Publish to github if tag
+ needs: [ prep, build ]
+ if: ${{ needs.prep.outputs.tag != '' }}
+ steps:
+ - name: Download artifacts
+ uses: actions/download-artifact@v2
+ with:
+ name: build-artifacts
+ - name: Create Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Release ${{ github.ref }}
+ draft: true
+ - name: Upload
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ const path = require('path');
+ const fs = require('fs');
+ const release_id = '${{ steps.create_release.outputs.id }}';
+ for (let file of await fs.readdirSync('./')) {
+ console.log('uploadReleaseAsset', file);
+ await github.repos.uploadReleaseAsset({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ release_id: release_id,
+ name: file,
+ data: await fs.readFileSync(`./${file}`)
+ });
+ }
diff --git a/.github/workflows/setup.sh b/.github/workflows/setup.sh
new file mode 100755
index 0000000..ca0ce88
--- /dev/null
+++ b/.github/workflows/setup.sh
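Review bot: In `publish.yml`, the `Deploy to website` step does not authenticate firehol.org: `ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts` stores whatever host key is offered at deploy time, and the `ssh` and `rsync` calls that follow then trust it. Pin the expected key instead, e.g. replace that line with `echo "$FIREHOL_ORG_KNOWN_HOSTS" >> ~/.ssh/known_hosts` and feed the variable from a repository secret holding the server's `known_hosts` entry (the secret name is a suggestion, not something this commit defines). In the same step `"$DEPLOY_DIR"` is quoted for the runner only; ssh passes the command string to the remote shell, so the `prep` job should limit the branch output to a safe character set, for instance `grep -E '^[A-Za-z0-9._-]+$'` in place of `grep -v '/'`. The workflow also declares no `permissions:`, so `GITHUB_TOKEN` keeps the repository default in every job although only `publish_tag` needs `contents: write`.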
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+set -e
+set -x
+
+sudo apt install gnupg pandoc fakeroot
+sudo apt install texlive-base texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-latex-recommended
+sudo apt install lmodern libxml2-utils traceroute ipset
+
+#
+# Set up to ensure tests run:
+# - Ensure unprivileged user namespaces enabled
+# - Install required kernel modules
+# - Get latest version of iprange from firehol project
+sudo sysctl kernel.unprivileged_userns_clone=1
+sudo modprobe iptable_mangle
+sudo modprobe ip6table_mangle
+sudo modprobe iptable_raw
+sudo modprobe ip6table_raw
+sudo modprobe iptable_nat
+sudo modprobe ip6table_nat
+sudo modprobe iptable_filter
+sudo modprobe ip6table_filter
+
+orig=`pwd`
+mkdir iprange
+cd iprange
+curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest
+dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json)
+
+if [ "$dl" = "" ]
+then
+ echo "Could not find download for latest iprange"
+ exit 1
+fi
+
+curl -s -L -o iprange.tar.gz "$dl"
+if [ $? -ne 0 ]
+then
+ echo "Could not download $dl"
+ exit 1
+else
+ echo "Building $dl"
+fi
+
+mkdir build
+tar xfzC iprange.tar.gz build
+
+cd build/iprange*
+./configure --disable-man
+sudo make install
+cd $orig
+rm -rf iprange
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index d8cf30a..0000000
--- a/.travis.yml
+++ /dev/null
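Review bot: In `setup.sh`, the iprange tarball is taken from whatever `releases/latest` resolves to and is then configured and installed with `sudo make install` without any integrity check, in the same `build` job that produces the tarballs later published by `publish_branch` and `publish_tag`. The removed `.travis/install-iprange` at least overrode `dl` with the fixed `v1.0.4` URL; keep a fixed release URL here and verify the download before unpacking, e.g. `echo "<expected-sha256>  iprange.tar.gz" | sha256sum -c -` with the digest committed next to the script (placeholder shown). Also add `-f` to both `curl` calls: under `set -e` the `if [ $? -ne 0 ]` branch can never run, and without `-f` an HTTP error body is saved as `iprange.tar.gz` with exit status 0.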
@@ -1,74 +0,0 @@ -# Use trusty (for recent pandoc) -# https://docs.travis-ci.com/user/trusty-ci-environment/ -dist: trusty -# -# Use full virtualisation to allow use of user namespaces -sudo: true -# -# C includes autotools and make by default -language: c -# -# Extra packages -addons: - apt: - packages: - - gnupg - - pandoc - - texlive-base - - texlive-latex-base - - texlive-latex-extra - - texlive-fonts-recommended - - texlive-latex-recommended - - lmodern - - libxml2-utils - - traceroute - - ipset - - fakeroot -# -# Setup environment -before_install: - # Decrypt our private files for CI use only - - eval "$(ssh-agent -s)" - - ./.travis/decrypt-if-have-key 45263037bf08 - - export KEYSERVER=pool.sks-keyservers.net - # - # Set up to ensure tests run: - # - Ensure unprivileged user namespaces enabled - # - Get latest version of iprange from firehol project - # - Get a version of util-linux which has the user namespace options - # - Install required kernel modules - - sudo sysctl kernel.unprivileged_userns_clone=1 - - sudo .travis/install-iprange - - sudo .travis/replace-unshare - - sudo modprobe iptable_mangle - - sudo modprobe ip6table_mangle - - sudo modprobe iptable_raw - - sudo modprobe ip6table_raw - - sudo modprobe ip6table_nat -# -# Run -before_script: - # Download keys - builds of tags check for a recognised signature - - ./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237" - - ./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863" - # Run the commit hooks in case the developer didn't - - git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files - -script: - - fakeroot ./packaging/git-build - - (test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check) -# -# Deploy as required -after_success: - - for i in *.tar.*; do md5sum -b $i > $i.md5; sha512sum -b 
$i > $i.sha; done - - ./.travis/deploy-if-have-key firehol -deploy: - # Upload results to GitHub (tag only) - - provider: releases - api_key: - secure: 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 - skip_cleanup: true - file_glob: true - file: "firehol*.tar.*" - on: - repo: firehol/firehol - tags: true diff --git a/.travis/decrypt-if-have-key b/.travis/decrypt-if-have-key deleted file mode 100755 index 7fcab89..0000000 --- a/.travis/decrypt-if-have-key +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -set -e - -# Decrypt our private files; changes to this file should be inspected -# closely to ensure they do not create information leaks - -eval key="\${encrypted_${1}_key}" -eval iv="\${encrypted_${1}_iv}" - -if [ ! "$key" ] -then - echo "No aes key present - skipping decryption" - exit 0 -fi - -for i in .travis/*.enc -do - u=$(echo $i | sed -e 's/.enc$//') - openssl aes-256-cbc -K "$key" -iv "$iv" -in $i -out $u -d -done - -if [ -f .travis/travis_rsa ] -then - echo "ssh key present - loading to agent" - # add key, then remove to prevent leaks - chmod 600 .travis/travis_rsa - ssh-add .travis/travis_rsa - rm -f .travis/travis_rsa - touch /tmp/ssh-key-loaded -else - echo "No ssh key present - skipping agent start" -fi diff --git a/.travis/deploy-if-have-key b/.travis/deploy-if-have-key deleted file mode 100755 index 017af1e..0000000 --- a/.travis/deploy-if-have-key +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/bash - -set -e - -# Deploy tar-files and checksums to the firehol website - -if [ ! -f /tmp/ssh-key-loaded ] -then - echo "No ssh key decrypted - skipping deployment to website" - exit 0 -fi - -case "$TRAVIS_BRANCH" in - master|stable-*) - : - ;; - *) - echo "Not on master or stable-* branch - skipping deployment to website" - exit 0 - ;; -esac - -if [ "$TRAVIS_PULL_REQUEST" = "true" ] -then - echo "Building pull request - skipping deployment to website" - exit 0 -fi - -if [ "$TRAVIS_TAG" != "" ] -then - echo "Building tag - skipping deployment to website" - exit 0 -fi - -ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts -ssh travis@firehol.org mkdir -p uploads/$1/$TRAVIS_BRANCH/ -scp -p *.tar.* travis@firehol.org:uploads/$1/$TRAVIS_BRANCH/ -ssh travis@firehol.org touch uploads/$1/$TRAVIS_BRANCH/complete.txt -echo "Visit https://firehol.org/travis-project.log check deployment" diff --git a/.travis/install-iprange b/.travis/install-iprange deleted file mode 100755 index a904a1a..0000000 --- a/.travis/install-iprange +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/sh - -if ! MYTMP="`mktemp -d -t install-iprange-XXXXXX`" -then - echo >&2 - echo >&2 - echo >&2 "Cannot create temporary directory." - echo >&2 - exit 1 -fi -export MYTMP - -myexit() { - rm -rf $MYTMP - exit 0 -} - -trap myexit INT -trap myexit HUP -trap myexit 0 - -DIR=`pwd`/ -export DIR - -cd $MYTMP - -set -e - -curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest -dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json) -dl=https://github.com/firehol/iprange/releases/download/v1.0.4/iprange-1.0.4.tar.gz - -if [ "$dl" = "" ] -then - echo "Could not find download for latest iprange" - exit 1 -fi - -curl -s -L -o iprange.tar.gz "$dl" -if [ $? -ne 0 ] -then - echo "Could not download $dl" - exit 1 -else - echo "Building $dl" -fi - -mkdir build -tar xfzC iprange.tar.gz build - -cd build/iprange* -./configure --disable-man -make install diff --git a/.travis/replace-unshare b/.travis/replace-unshare deleted file mode 100755 index 7700e0a..0000000 --- a/.travis/replace-unshare +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/sh - -if ! MYTMP="`mktemp -d -t replace-unshare-XXXXXX`" -then - echo >&2 - echo >&2 - echo >&2 "Cannot create temporary directory." - echo >&2 - exit 1 -fi -export MYTMP - -myexit() { - rm -rf $MYTMP - exit 0 -} - -trap myexit INT -trap myexit HUP -trap myexit 0 - -DIR=`pwd`/ -export DIR - -cd $MYTMP - -set -e - -dl=https://launchpad.net/ubuntu/+archive/primary/+files/util-linux_2.27.1.orig.tar.xz - -echo $dl -curl -s -L -o util-linux.tar.xz "$dl" - -mkdir build -tar xfJC util-linux.tar.xz build - -cd build/util-* -./configure --disable-all-programs --enable-unshare -make -make install 
diff --git a/.travis/travis_rsa.enc b/.travis/travis_rsa.enc deleted file mode 100644 index 3a28030b5c593b920b9bcee3767574c907d43789..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1680 zcmV;B25c?#6kqdL(bM#qIS<-ujjHs}^4wC~9*Ju&=q>PTxuW2`!o!`0eA82EADmaK-Az-Y1nS zGjGxn9Bv=<(VR1nl40#mUmxVi(>Gwk0>=C?KB;X@cj9L(-198SD)f}!@J*InRW&^t z_6veI@&fyPYp=N_RI^sd4ca;M&Sj!LIsUR68XsBGbe;=4ObL6|X+9d16_w<9KeUp8 z;I1QE|W{|kUBVhWK@A$g`lDP;@_$qZ;pPBzxP>~48~^JD~tdl zI`ai#49bWmSLPpp!aael0;B>-xNYg6!L8>WF_%ro@&kU-Z04I^L6c>{=W*LGMpxM# z=N0i9xMhI1VRD|o?!-ShGagaM&V(EKQ?U2BoJLb2nEF~s8`WAXkKnn!kgtvOOo1(U z5anqV2d)UBR>LYrBZezbFsov!5Ko%t3*;60)1OgGDBgh}h2Hly7ULnLNccw}iyk!w zc|fp5xb}s5ogF(-y&B8qej%dfA0c%25A4O_ff$liZt-C)c5kkE|QFAV@%YFsuP`!?koQrO&Ad00Lh1%bddCE0bT>YK}E$ga@nWW20$d@deY{hB*1{xpIG>KITg%{v4K+a5H@Pdwu6LE02w{s<-=Z@SlZ#hlicg6@ z60QLq{m4L+F`>&Vx7BZSEmb!uj>iBWgskc=W!DA!!%FpNi=o`6ePowdX(^SqJYQv| z&pSHj;?%}%V&3l6$DIiVv@VSj%AHcAD$$fiz&rf1adlCsWuTGn5|HL+$%kgmeM5`Y z)I}6g-`Hf&C>#H14leSwTyR`-VHMb%1b^29z&{iz)VbH!@8wiXBRO7 zh%v#$sa-qaBsc=6db)&5M{2L0!%;LO_f`N>vfj=63guMzGfK8^VPGd7Z4Te*Pmhqn zqKV=`#am%P6Fil&u_VM;-Tr*eqo+bQ6&~41eI3_LErKxh6*Kcm*P#p;nd4(b6WFvt z=-6}jkc{}DuK{%_z?p1fj>@@SzmvSf7CWSRr@{omJW^Usf)qj0>A8ncbWwkwEQ#On^ruPHns1%9p#znnIaz;RA9riqyl0dYLe-L19A($90bA ag?O#yqehsd>O@!FcTOuoKiq#F=!5XTD?p