From 0abbdd4e2ce13cf4e5debf00aa03920231843bfc Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 1 Nov 2024 08:26:04 -0400
Subject: [PATCH] ci: Enable fsverity on / in GHA runner
This is just cleaner than dealing with loopback.
Signed-off-by: Colin Walters
---
 .github/workflows/test.yaml | 6 +++---
 tests/integration.sh | 14 +-------------
 2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 0f3bd595..09e79644 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -156,6 +156,8 @@ jobs:
 - run: sudo apt-get update -y
 - name: Install erofs kmod
 run: sudo apt install linux-modules-extra-$(uname -r)
+ - name: Enable verity
+ run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
 - name: Install dependencies
 run: sudo apt install libasan6 libubsan1 fsverity
 - name: Checkout repository
@@ -166,9 +168,7 @@ jobs:
 name: composefs.tar
 - run: sudo tar -C / -xvf composefs.tar
 - name: Integration tests
- run: sudo ./tests/integration.sh
- - name: Integration tests (fsverity required)
- run: sudo env WITH_TEMP_VERITY=1 unshare -m ./tests/integration.sh
+ run: sudo env CI_VERITY_REQUIRED=1 ./tests/integration.sh
 rust:
 needs: build-noasan
 runs-on: ubuntu-latest
diff --git a/tests/integration.sh b/tests/integration.sh
index 2f615416..aca30f0e 100755
--- a/tests/integration.sh
+++ b/tests/integration.sh
@@ -4,18 +4,6 @@
 # the output of ls -lR (without hardlink counts).
 set -xeuo pipefail
-# Set to setup an explicit temporary ext4 loopback mounted fs with fsverity
-WITH_TEMP_VERITY=${WITH_TEMP_VERITY:-}
-if test -n "${WITH_TEMP_VERITY}"; then
- tmpdisk=$(mktemp -p /var/tmp)
- truncate -s 100G ${tmpdisk}
- mkfs.ext4 -O verity ${tmpdisk}
- tmp_mnt=$(mktemp -d)
- mount -o loop ${tmpdisk} ${tmp_mnt}
- rm -f ${tmpdisk}
- cfsroot=${tmp_mnt}
-fi
-
 orig=$(pwd)
 cfsroot=${cfsroot:-/composefs}
 rm ${cfsroot}/tmp -rf
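Review bot: The `Enable verity` step added in the first hunk of .github/workflows/test.yaml passes an unquoted `$(findmnt -vno SOURCE /)` to `tune2fs` and silently assumes the runner's root filesystem is ext4. On an image where that does not hold, the step would fail with a tune2fs error that gives no hint about the assumption. I would quote the substitution, `run: sudo tune2fs -O verity "$(findmnt -vno SOURCE /)"`, and put a comment above the step such as `# Requires an ext4 root; verity is enabled on / so the tests need no loopback image`. Since this changes a feature flag on the live root device as root, the comment should also say it is meant for throwaway CI runners only.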
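Review bot: The fallback branch of tests/integration.sh (the path taken when `fsverity enable` fails) no longer appears to be exercised by this job, because the second hunk of test.yaml leaves only the `CI_VERITY_REQUIRED=1` invocation and the root filesystem now has verity enabled. If running without fsverity is still a supported configuration, a regression there would go unnoticed; if it is not, a comment above the step would make the intent explicit, e.g. `# fsverity is mandatory in CI; the non-verity fallback in integration.sh is not covered here`. Other jobs outside these hunks may cover that path, so this is worth confirming rather than assuming.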
@@ -68,7 +56,7 @@ echo "fsverity test" > ${cfsroot}/test-fsverity
 if fsverity enable ${cfsroot}/test-fsverity; then
 echo "fsverity is supported"
 else
- if test -n "${WITH_TEMP_VERITY}"; then
+ if test -n "${CI_VERITY_REQUIRED}"; then
 echo "fsverity unsupported, but is required" 1>&2
 exit 1
 fi
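Review bot: `${CI_VERITY_REQUIRED}` is expanded without a default although the script runs under `set -xeuo pipefail`, and this commit deletes the only defaulting assignment the old variable had (`WITH_TEMP_VERITY=${WITH_TEMP_VERITY:-}`). When the script is run without the variable on a filesystem where `fsverity enable` fails, the shell would stop with an unbound-variable error instead of taking the non-verity fallback. The test should read `if test -n "${CI_VERITY_REQUIRED:-}"; then`, unless the variable is given a default somewhere outside these hunks. The enclosing `if fsverity enable ...; else` block continues past the end of the hunk.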