From 5f4ac306b13685b90d86dfdba175f9638ce3d1b0 Mon Sep 17 00:00:00 2001
From: Kyujin Cho
Date: Tue, 29 Aug 2023 15:02:35 +0900
Subject: [PATCH] feat: add release pipeline (#37)
---
 .github/workflows/release.yml | 37 ++++++++++++++++
 .gitignore | 3 +-
 Cargo.toml | 1 +
 dockerfiles/Dockerfile.builder-alpine3.8 | 2 +-
 dockerfiles/Dockerfile.builder-ubuntu22.04 | 2 +-
 scripts/build-binaries.sh | 51 ++++++++++++++++++++++
 scripts/build.sh | 12 +++++
 src/arch/aarch64.rs | 20 ++++++--
 src/arch/x86_64.rs | 20 ++++++--
 src/jail.rs | 5 ++-
 10 files changed, 138 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/release.yml
 create mode 100755 scripts/build-binaries.sh
 create mode 100755 scripts/build.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..7313b9a
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: default
+
+on: [push, pull_request]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Rust
+ uses: actions-rs/toolchain@v1
+ with:
+ toolchain: stable
+ - name: Run rustfmt
+ uses: actions-rs/cargo@v1
+ with:
+ command: fmt
+ args: --check
+ deploy-to-pypi:
+ needs: [lint]
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build jail
+ run: |
+ scripts/build-binaries.sh ubuntu18.04
+ scripts/build-binaries.sh ubuntu20.04
+ scripts/build-binaries.sh ubuntu22.04
+ scripts/build-binaries.sh alpine3.17
+ scripts/build-binaries.sh alpine3.18
+ - name: Release to GitHub
+ uses: softprops/action-gh-release@v1
+ with:
+ generate_release_notes: true
+ files: |
+ dist/*.bin
diff --git a/.gitignore b/.gitignore
index c2b9385..1632370 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /target
-/out
\ No newline at end of file
+/out
+/dist
diff --git a/Cargo.toml b/Cargo.toml
index 05372c9..fd54e90 100644
--- a/Cargo.toml
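Review bot: The `deploy-to-pypi` job uploads `dist/*.bin` to a GitHub release with no checksum or signature, and every action it relies on (`actions/checkout@v2`, `actions-rs/toolchain@v1`, `actions-rs/cargo@v1`, `softprops/action-gh-release@v1`) is referenced by a mutable major tag, so neither the consumer of the binaries nor the pipeline itself has an integrity anchor. Pin each `uses:` to a full commit SHA and add a step such as `(cd dist && sha256sum *.bin > SHA256SUMS)` so `dist/SHA256SUMS` is published next to the binaries. The job also declares no `permissions:`; add `permissions: {contents: write}` on `deploy-to-pypi` and `permissions: {contents: read}` on `lint` so the write scope is explicit instead of inherited from the repository default. The tag test `contains(github.ref, 'refs/tags/')` should be `startsWith(github.ref, 'refs/tags/')`, and the job name `deploy-to-pypi` names a target the job does not deploy to.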
+++ b/Cargo.toml
@@ -23,3 +23,4 @@ fern = { version = "0.6", features = ["colored"] }
 chrono = "0.4"
 libloading = "0.7"
 which = "4.3.0"
+
diff --git a/dockerfiles/Dockerfile.builder-alpine3.8 b/dockerfiles/Dockerfile.builder-alpine3.8
index 2f9e7ac..d920470 100644
--- a/dockerfiles/Dockerfile.builder-alpine3.8
+++ b/dockerfiles/Dockerfile.builder-alpine3.8
@@ -4,4 +4,4 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="$PATH:/root/.cargo/bin"
 ENV RUSTFLAGS="-C target-feature=-crt-static"
-CMD ["cargo", "build", "--release"]
\ No newline at end of file
+CMD ["cargo", "build", "--release"]
diff --git a/dockerfiles/Dockerfile.builder-ubuntu22.04 b/dockerfiles/Dockerfile.builder-ubuntu22.04
index 2d32544..ec1b07d 100644
--- a/dockerfiles/Dockerfile.builder-ubuntu22.04
+++ b/dockerfiles/Dockerfile.builder-ubuntu22.04
@@ -3,4 +3,4 @@ RUN apt update && apt install -y gcc g++ libseccomp-dev curl && rm -rf /var/lib/
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="$PATH:/root/.cargo/bin"
-CMD ["cargo", "build", "--release"]
\ No newline at end of file
+CMD ["cargo", "build", "--release"]
diff --git a/scripts/build-binaries.sh b/scripts/build-binaries.sh
new file mode 100755
index 0000000..53783aa
--- /dev/null
+++ b/scripts/build-binaries.sh
@@ -0,0 +1,51 @@
+#! /bin/bash
+if [ $(uname) = "Darwin" ]; then
+ readlink="greadlink"
+ dirname="gdirname"
+else
+ readlink="readlink"
+ dirname="dirname"
+fi
+
+PROJECT_ROOT=$($dirname $($dirname "$($readlink -f "$0")"))
+PLATFORM=$1
+
+mkdir -p dist
+
+case "$PLATFORM" in
+"alpine3.17") DOCKER_TAG="3.17"; VARIANT="alpine";;
+"alpine3.18") DOCKER_TAG="3.18"; VARIANT="alpine";;
+"ubuntu18.04") DOCKER_TAG="buster"; VARIANT="debian";;
+"ubuntu20.04") DOCKER_TAG="bullseye"; VARIANT="debian";;
+"ubuntu22.04") DOCKER_TAG="bookworm"; VARIANT="debian";;
+"buster") DOCKER_TAG="buster"; VARIANT="debian";;
+"bullseye") DOCKER_TAG="bullseye"; VARIANT="debian";;
+"bookworm") DOCKER_TAG="bookworm"; VARIANT="debian";;
+*) echo "Unsupported Platform $1"; exit 1;;
+esac
+
+if [ $VARIANT = "alpine" ]; then
+ DOCKERFILE=$(cat < jail-builder.dockerfile
+
+docker build -t jail-builder -f jail-builder.dockerfile .
+docker run --rm -e FILEUSER="$(id -u):$(id -g)" -e PLATFORM=$PLATFORM -v $PROJECT_ROOT:/io jail-builder
+rm jail-builder.dockerfile
+ls dist/
diff --git a/scripts/build.sh b/scripts/build.sh
new file mode 100755
index 0000000..d1bcd9f
--- /dev/null
+++ b/scripts/build.sh
@@ -0,0 +1,12 @@
+#! /bin/sh
+
+ARCHITECTURE=$(uname -m)
+if [ $ARCHITECTURE = "arm64" ]; then
+ ARCHITECTURE="aarch64"
+fi
+
+cd /io
+cargo build --release
+cp /io/target/release/backendai-jail /io/dist/backendai-jail.$PLATFORM.$ARCHITECTURE.bin
+chown $FILEUSER /io/dist/backendai-jail.$PLATFORM.$ARCHITECTURE.bin
+rm -r /io/target/release
diff --git a/src/arch/aarch64.rs b/src/arch/aarch64.rs
index ada8546..9e4335a 100644
--- a/src/arch/aarch64.rs
+++ b/src/arch/aarch64.rs
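Review bot: Nothing in `build-binaries.sh` stops on failure: there is no `set -e`, so when `docker build` or `docker run` fails the script still runs `rm jail-builder.dockerfile` and exits with the status of `ls dist/`, and in the release workflow that lets a tag be published with missing or stale `.bin` files while the job stays green. Add `set -euo pipefail` after the shebang and quote the expansions, e.g. `-e PLATFORM="$PLATFORM" -v "$PROJECT_ROOT:/io"`. The script also mixes the caller's working directory with `$PROJECT_ROOT`: `mkdir -p dist` and `ls dist/` are relative to the cwd, but the container writes to `/io/dist`, which is `$PROJECT_ROOT/dist`, so invoking it from anywhere but the repo root builds and then fails on the copy unless that directory already exists; use `mkdir -p "$PROJECT_ROOT/dist"` and `ls "$PROJECT_ROOT/dist/"`. The heredoc that generates the Dockerfile appears garbled in this rendering (`DOCKERFILE=$(cat < jail-builder.dockerfile`), so the builder base image and whether it is pinned cannot be reviewed here; the `ubuntu18.04`→`buster` style mappings also mean the artifacts are built on Debian images rather than the distributions they are named after, which deserves a comment above the `case` explaining the intended glibc compatibility.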
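Review bot: `build.sh` runs as root inside the container against the bind-mounted checkout and has no `set -e`, so a failing `cd /io` or `cargo build` does not stop it and the `cp`/`chown`/`rm -r` lines still execute; start it with `set -eu` and `cd /io || exit 1`. The final `rm -r /io/target/release` deletes a directory on the host tree, presumably so the shared `target/` does not carry artifacts from one builder image into the next platform's build, but that is not stated anywhere and a reader will take it for an accident; add `# target/ is bind-mounted from the host and shared across builder images; drop release artifacts so the next platform builds clean` above it. `$PLATFORM` and `$FILEUSER` arrive unvalidated from `docker run -e`, and an empty `PLATFORM` silently yields `backendai-jail..x86_64.bin`, so `: "${PLATFORM:?PLATFORM is required}"` and `: "${FILEUSER:?FILEUSER is required}"` near the top would catch that.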
@@ -4,23 +4,33 @@ use nix::errno::Errno;
 use nix::unistd::Pid;
 macro_rules! syscall_name {
- ($x:expr) => ($x.regs[8]);
+ ($x:expr) => {
+ $x.regs[8]
+ };
 }
 macro_rules! syscall_arg1 {
- ($x:expr) => ($x.regs[0]);
+ ($x:expr) => {
+ $x.regs[0]
+ };
 }
 macro_rules! syscall_arg2 {
- ($x:expr) => ($x.regs[1]);
+ ($x:expr) => {
+ $x.regs[1]
+ };
 }
 macro_rules! syscall_arg3 {
- ($x:expr) => ($x.regs[2]);
+ ($x:expr) => {
+ $x.regs[2]
+ };
 }
 macro_rules! syscall_ret {
- ($x:expr) => ($x.regs[0]);
+ ($x:expr) => {
+ $x.regs[0]
+ };
 }
 pub fn getregs(pid: Pid) -> Result {
diff --git a/src/arch/x86_64.rs b/src/arch/x86_64.rs
index 49237aa..220bb39 100644
--- a/src/arch/x86_64.rs
+++ b/src/arch/x86_64.rs
@@ -4,23 +4,33 @@ use nix::sys::ptrace;
 use nix::unistd::Pid;
 macro_rules! syscall_name {
- ($x:expr) => ($x.orig_rax);
+ ($x:expr) => {
+ $x.orig_rax
+ };
 }
 macro_rules! syscall_arg1 {
- ($x:expr) => ($x.rdi);
+ ($x:expr) => {
+ $x.rdi
+ };
 }
 macro_rules! syscall_arg2 {
- ($x:expr) => ($x.rsi);
+ ($x:expr) => {
+ $x.rsi
+ };
 }
 macro_rules! syscall_arg3 {
- ($x:expr) => ($x.rdx);
+ ($x:expr) => {
+ $x.rdx
+ };
 }
 macro_rules! syscall_ret {
- ($x:expr) => ($x.rax);
+ ($x:expr) => {
+ $x.rax
+ };
 }
 pub fn getregs(pid: Pid) -> Result {
diff --git a/src/jail.rs b/src/jail.rs
index f005e4d..d9f3c9e 100644
--- a/src/jail.rs
+++ b/src/jail.rs
@@ -572,7 +572,8 @@ impl Jail {
 1 => {}
 0 if allow => allow = false,
 err => {
- let errno: Errno = unsafe { std::mem::transmute(err * -1) };
+ let errno: Errno =
+ unsafe { std::mem::transmute(err * -1) };
 warn!("Error while executing hook: {}", errno);
 }
 }
@@ -620,7 +621,7 @@ impl Jail {
 target,
 ®s,
 ) {
- 0 => {},
+ 0 => {}
 err => {
 let errno: Errno = unsafe { std::mem::transmute(err * -1) };