
DebCI: avoid LXC connectivity issues with Docker #934


Workflow file for this run

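name: Autopkgtest DebCI

# Controls when the action will run: pushes to main and stable/** branches,
# and pull requests against any branch. Changes that only touch doc/ do not
# start a run.
# NOTE(review): keep the PR trigger as `pull_request` (not
# `pull_request_target`). The job builds and runs the checked-out code under
# sudo, so PRs from forks should only ever get the restricted token and no
# secrets.
on:
  push:
    branches: [ main, 'stable/**' ]
    paths-ignore:
      - 'doc/**'
  pull_request:
    branches: [ '**' ]
    paths-ignore:
      - 'doc/**'

# Least privilege for GITHUB_TOKEN: the job only checks out and fetches the
# repository, nothing in it writes back to GitHub.
permissions:
  contents: read

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  lxc-debian-testing:
    # The type of runner that the job will run on
    runs-on: ubuntu-24.04
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      #- uses: lkiesow/setup-lxc-container@v1
      #  id: lxc
      #  with:
      #    dist: debian
      #    release: trixie
      #    python: false
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      # NOTE(review): `@v3` is a mutable tag; pinning actions to a full commit
      # SHA keeps a retagged release from changing what runs here.
      - uses: actions/checkout@v3
      # Full history and tags are needed by `git describe --tags` in "Prepare test".
      - run: |
          git fetch --unshallow --tags
      # Install openvswitch-switch to make the OVS integration tests work
      # Install linux-modules-extra-azure to provide the 'vrf' kernel module,
      # it's needed (will be auto-loaded) by routing.test_vrf_basic
      # NOTE(review): this step adds a personal PPA and the noble-proposed
      # pocket as package sources and installs from them as root. Acceptable on
      # a throwaway CI runner; do not copy these lines onto a long-lived host.
      - name: Install dependencies
        run: |
          sudo add-apt-repository -y -n -s ppa:slyon/netplan-ci
          cat /etc/apt/sources.list.d/ubuntu.sources
          sudo sed -i 's/ noble / noble noble-proposed /g' /etc/apt/sources.list.d/ubuntu.sources
          sudo apt update
          # sudo apt purge docker-ce docker-ce-cli
          sudo apt install debci lxc lxc-templates debian-archive-keyring autopkgtest ubuntu-dev-tools devscripts linux-modules-extra-$(uname -r) #openvswitch-switch
          sudo apt install -t noble-proposed autopkgtest
      # See: https://discourse.ubuntu.com/t/containers-lxc/11526 (Apparmor section)
      # (LP: #1950787, LP: #1998943)
      - name: Preparing autopkgtest-build-lxc
        run: |
          # Fix Docker blocking LXC networking:
          # https://discuss.linuxcontainers.org/t/9953/4
          # https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
          # Diagnostic only: list the rules before they are changed.
          sudo iptables -L
          # Both rules are limited to the lxcbr0 bridge: the first accepts
          # forwarded traffic arriving from it, the second only return traffic
          # (RELATED,ESTABLISHED) going out to it.
          sudo iptables -I DOCKER-USER -i lxcbr0 -j ACCEPT
          sudo iptables -I DOCKER-USER -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          # Disabled alternatives, kept for reference. The blanket DOCKER-USER
          # ACCEPT rules would open forwarding on every interface, and the
          # AppArmor lines would remove the lxc-start profile or run containers
          # unconfined; prefer the interface-scoped rules above.
          # sudo systemctl stop docker.socket
          # sudo systemctl stop docker.service
          # sudo iptables -I DOCKER-USER -j ACCEPT
          # sudo ip6tables -I DOCKER-USER -j ACCEPT
          # sudo iptables -I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          # sudo ip6tables -I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          # sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
          # sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disable/
          # echo "lxc.apparmor.profile = unconfined" | sudo tee -a /etc/lxc/default.conf
          sudo ip addr
          sudo debci setup -s testing -a amd64 -b lxc
      - name: Prepare test
        run: |
          # pull-debian-source netplan.io # snapshot.debian.org is not up-to-date
          V=$(rmadison -u debian -s unstable -a source netplan.io | tail -n1 | cut -d"|" -f2 | xargs)
          # NOTE(review): `dget -u` skips signature verification of the
          # downloaded .dsc, so integrity rests on HTTPS to deb.debian.org
          # alone. The debian/ directory copied from it drives the build that
          # `sudo autopkgtest` runs below; consider verifying the .dsc
          # (dscverify with the Debian keyrings installed) instead of -u.
          dget -u "https://deb.debian.org/debian/pool/main/n/netplan.io/netplan.io_$V.dsc"
          cp -r netplan.io-*/debian .
          rm -r debian/patches/ # clear any distro patches
          sed -i 's|iproute2,|iproute2, ethtool,|' debian/control # add ethtool as a dependency of netplan.io temporarily
          TAG=$(git describe --tags $(git rev-list --tags --max-count=1)) # find latest (stable) tag
          REV=$(git rev-parse --short HEAD) # get current git revision
          VER="$TAG+git~$REV"
          dch -v "$VER" "Autopkgtest CI testing (Debian testing)"
      - name: Run autopkgtest (incl. build)
        run: |
          # using --setup-commands='apt -y install ...' temporarily to install
          # (test-/build-) deps until they become part of the packaging
          sudo autopkgtest . \
          -U --env=DPKG_GENSYMBOLS_CHECK_LEVEL=0 -- lxc autopkgtest-testing-amd64 || test $? -eq 2 # allow OVS test to be skipped (exit code = 2)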