Enhance rpm spec file

.github/workflows/build-rpm.yml

@@ -15,50 +15,116 @@ jobs:
       fail-fast: false
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        submodules: 'true'
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
 
-    - name: Check pre-release
-      run: |
-        tag="${GITHUB_REF#refs/*/}"
-        echo "tag=tag"
-        if [[ ${tag} == *alpha* || ${tag} == *beta* ]]
-        then
-            prerelease=true
-        else
-            prerelease=false
-        fi
-        echo "prerelease=$prerelease"
-        echo "PRE_RELEASE=$prerelease" >> $GITHUB_ENV
+      - name: Check pre-release
+        run: |
+          tag="${GITHUB_REF#refs/*/}"
+          echo "tag=tag"
+          if [[ ${tag} == *alpha* || ${tag} == *beta* ]]
+          then
+              prerelease=true
+          else
+              prerelease=false
+          fi
+          echo "prerelease=$prerelease"
+          echo "PRE_RELEASE=$prerelease" >> $GITHUB_ENV
 
-    - uses: dtolnay/[email protected]
+      - uses: dtolnay/[email protected]
 
-    - name: Build RPM package
-      run: |
-        make create-tarball
-        make rpm-build-in-docker
-        mkdir -p $GITHUB_WORKSPACE/rpmbuild
-        cp -r ~/rpmbuild/SRPMS/ $GITHUB_WORKSPACE/rpmbuild/
-        cp -r ~/rpmbuild/RPMS/ $GITHUB_WORKSPACE/rpmbuild/
+      - name: Build RPM package
+        run: |
+          make create-tarball
+          make rpm-build-in-docker
+          mkdir -p $GITHUB_WORKSPACE/rpmbuild
+          cp -r ~/rpmbuild/SRPMS/ $GITHUB_WORKSPACE/rpmbuild/
+          cp -r ~/rpmbuild/RPMS/ $GITHUB_WORKSPACE/rpmbuild/
+          mkdir -p $GITHUB_WORKSPACE/rpmbuild/SOURCES/
+          cp -r /tmp/cryptpilot-*.tar.gz $GITHUB_WORKSPACE/rpmbuild/SOURCES/
 
-    - name: Upload artifact
-      uses: actions/upload-artifact@v4
-      with:
-        name: rpm-packages
-        if-no-files-found: error
-        path: |
-          ./rpmbuild/SRPMS/*.src.rpm
-          ./rpmbuild/RPMS/*/*.rpm
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: rpm-packages
+          if-no-files-found: error
+          path: |
+            ./rpmbuild/SOURCES/cryptpilot-*.tar.gz
+            ./rpmbuild/SRPMS/*.src.rpm
+            ./rpmbuild/RPMS/*/*.rpm
 
-    - name: Release
-      uses: softprops/action-gh-release@v2
-      if: startsWith(github.ref, 'refs/tags/')
-      with:
-        fail_on_unmatched_files: true
-        prerelease: ${{ env.PRE_RELEASE }}
-        files: |
-          /tmp/cryptpilot-*.tar.gz
-          ./rpmbuild/SRPMS/*.src.rpm
-          ./rpmbuild/RPMS/*/*.rpm
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: ["alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest", "registry.openanolis.cn/openanolis/anolisos:8", "registry.openanolis.cn/openanolis/anolisos:23"]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    needs: build
+    container:
+      image: ${{ matrix.distro }}
+      options: --privileged
+    steps:
+      - name: Update yum mirror
+        run: |
+          set -e
+          set -x
+
+          # replace the mirror
+          sed -i -E 's|https?://mirrors.openanolis.cn/anolis/|https://mirrors.aliyun.com/anolis/|g' /etc/yum.repos.d/*.repo
+          sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+
+          # install development tools
+          yum install -y autoconf automake binutils bison flex gcc gcc-c++ gdb glibc-devel libtool make pkgconf pkgconf-m4 pkgconf-pkg-config rpm-build rpm-sign strace asciidoc byacc ctags diffstat elfutils-libelf-devel git intltool patchutils perl-Fedora-VSP perl-Sys-Syslog perl-generators pesign source-highlight systemtap valgrind valgrind-devel cmake expect rpmdevtools rpmlint perl clang
+
+          # install rpmdevtools
+          yum install -y git yum-utils
+
+      - name: Install Rust toolchain
+        uses: dtolnay/[email protected]
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./
+          merge-multiple: false
+      - name: Install RPM packages
+        run: |
+          set -e
+          set -x
+
+          # test rpm package install
+          yum install -y ./rpm-packages/RPMS/*/cryptpilot-*.rpm
+          cryptpilot --version
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+      - name: Install build dependencies
+        run: yum-builddep -y ./cryptpilot.spec
+      - name: Run test script from repo
+        run: make run-test
+
+  release:
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./
+          merge-multiple: false
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          fail_on_unmatched_files: true
+          prerelease: ${{ env.PRE_RELEASE }}
+          files: |
+            ./rpm-packages/SOURCES/cryptpilot-*.tar.gz
+            ./rpm-packages/SRPMS/*.src.rpm
+            ./rpm-packages/RPMS/*/*.rpm

Cargo.toml

@@ -56,13 +56,15 @@ shadow-rs = "0.35.2"
 ttrpc-codegen = {version = "0.4.2", optional = true}
 
 [dev-dependencies]
+cgroups-rs = "0.3.4"
 ctor = "=0.4.1"
 rstest = "0.25.0"
 rstest_reuse = "0.7.0"
 two-rusty-forks = {version = "0.4.0", features = ["macro"]}
 
 [features]
 default = ["provider-kbs", "provider-kms", "provider-otp", "provider-tpm2", "provider-oidc", "provider-exec"]
+provider-exec = []
 provider-kbs = [
   "dep:ttrpc-codegen",
   "dep:ttrpc",
@@ -72,4 +74,3 @@ provider-kms = ["dep:kms"]
 provider-oidc = ["serde_json"]
 provider-otp = []
 provider-tpm2 = []
-provider-exec = []

README.md

@@ -1,5 +1,6 @@
 # cryptpilot: The confidentiality for OS booting and data at rest in confidential computing environments
 [![Building](/../../actions/workflows/build-rpm.yml/badge.svg)](/../../actions/workflows/build-rpm.yml)
+![GitHub Release](https://img.shields.io/github/v/release/openanolis/cryptpilot)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
 The cryptpilit project aims to provide a way that allows you to securely boot your system while ensuring the encryption and measurability of the entire operating system, as well as encryption and integrity protection for data at rest.

cryptpilot.spec

@@ -1,13 +1,14 @@
 %global debug_package %{nil}
+%define release_num 1
 
 Name: cryptpilot
 Version: 0.2.2
-Release: 1%{?dist}
+Release: %{release_num}%{?dist}
 Summary: A utility for protecting data at rest in confidential environment
 Group: Applications/System
 License: ASL 2.0
 URL: www.alibaba.com
-Source0: https://github.com/openanolis/cryptpilot/releases/download/v%{version}/cryptpilot-%{version}.tar.gz
+Source0: https://github.com/openanolis/cryptpilot/releases/download/v%{version}-%{release_num}/cryptpilot-%{version}.tar.gz
 
 Source1: config
 
@@ -19,6 +20,14 @@ Requires: systemd
 Requires: veritysetup
 Requires: veritysetup
 Requires: device-mapper-libs
+# mkfs.vfat
+Requires: dosfstools
+# mkfs.xfs
+Requires: xfsprogs
+# mkfs.ext4
+Requires: e2fsprogs
+# swapon
+Requires: util-linux
 
 # If not installed, the kbs and kms-oidc keyprovider will not work.
 Recommends: confidential-data-hub

src/fs/block/dummy.rs

@@ -49,7 +49,8 @@ impl DummyDevice {
         sparse_file.seek(std::io::SeekFrom::Start(device_size - 1))?;
         sparse_file.write_all(&[0])?;
 
-        let lc = LoopControl::open()?;
+        let lc = LoopControl::open()
+            .context("Failed to open loop control, maybe forgot to run 'sudo modprobe loop'?")?;
         // Retry to avoid conflicts and waiting for avaliable loop device
         let ld = RetryPolicy::exponential(Duration::from_millis(1))
             .with_max_retries(200)

src/fs/mkfs.rs

@@ -220,6 +220,7 @@ pub mod tests {
         config::{
             encrypt::{EncryptConfig, KeyProviderConfig},
             volume::{ExtraConfig, VolumeConfig},
+            ConfigBundle,
         },
         provider::otp::OtpConfig,
     };
@@ -244,6 +245,13 @@ pub mod tests {
             },
         };
 
+        crate::config::source::set_config_source(ConfigBundle {
+            global: None,
+            fde: None,
+            volumes: vec![volume_config.clone()],
+        })
+        .await;
+
         // Close the volume if it is already opened
         CloseCommand {
             close_options: CloseOptions {

src/lib.rs

@@ -137,7 +137,7 @@ pub async fn run() -> Result<()> {
 ///
 /// # Examples
 ///
-/// ```
+/// ```ignore
 /// async_defer!(async {
 ///     // Do some cleanup
 /// });

src/provider/exec.rs

@@ -94,8 +94,9 @@ pub mod tests {
 
     #[apply(test_volume_base)]
     async fn test_volume(makefs: &str, integrity: bool) -> Result<()> {
-        run_test_on_volume(&format!(
-            r#"
+        run_test_on_volume(
+            &format!(
+                r#"
             volume = "<placeholder>"
             dev = "<placeholder>"
             auto_open = true
@@ -106,7 +107,9 @@ pub mod tests {
             command = "echo"
             args = ["-n", "test-passphrase"]
             "#,
-        ))
+            ),
+            false,
+        )
         .await
     }
 }

src/provider/kbs.rs

@@ -125,8 +125,9 @@ pub mod tests {
 
     #[apply(test_volume_base)]
     async fn test_volume(makefs: &str, integrity: bool) -> Result<()> {
-        run_test_on_volume(&format!(
-            r#"
+        run_test_on_volume(
+            &format!(
+                r#"
             volume = "<placeholder>"
             dev = "<placeholder>"
             auto_open = true
@@ -143,7 +144,9 @@ pub mod tests {
             -----END CERTIFICATE-----
             """
             "#,
-        ))
+            ),
+            false,
+        )
         .await
     }
 }

src/provider/kms.rs

@@ -94,8 +94,9 @@ pub mod tests {
 
     #[apply(test_volume_base)]
     async fn test_volume(makefs: &str, integrity: bool) -> Result<()> {
-        run_test_on_volume(&format!(
-            r#"
+        run_test_on_volume(
+            &format!(
+                r#"
             volume = "<placeholder>"
             dev = "<placeholder>"
             auto_open = true
@@ -159,7 +160,9 @@ pub mod tests {
             -----END CERTIFICATE-----
             """
             "#,
-        ))
+            ),
+            false,
+        )
         .await
     }
 }