From 6826ac58ce842393a8a7d8cf73cd0478d4456330 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 4 Feb 2025 16:10:02 +0000
Subject: [PATCH] ci: run tests on a nftables only system

Signed-off-by: Adrian Reber
---
 .github/workflows/nftables-test.yml | 24 ++++++++++++++++++++++++
 scripts/ci/run-ci-tests.sh | 13 ++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/nftables-test.yml

diff --git a/.github/workflows/nftables-test.yml b/.github/workflows/nftables-test.yml
new file mode 100644
index 000000000..eb3d8e814
--- /dev/null
+++ b/.github/workflows/nftables-test.yml
@@ -0,0 +1,24 @@
+name: Nftables bases testing
+
+on: [push, pull_request]
+
+# Cancel any preceding run on the pull request.
+concurrency:
+ group: nftables-test-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/criu-dev' }}
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Remove iptables
+ run: sudo apt remove -y iptables
+ - name: Install libnftables-dev
+ run: sudo scripts/ci/apt-install libnftables-dev
+ - name: chmod 755 /home/runner
+ # CRIU's tests are sometimes running as some random user and need
+ # to be able to access the test files.
+ run: sudo chmod 755 /home/runner
+ - name: Build with nftables network locking backend
+ run: sudo make -C scripts/ci local COMPILE_FLAGS="NETWORK_LOCK_DEFAULT=NETWORK_LOCK_NFTABLES"
diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh
index 611ff7803..0c4a08975 100755
--- a/scripts/ci/run-ci-tests.sh
+++ b/scripts/ci/run-ci-tests.sh
@@ -39,6 +39,10 @@ ci_prep () { # This can fail on aarch64 travis service apport stop || : + # Ubuntu has set up AppArmor in 24.04 so that it blocks use of user + # namespaces by unprivileged users. We need this for some of our tests. + sysctl kernel.apparmor_restrict_unprivileged_userns=0 || : + if [ "$CLANG" = "1" ]; then # clang support CC=clang
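Review bot: The new workflow `.github/workflows/nftables-test.yml` declares no `permissions:` block, so the job's GITHUB_TOKEN carries whatever the repository default grants while the later steps run repository code under `sudo`. A top-level `permissions:` with `contents: read` keeps the token at the minimum a build-and-test job needs. `actions/checkout@v4` is a movable tag; pinning it to a full commit SHA removes the dependency on that tag staying where it is. The workflow name reads "Nftables bases testing", presumably meant as "based".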
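Review bot: The added `sysctl kernel.apparmor_restrict_unprivileged_userns=0 || :` in `ci_prep` of `scripts/ci/run-ci-tests.sh` switches off a host-wide hardening default and never restores it, and the comment above it does not say that this is only acceptable on a disposable machine. The setting stays in effect until it is written back or the host reboots, so anyone who runs this script outside a throwaway runner is left with the relaxed policy. I would extend the comment with `# Host-wide and not restored: only run this on throwaway CI machines.` `ci_prep` starts and ends outside this hunk.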
@@ -121,8 +125,14 @@ if [ "${CD_TO_TOP}" = "1" ]; then fi export GCOV CC +if [ -z "$COMPILE_FLAGS" ]; then + LOCAL_COMPILE_FLAGS=("V=1") +else + IFS=" " read -r -a LOCAL_COMPILE_FLAGS <<< "$COMPILE_FLAGS" + LOCAL_COMPILE_FLAGS=("V=1" "${LOCAL_COMPILE_FLAGS[@]}") +fi $CC --version -time make CC="$CC" -j4 V=1 +time make CC="$CC" -j4 "${LOCAL_COMPILE_FLAGS[@]}" ./criu/criu -v4 cpuinfo dump || : ./criu/criu -v4 cpuinfo check || :
@@ -150,6 +160,7 @@ ulimit -c unlimited cgid=$$ cleanup_cgroup() { ./test/zdtm_umount_cgroups $cgid + dmesg } trap cleanup_cgroup EXIT ./test/zdtm_mount_cgroups $cgid
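Review bot: `COMPILE_FLAGS` is split on spaces and every word is handed to `make` as its own argument, but nothing in the hunk at `-121,8 +125,14` documents that format or its limits. A value cannot contain a space, `read -r -a` consumes only the first line, and a word that begins with `-` is taken by `make` as an option rather than a variable assignment. A comment above the block would cover it, for example `# COMPILE_FLAGS: space-separated make variable assignments (NAME=value), no spaces inside a value.` The array and the `<<<` here-string need bash, and the script's interpreter line is outside this hunk, so that is worth confirming.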
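Review bot: The `dmesg` added to `cleanup_cgroup` (hunk at `-150,6 +160,7`) runs from the EXIT trap on every exit, successful runs included, and writes the whole kernel ring buffer into the CI log with no comment saying why. On a hosted throwaway runner that costs little, but on a long-lived or self-hosted machine the buffer can hold messages from unrelated workloads, and the job log of a public repository is widely readable. If the intent is to surface kernel-side denials for failed tests, a comment such as `# Dump the kernel log so kernel-side denials show up in the CI output.` would say so. The call would also sit better outside a function named for cgroup cleanup.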