test(volumes): Add K8s based test for block volumes

Add a test based on the existing K8s test (kind) which sets the default
devmapper to blockfile, installs longhorn and deploys a Linux container
over Qemu and Firecracker to check if block-based mounts were passed
and mounted correctly inside the VM.

Signed-off-by: Charalampos Mainas <cmainas@nubificus.co.uk>

Author: cmainas

.github/workflows/ci.yml

@@ -79,14 +79,14 @@ jobs:
       solo5_version: 'v0.9.3'
     secrets: inherit
 
-  kind_test:
+  kind_overlayfs-test:
     if: ${{ inputs.skip-build != 'yes' }}
     needs: [build, unit_test]
-    name:  Kubernetes test
-    uses: ./.github/workflows/kind_test.yml
+    name:  Kubernetes test with overlayfs
+    uses: ./.github/workflows/k8s_overlayfs_test.yml
     with:
       ref: ${{ inputs.ref }}
       firecracker_version: 'v1.7.0'
       solo5_version: 'v0.9.3'
-      runc_version: '1.3.0'
+      kind_version: '0.29.0'
     secrets: inherit

.github/workflows/kind_test.yml

@@ -20,19 +20,20 @@ on:
       solo5_version:
         type: string
         required: true
-      runc_version:
+      kind_version:
         required: true
         type: string
     secrets:
       GIT_CLONE_PAT:
         required: false
   workflow_dispatch:     
+
 permissions:
   contents: read
 
 jobs:
-  test:
-    name: Kubernetes test
+  setup:
+    name: Setup Kubernetes using kind and install urunc
     runs-on: ${{ matrix.runner }}
     strategy:
       matrix:
@@ -43,6 +44,27 @@ jobs:
             runner: ubuntu-22.04-arm
       fail-fast: false
     steps:
+
+    - name: Validate inputs (prevent command injection)
+      shell: bash
+      env:
+        FIRECRACKER_VERSION: ${{ inputs.firecracker_version }}
+        SOLO5_VERSION: ${{ inputs.solo5_version }}
+        KIND_VERSION: ${{ inputs.kind_version }}
+      run: |
+        SAFE_FIRECRACKER_VERSION="$FIRECRACKER_VERSION"
+        SAFE_SOLO5_VERSION="$SOLO5_VERSION"
+        SAFE_KIND_VERSION="$KIND_VERSION"
+
+        for var in SAFE_FIRECRACKER_VERSION SAFE_SOLO5_VERSION SAFE_KIND_VERSION; do
+          value="${!var}"
+          if ! [[ "$value" =~ ^v?[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then
+            echo "Invalid format for $var: $value"
+            exit 1
+          fi
+        done
+
+    steps:
     - name: Harden the runner (Audit all outbound calls)
       uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
       with:
@@ -51,17 +73,17 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-    - name: Install base dependencies
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y git wget build-essential libseccomp-dev pkg-config bc make 
     - name: Install kind
+      env:
+        KIND_VERSION: ${{ inputs.kind_version }}
+      run: |
       run: |
         ARCH=$(uname -m)
+        SAFE_KIND="${KIND_VERSION}"
         if [ "$ARCH" = "x86_64" ]; then
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-amd64
+          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${SAFE_KIND}/kind-linux-amd64
         elif [ "$ARCH" = "aarch64" ]; then
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-arm64
+          curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${SAFE_KIND}/kind-linux-arm64
         else
           echo "Unsupported architecture: $ARCH"
           exit 1
@@ -97,32 +119,46 @@ jobs:
     - name: Create kind cluster
       run: |
         sudo kind create cluster --name urunc-test --config kind-config.yaml
-    - name: Install dependencies inside kind node
+
+    - name: Install kubectl
       run: |
-        docker exec urunc-test-control-plane apt-get update
-        docker exec urunc-test-control-plane apt-get install -y git wget build-essential libseccomp-dev pkg-config bc
+        ARCH=$(uname -m)
+        if [ "$ARCH" = "x86_64" ]; then
+          KUBECTL_ARCH="amd64"
+        elif [ "$ARCH" = "aarch64" ]; then
+          KUBECTL_ARCH="arm64"
+        else
+          echo "Unsupported architecture: $ARCH"
+          exit 1
+        fi
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${KUBECTL_ARCH}/kubectl"
+        chmod +x kubectl
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 
-    - name: Install runc inside kind node
+    - name: Set up kubectl config
       run: |
-        docker exec urunc-test-control-plane bash -c '
-          if ! which runc; then
-            wget -q https://github.com/opencontainers/runc/releases/download/v${{ inputs.runc_version }}/runc.$(dpkg --print-architecture)
-            install -m 755 runc.$(dpkg --print-architecture) /usr/local/sbin/runc
-            rm -f ./runc.$(dpkg --print-architecture)
-          fi
-        '
+        mkdir -p ~/.kube
+        kind get kubeconfig --name urunc-test > ~/.kube/config
+        chmod 600 ~/.kube/config
+        export KUBECONFIG=~/.kube/config
+        kubectl config use-context kind-urunc-test
+        kubectl wait --for=condition=Ready nodes --all --timeout=200s
+        kubectl cluster-info
 
-    - name: Configure containerd inside kind node
+    - name: Create RuntimeClass
       run: |
-        docker exec urunc-test-control-plane bash -c '
-          systemctl status containerd || containerd &
-          mkdir -p /etc/containerd
-          containerd config default > /etc/containerd/config.toml
-        '
-    - name: Set snapshotter to overlayfs
+        cat <<EOF | kubectl apply -f -
+          kind: RuntimeClass
+          apiVersion: node.k8s.io/v1
+          metadata:
+            name: urunc
+          handler: urunc
+        EOF
+
+    - name: Install base dependencies inside kind
       run: |
-        docker exec urunc-test-control-plane bash -c \
-        'sed -i "s/snapshotter = \"devmapper\"/snapshotter = \"overlayfs\"/g" /etc/containerd/config.toml'
+        docker exec urunc-test-control-plane apt-get update
+        docker exec urunc-test-control-plane apt-get install -y git wget build-essential libseccomp-dev pkg-config bc
 
     - name: Download urunc artifact
       uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -136,9 +172,6 @@ jobs:
         name: containerd-shim-urunc-v2_${{ matrix.arch }}-${{ github.run_id }}
         path: ./artifacts    
 
-    - name: List artifacts dir
-      run: ls -lR ./artifacts
-
     - name: Copy and install urunc binaries
       run: |
         docker exec urunc-test-control-plane mkdir -p /urunc-temp
@@ -165,23 +198,27 @@ jobs:
       run: |
         docker exec urunc-test-control-plane apt-get install -y qemu-system
 
-
     - name: Install Firecracker inside kind node
+      if: matrix.arch == 'amd64'
+      env:
+        FC_VERSION: ${{ inputs.firecracker_version }}
       run: |      
-        FC_VERSION="${{ inputs.firecracker_version }}"
+        SAFE_FC="${FC_VERSION}"
         docker exec urunc-test-control-plane bash -c '
           ARCH=$(uname -m)
-          echo "Downloading Firecracker version: '"$FC_VERSION"'"
-          curl -fsSL https://github.com/firecracker-microvm/firecracker/releases/download/'"$FC_VERSION"'/firecracker-'"$FC_VERSION"'-${ARCH}.tgz | tar -xz
-          install -m 755 release-'"$FC_VERSION"'-${ARCH}/firecracker-'"$FC_VERSION"'-${ARCH} /usr/local/bin/firecracker
+          echo "Downloading Firecracker version: '"$SAVE_FC"'"
+          curl -fsSL https://github.com/firecracker-microvm/firecracker/releases/download/'"$SAFE_FC"'/firecracker-'"$SAFE_FC"'-${ARCH}.tgz | tar -xz
+          install -m 755 release-'"$SAFE_FC"'-${ARCH}/firecracker-'"$SAFE_FC"'-${ARCH} /usr/local/bin/firecracker
           firecracker --version
         '
 
     - name: Install Solo5 inside kind node
+      env:
+        SOLO5_VERSION: ${{ inputs.solo5_version }}
       run: |
-        SOLO5_VERSION="${{ inputs.solo5_version }}"
+        SAFE_SOLO5="${SOLO5_VERSION}"
         docker exec urunc-test-control-plane bash -c '
-          git clone -b "'"$SOLO5_VERSION"'" https://github.com/Solo5/solo5.git
+          git clone -b "'"$SAFE_SOLO5"'" https://github.com/Solo5/solo5.git
           cd solo5
           ./configure.sh && make -j$(nproc)
           install -m 755 tenders/hvt/solo5-hvt /usr/local/bin/
@@ -191,153 +228,19 @@ jobs:
           solo5-hvt --version
         '
 
+    - name: Configure containerd inside kind node
+      run: |
+        docker exec urunc-test-control-plane bash -c '
+          systemctl status containerd || containerd &
+          mkdir -p /etc/containerd
+          containerd config default > /etc/containerd/config.toml
+        '
+
     - name: Add urunc to containerd config
       run: |
         docker exec urunc-test-control-plane bash -c "cat <<'EOF' >> /etc/containerd/config.toml
         [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.urunc]
           runtime_type = \"io.containerd.urunc.v2\"
           container_annotations = [\"com.urunc.unikernel.*\"]
           pod_annotations = [\"com.urunc.unikernel.*\"]
-          snapshotter = \"overlayfs\"
         EOF"
-    
-
-    - name: Restart containerd inside urunc-test-control-plane
-      run: |
-        docker exec urunc-test-control-plane bash -c "
-          systemctl stop containerd
-          rm -f /var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db
-          systemctl restart containerd
-          sleep 10
-          systemctl status containerd
-        "
-    - name: Verify urunc installation
-      run: |
-        docker exec urunc-test-control-plane bash -c '
-        ls -la /usr/local/bin/urunc*
-        ls -la /usr/local/bin/containerd-shim-urunc-v2*
-        containerd --version
-        '
-
-    - name: Install kubectl
-      run: |
-        ARCH=$(uname -m)
-        if [ "$ARCH" = "x86_64" ]; then
-          KUBECTL_ARCH="amd64"
-        elif [ "$ARCH" = "aarch64" ]; then
-          KUBECTL_ARCH="arm64"
-        else
-          echo "Unsupported architecture: $ARCH"
-          exit 1
-        fi
-        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${KUBECTL_ARCH}/kubectl"
-        chmod +x kubectl
-        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
-
-    - name: Set up kubectl config
-      run: |
-        mkdir -p ~/.kube
-        kind get kubeconfig --name urunc-test > ~/.kube/config
-        chmod 600 ~/.kube/config
-        export KUBECONFIG=~/.kube/config
-        kubectl config use-context kind-urunc-test
-        kubectl wait --for=condition=Ready nodes --all --timeout=200s
-        kubectl cluster-info
-
-    - name: Create RuntimeClass
-      run: |
-        cat <<EOF | kubectl apply -f -
-          kind: RuntimeClass
-          apiVersion: node.k8s.io/v1
-          metadata:
-            name: urunc
-          handler: urunc
-        EOF
-    - name: Deploy hello world unikernel (amd64)
-      if: matrix.arch == 'amd64'
-      run: |
-        cat <<EOF | kubectl apply -f -
-            apiVersion: v1
-            kind: Pod
-            metadata:
-              name: hello-spt-rumprun-block
-              labels:
-                run: hello-spt-rumprun-block
-            spec:
-              runtimeClassName: urunc
-              restartPolicy: Never
-              containers:
-                - name: hello-spt-rumprun-block
-                  image: harbor.nbfc.io/nubificus/urunc/hello-spt-rumprun-block:latest
-                  imagePullPolicy: Always
-                  ports:
-                  - containerPort: 80
-                    protocol: TCP
-                  resources:
-                    requests:
-                      cpu: 10m
-        EOF
-        
-    - name: Verify hello-spt-rumprun-block deployment
-      if: matrix.arch == 'amd64'
-      run: |
-        kubectl wait --for=condition=Succeeded pod/hello-spt-rumprun-block --timeout=180s || true
-        kubectl logs hello-spt-rumprun-block | tee /tmp/logs.txt
-        if ! grep "Hello world" /tmp/logs.txt; then
-          echo "=== LOGS ==="
-          cat /tmp/logs.txt
-          exit 1
-        fi
-        kubectl describe pod hello-spt-rumprun-block || true
-        
-
-    - name: Deploy hello world unikernel (arm64)
-      if: matrix.arch == 'arm64'
-      run: |
-        cat <<EOF | kubectl apply -f -
-            apiVersion: v1
-            kind: Pod
-            metadata:
-              name: hello-spt-rumprun-block
-              labels:
-                run: hello-spt-rumprun-block
-            spec:
-              runtimeClassName: urunc
-              restartPolicy: Never
-              containers:
-                - name: hello-spt-rumprun-block
-                  image: harbor.nbfc.io/nubificus/urunc/hello-spt-rumprun-block:latest
-                  imagePullPolicy: Always
-                  ports:
-                  - containerPort: 80
-                    protocol: TCP
-                  resources:
-                    requests:
-                      cpu: 10m
-        EOF
-
-    - name: Verify hello world deployment (arm64)
-      if: matrix.arch == 'arm64'
-      run: |
-        kubectl wait --for=condition=Succeeded pod/hello-spt-rumprun-block --timeout=180s  || true
-        kubectl logs hello-spt-rumprun-block | tee /tmp/logs.txt
-        grep "Hello world" /tmp/logs.txt
-        kubectl describe pod hello-spt-rumprun-block || true
-
-    - name: Debug pod failure
-      if: failure()
-      run: |
-        echo "=== Debugging failure ==="
-        echo "=== Describe Pod ==="
-        if [ "${{ matrix.arch }}" = "amd64" ]; then
-          echo "=== Debugging hello-spt-rumprun-block (amd64) ==="
-          kubectl describe pod hello-spt-rumprun-block || true
-          echo "=== Logs ==="
-          kubectl logs hello-spt-rumprun-block || true
-        else
-          echo "=== Debugging hello-spt-rumprun-block (arm64) ==="
-          kubectl describe pod hello-spt-rumprun-block || true
-          echo "=== Logs ==="
-          kubectl logs hello-spt-rumprun-block || true
-        fi
-