Can I run incus from Github Actions to spin up an archlinux vm?

carlotm · February 23, 2024, 8:08am

Hi all,

I manage my dotfiles and system with Ansible.
I host my Ansible playbooks on Github.

I would like to create a Github Action Workflow that, at every push:

Arrange
1. Creates an Archlinux vm and starts it
2. Clone my dotfiles on the vm
Act
1. Runs the Ansible playbooks on the vm as I normally do on my systems
Assert
1. Make some assertion about the state of the vm so I can check my playbooks did the right things

Github actions runs on Ubuntu 22.04

Do you think it is possible, or do you know in advance it would be a mess/impossible?

Cheers!

stgraber · February 23, 2024, 10:55pm

Containers (not VMs) definitely work great. For VMs, I believe it’s possible these days but you need to make sure you get a Github Actions runner that supports nested virtualization.

I don’t know if they’ve just enabled that as large or if you need to somehow request it.

carlotm · February 28, 2024, 7:26am

Thank you, that seems to work.

This is what I am doing right now:

github.com

carlotm/dotfiles/blob/master/.github/workflows/build.yml

name: Dotfiles CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install incus
        run: |
          sudo mkdir -p /etc/apt/keyrings
          wget -qO - https://pkgs.zabbly.com/key.asc | sudo tee /etc/apt/keyrings/zabbly.asc
          sudo bash -c 'cat << EOF > /etc/apt/sources.list.d/zabbly-incus-stable.sources
          Enabled: yes

This file has been truncated. show original

The ping command fails on the container though, with this error:

ping: mirrors.kernel.org: Temporary failure in name resolution

I suspect this is related to the network setup when I run incus admin init but I am not sure.

Any idea how to debug this?

Cheers!
And thanks everyone for incus!

stgraber · February 28, 2024, 12:38pm

Most likely it’s the pre-installed Docker in the Github Actions image that’s causing some networking issues. See How to configure your firewall - Incus documentation for some options.

Given that removing it + rebooting is not likely to work well within a CI job, maybe try running (as root):

iptables -I DOCKER-USER -i incusbr0 -j ACCEPT
iptables -I DOCKER-USER -o incusbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

carlotm · February 29, 2024, 6:19am

Unfortunately the third options seems the only one I can try,
and the iptables commands don’t seem to work.

As I am not an expert, I just copy/pasted the commands from the docs,
I am sorry for not being much helpful.

Shame I was close to make that work

Giving up for now, thanks for the support!

Cheers

stgraber · February 29, 2024, 4:43pm

name: Dotfiles CI
on:
  - push

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install incus
        run: |
          curl https://pkgs.zabbly.com/get/incus-stable | sudo sh -x

      - name: Reset the firewall
        run: |
          sudo nft flush ruleset

      - name: Init incus
        run: sudo incus admin init --auto

      - name: Launch an arch container
        run: sudo incus launch images:b0b987c75be9 archbox

      - name: Install ansible on arch
        run: |
          sleep 10
          sudo incus exec archbox -- pacman -Syu ansible --noconfirm

Here you go

carlotm · February 29, 2024, 4:55pm

heheheh thanks