Xmas 2022 updates #55

Merged

@frankpengau frankpengau commented Dec 28, 2022

  • Upgrading bats-core/bats-assert from v0.3.0 to v2.1.0
  • Upgrading bats-core/bats-core (bats/bats) from v1.7.0 to v1.8.2 (no-faccessat2)
  • Upgrading buildkite-plugins/docker-compose from v4.5.0 to v4.9.0
  • Upgrading buildkite-plugins/bats-mock from v2.0.1 to v2.1.0
  • Upgrading docker-compose spec from v2.0 to v3.7
  • Upgrading the test.bats and splitting the tests into:
    • test-success.bats
    • test-failure.bats

Resolves #56

@frankpengau
Contributor Author

Just a note: I am using test-success.bats and test-failure.bats to show variations in how you can do the BATS test setup and test cases with bats-assert. Trying to demonstrate what's on offer and also a simple way to help people to have something to reference.

@frankpengau
Contributor Author

Another note: This upgrade also fixes the dind (docker-in-docker) issue with using the buildkite-plugins/docker-buildkite-plugin with the buildkite/plugin-tester docker image.

Example
Running the following code:

  - label: ":shell: Test using Buildkite's own Bats docker box"
    command: "bats tests/"
    plugins:
      - docker#v5.3.0:
          image: buildkite/plugin-tester:latest
          workdir: /plugin
    agents:
      queue: elastic

Would produce this error:
Error: BATS_TMPDIR (/tmp) is not writable
🚨 Error: The command exited with status 1

This is not related to forgetting to chmod a file or directory or the lack of permissions/access or wrong user.

This is caused by an underlying issue with the new system call (faccessat2) which was introduced in Linux 5.8. It returns a different error code, from ENOSYS to EPERM.

As a result, it has wide-ranging effects on both Linux and Docker, affected by the underlying dependencies/libraries that are used (glibc, seccomp, etc.).

References:

Release Notes Extract:

faccessat2

Use of the faccessat2 syscall has been enabled in musl. Due to runc issue 2151, new system calls incorrectly returned EPERM instead of ENOSYS when invoked under a Docker with libseccomp predating their release. Therefore, Alpine Linux 3.14 requires at least one of the following:

  • runc v1.0.0-rc93
    • if using Docker's Debian repositories, this is part of containerd.io 1.4.3-2
    • if using Docker Desktop for Windows or Mac, this is part of Docker Desktop 3.3.0
  • Docker 20.10.0 (which contains moby commit a181391) or greater, AND libseccomp 2.4.4 (which contains backported libseccomp commit 5696c89) or greater. In this case, to check if your host libseccomp is faccessat2-compatible, invoke scmp_sys_resolver faccessat2. If 439 is returned, faccessat2 is supported. If -1 is returned, faccessat2 is not supported. Note that if runc is older than v1.0.0-rc93, Docker must still be at least version 20.10.0, regardless of the result of this command.
  • As a workaround, in order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, defaultAction changed to SCMP_ACT_TRACE, then --seccomp-profile=default.json can be passed to dockerd, or --security-opt=seccomp=default.json passed to docker create or docker run. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.

Note also that when using nested Docker, every layer must meet one of the above requirements, since if any layer improperly denies the use of faccessat2, Alpine Linux 3.14 will not function correctly.
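The requirement list in the quoted release notes, written out as a preflight check for a nested Docker stack. This is an added example, not part of the original comment or the project's code; the function names and the sample versions are hypothetical, and falling back to the libseccomp version floor when no resolver output is available is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Versions are passed in as strings so
# the logic runs offline; on a real host they come from the tools' version output.

# Split "v1.0.0-rc93" into "1 0 0 93". A final release gets rc=9999 so that
# 1.0.0 compares newer than 1.0.0-rc93.
ver_fields() {
    v=${1#v}
    case $v in
        *-rc*) rc=${v##*-rc}; rc=${rc%%[!0-9]*}; v=${v%%-rc*} ;;
        *)     rc=9999 ;;
    esac
    v=${v%%[-+~]*}              # drop packaging suffixes such as "-2"
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${rc:-0}"
}

# ver_ge A B: succeeds when version A >= version B.
ver_ge() {
    set -- $(ver_fields "$1") $(ver_fields "$2")   # $1-$4 = A, $5-$8 = B
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# Verdict for one Docker layer.
# $1 runc, $2 Docker, $3 libseccomp versions,
# $4 output of `scmp_sys_resolver faccessat2` ("" when the tool is missing).
layer_verdict() {
    if ver_ge "$1" 1.0.0-rc93; then
        echo "ok: runc >= v1.0.0-rc93"; return 0
    fi
    if ! ver_ge "$2" 20.10.0; then
        echo "fail: runc < v1.0.0-rc93 and Docker < 20.10.0"; return 1
    fi
    case $4 in
        439) echo "ok: Docker >= 20.10.0, libseccomp resolves faccessat2"; return 0 ;;
        -1)  echo "fail: libseccomp does not know faccessat2"; return 1 ;;
    esac
    # Assumption: without resolver output, fall back to the 2.4.4 version floor.
    if ver_ge "$3" 2.4.4; then
        echo "ok: Docker >= 20.10.0, libseccomp >= 2.4.4"; return 0
    fi
    echo "fail: libseccomp < 2.4.4"; return 1
}

# Nested Docker: every layer must pass. Reads "name runc docker libseccomp
# resolver" lines on stdin, outermost first ("-" = resolver output unknown).
stack_verdict() {
    status=0
    while read -r name runc_v docker_v seccomp_v resolver; do
        [ "$resolver" = "-" ] && resolver=
        msg=$(layer_verdict "$runc_v" "$docker_v" "$seccomp_v" "$resolver") || status=1
        echo "$name: $msg"
    done
    return $status
}

# Constructed sample: the host is fine, the inner dind layer is too old.
sample_stack() {
    stack_verdict <<'EOF'
host 1.0.0-rc92 20.10.7 2.5.1 439
dind 1.0.0-rc10 19.03.8 2.4.1 -1
EOF
}
sample_stack || echo "not every layer meets the faccessat2 requirements"
```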

@frankpengau
Contributor Author

Just another note:

These changes have been tested with the following:

  • Local Testing with bk local run
  • Local Testing with docker-compose run --rm tests

Local Testing with bk local run

>>> Starting local agent 🤖
>>> Starting build 👟
>>> Executing initial command: buildkite-agent pipeline upload
>>> Executing command step :docker: 🔨

~~~ Preparing plugins
# Plugin "github.com/buildkite-plugins/docker-compose-buildkite-plugin" will be checked out to "/var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-393153070/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0"
# Switching to the temporary plugin directory
$ cd /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-393153070/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-03444664275
$ git clone -v --recursive -- https://github.com/buildkite-plugins/docker-compose-buildkite-plugin .
Cloning into '.'...
POST git-upload-pack (193 bytes)
POST git-upload-pack (gzip 3820 to 1927 bytes)
remote: Enumerating objects: 3676, done.
remote: Counting objects: 100% (856/856), done.
remote: Compressing objects: 100% (339/339), done.
remote: Total 3676 (delta 576), reused 740 (delta 515), pack-reused 2820
Receiving objects: 100% (3676/3676), 900.53 KiB | 1.58 MiB/s, done.
Resolving deltas: 100% (2116/2116), done.
# Checking out `v4.9.0`
$ git checkout -f v4.9.0
Note: switching to 'v4.9.0'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at bf6b5a1 Merge pull request #364 from buildkite-plugins/toote_separator_issue-363
# Moving temporary plugin directory to final location
$ cd /private/var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-build-367920459
$ cd /Users/frank.peng/Repos/experiments/git-forks/buildkite-plugin-tester

~~~ Running plugin docker-compose command hook
$ /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-393153070/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0/hooks/command
2022-12-28 14:28:19 WARN   POST http://127.0.0.1:52540/jobs/f308c8b4-d47c-47d1-abfd-80d001c5bc48/data/exists: 404 (Attempt 1/10 Retrying in 5s)
2022-12-28 14:28:19 FATAL  Failed to see if meta-data exists: POST http://127.0.0.1:52540/jobs/f308c8b4-d47c-47d1-abfd-80d001c5bc48/data/exists: 404

~~~ :docker: Building Docker Compose Service: tests
⚠️ No pre-built image found from a previous 'build' step for this service and config file. Building image...
$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 build --pull tests
[+] Building 7.4s (2/3)                                                         
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 32B                                        0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest@sha256:c3db40  7.3s
Failed to fire hook: while creating logrus local file hook: user: Current requires cgo or $USER set in environment
[2022-12-28T03:28:26.916490000Z][docker-credential-desktop][F] user: Current requires cgo or $USER set in environment
[common/pkg/paths.Home()
[	common/pkg/paths/paths.go:105 +0x58
[common/pkg/paths.Container()
[	common/pkg/paths/user_darwin.go:37 +0x1c
[common/pkg/paths.Data()
[	common/pkg/paths/paths_darwin.go:27 +0x1c
[+] Building 7.8s (2/3)                                                         
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 32B                                        0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest@sha256:c3db40  7.8s
Failed to fire hook: while creating logrus local file hook: user: Current requires cgo or $USER set in environment
[2022-12-28T03:28:27.397693000Z][docker-credential-desktop][F] user: Current requires cgo or $USER set in environment
[common/pkg/paths.Home()
[	common/pkg/paths/paths.go:105 +0x58
[common/pkg/paths.Container()
[	common/pkg/paths/user_darwin.go:37 +0x1c
[common/pkg/paths.Data()
[	common/pkg/paths/paths_darwin.go:27 +0x1c
[+] Building 7.9s (12/12) FINISHED                                              
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 32B                                        0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest@sha256:c3db40  7.8s
 => [1/8] FROM docker.io/bats/bats:latest@sha256:c3db40540a4942497a8c7ca1  0.0s
 => CACHED [2/8] RUN apk --no-cache add ncurses curl jq                    0.0s
 => CACHED [3/8] RUN mkdir -p /usr/local/lib/bats/bats-support     && cur  0.0s
 => CACHED [4/8] RUN mkdir -p /usr/local/lib/bats/bats-assert     && curl  0.0s
 => CACHED [5/8] RUN mkdir -p /usr/local/lib/bats/bats-mock     && curl -  0.0s
 => CACHED [6/8] RUN mkdir -p /usr/local/lib/bats/bats-file      && curl   0.0s
 => CACHED [7/8] RUN if [[ -e /bin/bash ]]; then echo "/bin/bash already   0.0s
 => CACHED [8/8] WORKDIR /plugin                                           0.0s
 => exporting to image                                                     0.0s
 => => exporting layers                                                    0.0s
 => => writing image sha256:f64b45590a88492ba53dcc7c799081108caac7ccdd43c  0.0s
 => => naming to docker.io/library/buildkitef308c8b4d47c47d1abfd80d001c5b  0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them


~~~ :docker: Starting dependencies
$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 up -d --scale tests=0 tests
[+] Running 1/0
 ⠿ Network buildkitef308c8b4d47c47d1abfd80d001c5bc48_default  Created 0.0s


+++ :docker: Running  in service tests
$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 run --name buildkitef308c8b4d47c47d1abfd80d001c5bc48_tests_build_1 --rm tests
test-failure.bats
 ✓ bats intentional failure - expects Not AOK
 ✓ bats-mock should throw error
 ✓ bats intentional failure - alerts error
test-success.bats
 ✓ bats works AOK
 ✓ bats-mock works

5 tests, 0 failures



~~~ Running plugin docker-compose pre-exit hook
$ /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-393153070/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0/hooks/pre-exit

~~~ :docker: Cleaning up after docker-compose
$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 kill
no container to kill
$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 rm --force -v
No stopped containers

$ docker-compose -f docker-compose.yml -p buildkitef308c8b4d47c47d1abfd80d001c5bc48 down --volumes
[+] Running 1/0
 ⠿ Network buildkitef308c8b4d47c47d1abfd80d001c5bc48_default  Removed 0.1s


>>> Command succeeded in 18.326503709s
>>> Build finished in 18.326511167s

Local Testing with docker-compose run --rm tests

➜  buildkite-plugin-tester git:(xmas-2022-updates) docker-compose run --rm tests
WARN[0000] The "BUILDKITE_TAG" variable is not set. Defaulting to a blank string. 
test-failure.bats
 ✓ bats intentional failure - expects Not AOK
 ✓ bats-mock should throw error
 ✓ bats intentional failure - alerts error
test-success.bats
 ✓ bats works AOK
 ✓ bats-mock works

5 tests, 0 failures

@frankpengau
Contributor Author

Sorry, looks like I missed a commit for the no faccessat2 bats/bats image. Re-running the tests now.

@frankpengau
Contributor Author

Local Testing with bk local run

➜  buildkite-plugin-tester git:(xmas-2022-updates) ✗ bk local run
>>> Starting local agent 🤖
>>> Starting build 👟
>>> Executing initial command: buildkite-agent pipeline upload
>>> Executing command step :docker: 🔨

~~~ Preparing plugins
# Plugin "github.com/buildkite-plugins/docker-compose-buildkite-plugin" will be checked out to "/var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-402104290/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0"
# Switching to the temporary plugin directory
$ cd /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-402104290/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-03143097272
$ git clone -v --recursive -- https://github.com/buildkite-plugins/docker-compose-buildkite-plugin .
Cloning into '.'...
POST git-upload-pack (193 bytes)
POST git-upload-pack (gzip 3820 to 1927 bytes)
remote: Enumerating objects: 3676, done.
remote: Counting objects: 100% (856/856), done.
remote: Compressing objects: 100% (338/338), done.
remote: Total 3676 (delta 575), reused 742 (delta 516), pack-reused 2820
Receiving objects: 100% (3676/3676), 901.39 KiB | 300.00 KiB/s, done.
Resolving deltas: 100% (2115/2115), done.
# Checking out `v4.9.0`
$ git checkout -f v4.9.0
Note: switching to 'v4.9.0'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at bf6b5a1 Merge pull request #364 from buildkite-plugins/toote_separator_issue-363
# Moving temporary plugin directory to final location
$ cd /private/var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-build-134158543
$ cd /Users/frank.peng/Repos/experiments/git-forks/buildkite-plugin-tester

~~~ Running plugin docker-compose command hook
$ /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-402104290/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0/hooks/command
2022-12-29 17:10:20 WARN   POST http://127.0.0.1:57394/jobs/3aca7323-43ed-4a81-83d8-577905cf76df/data/exists: 404 (Attempt 1/10 Retrying in 5s)
2022-12-29 17:10:20 FATAL  Failed to see if meta-data exists: POST http://127.0.0.1:57394/jobs/3aca7323-43ed-4a81-83d8-577905cf76df/data/exists: 404

~~~ :docker: Building Docker Compose Service: tests
⚠️ No pre-built image found from a previous 'build' step for this service and config file. Building image...
$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df build --pull tests
[+] Building 1.1s (2/3)                                                         
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 2.25kB                                     0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest-no-faccessat2  1.0s
Failed to fire hook: while creating logrus local file hook: user: Current requires cgo or $USER set in environment
[2022-12-29T06:10:22.905251000Z][docker-credential-desktop][F] user: Current requires cgo or $USER set in environment
[common/pkg/paths.Home()
[	common/pkg/paths/paths.go:105 +0x58
[common/pkg/paths.Container()
[	common/pkg/paths/user_darwin.go:37 +0x1c
[common/pkg/paths.Data()
[	common/pkg/paths/paths_darwin.go:27 +0x1c
[+] Building 1.5s (2/3)                                                         
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 2.25kB                                     0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest-no-faccessat2  1.5s
Failed to fire hook: while creating logrus local file hook: user: Current requires cgo or $USER set in environment
[2022-12-29T06:10:23.321075000Z][docker-credential-desktop][F] user: Current requires cgo or $USER set in environment
[common/pkg/paths.Home()
[	common/pkg/paths/paths.go:105 +0x58
[common/pkg/paths.Container()
[	common/pkg/paths/user_darwin.go:37 +0x1c
[common/pkg/paths.Data()
[	common/pkg/paths/paths_darwin.go:27 +0x1c
[+] Building 6.8s (12/12) FINISHED                                              
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 2.25kB                                     0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker.io/bats/bats:latest-no-faccessat2  1.5s
 => [1/8] FROM docker.io/bats/bats:latest-no-faccessat2@sha256:ab8b147d6f  0.0s
 => CACHED [2/8] RUN apk --no-cache add ncurses curl jq                    0.0s
 => CACHED [3/8] RUN mkdir -p /usr/local/lib/bats/bats-support     && cur  0.0s
 => [4/8] RUN mkdir -p /usr/local/lib/bats/bats-assert     && curl -sSL h  1.7s
 => [5/8] RUN mkdir -p /usr/local/lib/bats/bats-mock     && curl -sSL htt  1.5s
 => [6/8] RUN mkdir -p /usr/local/lib/bats/bats-file      && curl -sSL ht  1.6s
 => [7/8] RUN if [[ -e /bin/bash ]]; then echo "/bin/bash already exists"  0.3s
 => [8/8] WORKDIR /plugin                                                  0.0s
 => exporting to image                                                     0.0s
 => => exporting layers                                                    0.0s
 => => writing image sha256:8c0d7ada8cef9d5dd5c37244e1f8215dfdb2a3a1a3d97  0.0s
 => => naming to docker.io/library/buildkite3aca732343ed4a8183d8577905cf7  0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them


~~~ :docker: Starting dependencies
$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df up -d --scale tests=0 tests
[+] Running 1/0
 ⠿ Network buildkite3aca732343ed4a8183d8577905cf76df_default  Created 0.0s


+++ :docker: Running  in service tests
$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df run --name buildkite3aca732343ed4a8183d8577905cf76df_tests_build_1 --rm tests
test-failure.bats
 ✓ bats intentional failure - expects Not AOK
 ✓ bats-mock should throw error
 ✓ bats intentional failure - alerts error
test-success.bats
 ✓ bats works AOK
 ✓ bats-mock works

5 tests, 0 failures



~~~ Running plugin docker-compose pre-exit hook
$ /var/folders/g5/gldb9rfd6xv_6s5fh1x4w3840000gp/T/buildkite-plugins-402104290/github-com-buildkite-plugins-docker-compose-buildkite-plugin-v4-9-0/hooks/pre-exit

~~~ :docker: Cleaning up after docker-compose
$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df kill
no container to kill
$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df rm --force -v
No stopped containers

$ docker-compose -f docker-compose.yml -p buildkite3aca732343ed4a8183d8577905cf76df down --volumes
[+] Running 1/0
 ⠿ Network buildkite3aca732343ed4a8183d8577905cf76df_default  Removed 0.1s


>>> Command succeeded in 19.404386959s
>>> Build finished in 19.40439675s

Local Testing with docker-compose run --rm tests

➜  buildkite-plugin-tester git:(xmas-2022-updates) ✗ docker-compose run --rm tests
WARN[0000] The "BUILDKITE_TAG" variable is not set. Defaulting to a blank string. 
test-failure.bats
 ✓ bats intentional failure - expects Not AOK
 ✓ bats-mock should throw error
 ✓ bats intentional failure - alerts error
test-success.bats
 ✓ bats works AOK
 ✓ bats-mock works

5 tests, 0 failures

@toote
Contributor

toote commented Jan 4, 2023

While we are at it, I would also suggest updating bats-mock to the (newly released) 2.1.0 version ;)

@frankpengau
Contributor Author

> While we are at it, I would also suggest updating bats-mock to the (newly released) 2.1.0 version ;)

I'll look into it, lols! 🤣

@frankpengau
Contributor Author

Just for the record, upgraded buildkite-plugins/bats-mock from v2.0.1 to v2.1.0 as suggested.

Looking to revert back from:

  • (Multi Architecture Image) bats/bats:1.8.2-no-faccessat2@sha256:ed084f4b241c7e43422ff0a1d624a3a9609ef804ac8953449d2da63d6b8246e0
    TO:
  • (Linux/AMD64 Architecture Image) bats/bats:1.8.2-no-faccessat2@sha256:ab8b147d6fd604a25872580db473a61d446370af00addfe0a0d8b4394eae0f6b

Reason: Faced with what looks to be a Docker Buildkit error

failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to create LLB definition: rpc error: code = Unknown desc = error getting credentials - err: exit status 1, out: ``

Excerpt of Output for Error:

...
...
[+] Building 2.5s (3/3) FINISHED                                                
 => [internal] load build definition from Dockerfile                       0.0s
 => => transferring dockerfile: 32B                                        0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => ERROR [internal] load metadata for docker.io/bats/bats:1.8.2-no-facce  2.5s
------
 > [internal] load metadata for docker.io/bats/bats:1.8.2-no-faccessat2@sha256:ed084f4b241c7e43422ff0a1d624a3a9609ef804ac8953449d2da63d6b8246e0:

------
failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to create LLB definition: rpc error: code = Unknown desc = error getting credentials - err: exit status 1, out: ``
🚨 Error: The command exited with status 17
^^^ +++
^^^ +++
user command error: The plugin docker-compose command hook exited with status 17
...
...

Although docker build and docker buildx build work and are able to build the image, I'm not sure if this is practical, due to changes that might be required for the build pipeline when releasing.

Contributor

@toote toote left a comment

Just a very minor comment that may only affect me :P

Thanks a lot for all the effort and hard work

@frankpengau
Contributor Author

Should be ready for merge, let me know if you have any other changes in mind. :)

@pzeballos pzeballos merged commit 5cb9be4 into buildkite-plugins:main Jan 5, 2023
Successfully merging this pull request may close these issues.

Error: BATS_TMPDIR (/tmp) is not writable