Mirrors/curl
0
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-01-18 17:21:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
c07a7f6bf82f8f9aa59d189573378e494439164a
curl/.circleci/config.yml
Viktor Szakats c07a7f6bf8 runtests: detect bad libssh differently for test 1459 (fixing CircleCI libssh job) 
test 1459 "SFTP with corrupted known_hosts" was seen failing in the past.
To fix it, the test was automatically disabled when detecting libssh
0.9.3 or older, as in the curl CircleCI job, running on Ubuntu 20.04.
This work for a long time, until bumping the CircleCI runner to Ubuntu
22.04 (to have OpenSSL 3), where the test was running again, and failing
with the isssue seen in the past.

- Test skipped with Ubuntu 20.04 (libssh 0.9.3):
  https://app.circleci.com/pipelines/github/curl/curl/16445/workflows/7f198763-e0b0-4037-9245-4c4b40ab8726/jobs/155164
- Failure seen with Ubuntu 22.04 (libssh 0.9.6):
  https://app.circleci.com/pipelines/github/curl/curl/16452/workflows/b817a808-0fd4-40b0-8eb0-d064926efe12/jobs/155206?invite=true#step-107-211709_45
- Failure seen with Ubuntu 24.04 (libssh 0.10.6):
  https://app.circleci.com/pipelines/github/curl/curl/16455/workflows/86c631f1-3c5f-4438-b398-3df2bdab5d20/jobs/155218

Turns out the issue issue isn't libssh 0.9.3 itself, but
a CircleCI-specific default configuration in `/etc/ssh/ssh_config`:
```
# BEGIN ANSIBLE MANAGED BLOCK
Host *
StrictHostKeyChecking no     <------ this particular line
HashKnownHosts no
SendEnv LANG LC_*
# END ANSIBLE MANAGED BLOCK
```

libssh will consult configuration files on hard-coded default system
locations and alter its behavior based on settings found in them.

This libssh behavior is present in all supported versions:
5a2abd34ce
https://gitlab.com/libssh/libssh-mirror/-/tags/libssh-0.9.0

It means the existing disable logic based on libssh version worked by
coincidence, and what needs to be checked is these configurations
to decide if it's safe to run the test. Another, simpler option is
to also accept the result code 67, though in that case the test
wouldn't actually test what we want, but would pass anyway.

With the old `oldlibssh` workaround deleted, and the problematic setting
manually overridden (`StrictHostKeyChecking yes`):
- CircleCI Ubuntu 20.04 passes with 1459 enabled:
  https://app.circleci.com/pipelines/github/curl/curl/16483/workflows/87a9f389-76a2-4a32-acde-c0b411a4c842/jobs/155302
- CircleCI Ubuntu 22.04 does too:
  https://app.circleci.com/pipelines/github/curl/curl/16483/workflows/87a9f389-76a2-4a32-acde-c0b411a4c842/jobs/155303

To fix, replace the `runtests` `oldlibssh` detection logic to parse
libssh config files (instead of checking for libssh version) and disable
test 1459 based on that. Notice the detection is making a light attempt
to parse these files, and does not implement most config file features
(such as includes, quoted values and `=` operator.)

The new runtests workaround tests OK with the:
- default CircleCI configuration, disabling 1459 automatically.
- a sudoless configuration fix, with 1459 run successfully.
  Also keep setting this option in CircleCI jobs.
- a sudo configuration fix, with 1459 run successfully.
Ref: https://app.circleci.com/pipelines/github/curl/curl/16492/workflows/56f39335-97ba-412c-9a9b-3d662694375a

GHA jobs are not affected and they work fine, with 1459 running successfully
before and after this patch.

It's possible the libssh API offers ways to control config file use
and/or set the strict host checking option programatically. Maybe
to enable in debug mode (albeit CircleCI job are not debug-enabled),
or offer an option for them. It may be something for a future patch.

Follow-up to 23540923e1 #8622
Follow-up to 4b01a57c95 #8548
Follow-up to bdc664a640 #8490
Follow-up to 7c140f6b2d #8444

Ref: 6d9c5c91b9 #19549

Closes #19557
2025-11-16 23:28:44 +01:00

205 lines
5.3 KiB
YAML
Raw Blame History

#***************************************************************************
# _ _ ____ _
# Project ___| | | | _ \| |
# / __| | | | |_) | |
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at https://curl.se/docs/copyright.html.
#
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
# copies of the Software, and permit persons to whom the Software is
# furnished to do so, under the terms of the COPYING file.
#
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
# KIND, either express or implied.
#
# SPDX-License-Identifier: curl
#
###########################################################################
# View these jobs in the browser: https://app.circleci.com/pipelines/github/curl/curl
# Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/configuration-reference/
version: 2.1
commands:
install-cares:
steps:
- run:
command: |
sudo apt-get update && sudo apt-get install -y libc-ares-dev
install-libssh:
steps:
- run:
command: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update && sudo apt-get install -y libssh-dev
install-deps:
steps:
- run:
command: |
sudo apt-get update && sudo apt-get install -y libpsl-dev libbrotli-dev libzstd-dev zlib1g-dev python3-pip
python3 -m venv ~/venv
~/venv/bin/pip --disable-pip-version-check --no-input --no-cache-dir install --progress-bar off --prefer-binary -r tests/requirements.txt
configure:
steps:
- run:
command: |
autoreconf -fi
./configure --disable-dependency-tracking --enable-option-checking=fatal --enable-unity --enable-werror --enable-warnings \
--with-openssl \
|| { tail -1000 config.log; false; }
configure-no-proxy:
steps:
- run:
command: |
autoreconf -fi
./configure --disable-dependency-tracking --enable-option-checking=fatal --enable-unity --enable-werror \
--with-openssl --disable-proxy \
|| { tail -1000 config.log; false; }
configure-libssh:
steps:
- run:
command: |
autoreconf -fi
./configure --disable-dependency-tracking --enable-option-checking=fatal --enable-unity --enable-werror --enable-warnings \
--with-openssl --with-libssh \
|| { tail -1000 config.log; false; }
configure-cares:
steps:
- run:
command: |
autoreconf -fi
./configure --disable-dependency-tracking --enable-option-checking=fatal --enable-unity --enable-werror --enable-warnings \
--with-openssl --enable-ares \
|| { tail -1000 config.log; false; }
configure-cares-debug:
steps:
- run:
command: |
autoreconf -fi
./configure --disable-dependency-tracking --enable-option-checking=fatal --enable-unity --enable-werror --enable-debug \
--with-openssl --enable-ares \
|| { tail -1000 config.log; false; }
build:
steps:
- run: make -j3 V=1
- run: src/curl --disable --version
- run: make -j3 V=1 examples
test:
steps:
- run:
command: |
source ~/venv/bin/activate
# Revert a CircleCI-specific local setting that makes test 1459
# return 67 (CURLE_LOGIN_DENIED) instead of the
# expected 60 (CURLE_PEER_FAILED_VERIFICATION).
echo 'StrictHostKeyChecking yes' >> ~/.ssh/config
make -j3 V=1 test-ci TFLAGS='-j14'
executors:
ubuntu:
machine:
image: ubuntu-2204:2025.09.1
jobs:
basic:
executor: ubuntu
steps:
- checkout
- install-deps
- configure
- build
- test
no-proxy:
executor: ubuntu
steps:
- checkout
- install-deps
- configure-no-proxy
- build
- test
cares:
executor: ubuntu
steps:
- checkout
- install-deps
- install-cares
- configure-cares
- build
- test
libssh:
executor: ubuntu
steps:
- checkout
- install-deps
- install-libssh
- configure-libssh
- build
- test
arm:
machine:
image: ubuntu-2204:2025.09.1
resource_class: arm.medium
steps:
- checkout
- install-deps
- configure
- build
- test
arm-cares:
machine:
image: ubuntu-2204:2025.09.1
resource_class: arm.medium
steps:
- checkout
- install-deps
- install-cares
- configure-cares-debug
- build
- test
workflows:
x86-openssl:
jobs:
- basic
openssl-c-ares:
jobs:
- cares
openssl-libssh:
jobs:
- libssh
openssl-no-proxy:
jobs:
- no-proxy
arm-openssl:
jobs:
- arm
arm-openssl-c-ares:
jobs:
- arm-cares
Reference in New Issue View Git Blame Copy Permalink