Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run GHA CI with multiple OpenSSL versions #87977

Closed
tiran opened this issue Apr 12, 2021 · 6 comments
Closed

Run GHA CI with multiple OpenSSL versions #87977

tiran opened this issue Apr 12, 2021 · 6 comments
Assignees
@tiran
Labels
3.8 only security fixes 3.9 only security fixes 3.10 only security fixes tests Tests in the Lib/test dir topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Apr 12, 2021

BPO 43811
Nosy @tiran, @miss-islington
PRs
  • bpo-43811: Test multiple OpenSSL versions on GHA #25360
  • [3.9] bpo-43811: Test multiple OpenSSL versions on GHA (GH-25360) #25391
  • [3.8] bpo-43811: Test multiple OpenSSL versions on GHA (GH-25360) #25392
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
closed_at = <Date 2021-04-19.20:10:18.774>
created_at = <Date 2021-04-12.08:38:07.789>
labels = ['expert-SSL', 'type-bug', '3.8', '3.9', '3.10', 'tests']
title = 'Run GHA CI with multiple OpenSSL versions'
updated_at = <Date 2021-04-19.20:10:18.773>
user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-04-19.20:10:18.773>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-04-19.20:10:18.774>
closer = 'christian.heimes'
components = ['Tests', 'SSL']
creation = <Date 2021-04-12.08:38:07.789>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 43811
keywords = ['patch']
message_count = 6.0
messages = ['390825', '390830', '390932', '390980', '390989', '390992']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'miss-islington']
pr_nums = ['25360', '25391', '25392']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue43811'
versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']
    @tiran
    Copy link
    Member Author

    tiran commented Apr 12, 2021

    CI only tests one OpenSSL version, but Python supports multiple versions of OpenSSL. OpenSSL 1.0.2, 1.1.0, 1.1.1, and 3.0.0 have different APIs and behave differently. We should run minimal tests with all major OpenSSL versions to ensure that Python compiles and works with supported versions.

    This will slow down CI a bit. I figured out how to include ccache to speed up compilation a lot. With populated ccache configure + make takes less than 30 seconds instead of 90 seconds.

    I also noticed that GHA action configuration compiles Python with custom OpenSSL but fails to set rpath / LD_LIBRARY_PATH. I think this means that we compile with custom OpenSSL but actual tests use OSS' OpenSSL libraries.

    @tiran tiran added 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes labels Apr 12, 2021
    @tiran tiran self-assigned this Apr 12, 2021
    @tiran tiran added tests Tests in the Lib/test dir topic-SSL type-bug An unexpected behavior, bug, or error 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes labels Apr 12, 2021
    @tiran tiran self-assigned this Apr 12, 2021
    @tiran tiran added tests Tests in the Lib/test dir topic-SSL type-bug An unexpected behavior, bug, or error labels Apr 12, 2021
    @tiran
    Copy link
    Member Author

    tiran commented Apr 12, 2021

    Github selects required actions based on the "name" attribute of a job. Therefore I decided to keep the default "Ubuntu" job and moved the additional OpenSSL tests to another job.

    For future reference, my first approach was:

    strategy:
  fail-fast: false
  matrix:
    openssl_ver: [1.1.1k, 1.0.2u, 1.1.0l, 3.0.0-alpha14]
    include:
    - openssl_ver: 1.1.1k
      testmode: 'full'
...
- name: Tests
  run: xvfb-run make buildbottest TESTOPTS="-j4 -uall,-cpu"
  if: ${{ matrix.testmode == 'full' }}
- name: SSL tests
  run: ./python [Lib/test/ssltests.py](https://github.com/python/cpython/blob/main/Lib/test/ssltests.py)
  if: ${{ matrix.testmode != 'full' }}

    @tiran
    Copy link
    Member Author

    tiran commented Apr 13, 2021

    The new checks are only executed when one or more OpenSSL-related files are modified. The checks run a handful of networking and hashing test suites. All SSL checks are optional. This PR also introduces ccache to speed up compilation. In common cases it speeds up configure and compile time from about 90 seconds to less than 30 seconds.

    @miss-islington
    Copy link
    Contributor

    New changeset 8fa1489 by Christian Heimes in branch 'master':
    bpo-43811: Test multiple OpenSSL versions on GHA (GH-25360)
    8fa1489

    @miss-islington
    Copy link
    Contributor

    New changeset 5ce227f by Miss Islington (bot) in branch '3.9':
    [3.9] bpo-43811: Test multiple OpenSSL versions on GHA (GH-25360) (GH-25391)
    5ce227f

    @miss-islington
    Copy link
    Contributor

    New changeset a607815 by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-43811: Test multiple OpenSSL versions on GHA (GH-25360) (GH-25392)
    a607815

    @tiran tiran closed this as completed Apr 19, 2021
    @tiran tiran closed this as completed Apr 19, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @tiran tiran

    Labels
    3.8 only security fixes 3.9 only security fixes 3.10 only security fixes tests Tests in the Lib/test dir topic-SSL type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @tiran @miss-islington