1 files changed, 645 insertions, 0 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..ae4ac0b
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,645 @@
+image: $CI_REGISTRY/knot/knot-resolver/ci/debian-stable:knot-2.7
+
+variables:
+  DEBIAN_FRONTEND: noninteractive
+  LC_ALL: C.UTF-8
+  GIT_SUBMODULE_STRATEGY: recursive
+  GIT_STRATEGY: clone # sometimes unclean submodule dirs otherwise
+  PREFIX: $CI_PROJECT_DIR/.local
+  LD_LIBRARY_PATH: $CI_PROJECT_DIR/.local/lib
+  RESPDIFF_PRIORITY: 5
+  RESPDIFF_COUNT: 1
+  RESPDIFF_FORCE: 0
+  RESPERF_FORCE: 0
+
+stages:
+  - build
+  - test
+  - coverage
+  - extended
+  - deploy
+
+.build: &build
+  variables:
+    CFLAGS: -ggdb
+  stage: build
+  except:
+    - master
+  script:
+    - rm daemon/lua/kres-gen.lua
+    - make -k all
+    - STATUS="$(git status --untracked-files=normal --porcelain)"
+    - test -n "${STATUS}" && echo "${STATUS}" && echo "Build + install made working tree dirty, did you forget to update something?" && exit 2
+    - make install
+  artifacts:
+    untracked: true
+  tags:
+    - docker
+    - linux
+    - amd64
+
+build:linux:amd64:
+  <<: *build
+
+
+build:asan:linux:amd64:
+  <<: *build
+  variables:
+    CFLAGS: -ggdb3 -O0 -fsanitize=address -fno-omit-frame-pointer
+
+lint:pedantic:
+  stage: test  # could be in build already, but let's not block the test stage if this fails
+  dependencies: []  # do not download build artifacts
+  except:
+    - master
+  image: $CI_REGISTRY/knot/knot-resolver/ci/debian-unstable:knot-2.7  # newer Debian for newer compilers
+  variables:
+    CFLAGS: -Werror -Wall -Wpedantic -ggdb -std=gnu11
+  script:
+    - make -k all
+    - make clean
+    - make -k all CC=clang CXX=clang++ \
+        CFLAGS="$CFLAGS -Wno-newline-eof -Wno-gnu-zero-variadic-macro-arguments -Wno-gnu-folding-constant"
+  tags:
+    - docker
+    - linux
+    - amd64
+
+srpm:
+  stage: build
+  except:
+    - master
+  allow_failure: true  # don't block testing pipeline in case of failure
+  image: $CI_REGISTRY/knot/knot-resolver/ci/fedora
+  script:
+    - scripts/make-srpm.sh
+  artifacts:
+    when: always
+    expire_in: '1 week'
+    paths:
+      - "*.src.rpm"
+  tags:
+    - docker
+    - linux
+    - amd64
+
+lint:lua:
+  stage: test
+  except:
+    - master
+  dependencies: []  # do not download build artifacts
+  script:
+    - make lint-lua
+  tags:
+    - docker
+
+lint:c:
+  stage: test
+  except:
+    - master
+  image: $CI_REGISTRY/knot/knot-resolver/ci/debian-unstable:knot-2.7  # newer Debian for newer Clang
+  dependencies: []  # do not download build artifacts
+  script:
+    - make lint-c CLANG_TIDY="clang-tidy -quiet"
+  tags:
+    - docker
+
+lint:clang-scan-build:
+  stage: test
+  except:
+    - master
+  image: $CI_REGISTRY/knot/knot-resolver/ci/debian-unstable:knot-2.7  # newer Debian for newer Clang
+  dependencies: []  # do not download build artifacts
+  script:
+    - MAKEFLAGS="-k -j$(nproc)" SCAN_BUILD="scan-build -o scan-results --status-bugs -no-failure-reports" ./tests/clang_scan_build.sh make || true
+    - test "$(ls scan-results/*/report-*.html | wc -l)" = 6 # we have this many errors ATM :-)
+  artifacts:
+    when: on_failure
+    expire_in: '1 day'
+    paths:
+      - scan-results
+  tags:
+    - docker
+
+test:linux:amd64:
+  stage: test
+  except:
+    - master
+  script:
+    # recompile everything otherwise lcov will bark because Git files will be "newer" than gcda files
+    # this is caused by interaction between Git approach to timestamps and Gitlab artifacts
+    - git clean -xdf
+    - make
+    - MAKEFLAGS="--jobs $(nproc)" make -k check
+    - MAKEFLAGS="--jobs $(nproc)" test "${COVERAGE:-0}" -eq 1 && make coverage-c COVERAGE_STAGE=gcov-check || echo "code coverage skipped"
+  dependencies: []
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - ./*.info
+  tags:
+    - docker
+    - linux
+    - amd64
+
+
+docker:build:
+  stage: test
+  image: docker:latest
+  except:
+    - master
+  tags:
+    - dind
+  dependencies: []
+  variables:
+    DOCKER_IMAGE_NAME: knot-resolver-test:${CI_COMMIT_SHA}
+  script:
+    - docker build --no-cache -t ${DOCKER_IMAGE_NAME} .
+    - echo "quit()" | docker run -i ${DOCKER_IMAGE_NAME}
+  after_script:  # remove dangling images to avoid running out of disk space
+    - docker rmi ${DOCKER_IMAGE_NAME}
+    - docker rmi $(docker images -f "dangling=true" -q)
+
+
+installcheck:linux:amd64:
+  stage: test
+  except:
+    - master
+  script:
+    # recompile everything otherwise lcov will bark because Git files will be "newer" than gcda files
+    # this is caused by interaction between Git approach to timestamps and Gitlab artifacts
+    - git clean -xdf
+    - make install
+    - MAKEFLAGS="--jobs $(nproc) --keep-going" make -k installcheck
+    - MAKEFLAGS="--jobs $(nproc)" test "${COVERAGE:-0}" -eq 1 && make coverage-c coverage-lua COVERAGE_STAGE=gcov-installcheck || echo "code coverage skipped"
+  dependencies: []
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - ./*.info
+  tags:
+    - docker
+    - linux
+    - amd64
+
+doc:
+  stage: test
+  except:
+    - master
+  script:
+    - SPHINXFLAGS="-W" make doc
+  dependencies: []
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - ./doc/*
+  tags:
+    - docker
+
+deckard:linux:amd64:
+  stage: test
+  except:
+    refs:
+      - master
+    variables:
+      # prevent unstable test from cancelling nightly OBS build
+      - $SKIP_DECKARD == "1"
+  variables:
+    TMPDIR: $CI_PROJECT_DIR
+  script:
+    - DECKARDFLAGS="-n $(nproc)" PATH="$PREFIX/sbin:$PATH" make check-integration
+  # these errors are side-effect of Git way of handling file timestamps
+    - MAKEFLAGS="--jobs $(nproc)" test "${COVERAGE:-0}" -eq 1 && make coverage-c coverage-lua COVERAGE_STAGE=gcov-deckard 2>&1 | grep -vE '(source file is newer than notes file)|(the message is displayed only once per source file)' || echo "code coverage skipped"
+  dependencies:
+    - build:linux:amd64
+  artifacts:
+    when: always
+    paths:
+      - ./*.info
+      - tmpdeckard*
+    expire_in: 1 week
+  tags:
+    - docker
+    - linux
+    - amd64
+
+installcheck:valgrind:linux:amd64:
+  stage: test
+  except:
+    - master
+  script:
+    - DEBUGGER="valgrind --leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp" make -k installcheck
+  dependencies:
+    - build:linux:amd64
+  tags:
+    - docker
+    - linux
+    - amd64
+
+osx:build:
+  stage: test
+  except:
+    - master
+  script:
+    - ci/travis.py ${CI_COMMIT_REF_NAME}
+  dependencies: []
+  tags:
+    - docker
+
+
+# temporarily disabled - we need to fix issues first
+#deckard:linux:amd64:valgrind:
+#  stage: test
+#  script:
+#    # TODO: valgrind missing parameter --error-exitcode=1 to fail make on error
+#    - cd tests/deckard && DAEMON=valgrind ADDITIONAL="--leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp $PREFIX/sbin/kresd -f 1" MAKEFLAGS="-j $(nproc) --keep-going" make
+#  artifacts:
+#    when: on_failure
+#    expire_in: 1 week
+#    paths:
+#      - tmpdeckard*
+#  dependencies:
+#    - build:linux:amd64
+#  tags:
+#    - docker
+#    - linux
+#    - amd64
+
+
+test:linux:amd64:valgrind:
+  stage: test
+  except:
+    - master
+  variables:
+    TMPDIR: $CI_PROJECT_DIR
+  script:
+    - DEBUGGER="valgrind --error-exitcode=1 --leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp" make -k check
+  dependencies:
+    - build:linux:amd64
+  tags:
+    - docker
+    - linux
+    - amd64
+
+pytests:lint:
+  stage: test
+  dependencies: []
+  except:
+    - master
+  script:
+    - ./ci/pytests/lint.sh
+  tags:
+    - docker
+    - linux
+    - amd64
+
+pytests:run:
+  stage: test
+  dependencies:
+    - build:asan:linux:amd64
+  except:
+    - master
+  script:
+    - pushd tests/pytests/rehandshake
+    - make all
+    - popd
+    - PATH="$PREFIX/sbin:$PATH" ./ci/pytests/run.sh &> pytests.log.txt
+  after_script:
+    - tail -1 pytests.log.txt
+    - echo "See pytests.html or pytests.log.txt for full report."
+  artifacts:
+    when: always
+    expire_in: 1 week
+    paths:
+      - pytest*
+  tags:
+    - docker
+    - linux
+    - amd64
+
+pytests:extended:
+  stage: extended
+  dependencies:
+    - build:asan:linux:amd64
+  except:
+    - master
+  script:
+    - PATH="$PREFIX/sbin:$PATH" ./ci/pytests/run-extended.sh
+  tags:
+    - docker
+    - linux
+    - amd64
+
+
+.respdiff:  &respdiff
+  stage: extended
+  dependencies: []
+  only:  # trigger job only in repos under our control
+    - branches@knot/knot-resolver
+    - branches@knot/knot-resolver-security
+  except:
+    - master
+  script:
+    - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPDIFF_FORCE -gt 0 || exit 0
+    - export LABEL=gl$(date +%s)
+    - export COMMITDIR="/var/tmp/respdiff-jobs/$(git rev-parse --short HEAD)-$LABEL"
+    - export TESTDIR="$COMMITDIR/$RESPDIFF_TEST"
+    - ln -s $COMMITDIR respdiff_commitdir
+    - >
+      sudo -u respdiff /var/opt/respdiff/contrib/job_manager/submit.py -w
+      -p $RESPDIFF_PRIORITY
+      -c $RESPDIFF_COUNT
+      $(sudo -u respdiff /var/opt/respdiff/contrib/job_manager/create.py
+      "$(git rev-parse --short HEAD)" -l $LABEL -t $RESPDIFF_TEST
+      --respdiff-stats /var/tmp/respdiff-jobs/ref_current/*_${RESPDIFF_TEST}_stats.json)
+    - for f in $TESTDIR/*.json; do test -s "$f" || (cat $TESTDIR/*stderr*; exit 1); done
+    - sudo -u respdiff /var/opt/respdiff/contrib/job_manager/plot_ref.sh $TESTDIR/.. /var/tmp/respdiff-jobs/ref_current $RESPDIFF_TEST
+  after_script:
+    - 'cp -t . respdiff_commitdir/$RESPDIFF_TEST/j* ||:'
+    - 'cp -t . respdiff_commitdir/*$RESPDIFF_TEST*.png ||:'
+  artifacts:
+    when: always
+    expire_in: 1 week
+    paths:
+      - ./j*
+      - ./*.png
+  tags:
+    - respdiff
+
+respdiff:fwd-tls6-kresd.udp6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.fwd-tls6-kresd.udp6.j256
+
+respdiff:fwd-udp6-kresd.udp6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.fwd-udp6-kresd.udp6.j384
+
+respdiff:iter.udp6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.iter.udp6.j384
+
+respdiff:iter.tls6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.iter.tls6.j384
+
+respdiff:fwd-udp6-unbound.udp6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.fwd-udp6-unbound.udp6.j256
+
+respdiff:fwd-udp6-unbound.tcp6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.fwd-udp6-unbound.tcp6.j256
+
+respdiff:fwd-udp6-unbound.tls6:
+  <<: *respdiff
+  variables:
+    RESPDIFF_TEST: shortlist.fwd-udp6-unbound.tls6.j256
+
+
+respdiff:iter:udp:linux:amd64:
+  stage: test
+  except:
+    - master
+  script:
+    - source <(./scripts/coverage_env.sh "$(pwd)" "$(pwd)/coverage.stats/respdiff" "iter/udp" --export)
+    - ulimit -n "$(ulimit -Hn)" # applies only for kresd ATM
+    - ./ci/respdiff/start-resolvers.sh
+    - ./ci/respdiff/run-respdiff-tests.sh udp
+    - cat results/respdiff.txt
+    - echo 'test if mismatch rate < 1.0 %'
+    - grep -q '^target disagrees.*0\.[0-9][0-9] %' results/respdiff.txt
+    - killall --wait kresd
+    - MAKEFLAGS="--jobs $(nproc)" test "${COVERAGE:-0}" -eq 1 && make coverage-c coverage-lua COVERAGE_STAGE=gcov-respdiff-iter-udp | grep -vE '(source file is newer than notes file)|(the message is displayed only once per source file)' || echo "code coverage skipped"
+  dependencies:
+    - build:asan:linux:amd64
+  artifacts:
+    when: always
+    expire_in: '1 week'
+    paths:
+      - kresd.log.xz
+      - results/*.txt
+      - results/*.png
+      - results/respdiff.db/data.mdb.xz
+      - ./*.info
+  tags:
+    - docker
+    - linux
+    - amd64
+
+
+.resperf:  &resperf
+  stage: extended
+  dependencies: []
+  only:  # trigger job only in repos under our control
+    - branches@knot/knot-resolver
+    - branches@knot/knot-resolver-security
+  except:
+    - master
+  script:
+    - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPERF_FORCE -gt 0 || exit 0
+    - export LABEL=gl$(date +%s)
+    - export COMMITDIR="/var/tmp/respdiff-jobs/$(git rev-parse --short HEAD)-$LABEL"
+    - export TESTDIR="$COMMITDIR/$RESPERF_TEST"
+    - ln -s $COMMITDIR resperf_commitdir
+    - >
+      sudo -u respdiff /var/opt/respdiff/contrib/job_manager/submit.py -w
+      $(sudo -u respdiff /var/opt/respdiff/contrib/job_manager/create.py
+      "$(git rev-parse --short HEAD)" -l $LABEL --asan -t $RESPERF_TEST)
+    - export EXITCODE=$(cat $TESTDIR/j*_exitcode)
+    - if [[ "$EXITCODE" == "0" ]]; then cat $TESTDIR/j*_resperf.txt; else cat $TESTDIR/j*_kresd.docker.txt; fi
+    - exit $EXITCODE
+  after_script:
+    - 'cp -t . resperf_commitdir/$RESPERF_TEST/j* ||:'
+  artifacts:
+    when: always
+    expire_in: 1 week
+    paths:
+      - ./j*
+  tags:
+    - respdiff
+
+resperf:fwd-tls6.udp-asan:
+  <<: *resperf
+  variables:
+    RESPERF_TEST: resperf.fwd-tls6.udp
+
+resperf:fwd-udp6.udp-asan:
+  <<: *resperf
+  variables:
+    RESPERF_TEST: resperf.fwd-udp6.udp
+
+resperf:iter.udp-asan:
+  <<: *resperf
+  variables:
+    RESPERF_TEST: resperf.iter.udp
+
+
+distro:fedora-29:
+  stage: test
+  except:
+    - master
+  image: $CI_REGISTRY/knot/knot-resolver/ci/fedora
+  only:  # trigger job only in repos under our control
+    - branches@knot/knot-resolver
+    - branches@knot/knot-resolver-security
+  dependencies:
+    - srpm
+  script:
+    - mock --no-clean --old-chroot -r fedora-29-x86_64 --rebuild *.src.rpm || (cat /var/lib/mock/fedora-29-x86_64/result/build.log; false)
+  after_script:
+    - mv /var/lib/mock/fedora-29-x86_64/result fedora-29-x86_64
+  artifacts:
+    when: always
+    expire_in: '1 week'
+    paths:
+      - fedora-29-x86_64/
+  tags:
+    - privileged  # mock requires additional capabilities (e.g. mount)
+
+distro:epel-7:
+  stage: test
+  except:
+    - master
+  image: $CI_REGISTRY/knot/knot-resolver/ci/fedora
+  only:  # trigger job only in repos under our control
+    - branches@knot/knot-resolver
+    - branches@knot/knot-resolver-security
+  dependencies:
+    - srpm
+  script:
+    - mock --no-clean --dnf --old-chroot -r epel-7-x86_64 --rebuild *.src.rpm || (cat /var/lib/mock/epel-7-x86_64/result/build.log; false)
+  after_script:
+    - mv /var/lib/mock/epel-7-x86_64/result epel-7-x86_64
+  artifacts:
+    when: always
+    expire_in: '1 week'
+    paths:
+      - epel-7-x86_64/
+  tags:
+    - privileged  # mock require additional capabilities (e.g. mount)
+
+# compute coverage for runs with COVERAGE=1
+coverage:
+  stage: coverage
+  except:
+    - master
+    - branches@knot/knot-resolver-security
+  only:
+    variables:
+      - $COVERAGE == "1"
+  script:
+    - make coverage
+  artifacts:
+    expire_in: '1 week'
+    paths:
+      - coverage
+  coverage: '/lines\.+:\s(\d+.\d+\%)/'
+  dependencies:
+    - build:linux:amd64
+    - test:linux:amd64
+    - installcheck:linux:amd64
+    - deckard:linux:amd64
+    - respdiff:iter:udp:linux:amd64
+  tags:
+    - docker
+    - linux
+    - amd64
+
+# publish coverage only for master branch
+pages:
+  stage: deploy
+  only:
+    refs:
+      - nightly@knot/knot-resolver
+    variables:
+      - $COVERAGE == "1"
+  dependencies:
+    - coverage
+  script:
+    - mv coverage/ public/
+  artifacts:
+    expire_in: '30 days'
+    paths:
+      - public
+
+# trigger obs build for master branch
+obs:devel:
+  stage: deploy
+  only:
+    variables:
+      - $OBS_BUILD == "1"
+    refs:
+      - nightly@knot/knot-resolver
+  dependencies: []
+  script:
+    - scripts/make-archive.sh
+    - scripts/make-distrofiles.sh
+    - echo -e "[general]\napiurl = https://api.opensuse.org\n\n[https://api.opensuse.org]\nuser = CZ-NIC-automation\npass = $OBS_PASSWORD" > /root/.oscrc
+    - scripts/build-in-obs.sh knot-dns-devel  # build against latest development version of knot
+    - scripts/build-in-obs.sh knot-resolver-devel  # build against knot in knot-resolver-latest
+
+pkg:debian:symbols:libkres:
+  variables:
+    LIB_NAME: libkres
+    LIB_ABI: 9
+  stage: deploy
+  only:
+    variables:
+      - $OBS_BUILD == "1"
+    refs:
+      - nightly@knot/knot-resolver
+  except:
+    - master
+  script:
+    - ln -s distro/deb debian
+    - sed -i "s/__VERSION__/99/g" distro/deb/changelog
+    - dpkg-gensymbols -c4 -elib/$LIB_NAME.so.$LIB_ABI -P. -p$LIB_NAME$LIB_ABI
+  allow_failure: true
+  dependencies:
+    - build:linux:amd64
+
+
+# copy snapshot of current master to nightly branch for further processing
+# (this is workaround for missing complex conditions for job limits in Gitlab)
+nightly:copy:
+  stage: deploy
+  only:
+    variables:
+      - $CREATE_NIGHTLY == "1"
+    refs:
+      - master@knot/knot-resolver
+  dependencies: []
+  script:
+    # delete nightly branch
+    - 'curl --request PUT --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" "https://gitlab.labs.nic.cz/api/v4/projects/147/repository/branches/nightly/unprotect"'
+    - 'curl --request DELETE --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" "https://gitlab.labs.nic.cz/api/v4/projects/147/repository/branches/nightly"'
+    # recreate nightly branch from current master
+    - 'curl --request POST --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" "https://gitlab.labs.nic.cz/api/v4/projects/147/repository/branches?branch=nightly&ref=master"'
+    - 'curl --request PUT --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" "https://gitlab.labs.nic.cz/api/v4/projects/147/repository/branches/nightly/protect"'
+
+
+#arm_build:
+#  image: cznic/armhf-ubuntu:16.04
+#  stage: build
+#  script:
+#    - make -k all
+#  tags:
+#    - docker
+#    - linux
+#    - arm
+
+#arm_test:
+#  image: armv7/armhf-ubuntu:16.04
+#  stage: test
+#  script:
+#    - make -k check
+#  tags:
+#    - docker
+#    - linux
+#    - arm