re-use cmlxc workflow, replacing CI with hetzner staging servers with local lxc containers#917
Open
re-use cmlxc workflow, replacing CI with hetzner staging servers with local lxc containers#917
Conversation
hpk42
force-pushed
the
hpk/new-lxc-test
branch
4 times, most recently
from
7ea8cfd to
51b930a
Compare
7 tasks
This was referenced Apr 14, 2026
hpk42
changed the title
hpk42
changed the title
link2xt
reviewed
Apr 15, 2026
missytake
force-pushed
the
hpk/new-lxc-test
branch
from
8677378 to
3ec2c7f
Compare
missytake
approved these changes
Apr 16, 2026
Comment on lines
+45
to
+51
| cmlxc_commands: | | ||
| cmlxc init | ||
| cmlxc deploy-cmdeploy --source ./repo -vv cm0 | ||
| cmlxc test-mini cm0 | ||
| cmlxc test-cmdeploy -vv cm0 | ||
| cmlxc deploy-cmdeploy --source ./repo -vv --ipv4-only cm1 | ||
| cmlxc test-cmdeploy -vv cm0 cm1 |
Contributor
There was a problem hiding this comment.
This is a good start :) I wonder whether the deploys could maybe run concurrently to speed this up a bit - but we should first gather some experience with this new workflow.
Contributor
Author
There was a problem hiding this comment.
tests are generally very fast, it's the deploys that are slow -- they could run concurrently against several hosts but then the option-handling gets more complex. for now it's simpler, and more helpful for logging and debugging any issues, to run things sequentially.
Comment on lines
-32
to
-42
| # save previous acme & dkim state | ||
| rsync -avz root@staging-ipv4.testrun.org:/var/lib/acme acme-ipv4 || true | ||
| rsync -avz root@staging-ipv4.testrun.org:/etc/dkimkeys dkimkeys-ipv4 || true | ||
| # store previous acme & dkim state on ns.testrun.org, if it contains useful certs | ||
| if [ -f dkimkeys-ipv4/dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/ || true; fi | ||
| if [ "$(ls -A acme-ipv4/acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/ || true; fi | ||
| # make sure CAA record isn't set | ||
| scp -o StrictHostKeyChecking=accept-new .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone | ||
| ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone | ||
| ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone | ||
| ssh root@ns.testrun.org systemctl reload nsd |
Contributor
There was a problem hiding this comment.
ngl, I'm going to miss this caching logic a little bit.
j4n
approved these changes
Apr 16, 2026
Contributor
j4n
left a comment
j4n
left a comment
There was a problem hiding this comment.
Looks good, could not test much; I suppose this will mean ci-testing locally and then having a nightly run of the old-fashioned non-local testing?
| @@ -1,15 +1,26 @@ | |||
| name: CI | |||
| name: Run unit-tests and container-based deploy+test verification | |||
Contributor
There was a problem hiding this comment.
Suggested change
| name: Run unit-tests and container-based deploy+test verification | |
| name: CI: unit tests + LXC deploy |
So its always visible in UI
| on: | ||
| pull_request: | ||
| # Triggers when a PR is merged into main or a direct push occurs | ||
| push: |
Contributor
There was a problem hiding this comment.
maybe we should bring back excluding the non-code files:
paths-ignore:
- 'scripts/**'
- '**/README.md'
- 'CHANGELOG.md'
- 'LICENSE'
Contributor
There was a problem hiding this comment.
don't forget doc/** ;)
hpk42
force-pushed
the
hpk/new-lxc-test
branch
3 times, most recently
from
cd9d4df to
096acf3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
cmlxc is meanwhile regularly published (via the https://github.com/chatmail/cmlxc repo) via an OIDC-automated github workflow (which means anyone with write rights can create a new release, see README):
https://pypi.org/project/cmlxc/
The chatmail/cmlxc repo also offers a re-usable "lxc-test" workflow that is used here in this PR, to replace the staging-* hetzner host testing with testing against local containers. The "cmlxc" commands executed in the github CI should be possible to run unmodified locally to recreate any problems.
i think it would be sufficient to only daily deploy to "real" servers, maybe laso doing the docker tests there. It is not neccessary for each commit in a PR to cause the whole remote dance and dependency (if something fails in staging, it's not easy to replicate locally).
A sister PR is also in the madmail repo, also re-using the same lxc-test workflow.
sidenote: The "chatmail/cmlxc" is still incrementally developing, although i think i finished the largest refactorings i wanted to do. I'll see to give a sign when i feel the code base is sufficiently stable, and worth a more thorough review. Meanwhile PRs or issue-filing ist welcome.