ROX-30630: run BPF bootstrap test in CI

With this change, we will start running our integration tests on GCP
hosted VMs, allowing us to have better visibility into what is the
compatibility of our code with different kernel versions. This is
achieved by running a small bootstrap unit test that load our code into
the kernel, exercising the verifier on it.

Author: Molter73

.github/workflows/ci.yml

@@ -150,6 +150,10 @@ jobs:
           base-image: ${{ needs.vars.outputs.image-name }}
           archs: ${{ env.ARCHS }}
 
+  unit-tests:
+    uses: ./.github/workflows/unit-tests.yml
+    secrets: inherit
+
   integration-tests:
     needs:
       - vars

.github/workflows/unit-tests.yml

@@ -0,0 +1,107 @@
+name: Run unit tests
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: The version of fact to be tested (commit SHA or tag)
+        default: ${{ github.head_ref || github.ref_name }}
+        type: string
+      job-tag:
+        description: Additional tag to prevent collision on GCP VM naming
+        type: string
+        default: '-ut'
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        vm:
+          - rhel
+          - rhel-arm64
+          - rhcos
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: fact
+    - uses: actions/checkout@v4
+      with:
+        repository: stackrox/collector
+        path: collector
+        ref: master
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.10"
+
+    - name: Authenticate with GCP
+      uses: 'google-github-actions/auth@v2'
+      with:
+        credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_COLLECTOR_CI_VM_SVC_ACCT }}'
+
+    - name: Setup GCP
+      uses: 'google-github-actions/setup-gcloud@v2'
+
+    - uses: ./collector/.github/actions/setup-vm-creds
+      with:
+        gcp-ssh-key: ${{ secrets.GCP_SSH_KEY }}
+        gcp-ssh-key-pub: ${{ secrets.GCP_SSH_KEY_PUB }}
+        s390x-ssh-key: ${{ secrets.IBM_CLOUD_S390X_SSH_PRIVATE_KEY }}
+        ppc64le-ssh-key: ${{ secrets.IBM_CLOUD_POWER_SSH_PRIVATE_KEY }}
+        ppc64le-ssh-key-pub: ${{ secrets.IBM_CLOUD_POWER_SSH_PUBLIC_KEY }}
+        s390x-key: ${{ secrets.IBM_CLOUD_S390x_API_KEY }}
+        ppc64le-key: ${{ secrets.IBM_CLOUD_POWER_API_KEY }}
+        redhat-username: ${{ secrets.REDHAT_USERNAME }}
+        redhat-password: ${{ secrets.REDHAT_PASSWORD }}
+        vm-type: ${{ matrix.vm }}
+        job-tag: ${{ inputs.job-tag }}
+        workspace: ${{ github.workspace }}/collector
+
+    - name: Create vars.yml
+      run: |
+        cat << EOF > vars.yml
+        ---
+        job_id: ${JOB_ID}
+        fact:
+          version: ${{ inputs.version }}
+        workdir: ${{ github.workspace }}
+        excluded_vms:
+        # RHEL 8 doesn't handle file creation properly,
+        # need more investigation
+        - rhel-8
+        - rhcos-412-86-202402272018-0-gcp-x86-64
+        # BPF trampolines are only implemented starting with RHEL 10
+        - rhel-9-arm64
+        EOF
+
+    - name: Create Test VMs
+      env:
+        ANSIBLE_CONFIG: "${{ github.workspace }}/collector/ansible/ansible.cfg"
+      run: |
+        ansible-playbook \
+          -i "${GITHUB_WORKSPACE}/collector/ansible/ci" \
+          -e @vars.yml \
+          --tags setup,provision \
+          "${GITHUB_WORKSPACE}/collector/ansible/integration-tests.yml"
+
+    - name: Run the tests
+      run: |
+        ansible-playbook \
+          -i "${GITHUB_WORKSPACE}/collector/ansible/ci" \
+          -e @vars.yml \
+          "${GITHUB_WORKSPACE}/fact/ansible/run-unit-tests.yml"
+
+    - name: Teardown VMs
+      if: always()
+      run: |
+        make -C "./collector/ansible" destroy-vms
+
+    - name: Store artifacts
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ matrix.vm }}-unit-test-logs
+        path: |
+          ${{ github.workspace }}/unit-test-*.log
+        if-no-files-found: ignore

ansible/group_vars/all.yml

@@ -0,0 +1,2 @@
+---
+runtime_command: docker

ansible/group_vars/container_engine_podman.yml

@@ -0,0 +1,2 @@
+---
+runtime_command: podman

ansible/group_vars/platform_rhcos.yml

@@ -0,0 +1,2 @@
+---
+ansible_user: core

ansible/group_vars/platform_rhcos_arm64.yml

@@ -0,0 +1,2 @@
+---
+ansible_user: core

ansible/roles/unit-tests/tasks/docker.yml

@@ -0,0 +1,63 @@
+---
+- name: Start test-runner
+  community.docker.docker_container:
+    name: test-runner
+    image: quay.io/centos/centos:stream9
+    interactive: true
+    cgroupns_mode: host
+    pid_mode: host
+    privileged: true
+  register:
+    test_result
+
+- name: Install dependencies
+  community.docker.docker_container_exec:
+    container: test-runner
+    command: >
+      dnf install --enablerepo=crb -y
+          clang-19.1.7
+          libbpf-devel
+          protobuf-compiler
+          protobuf-devel
+          git
+
+- name: Download rustup
+  community.docker.docker_container_exec:
+    container: test-runner
+    command: curl --tlsv1.2 -sSf https://sh.rustup.rs -o rustup.sh
+
+- name: Make rustup executable
+  community.docker.docker_container_exec:
+    container: test-runner
+    command: chmod +x rustup.sh
+
+- name: Install rust toolchain
+  community.docker.docker_container_exec:
+    container: test-runner
+    command: ./rustup.sh -y --default-toolchain 1.84 --profile minimal
+
+- name: Clone fact repo
+  community.docker.docker_container_exec:
+    container: test-runner
+    command: >
+      git clone -b "{{ fact.version }}"
+          --recurse-submodules
+          https://github.com/stackrox/fact
+  register: clone_res
+
+- name: Run unit tests
+  block:
+    - name: Run unit tests
+      community.docker.docker_container_exec:
+        container: test-runner
+        env:
+          PATH: /root/.cargo/bin:${PATH}
+          FACT_LOGLEVEL: debug
+        chdir: /fact
+        command: cargo test --all-features
+      register: test_result
+
+  always:
+    - name: Dump logs
+      ansible.builtin.include_tasks:
+        file: dump-result.yml

ansible/roles/unit-tests/tasks/dump-result.yml

@@ -0,0 +1,23 @@
+---
+- name: stderr dump
+  ansible.builtin.debug:
+    var: test_result.stderr_lines
+  when: test_result.rc != 0
+
+- name: Test result
+  ansible.builtin.debug:
+    var: test_result.stdout_lines
+  when: test_result.rc != 0
+
+- name: Write stdout to log
+  copy:
+    content: "{{ test_result.stdout }}"
+    dest: "unit-test-{{ vm_config }}-stdout.log"
+  delegate_to: localhost
+
+- name: Write stderr to log
+  copy:
+    content: "{{ test_result.stderr }}"
+    dest: "unit-test-{{ vm_config }}-stderr.log"
+  delegate_to: localhost
+

ansible/roles/unit-tests/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Run unit tests with docker
+  include_tasks: docker.yml
+  when: runtime_command == 'docker'
+
+- name: Run unit tests with podman
+  include_tasks: podman.yml
+  when: runtime_command == 'podman'

ansible/roles/unit-tests/tasks/podman.yml

@@ -0,0 +1,70 @@
+---
+- name: Start test-runner
+  become: true
+  containers.podman.podman_container:
+    name: test-runner
+    image: quay.io/centos/centos:stream9
+    interactive: true
+    cgroupns: host
+    pid_mode: host
+    privileged: true
+  register:
+    test_result
+
+- name: Install dependencies
+  become: true
+  containers.podman.podman_container_exec:
+    name: test-runner
+    command: >
+      dnf install --enablerepo=crb -y
+          clang-19.1.7
+          libbpf-devel
+          protobuf-compiler
+          protobuf-devel
+          git
+
+- name: Download rustup
+  become: true
+  containers.podman.podman_container_exec:
+    name: test-runner
+    command: curl --tlsv1.2 -sSf https://sh.rustup.rs -o rustup.sh
+
+- name: Make rustup executable
+  become: true
+  containers.podman.podman_container_exec:
+    name: test-runner
+    command: chmod +x rustup.sh
+
+- name: Install rust toolchain
+  become: true
+  containers.podman.podman_container_exec:
+    name: test-runner
+    command: ./rustup.sh -y --default-toolchain 1.84 --profile minimal
+
+- name: Clone fact repo
+  become: true
+  containers.podman.podman_container_exec:
+    name: test-runner
+    command: >
+      git clone -b "{{ fact.version }}"
+          --recurse-submodules
+          https://github.com/stackrox/fact
+  register: clone_res
+
+- name: Run unit tests
+  become: true
+  block:
+    - name: Run unit tests
+      containers.podman.podman_container_exec:
+        name: test-runner
+        env:
+          PATH: /root/.cargo/bin:${PATH}
+          FACT_LOGLEVEL: debug
+        workdir: /fact
+        command: cargo test --all-features
+      register: test_result
+
+  always:
+    - name: Dump logs
+      ansible.builtin.include_tasks:
+        file: dump-result.yml