Gitlab &mdash; csantosb https://infosec.press/csantosb/tag:Gitlab Random thoughts Wed, 13 May 2026 23:20:10 +0000 ci (gitlab/hub) https://infosec.press/csantosb/ci-gitlab-hub <![CDATA[img br/ Remote #ci is the way to go in #modernhw digital design testing. In this #ciseries, let’s see it in practice with some detail using two of the most popular forges out there. !--more-- br/ Gitlab The gitlab #gitforge includes tones of features. Among these, a facility called the container registry, which stores per project container images. Guix pack allows the creation of custom #reproductible environments as images. In particular, it is possible to create a docker image out of our manifest and channels files with br/ guix time-machine -C channels.scm -- pack --compression=xz --save-provenance -f docker -m manifest.scm Check the documentation for options. br/ Remember that there are obviously alternative methods to produce docker images. The point on using guix resides on its reproducibility capabilities: you’ll be able to create a new, identical docker image, out of the manifest and channels files at any point in time. Even more: you’ll have the capacity to retrieve your manifest file out of the binary image in case your manifest file gets lost. br/ Then, this image must be loaded into the local docker store with br/ docker load < IMAGE and renamed to something meaningful br/ docker tag IMAGE:latest gitlab-registry.whatever.fr/domain/group/NAME:TAG go remote img br/ Finally, pushed to the remote container registry of your project with br/ docker push gitlab-registry.whatever.fr/domain/group/NAME:TAG At this point, you have an environment where you’ll run your tests using gitlab's ci features. You’ll set up your gitlab’s runners and manifest files to use this container to execute your jobs. br/ As an alternative, you could use a ssh executor running on your own fast and powerful hardware resources (dedicated machine, shared cluster, etc.). In this case, you’d rather produce an apptainer container image with: br/ guix time-machine -C channels.scm -- pack -f squashfs ... scp this container file to your computing resources and call it from the #gitlab runner. br/ Github The github is probably the most popular #gitforge out there. It follows a similar to #gitlab in its conception (pull requests and merge requests, you catch the idea ?). It also includes a container registry, and the set of features if offers may be exchanged with ease with any other #gitforge following the same paradigm. No need to go into more details. br/ There is a couple of interesting tips about using #github, though. It happens more usually than not that users encounter frequently problems of #reproducibility when using container images hosted on ghcr.io, the hosting service for user images. These images are usually employed for running #ci testing pipelines, and they usually break as upstream changes happen: updates, image definition changes, image packages upgrades, etc. If you read my dependencies hell post, this should ring a bell. br/ What can be done about in what concerns #modernhw ? Well, we have #guix. Let’s try a differente approach: building an image locally, and pushing it to #github registry. Let’s see how. br/ in practice An example repository shows tha way to proceed. Its contents allow to create a docker container image to be hosted remotely. It includes all that’s necessary to perform remote #ci testing of a #modernhw #vhdl design. br/ docker pull ghcr.io/csantosb/hdl docker images # check $ID docker run -ti $ID bash It includes a couple of #plaintext files to produce a #deterministic container. First, the channels.scm file with the list of guix chanels to use to pull packages from. Then, a manifest.scm, with the list of packages to be install within the container. br/ The image container may be build with br/ image=$(guix time-machine --channels=channels.scm -- \ pack -f docker \ -S /bin=bin \ --save-provenance \ -m manifest.scm) At this point, it is to be load to the docker store with br/ docker load < $image docker images Now it is time to tag the image br/ docker tag IMID ghcr.io/USER/REPO:RELEASE and login to ghcr.io br/ docker login -u USER -p PASSWORD ghcr.io Finally, the image is to be push remotely br/ docker push ghcr.io/USER/HDL:RELEASE test You’ll may test this image using the neorv32 project, for example, with: br/ docker pull ghcr.io/csantosb/hdl docker run -ti ID bash git clone --depth=1 https://github.com/stnolting/neorv32 cd neorv32 git clone --depth=1 https://github.com/stnolting/neorv32-vunit test cd test rm -rf neorv32 ln -sf ../../neorv32 neorv32 python3 sim/run.py --ci-mode -v `]]> img
Remote #ci is the way to go in #modernhw digital design testing. In this #ciseries, let’s see it in practice with some detail using two of the most popular forges out there.

Gitlab

The gitlab #gitforge includes tones of features. Among these, a facility called the container registry, which stores per project container images. Guix pack allows the creation of custom #reproductible environments as images. In particular, it is possible to create a docker image out of our manifest and channels files with 

guix time-machine -C channels.scm -- pack --compression=xz --save-provenance -f docker -m manifest.scm

Check the documentation for options.
Remember that there are obviously alternative methods to produce docker images. The point on using guix resides on its reproducibility capabilities: you’ll be able to create a new, identical docker image, out of the manifest and channels files at any point in time. Even more: you’ll have the capacity to retrieve your manifest file out of the binary image in case your manifest file gets lost.
Then, this image must be loaded into the local docker store with 

docker load < IMAGE

and renamed to something meaningful 

docker tag IMAGE:latest gitlab-registry.whatever.fr/domain/group/NAME:TAG

go remote

img
Finally, pushed to the remote container registry of your project with 

docker push gitlab-registry.whatever.fr/domain/group/NAME:TAG

At this point, you have an environment where you’ll run your tests using gitlab's ci features. You’ll set up your gitlab’s runners and manifest files to use this container to execute your jobs.
As an alternative, you could use a ssh executor running on your own fast and powerful hardware resources (dedicated machine, shared cluster, etc.). In this case, you’d rather produce an apptainer container image with: 

guix time-machine -C channels.scm -- pack -f squashfs ...

scp this container file to your computing resources and call it from the #gitlab runner.

Github

The github is probably the most popular #gitforge out there. It follows a similar to #gitlab in its conception (pull requests and merge requests, you catch the idea ?). It also includes a container registry, and the set of features if offers may be exchanged with ease with any other #gitforge following the same paradigm. No need to go into more details.
There is a couple of interesting tips about using #github, though. It happens more usually than not that users encounter frequently problems of #reproducibility when using container images hosted on ghcr.io, the hosting service for user images. These images are usually employed for running #ci testing pipelines, and they usually break as upstream changes happen: updates, image definition changes, image packages upgrades, etc. If you read my dependencies hell post, this should ring a bell.
What can be done about in what concerns #modernhw ? Well, we have #guix. Let’s try a differente approach: building an image locally, and pushing it to #github registry. Let’s see how.

in practice

An example repository shows tha way to proceed. Its contents allow to create a docker container image to be hosted remotely. It includes all that’s necessary to perform remote #ci testing of a #modernhw #vhdl design. 

docker pull ghcr.io/csantosb/hdl
docker images # check $ID
docker run -ti $ID bash

It includes a couple of #plaintext files to produce a #deterministic container. First, the channels.scm file with the list of guix chanels to use to pull packages from. Then, a manifest.scm, with the list of packages to be install within the container.
The image container may be build with 

image=$(guix time-machine --channels=channels.scm -- \
             pack -f docker \
             -S /bin=bin \
             --save-provenance \
             -m manifest.scm)

At this point, it is to be load to the docker store with 

docker load < $image
# docker images

Now it is time to tag the image 

docker tag IMID ghcr.io/USER/REPO:RELEASE

and login to ghcr.io 

docker login -u USER -p PASSWORD ghcr.io

Finally, the image is to be push remotely 

docker push ghcr.io/USER/HDL:RELEASE

test

You’ll may test this image using the neorv32 project, for example, with: 

docker pull ghcr.io/csantosb/hdl
docker run -ti ID bash
git clone --depth=1 https://github.com/stnolting/neorv32
cd neorv32
git clone --depth=1 https://github.com/stnolting/neorv32-vunit test
cd test
rm -rf neorv32
ln -sf ../../neorv32 neorv32
python3 sim/run.py --ci-mode -v
]]> https://infosec.press/csantosb/ci-gitlab-hub Wed, 11 Dec 2024 12:50:04 +0000 git forges https://infosec.press/csantosb/git-forges <![CDATA[img br/ Using #git is not the whole picture on #modernhw version control landscape. Git is great when one decides to locally follow changes, take diffs, create branches and so on. When it comes to collaboration with other people or to create a community around a common project, the need for extra tooling arises, and it becomes evident that git alone is not enough. A #gitforge fills this gap. !--more-- br/ Git bare repositories are a means of sharing the local git history remotely. Bares doesn’t show the worktree, as they are used solely as a common exchange place. This might be a remote server accessible through ssh, for example. Several different users may collaborate this way, provided they agree on a common workflow. Bares are more than enough for some needs. A front end on top of it may help to get an overview of what is going on and to take a look at branches, users and the like. All it takes to make this workflow useful is a little management, as git was designed with a fully distributed architecture in mind. Check the docs for more details. br/ Now, this approach is a bit too bare bones for most people. On top of bare git repositories, some decided to add extra functionality to ease using git remotely, calling for contributors attracted by buttons, colors, menus and most generally, being used to web frontends. Web forges include all usual suspects (project creation and configutation, markup rendering, user account and authorizations, project overview, etc.), as well as more advanced features (continuous integration, #ci, for testing and deployment with git hooks, wikis, code linters, built in actions, issue tracking, etc.). They abstract the use of git showing diffs, logs, issues threads, etc. As any other web gui tool, they come with its own set of inconvenients in what concern user freedom. br/ Popular examples are all around. #Gitlab may be deployed as a custom (not federated) instance, and is commonly found in research and public institutions; codeberg, based on forgejo, is a great example of how to deploy a lightweight #freesoftware instance of a collaborative forge (and the promise to federate on the fediverse). Many others exist, which more or less features, bells and whistles. You always have the choice. br/ sourcehut #Sourcehut, as a collaborative platform, deserves special attention. It departs from mainstream forges, following a different paradigm based on the most robust, distributed and flexible technology at our hands since decades, plain text #email. Git, since its origins, includes a close integration with email, as they both share a distributed philosophy, avoiding central point of failure silos (surprising how mosft git forges tend to concentrate in silos). Sourcehut core architecture is based on mail exchange, patches and #maillists, which turns out to be a much more flexible approach than that of what most forges propose. Their concept of project goes well beyond that of usual workflows, integrating nicely git with email, wikis, bug trackers and build features. They’re still in an alpha stage, so expect the best still to come. br/]]> img
Using #git is not the whole picture on #modernhw version control landscape. Git is great when one decides to locally follow changes, take diffs, create branches and so on. When it comes to collaboration with other people or to create a community around a common project, the need for extra tooling arises, and it becomes evident that git alone is not enough. A #gitforge fills this gap.
Git bare repositories are a means of sharing the local git history remotely. Bares doesn’t show the worktree, as they are used solely as a common exchange place. This might be a remote server accessible through ssh, for example. Several different users may collaborate this way, provided they agree on a common workflow. Bares are more than enough for some needs. A front end on top of it may help to get an overview of what is going on and to take a look at branches, users and the like. All it takes to make this workflow useful is a little management, as git was designed with a fully distributed architecture in mind. Check the docs for more details.
Now, this approach is a bit too bare bones for most people. On top of bare git repositories, some decided to add extra functionality to ease using git remotely, calling for contributors attracted by buttons, colors, menus and most generally, being used to web frontends. Web forges include all usual suspects (project creation and configutation, markup rendering, user account and authorizations, project overview, etc.), as well as more advanced features (continuous integration, #ci, for testing and deployment with git hooks, wikis, code linters, built in actions, issue tracking, etc.). They abstract the use of git showing diffs, logs, issues threads, etc. As any other web gui tool, they come with its own set of inconvenients in what concern user freedom.
Popular examples are all around. #Gitlab may be deployed as a custom (not federated) instance, and is commonly found in research and public institutions; codeberg, based on forgejo, is a great example of how to deploy a lightweight #freesoftware instance of a collaborative forge (and the promise to federate on the fediverse). Many others exist, which more or less features, bells and whistles. You always have the choice.

sourcehut

#Sourcehut, as a collaborative platform, deserves special attention. It departs from mainstream forges, following a different paradigm based on the most robust, distributed and flexible technology at our hands since decades, plain text #email. Git, since its origins, includes a close integration with email, as they both share a distributed philosophy, avoiding central point of failure silos (surprising how mosft git forges tend to concentrate in silos). Sourcehut core architecture is based on mail exchange, patches and #maillists, which turns out to be a much more flexible approach than that of what most forges propose. Their concept of project goes well beyond that of usual workflows, integrating nicely git with email, wikis, bug trackers and build features. They’re still in an alpha stage, so expect the best still to come.

]]> https://infosec.press/csantosb/git-forges Sun, 08 Dec 2024 22:36:11 +0000