[PATCH] CI: Switch the alpine containers to be non-root
Testing on staging-4.19 is hitting a reliable failure, caused by alpine/3.18 being a root build container, but debian/12-x86_64 being a non-root test container.

Specifically, the test container can't copy XEN_PAGING_DIR and XEN_DUMP_DIR (both 700) from the build root in order to construct the initrd.

staging-4.20 and later do not repack the initrd in this way, so are not affected.

Switch both alpine containers to being non-root. This is still slightly fragile, but better than depending on using root containers for both.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
CC: Jan Beulich <JBeulich@xxxxxxxx>

The only less fragile option I can think of would be to backport the initrd CPIO optimisations. I backported it from 4.21 to 4.20, and can't remember if there was a blocking reason on 4.19, or simply that it would be a lot of work.

I've rebuilt these containers in registry.gitlab.com/xen-project/people/andyhhp/xen

Runs using this registry:

staging: https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2031831044
staging-4.19: https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2031832855

(There will be a delay until these can run fully. The CPPCheck container takes an unreasonable amount of time to rebuild, and it's holding up a couple of others.)

--- automation/build/alpine/3.18-arm64v8.dockerfile | 16 ++++++++-------- automation/build/alpine/3.18.dockerfile | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/automation/build/alpine/3.18-arm64v8.dockerfile b/automation/build/alpine/3.18-arm64v8.dockerfile index b8482d5bf43f..360da8281054 100644 --- a/automation/build/alpine/3.18-arm64v8.dockerfile +++ b/automation/build/alpine/3.18-arm64v8.dockerfile 
@@ -3,13 +3,10 @@ FROM --platform=linux/arm64/v8 alpine:3.18 LABEL maintainer.name="The Xen Project" \ maintainer.email="xen-devel@xxxxxxxxxxxxxxxxxxxx" -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ +RUN adduser -S user && \ + mkdir /build && \ + # build depends + apk --no-cache add \ \ # xen build deps argp-standalone \ @@ -48,4 +45,7 @@ RUN apk --no-cache add \ # qubes test deps openssh-client \ fakeroot \ - expect \ + expect + +USER user +WORKDIR /build diff --git a/automation/build/alpine/3.18.dockerfile b/automation/build/alpine/3.18.dockerfile index 263e9e90d888..4ccbe8e5c1b3 100644 --- a/automation/build/alpine/3.18.dockerfile +++ b/automation/build/alpine/3.18.dockerfile @@ -3,13 +3,10 @@ FROM --platform=linux/amd64 alpine:3.18 LABEL maintainer.name="The Xen Project" \ maintainer.email="xen-devel@xxxxxxxxxxxxxxxxxxxx" -ENV USER root - -RUN mkdir /build -WORKDIR /build - -# build depends -RUN apk --no-cache add \ +RUN adduser -S user && \ + mkdir /build && \ + # build depends + apk --no-cache add \ \ # xen build deps argp-standalone \ @@ -49,4 +46,7 @@ RUN apk --no-cache add \ ninja \ pixman-dev \ # livepatch-tools deps - elfutils-dev \ + elfutils-dev + +USER user +WORKDIR /build -- 2.39.5
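Review bot: `adduser -S user` in the first hunk of both dockerfiles passes no `-u`, so the UID the build runs as is whichever free ID BusyBox picks from the system range in this base image. The commit message puts the failure down to a non-root test container being unable to copy mode-700 directories produced by the build, so if the fix depends on the alpine/3.18 and debian/12-x86_64 users lining up, give the account an explicit `-u <uid>` here and note next to it which container it has to match. The same hunk drops `ENV USER root` without a replacement; Docker's `USER` instruction does not export `$USER`, so anything in the build that read it will now find it unset.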
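Review bot: `USER user` followed by `WORKDIR /build` in the closing hunk of both files leaves the job in a directory the new account does not own. `/build` is created by `mkdir /build` in the earlier `RUN`, which still executes as root, and nothing in the patch changes its owner or mode. If any job writes under `/build`, add `chown user /build` to that `RUN` before the switch to `USER user`; if nothing does, a short comment saying the directory is intentionally read-only for `user` would save the next reader the question.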