Xen project Mailing List

Re: [PATCH 1/5] CI: Adjust test needs[] to ensure binaries/ is non-root

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: "Orzel, Michal" <michal.orzel@xxxxxxx>

Date: Mon, 11 May 2026 11:06:49 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=citrix.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VNNpEWZNOWj8GR5qhCHhoPedjD2cb6cMhr+uoI5xJQk=; b=GQpRDaJ8LSStkaIs0+IS2gS2vOzMMx+8gbanx5pTutEqPbvF/hZ/nb4V8LfMioKFDdRxgK/IePVdayAFBCT6BY4zq/MLVK+i+0nuGQfcAS/W2ezN0mLdLup2luGZ1g6jBULABfcpvJhTawDGjuON4WYIbdAP+3y4oE8BURIufSveZFEyI9CBMe1PGImLz5uYLzIzzkYLVC8v0q+Aeucn0NV0hLwduLYuOdQa1SBbCkdIMIetaIyX484eD4DAsn8lqBgchQIr5vOw6JGxLDJ0diWBH9yKDyFmShJ2WnDEf9mc1gllKc0dwLnHICPMlUOEI9AfmFR2ZZhRzD+aGfKwQQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=LV72yy0hazOjRNm5VBVJnAF/5Ghg1GGwn3xNG4YtRqSjEPwOm2diXdOXCdomDCI5orZiWSSdT1yt0DEDGzL2dvptSs6SmHgJ5Ahgfz+rjnOC50T+GQskfHoIgzkKPqrzUaZYwaTm7N09OGYAKZooni6MyYikS1Gi5SJAgyU86fFKRgzToLhbjDA/V9FglYX4w+bB7yM3Zp1TsTkInb+w583h2cCVHUFoDXgDDzxpuXKMOFQV3XhfEQeZMDyCCYqUrK8PjSO3dX95/qDq6xAig4fv86f9jj4JCkrBbDUKZ/bpTlfZAdcB/IbTa2uQrCSt389kV7RpsIX687vLbXhkfQ==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=amd.com header.i="@amd.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>

Delivery-date: Mon, 11 May 2026 09:07:06 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11-May-26 11:03, Andrew Cooper wrote: > On 11/05/2026 7:16 am, Orzel, Michal wrote: >> >> On 08-May-26 23:29, Andrew Cooper wrote: >>> The binaries/ directory is a composition from the artefacts, and also used >>> as >>> a working directory for most of the tests. If the very first artefact is >>> from >>> a root container, then the test must also be a root container to use it as a >>> working directory. >>> >>> For arm64, the existing linux-arm64 artefact suffices. For arm32, pull in >>> the >>> microcode-x86 artefact as it's the smallest available. This bodge can be >>> removed when all build containers have become non-root. >>> >>> For the qemu-xtf-dom0less-arm64-*-xen-version jobs, use *arm64-test-needs >>> ahead of alpine-3.18-gcc-* (as it's a root container), and to deduplicate >>> the *-export dependency. >>> >>> This will allow us to change containers to being non-root one at a time, >>> rather than all in one go. >>> >>> No functional change. >>> >>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >>> --- >>> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx> >>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> >>> CC: Michal Orzel <michal.orzel@xxxxxxx> >>> CC: Doug Goldstein <cardoe@xxxxxxxxxx> >>> >>> We should also stop using binaries/ as a working directory for the tests, >>> but >>> that gets very complicated very quickly and I don't have time to do it at >>> this >>> juncture. >>> --- >>> automation/gitlab-ci/test.yaml | 10 ++++++++-- >>> 1 file changed, 8 insertions(+), 2 deletions(-) >>> >>> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml >>> index 8770c523e228..517af1732437 100644 >>> --- a/automation/gitlab-ci/test.yaml >>> +++ b/automation/gitlab-ci/test.yaml >>> @@ -15,6 +15,12 @@ >>> - qemu-system-aarch64-6.0.0-arm64-export >>> >>> .arm32-test-needs: &arm32-test-needs >>> + # Bodge to ensure binaries/ is non-root. Can be any artefact which comes >>> + # from a non-root container, and microcode-x86 is the smallest. Remove >>> when >>> + # all build containers have become non-root. >>> + - project: $ARTIFACTS_REPO >>> + job: microcode-x86 >>> + ref: $ARTIFACTS_BRANCH >> I don't see it being removed in this series even though the containers are >> non-root. > > Correct. The Alpine container still being root is discussed in the > commit message, and is why ... > >> >>> - qemu-system-aarch64-6.0.0-arm32-export >>> >>> .x86-64-test-needs: &x86-64-test-needs >>> @@ -569,16 +575,16 @@ qemu-xtf-dom0less-arm64-gcc-hyp-xen-version: >>> script: >>> - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 >>> | tee ${LOGFILE} >>> needs: >>> + - *arm64-test-needs > > ... why use here is ahead of ... > > >> This also pulls in Linux image and rootfs which XTF tests don't need. I think >> it's much better for a test to list the actual list of its dependencies. >> Otherwise you are asking user/developer to dig into the yaml. >> >> ~Michal >> >>> - alpine-3.18-gcc-arm64 >>> - - qemu-system-aarch64-6.0.0-arm64-export > > ... the alpine inclusion here. > > This can get reverted once the alpine container is split/reworked, but > not before. Ok, so once the Alpine container is reworked, we will get back to proper dependencies list. In that case: Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx> ~Michal

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.