
Re: [PATCH 1/5] CI: Adjust test needs[] to ensure binaries/ is non-root


  • To: "Orzel, Michal" <michal.orzel@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 11 May 2026 12:09:33 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>
  • Delivery-date: Mon, 11 May 2026 11:09:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/05/2026 10:06 am, Orzel, Michal wrote:
>
> On 11-May-26 11:03, Andrew Cooper wrote:
>> On 11/05/2026 7:16 am, Orzel, Michal wrote:
>>> On 08-May-26 23:29, Andrew Cooper wrote:
>>>> The binaries/ directory is a composition from the artefacts, and also used as
>>>> a working directory for most of the tests.  If the very first artefact is from
>>>> a root container, then the test must also be a root container to use it as a
>>>> working directory.
>>>>
>>>> For arm64, the existing linux-arm64 artefact suffices.  For arm32, pull in the
>>>> microcode-x86 artefact as it's the smallest available.  This bodge can be
>>>> removed when all build containers have become non-root.
>>>>
>>>> For the qemu-xtf-dom0less-arm64-*-xen-version jobs, use *arm64-test-needs
>>>> ahead of alpine-3.18-gcc-* (as it's a root container), and to deduplicate
>>>> the *-export dependency.
>>>>
>>>> This will allow us to change containers to being non-root one at a time,
>>>> rather than all in one go.
>>>>
>>>> No functional change.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>> ---
>>>> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
>>>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
>>>> CC: Michal Orzel <michal.orzel@xxxxxxx>
>>>> CC: Doug Goldstein <cardoe@xxxxxxxxxx>
>>>>
>>>> We should also stop using binaries/ as a working directory for the tests, but
>>>> that gets very complicated very quickly and I don't have time to do it at this
>>>> juncture.
>>>> ---
>>>>  automation/gitlab-ci/test.yaml | 10 ++++++++--
>>>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/automation/gitlab-ci/test.yaml 
>>>> b/automation/gitlab-ci/test.yaml
>>>> index 8770c523e228..517af1732437 100644
>>>> --- a/automation/gitlab-ci/test.yaml
>>>> +++ b/automation/gitlab-ci/test.yaml
>>>> @@ -15,6 +15,12 @@
>>>>    - qemu-system-aarch64-6.0.0-arm64-export
>>>>  
>>>>  .arm32-test-needs: &arm32-test-needs
>>>> +  # Bodge to ensure binaries/ is non-root.  Can be any artefact which 
>>>> comes
>>>> +  # from a non-root container, and microcode-x86 is the smallest.  Remove 
>>>> when
>>>> +  # all build containers have become non-root.
>>>> +  - project: $ARTIFACTS_REPO
>>>> +    job: microcode-x86
>>>> +    ref: $ARTIFACTS_BRANCH
>>> I don't see it being removed in this series even though the containers are non-root.
>> Correct.  The Alpine container still being root is discussed in the
>> commit message, and is why ...
>>
>>>>    - qemu-system-aarch64-6.0.0-arm32-export
>>>>  
>>>>  .x86-64-test-needs: &x86-64-test-needs
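
Review bot: The new comment in .arm32-test-needs explains why microcode-x86 is pulled in, but not that it has to stay the first entry of the list. Per the commit message, ownership of binaries/ follows the very first artefact, so a later change that adds or moves an entry above `- project: $ARTIFACTS_REPO` would silently bring back the root-owned working directory. Suggest extending the comment to say the entry must remain first until the bodge is removed.
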
>>>> @@ -569,16 +575,16 @@ qemu-xtf-dom0less-arm64-gcc-hyp-xen-version:
>>>>    script:
>>>>      - ./automation/scripts/qemu-xtf.sh arm64 mmu64le hyp-xen-version 2>&1 
>>>> | tee ${LOGFILE}
>>>>    needs:
>>>> +    - *arm64-test-needs
>> ... why use here is ahead of ...
>>
>>
>>> This also pulls in Linux image and rootfs which XTF tests don't need. I think
>>> it's much better for a test to list the actual list of its dependencies.
>>> Otherwise you are asking user/developer to dig into the yaml.
>>>
>>> ~Michal
>>>
>>>>      - alpine-3.18-gcc-arm64
>>>> -    - qemu-system-aarch64-6.0.0-arm64-export
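
Review bot: The ordering of `- *arm64-test-needs` ahead of `- alpine-3.18-gcc-arm64` under needs: carries the whole point of this hunk, yet unlike the arm32 hunk there is no comment in the YAML saying so. Because the alias also replaces the explicit `qemu-system-aarch64-6.0.0-arm64-export` entry, a reader of this job no longer sees its real dependencies or why the order matters. Suggest a short comment above the alias stating that it must precede the alpine entry while that container is root, and that the explicit dependency list is to be restored afterwards.
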
>> ... the alpine inclusion here.
>>
>> This can get reverted once the alpine container is split/reworked, but
>> not before.
> Ok, so once the Alpine container is reworked, we will get back to proper
> dependencies list.

Yes.  I hope to do so for 4.22, but the alpine container needs more
careful work as it's also used by the Qubes OS hardware runner environment.

>  In that case:
> Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>

Thank you.

~Andrew



 

