From: Alper Nebi Yasak
To: u-boot@lists.denx.de
Cc: Daniel Schwierzeck, Simon Glass, Bin Meng, AKASHI Takahiro, Heinrich Schuchardt, Marek Vasut, Tom Rini, Alper Nebi Yasak
Subject: [PATCH v3 1/3] tools: docker: Install a readable kernel for libguestfs-tools
Date: Mon, 21 Jun 2021 21:51:54 +0300
Message-Id: <20210621185156.9108-2-alpernebiyasak@gmail.com>

The filesystem and EFI (capsule and secure boot) test setups try to use guestmount and virt-make-fs respectively to prepare disk images to run tests on. However, these libguestfs tools need a kernel image and fail with the following message (revealed in debug/trace mode) if it can't find one:

    supermin: failed to find a suitable kernel (host_cpu=x86_64).
    I looked for kernels in /boot and modules in /lib/modules.
    If this is a Xen guest, and you only have Xen domU kernels installed, try installing a fullvirt kernel (only for supermin use, you shouldn't boot the Xen guest with it).

This failure then causes these tests to be skipped in CIs. Install a kernel package in the Docker containers so the CIs can run these tests with libguestfs tools again (assuming the container is run with necessary host devices and privileges).

As this kernel would be only used for virtualization, we can use the kernel package specialized for that. On Ubuntu systems kernel images are not readable by non-root users, so explicitly add read permissions with chmod as well.

Signed-off-by: Alper Nebi Yasak Acked-by: Heinrich Schuchardt --- Changes in v3: - Only set /boot/vmlinu* as readable. Changes in v2: - Add tag "Acked-by: Heinrich Schuchardt " tools/docker/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile index d2f0074ee8a6..579df82b56e7 100644 --- a/tools/docker/Dockerfile +++ b/tools/docker/Dockerfile @@ -71,6 +71,7 @@ RUN apt-get update && apt-get install -y \ libssl-dev \ libudev-dev \ libusb-1.0-0-dev \ + linux-image-kvm \ lzma-alone \ lzop \ mount \ 
@@ -99,6 +100,9 @@ RUN apt-get update && apt-get install -y \ zip \ && rm -rf /var/lib/apt/lists/* +# Make kernels readable for libguestfs tools to work correctly +RUN chmod +r /boot/vmlinu* + # Manually install libmpfr4 for the toolchains RUN wget http://mirrors.kernel.org/ubuntu/pool/main/m/mpfr4/libmpfr4_3.1.4-1_amd64.deb && dpkg -i libmpfr4_3.1.4-1_amd64.deb && rm libmpfr4_3.1.4-1_amd64.deb
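
Review bot: in the Dockerfile hunk at -99,6 +100,9, `RUN chmod +r /boot/vmlinu*` gives no who-part, so which read bits get set depends on the umask of the build shell; `chmod a+r /boot/vmlinu*` states the intent (readable by the non-root test user) without that dependency. Running it as its own `RUN` also copies the kernel image into a second layer just to change its mode; appending `&& chmod a+r /boot/vmlinu*` to the preceding `apt-get install` step, before `rm -rf /var/lib/apt/lists/*`, avoids that and keeps the install and the permission change together. The comment could also say why the file is unreadable by default (the commit message mentions Ubuntu's non-root restriction, the Dockerfile does not).
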
From: Alper Nebi Yasak
To: u-boot@lists.denx.de
Cc: Daniel Schwierzeck, Simon Glass, Bin Meng, AKASHI Takahiro, Heinrich Schuchardt, Marek Vasut, Tom Rini, Alper Nebi Yasak
Subject: [PATCH v3 2/3] Azure: Add fuse device for test.py tests
Date: Mon, 21 Jun 2021 21:51:55 +0300
Message-Id: <20210621185156.9108-3-alpernebiyasak@gmail.com>

The EFI secure boot and capsule test setups need to prepare disk images for their tests using virt-make-fs, which requires access to the host fuse device. This is not exposed to the docker container by default and has to be added explicitly. Add it.

Signed-off-by: Alper Nebi Yasak
---
(no changes since v2)

Changes in v2:
- Always pass in /dev/fuse to Azure's docker run invocation.

.azure-pipelines.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 35ab7f30b276..976868dd2eb7 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml 
@@ -318,7 +318,8 @@ jobs: # as sandbox testing need create files like spi flash images, etc. # (TODO: clean up this in the future) chmod 777 . - docker run -v $PWD:$(work_dir) $(ci_runner_image) /bin/bash $(work_dir)/test.sh + # Some tests using libguestfs-tools need the fuse device to run + docker run --device /dev/fuse:/dev/fuse -v $PWD:$(work_dir) $(ci_runner_image) /bin/bash $(work_dir)/test.sh - job: build_the_world displayName: 'Build the World'
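
Review bot: the new `docker run --device /dev/fuse:/dev/fuse` line in the hunk at -318,7 +318,8 passes the device unconditionally and with docker's default `rwm` device permissions. An agent where /dev/fuse does not exist would fail the whole job at `docker run` instead of skipping the affected tests, so a guard such as `[ -e /dev/fuse ]` (or `modprobe fuse`) before adding the argument would be safer. Narrowing the mapping to `--device /dev/fuse:/dev/fuse:rw` drops the mknod permission, which opening the device should not need. The existing `$PWD` on the same line is unquoted; since the line is being touched anyway, quoting it as `"$PWD":$(work_dir)` would be a cheap fix.
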
From: Alper Nebi Yasak
To: u-boot@lists.denx.de
Cc: Daniel Schwierzeck, Simon Glass, Bin Meng, AKASHI Takahiro, Heinrich Schuchardt, Marek Vasut, Tom Rini, Alper Nebi Yasak
Subject: [PATCH v3 3/3] Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests
Date: Mon, 21 Jun 2021 21:51:56 +0300
Message-Id: <20210621185156.9108-4-alpernebiyasak@gmail.com>

The filesystem test setup needs to prepare disk images for its tests, with either guestmount or loop mounts. The former requires access to the host fuse device (added in a previous patch), the latter requires access to host loop devices. Both mounts also need additional privileges since docker's default configuration prevents the containers from mounting filesystems (for host security).

Add any available loop devices to the container and try to add as few privileges as possible to run these tests, which narrow down to adding SYS_ADMIN capability and disabling apparmor confinement. However, this much still seems to be insecure enough to let malicious container processes escape as root on the host system [1].

[1] https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

Since the mentioned tests are marked to run only on the sandbox board, add these additional devices and privileges only when testing with that.

An alternative to using mounts is modifying the filesystem tests to use virt-make-fs (like some EFI tests do), but it fails to generate a partitionless FAT filesystem image on Debian systems.
Other more feasible alternatives are using guestfish or directly using libguestfs Python bindings to create and populate the images, but switching the test setups to these is nontrivial and is left as future work. Signed-off-by: Alper Nebi Yasak --- (no changes since v2) Changes in v2: - Always pass in /dev/fuse to Azure's docker run invocation. - Remove "and some EFI tests" from comment (no longer applies to that block of code). .azure-pipelines.yml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 976868dd2eb7..e36a27c97d56 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -318,8 +318,22 @@ jobs: # as sandbox testing need create files like spi flash images, etc. # (TODO: clean up this in the future) chmod 777 . + # Filesystem tests need extra docker args to run + set -- + if [[ "${TEST_PY_BD}" == "sandbox" ]]; then + # mount -o loop needs the loop devices + if modprobe loop; then + for d in $(find /dev -maxdepth 1 -name 'loop*'); do + set -- "$@" --device $d:$d + done + fi + # Needed for mount syscall (for guestmount as well) + set -- "$@" --cap-add SYS_ADMIN + # Default apparmor profile denies mounts + set -- "$@" --security-opt apparmor=unconfined + fi # Some tests using libguestfs-tools need the fuse device to run - docker run --device /dev/fuse:/dev/fuse -v $PWD:$(work_dir) $(ci_runner_image) /bin/bash $(work_dir)/test.sh + docker run "$@" --device /dev/fuse:/dev/fuse -v $PWD:$(work_dir) $(ci_runner_image) /bin/bash $(work_dir)/test.sh - job: build_the_world displayName: 'Build the World'
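
Review bot: in the hunk at -318,8 +318,22, `find /dev -maxdepth 1 -name 'loop*'` also matches /dev/loop-control, so the container receives the loop control node as well as the numbered loop devices, and it receives them together with `--cap-add SYS_ADMIN` and `--security-opt apparmor=unconfined`. If the control node is needed so that `mount -o loop` can allocate a free device, the comment should say so; if not, narrow the pattern to `'loop[0-9]*'`. The container-escape caveat is stated only in the commit message; a one-line comment beside the `--cap-add` and `apparmor=unconfined` lines, pointing at the same reference, would keep that warning visible to whoever next widens the `TEST_PY_BD` condition. Two smaller points: `--device $d:$d` should be `--device "$d:$d"`, and the `for d in $(find ...)` loop word-splits its output, which a `/dev/loop*` glob in the `for` would avoid.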