[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/4] CI: Introduce new qubes-hw-runner.dockerfile

On Tue, Jun 09, 2026 at 06:31:01PM +0100, Andrew Cooper wrote:
> We want to make the build containers be non-root, but the hardware runner
> needs to continue being root.  Split it out into a dedicated container.
> Intentionally give it a generic name so it need not change in the future.

I'd rather prefer to keep the alpine version in the container name, so
future container updates can be made without breaking stable branches. I
have a related patch for this at
https://gitlab.com/xen-project/people/marmarek/xen/-/commits/automation-linux?ref_type=heads,
but apparently not posted yet.

> No practical change.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> CC: Michal Orzel <michal.orzel@xxxxxxx>
> CC: Doug Goldstein <cardoe@xxxxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> CC: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
> 
> I need to backport this patch to all trees (4.18 and later) before
> alpine:3.18-arm64v8 can be converted to be be non-root.

Converted? Since 3.18 is EOL for quite some time already, simply phase
it out slowly.

> In all other cases we've been renaming the containers to bypass this problem,
> but alpine:3.18-arm64v8 is in the correct new form.
> 
> Alternatively, I could see about combining it with the Alpine update (which is
> long overdue and needs doing).

Yeah, this.

> ---
>  .../build/alpine/qubes-hw-runner.dockerfile   | 21 +++++++++++++++++++
>  automation/gitlab-ci/test.yaml                |  2 +-
>  2 files changed, 22 insertions(+), 1 deletion(-)
>  create mode 100644 automation/build/alpine/qubes-hw-runner.dockerfile
> 
> diff --git a/automation/build/alpine/qubes-hw-runner.dockerfile 
> b/automation/build/alpine/qubes-hw-runner.dockerfile
> new file mode 100644
> index 000000000000..0af17c6aabc6
> --- /dev/null
> +++ b/automation/build/alpine/qubes-hw-runner.dockerfile
> @@ -0,0 +1,21 @@
> +# syntax=docker/dockerfile:1
> +FROM --platform=linux/arm64/v8 alpine:3.18
> +LABEL maintainer.name="The Xen Project"
> +LABEL maintainer.email="xen-devel@xxxxxxxxxxxxxxxxxxxx"
> +
> +RUN apk --no-cache add bash
> +
> +RUN <<EOF
> +#!/bin/bash
> +    set -eu
> +
> +    DEPS=(
> +          expect
> +          openssh-client
> +    )
> +
> +    apk add --no-cache "${DEPS[@]}"
> +EOF
> +
> +USER root
> +WORKDIR /build
> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
> index 89760b24e63a..70bb4bbb3b45 100644
> --- a/automation/gitlab-ci/test.yaml
> +++ b/automation/gitlab-ci/test.yaml
> @@ -145,7 +145,7 @@
>    extends: .test-jobs-common
>    variables:
>      # the test controller runs on RPi4
> -    CONTAINER: alpine:3.18-arm64v8
> +    CONTAINER: alpine:qubes-hw-runner
>      LOGFILE: smoke-test.log
>      PCIDEV: "03:00.0"
>      PCIDEV_INTR: "MSI-X"
> -- 
> 2.39.5
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.