Re: [PATCH 2/2] automation: add a suspend test on an Alder Lake system

On Mon, Mar 20, 2023 at 01:41:45PM -0700, Stefano Stabellini wrote:
> On Mon, 20 Mar 2023, Marek Marczykowski-Górecki wrote:
> > On Mon, Mar 20, 2023 at 01:08:42PM -0700, Stefano Stabellini wrote:
> > > On Sat, 18 Mar 2023, Marek Marczykowski-Górecki wrote:
> > > > On Fri, Mar 17, 2023 at 04:10:22PM -0700, Stefano Stabellini wrote:
> > > > > On Fri, 17 Mar 2023, Marek Marczykowski-Górecki wrote:
> > > > > > +fakeroot -s ../fakeroot-save tar xzf ../binaries/initrd.tar.gz
> > > > >
> > > > > I am a bit confused about it: are you sure you need fakeroot for this?
> > > > > This script is running inside a container as root already? Are you using
> > > > > Docker on the RPi4 to run this job?
> > > >
> > > > This is running in a rootless podman container. But even with docker,
> > > > for device files to work (see commit message) it would need to run
> > > > privileged container, which I'd like to avoid.
> > >
> > > Are you sure? I can run a non-privileged container with device assigned
> > > just fine with Docker and
> > >
> > > devices = ["/dev/ttyUSB0:/dev/ttyUSB0"]
> > >
> > > in the gitlab-runner config.toml.
> >
> > It isn't about accessing existing devices, it's about creating them
> > (unpacking rootfs which contains static /dev) and then packing it back
> > still having those devices.
>
> OK for that definitely you don't need a privileged container. A regular
> container comes with "root" by default, but without all the privileges
> that "root" normally allows outside of a container. That is enough (at
> least in my environments) to pack/unpack a rootfs successfully without
> fakeroot. Maybe this is a podman-specific limitation?

It seems so, as rootless podman isn't running commands as root on the
"host", but instead in a separate user namespace.

> If you are curious to try, you should be able to run a simple
> pack/unpack rootfs with Docker (of course without --privileged) without
> issues.

In fact, the same issue happens in docker, if I enable this extra
protection there[1].

[1] https://docs.docker.com/engine/security/userns-remap/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
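
Review bot: the `-s ../fakeroot-save` state file on the `+fakeroot ... tar xzf` line only helps if the later repack step runs under `fakeroot -i ../fakeroot-save`, and because the path is relative both steps have to resolve it from the same working directory; worth checking that pairing in the rest of the script. A one-line comment above the command saying fakeroot is there because the job runs in a rootless (user-namespaced) container, where the static /dev nodes cannot be created for real, would also answer the question raised in this thread for the next reader.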
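
The user-namespace point made in this thread, as an added example that is not part of the patch or of either poster's message: a sketch that reads a uid_map and decides whether unpacking a rootfs with static /dev needs fakeroot. The function names and the sample maps are constructed for illustration, and the check is a heuristic that looks only at the uid map.

```shell
#!/bin/sh
# Added example (not from the patch): pick plain tar or fakeroot for unpacking
# a rootfs that contains static /dev nodes, based on the user-namespace uid map.

# map_uid UID MAPFILE: print the outer uid that UID maps to, or "unmapped".
# Each uid_map line is: <first uid inside> <first uid outside> <range length>
map_uid() {
    awk -v uid="$1" '
        uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }' "$2"
}

# needs_fakeroot [MAPFILE]: succeed when in-container root is not outer uid 0.
# The kernel refuses mknod for device nodes to such a process, so tar cannot
# recreate /dev entries; fakeroot records them in its state file instead.
# Heuristic: it looks only at the uid map, not at the capability set.
needs_fakeroot() {
    [ "$(map_uid 0 "${1:-/proc/self/uid_map}")" != "0" ]
}

# unpack_prefix [MAPFILE]: print the command prefix to put in front of tar.
# The state file name is the one used in the quoted patch line.
unpack_prefix() {
    if needs_fakeroot "$@"; then
        echo "fakeroot -s ../fakeroot-save"
    else
        echo ""
    fi
}

# Constructed sample maps: host root, rootless podman, Docker userns-remap.
demo() {
    tmp=$(mktemp) || return 1
    for sample in "0 0 4294967295" "0 1000 1" "0 165536 65536"; do
        echo "$sample" > "$tmp"
        echo "uid_map '$sample' -> root is outer uid $(map_uid 0 "$tmp"); prefix: '$(unpack_prefix "$tmp")'"
    done
    rm -f "$tmp"
}
demo
echo "this process: prefix '$(unpack_prefix)'"
```

The repack step would use the matching `fakeroot -i ../fakeroot-save` whenever the prefix is non-empty.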