
Re: [PATCH] CI: workaround broken selinux+docker interaction in yocto



On Mon, Jul 22, 2024 at 06:16:51PM +0100, Andrew Cooper wrote:
> On 20/07/2024 1:15 am, Marek Marczykowski-Górecki wrote:
> > `cp --preserve=xattr` doesn't work in docker when SELinux is enabled. It
> > tries to set the "security.selinux" xattr, but SELinux (or overlay fs?)
> > denies it.
> > Workaround it by skipping selinux.selinux xattr copying.
> >
> > Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> > ---
> > Tested here:
> > https://gitlab.com/xen-project/people/marmarek/xen/-/jobs/7386198058
> >
> > But since yocto container fails to build, it isn't exactly easy to apply
> > this patch...
> > "kirkstone" branch of meta-virtualization seems to target Xen 4.15 and
> > 4.16, so it isn't exactly surprising it fails to build with 4.19.
> 
> Why is the external version of Xen relevant to rebuilding the container ?

I think it tries to build xen_git.bb, which fetches "master" branch, and
this fails to build with its current state.

> Or is it that kirkstone has updated since the container was last built?
> 
> I'm not familiar with yocto, and a quick glance at the docs hasn't
> helped...
> 
> ~Andrew
> 
> >
> > I tried also bumping yocto version to scarthgap (which supposedly should
> > have updated pygrub patch), but that fails to build for me too, with a
> > different error:
> >
> >     ERROR: Layer 'filesystems-layer' depends on layer 'networking-layer', but this layer is not enabled in your configuration
> >     ERROR: Parse failure with the specified layer added, exiting.
> >     ...
> >     ERROR: Nothing PROVIDES 'xen-image-minimal'. Close matches:
> >       core-image-minimal
> >       core-image-minimal-dev
> >     Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4309 targets, 101 skipped, 0 masked, 0 errors.

In the meantime I've solved this issue by reordering layers in
build-yocto.sh (meta-networking before meta-filesystems). But then, ran
out of disk space (40GB wasn't enough) and haven't retried yet...

> > ---
> >  automation/build/yocto/yocto.dockerfile.in | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/automation/build/yocto/yocto.dockerfile.in 
> > b/automation/build/yocto/yocto.dockerfile.in
> > index fbaa4e191caa..600db7bf4d19 100644
> > --- a/automation/build/yocto/yocto.dockerfile.in
> > +++ b/automation/build/yocto/yocto.dockerfile.in
> > @@ -68,6 +68,10 @@ RUN locale-gen en_US.UTF-8 && update-locale 
> > LC_ALL=en_US.UTF-8 \
> >  ENV LANG en_US.UTF-8
> >  ENV LC_ALL en_US.UTF-8
> >  
> > +# Workaround `cp --preserve=xattr` not working in docker when SELinux is
> > +# enabled
> > +RUN echo "security.selinux skip" >> /etc/xattr.conf
> > +
> >  # Create a user for the build (we don't want to build as root).
> >  ENV USER_NAME docker-build
> >  ARG host_uid=1000
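
Review bot: The added `RUN echo "security.selinux skip" >> /etc/xattr.conf` changes xattr copying for everything in the image that consults that file, not only the `cp --preserve=xattr` call that fails, and the comment above it does not say which build step hits the failure or why dropping the label is acceptable here. Consider extending the comment to name the failing step and to state that SELinux labels are intentionally not preserved inside the container, so the line can be removed once the denial is understood (the commit message itself is unsure whether SELinux or overlay fs is responsible). The `>>` append also relies on /etc/xattr.conf already ending in a newline; if the base image does not guarantee that, the new entry would be joined onto the last existing line. Minor: the commit message says "selinux.selinux" while the added line writes "security.selinux".
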
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
