Xen project Mailing List

Re: [PATCH] CI: workaround broken selinux+docker interaction in yocto

To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Thu, 25 Jul 2024 17:10:10 -0700 (PDT)

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>

Delivery-date: Fri, 26 Jul 2024 00:10:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Sat, 20 Jul 2024, Marek Marczykowski-Górecki wrote: > `cp --preserve=xattr` doesn't work in docker when SELinux is enabled. It > tries to set the "security.selinux" xattr, but SELinux (or overlay fs?) > denies it. > Workaround it by skipping selinux.selinux xattr copying. > > Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> I tested this patch together with another patch to upgrade Yocto to scarthgap, I'll send that separately. I have already built and pushed the yocto scarthgap containers. > --- > Tested here: > https://gitlab.com/xen-project/people/marmarek/xen/-/jobs/7386198058 > > But since yocto container fails to build, it isn't exactly easy to apply > this patch... > "kirkstone" branch of meta-virtualization seems to target Xen 4.15 and > 4.16, so it isn't exactly surprising it fails to build with 4.19. > > I tried also bumping yocto version to scarthgap (which supposedly should > have updated pygrub patch), but that fails to build for me too, with a > different error: > > ERROR: Layer 'filesystems-layer' depends on layer 'networking-layer', but > this layer is not enabled in your configuration > ERROR: Parse failure with the specified layer added, exiting. > ... > ERROR: Nothing PROVIDES 'xen-image-minimal'. Close matches: > core-image-minimal > core-image-minimal-dev > Parsing of 2472 .bb files complete (0 cached, 2472 parsed). 4309 targets, > 101 skipped, 0 masked, 0 errors. > --- > automation/build/yocto/yocto.dockerfile.in | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/automation/build/yocto/yocto.dockerfile.in > b/automation/build/yocto/yocto.dockerfile.in ~ index fbaa4e191caa..600db7bf4d19 100644 > --- a/automation/build/yocto/yocto.dockerfile.in > +++ b/automation/build/yocto/yocto.dockerfile.in > @@ -68,6 +68,10 @@ RUN locale-gen en_US.UTF-8 && update-locale > LC_ALL=en_US.UTF-8 \ > ENV LANG en_US.UTF-8 > ENV LC_ALL en_US.UTF-8 > > +# Workaround `cp --preserve=xattr` not working in docker when SELinux is > +# enabled > +RUN echo "security.selinux skip" >> /etc/xattr.conf > + > # Create a user for the build (we don't want to build as root). > ENV USER_NAME docker-build > ARG host_uid=1000 > -- > 2.45.2 >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.