
Re: [PATCH 4/5] CI: Add a Debian 13 (Trixie) arm64 container


  • To: "Orzel, Michal" <michal.orzel@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 29 May 2026 16:20:47 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>
  • Delivery-date: Fri, 29 May 2026 15:21:06 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 13/05/2026 11:58 am, Andrew Cooper wrote:
> On 13/05/2026 7:32 am, Orzel, Michal wrote:
>> On 11-May-26 11:21, Andrew Cooper wrote:
>>> On 11/05/2026 7:29 am, Orzel, Michal wrote:
>>>> On 08-May-26 23:29, Andrew Cooper wrote:
>>>>> Exactly as per the Bookworm container, but additionally with the ipxe-qemu and
>>>>> qemu-system-aarch64 packages.  These will be used to remove the export jobs.
>>>>>
>>>>> Switch qemu-arm{32,64} jobs to use this container.
>>>>>
>>>>> No functional change.
>>>>>
>>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>>> ---
>>>>> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
>>>>> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
>>>>> CC: Michal Orzel <michal.orzel@xxxxxxx>
>>>>> CC: Doug Goldstein <cardoe@xxxxxxxxxx>
>>>>>
>>>>> We should probably wire up some build tests too, but it's too late on a Friday
>>>>> for me to be thinking about that for this posting.
>>>>> ---
>>>>>  automation/build/debian/13-arm64v8.dockerfile | 71 +++++++++++++++++++
>>>>>  automation/gitlab-ci/test.yaml                |  4 +-
>>>>>  automation/scripts/containerize               |  1 +
>>>>>  3 files changed, 74 insertions(+), 2 deletions(-)
>>>>>  create mode 100644 automation/build/debian/13-arm64v8.dockerfile
>>>>>
>>>>> diff --git a/automation/build/debian/13-arm64v8.dockerfile 
>>>>> b/automation/build/debian/13-arm64v8.dockerfile
>>>>> new file mode 100644
>>>>> index 000000000000..b9062ee8b443
>>>>> --- /dev/null
>>>>> +++ b/automation/build/debian/13-arm64v8.dockerfile
>>>>> @@ -0,0 +1,71 @@
>>>>> +# syntax=docker/dockerfile:1
>>>>> +FROM --platform=linux/arm64/v8 debian:trixie-slim
>>>>> +LABEL maintainer.name="The Xen Project"
>>>>> +LABEL maintainer.email="xen-devel@xxxxxxxxxxxxxxxxxxxx"
>>>>> +
>>>>> +ENV DEBIAN_FRONTEND=noninteractive
>>>>> +
>>>>> +RUN <<EOF
>>>>> +#!/bin/bash
>>>>> +    set -eu
>>>>> +
>>>>> +    useradd --create-home user
>>>>> +
>>>>> +    apt-get update
>>>>> +
>>>>> +    DEPS=(
>>>>> +        # Xen
>>>>> +        bison
>>>>> +        build-essential
>>>>> +        checkpolicy
>>>>> +        flex
>>>>> +
>>>>> +        # Tools (general)
>>>>> +        ca-certificates
>>>>> +        cpio
>>>>> +        git-core
>>>>> +        pkg-config
>>>>> +        wget
>>>>> +        # libxenguest dombuilder
>>>>> +        libbz2-dev
>>>>> +        liblzma-dev
>>>>> +        liblzo2-dev
>>>>> +        libzstd-dev
>>>>> +        zlib1g-dev
>>>>> +        # libacpi
>>>>> +        acpica-tools
>>>>> +        # libxl
>>>>> +        libfdt-dev
>>>>> +        libjson-c-dev
>>>>> +        uuid-dev
>>>>> +        # xentop
>>>>> +        libncurses5-dev
>>>>> +        # Python bindings
>>>>> +        python3-dev
>>>>> +        python3-setuptools
>>>>> +        # Golang bindings
>>>>> +        golang-go
>>>>> +        # Ocaml bindings/oxenstored
>>>>> +        ocaml-nox
>>>>> +        ocaml-findlib
>>>> Since this is a container used only for tests, why listing packages required for
>>>> Xen and tools build?
>>> I did leave a note about that.
>>>
>>>>> +
>>>>> +        # for test phase, qemu-* jobs
>>>>> +        busybox-static
>>>>> +        curl
>>>>> +        device-tree-compiler
>>>>> +        expect
>>>>> +        file
>>>>> +        ipxe-qemu
>>>>> +        ovmf
>>>>> +        qemu-system-aarch64
>>>>> +        u-boot-qemu
>>>>> +        u-boot-tools
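Review bot: the "FROM --platform=linux/arm64/v8 debian:trixie-slim" line at the top of the new Dockerfile uses a mutable tag, so two builds of the same Dockerfile can start from different base images. Pinning the base by digest (debian:trixie-slim@sha256:<digest>) would make rebuilds reproducible and turn a base image change into a reviewable commit. The packages in DEPS are likewise resolved by "apt-get update" at build time, so it is worth recording the resolved versions in the build log when the container is rebuilt.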
>>>> So after this change, even though you replace debian-12 with debian-13 for all
>>>> the tests, the debian-12 still contains the unneeded packages (i.e. for a test
>>>> phase that it no longer runs).
>>> Yes.  I can't do this series bisectably without it.  Also, in the past
>> Ok, I understand the bisectability problem.
> On further thought, I can in principle fix bisectability by introducing
> Trixie first, but that loses the logical sequence of events somewhat.
>
>>> people have explicitly requested to be able to run the qemu smoke
>>> testing from the build container, which is why it's like this and not split.
>> Unless it's a rule that every container follows and is documented somewhere I
>> don't like this argument.
> It was explicitly requested by ARM, and accepted at a time.
>
> If you'd like to revisit this decision, that's also fine too, but I
> don't want to be flip-flopping on it.
>
> I could:
> 1) Make a 13-arm64v8-test.dockerfile containing only the test phase stuff
> 2) Switch to this ahead of the 12 cleanup
> 3) Do the 12 cleanup without the test phase stuff
>
> although this makes a new scheme that we haven't used before.
>
> The one thing to say.  It's almost always safe to add packages to an
> existing container, but ...
>
>> My plan then is to do the clean up of Arm containers
>> in the future to remove packages not used.
> ... you can't remove packages from an existing container.  The
> containers are shared by all stable branches, and you'll generally break
> older branches by doing this.
>
> Where we have dropped dependences, e.g. ae26101f6bfc, I've commented the
> dockerfile so it doesn't get copied forwards into a new container, and
> can be dropped when the identified version falls out of stable support.
>
> a0e29b316 is an example where the containers did get rebuilt after the
> version of Xen ceased being tested.
>
>>  It creates more confusion for people
>> willing to create their own dockerfiles for testing (or just to see what it
>> takes to build e.g. Xen on Arm) than it gives benefits.
> That's why the dependencies are grouped and labelled.  I do expect
> people to be able to figure out the bits they don't need based on the
> comments.
>
>>> Honestly, I was hoping to leave the Trixie update to the ARM
>>> maintainers, but despite the Bookworm QEMU (7.2) being newer than the
>>> 6.0 in the export jobs, it contains the SYSREG interception bugs which
>>> prevents hiding ThumbEE from guests, and breaks all the arm32 testing
>>> with a Linux dom0.
>> Does it make sense to have both Debian 12 and Debian 13 build/test? Can't we
>> have just the latest one?
> Build, yes absolutely.  You want as wide a range of compilers/toolchains
> as possible.
>
> Test, we tend to only do one.  For x86 it's the alpine build; for ARM,
> it's from the Debian build.
>
>> All of the remarks above are not something that should prevent this patch from
>> going in, so:
>> Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>
> Thanks, but let's see about the latest proposal first.

I'm folding in the following hunk:

diff --git a/automation/gitlab-ci/build.yaml
b/automation/gitlab-ci/build.yaml
index 128b5f45cbad..a1acf2e827df 100644
--- a/automation/gitlab-ci/build.yaml
+++ b/automation/gitlab-ci/build.yaml
@@ -424,6 +424,16 @@ debian-12-arm64-gcc-debug:
   variables:
     CONTAINER: debian:12-arm64v8
 
+debian-13-arm64-gcc:
+  extends: .gcc-arm64-build
+  variables:
+    CONTAINER: debian:13-arm64v8
+
+debian-13-arm64-gcc-debug:
+  extends: .gcc-arm64-build-debug
+  variables:
+    CONTAINER: debian:13-arm64v8
+
 alpine-3.18-gcc-arm64:
   extends: .gcc-arm64-build
   <<: *build-test
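
Review bot: with debian-13-arm64-gcc and debian-13-arm64-gcc-debug added after debian-12-arm64-gcc-debug, the commit message's "No functional change." and the remark below the "---" that build tests still need wiring up no longer describe the patch. Suggest mentioning the two new build jobs in the commit message and dropping that remark when this hunk is folded in.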


which performs some build testing using this container too.  Full
resulting pipeline:

https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2562180822

~Andrew



 

