[PATCH] CI: Turn debian/12-x86_64 into a non-root container

Andrew Cooper posted 1 patch 2 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250812162950.1903901-1-andrew.cooper3@citrix.com
automation/build/debian/12-x86_64.dockerfile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH] CI: Turn debian/12-x86_64 into a non-root container
Posted by Andrew Cooper 2 months, 2 weeks ago
From: Javi Merino <javi.merino@cloud.com>

Since commit 4611ae6fb8f9 ("CI: save toolstack artifact as cpio.gz"), the
various automation/scripts/* no longer need to be root to correctly repack the
initrd for test.

Signed-off-by: Javi Merino <javi.merino@cloud.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Anthony PERARD <anthony.perard@vates.tech>

Xen 4.20 and later uses debian:12-x86_64 and also contains 4611ae6fb8f9 so
this is safe to change generally.
---
 automation/build/debian/12-x86_64.dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/automation/build/debian/12-x86_64.dockerfile b/automation/build/debian/12-x86_64.dockerfile
index e26a19079e38..3cf99c730b61 100644
--- a/automation/build/debian/12-x86_64.dockerfile
+++ b/automation/build/debian/12-x86_64.dockerfile
@@ -9,6 +9,8 @@ RUN <<EOF
 #!/bin/bash
     set -eu
 
+    useradd --create-home user
+
     apt-get update
 
     DEPS=(
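Review bot: the `useradd --create-home user` line at the top of the RUN block does not pin a UID or GID, so the account gets whatever ID the base image's useradd defaults allocate. If anything outside the container has to match file ownership (a mounted checkout, cached artifacts), passing an explicit `--uid` would make that stable across image rebuilds. A one-line comment saying this account is the one selected by the `USER` instruction at the end of the file would also help the next reader.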
@@ -70,5 +72,5 @@ RUN <<EOF
     rm -rf /var/lib/apt/lists*
 EOF
 
-USER root
+USER user
 WORKDIR /build
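Review bot: `WORKDIR /build` now follows `USER user`, and nothing in the visible lines creates or chowns `/build`, so whether the unprivileged account can write there depends on how the builder assigns ownership to a directory that WORKDIR creates. Consider creating the directory explicitly in the RUN block with the intended owner, or noting in the commit message that write access to `/build` as `user` was checked. The commit message covers only the initrd repack no longer needing root; a sentence confirming that no other step run in this container needs root would close the gap.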
-- 
2.39.5


Re: [PATCH] CI: Turn debian/12-x86_64 into a non-root container
Posted by Anthony PERARD 2 months, 2 weeks ago
On Tue, Aug 12, 2025 at 05:29:50PM +0100, Andrew Cooper wrote:
> From: Javi Merino <javi.merino@cloud.com>
> 
> Since commit 4611ae6fb8f9 ("CI: save toolstack artifact as cpio.gz"), the
> various automation/scripts/* no longer need to be root to correctly repack the
> initrd for test.
> 
> Signed-off-by: Javi Merino <javi.merino@cloud.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Anthony PERARD <anthony.perard@vates.tech>
> 
> Xen 4.20 and later uses debian:12-x86_64 and also contains 4611ae6fb8f9 so
> this is safe to change generally.

I gave it a try, just to be sure:
    https://gitlab.com/xen-project/people/anthonyper/xen/-/pipelines/1980442689
and staging-4.20:
    https://gitlab.com/xen-project/people/anthonyper/xen/-/pipelines/1980621317

(all the failed builds should be because I was lazy and didn't rebuild
all containers or didn't select a subset of the builds. All tests passed
or are skipped, which is what I was looking for)

So:
Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>

Thanks,

-- 
Anthony PERARD

Re: [PATCH] CI: Turn debian/12-x86_64 into a non-root container
Posted by Andrew Cooper 2 months, 2 weeks ago
On 12/08/2025 7:55 pm, Anthony PERARD wrote:
> On Tue, Aug 12, 2025 at 05:29:50PM +0100, Andrew Cooper wrote:
>> From: Javi Merino <javi.merino@cloud.com>
>>
>> Since commit 4611ae6fb8f9 ("CI: save toolstack artifact as cpio.gz"), the
>> various automation/scripts/* no longer need to be root to correctly repack the
>> initrd for test.
>>
>> Signed-off-by: Javi Merino <javi.merino@cloud.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Roger Pau Monné <roger.pau@citrix.com>
>> CC: Stefano Stabellini <sstabellini@kernel.org>
>> CC: Anthony PERARD <anthony.perard@vates.tech>
>>
>> Xen 4.20 and later uses debian:12-x86_64 and also contains 4611ae6fb8f9 so
>> this is safe to change generally.
> I gave it a try, just to be sure:
>     https://gitlab.com/xen-project/people/anthonyper/xen/-/pipelines/1980442689
> and staging-4.20:
>     https://gitlab.com/xen-project/people/anthonyper/xen/-/pipelines/1980621317
>
> (all the failed builds should be because I was lazy and didn't rebuild
> all containers or didn't select a subset of the builds. All tests passed
> or are skipped, which is what I was looking for)
>
> So:
> Reviewed-by: Anthony PERARD <anthony.perard@vates.tech>

Thanks.  I'll commit and deploy this now.

~Andrew