[PATCH] CI: Switch the alpine containers to be non-root

Andrew Cooper posted 1 patch 3 days, 15 hours ago
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250910113416.1835988-1-andrew.cooper3@citrix.com
automation/build/alpine/3.18-arm64v8.dockerfile | 16 ++++++++--------
automation/build/alpine/3.18.dockerfile         | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
[PATCH] CI: Switch the alpine containers to be non-root
Posted by Andrew Cooper 3 days, 15 hours ago
Testing on staging-4.19 is hitting a reliable failure, caused by alpine/3.18
being a root build container, but debian/12-x86_64 being a non-root test
container.  Specifically, the test container can't copy XEN_PAGING_DIR and
XEN_DUMP_DIR (both 700) from the build root in order to construct the initrd.

staging-4.20 and later do not repack the initrd in this way, so are not
affected.

Switch both alpine containers to being non-root.  This is still slightly
fragile, but better than depending on using root containers for both.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Jan Beulich <JBeulich@suse.com>

The only less fragile option I can think of would be to backport the initrd
CPIO optimisations.  I backported it from 4.21 to 4.20, and can't remember if
there was a blocking reason on 4.19, or simply that it would be a lot of work.

I've rebuilt these containers in registry.gitlab.com/xen-project/people/andyhhp/xen

Runs using this registry:
  staging:
    https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2031831044
  staging-4.19:
    https://gitlab.com/xen-project/hardware/xen-staging/-/pipelines/2031832855

(There will be a delay until these can run fully.  The CPPCheck container
takes an unreasonable amount of time to rebuild, and it's holding up a couple
of others.)
---
 automation/build/alpine/3.18-arm64v8.dockerfile | 16 ++++++++--------
 automation/build/alpine/3.18.dockerfile         | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/automation/build/alpine/3.18-arm64v8.dockerfile b/automation/build/alpine/3.18-arm64v8.dockerfile
index b8482d5bf43f..360da8281054 100644
--- a/automation/build/alpine/3.18-arm64v8.dockerfile
+++ b/automation/build/alpine/3.18-arm64v8.dockerfile
@@ -3,13 +3,10 @@ FROM --platform=linux/arm64/v8 alpine:3.18
 LABEL maintainer.name="The Xen Project" \
       maintainer.email="xen-devel@lists.xenproject.org"
 
-ENV USER root
-
-RUN mkdir /build
-WORKDIR /build
-
-# build depends
-RUN apk --no-cache add \
+RUN adduser -S user && \
+  mkdir /build && \
+  # build depends
+  apk --no-cache add \
   \
   # xen build deps
   argp-standalone \
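Review bot: `adduser -S user` takes whatever system UID busybox allocates next, so the UID of `user` in this image is not guaranteed to match the UID of the non-root user in the debian/12-x86_64 test container. The failure the commit message describes is a mode-700 directory written by the build container and read by the test container; with both containers non-root, that copy only works when the two UIDs agree, which is the residual fragility the message admits to. Consider pinning it, e.g. `adduser -S -u <uid> user` with the same value the debian image uses, so the result stops depending on UID allocation order across images.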
@@ -48,4 +45,7 @@ RUN apk --no-cache add \
   # qubes test deps
   openssh-client \
   fakeroot \
-  expect \
+  expect
+
+USER user
+WORKDIR /build
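Review bot: `/build` is created by root in the earlier RUN and never chowned, so after `USER user` the directory selected by `WORKDIR /build` is a root-owned 0755 directory that `user` cannot write into. Any job step that writes to its working directory rather than to the mounted checkout will now fail with EACCES. Suggest `mkdir /build && chown user /build` (or `install -d -o user /build`) in the same RUN that creates the user.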
diff --git a/automation/build/alpine/3.18.dockerfile b/automation/build/alpine/3.18.dockerfile
index 263e9e90d888..4ccbe8e5c1b3 100644
--- a/automation/build/alpine/3.18.dockerfile
+++ b/automation/build/alpine/3.18.dockerfile
@@ -3,13 +3,10 @@ FROM --platform=linux/amd64 alpine:3.18
 LABEL maintainer.name="The Xen Project" \
       maintainer.email="xen-devel@lists.xenproject.org"
 
-ENV USER root
-
-RUN mkdir /build
-WORKDIR /build
-
-# build depends
-RUN apk --no-cache add \
+RUN adduser -S user && \
+  mkdir /build && \
+  # build depends
+  apk --no-cache add \
   \
   # xen build deps
   argp-standalone \
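Review bot: `ENV USER root` is dropped but nothing sets `USER` for the new account, so `$USER` is unset inside the container even though `id -un` reports `user`. Build tooling that consults `$USER` (configure scripts, git identity fallbacks, anything testing it for non-emptiness) previously saw `root` and now sees an empty value. If the other non-root images under automation/build set `ENV USER user`, this file and the arm64v8 one should match them; otherwise a one-line `ENV USER user` next to `USER user` keeps the old variable populated.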
@@ -49,4 +46,7 @@ RUN apk --no-cache add \
   ninja \
   pixman-dev \
   # livepatch-tools deps
-  elfutils-dev \
+  elfutils-dev
+
+USER user
+WORKDIR /build
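Review bot: same ownership issue as in the arm64v8 file: `/build` was created by root in the preceding RUN and is left root-owned, so the `WORKDIR /build` that `user` is dropped into is not writable by that user. Pair the `mkdir /build` with `chown user /build` (or use `install -d -o user /build`) before `USER user`.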
-- 
2.39.5
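The commit message describes a cross-container permission failure: directories left at mode 0700 by a root build container cannot be copied by a non-root test container. The script below is an added example, not part of the Xen patch or of the Xen CI scripts; it models the Linux discretionary-access check that decides that outcome and runs it over the three configurations the message implies (root build + non-root test, both non-root with matching UIDs, both non-root with different UIDs). The UIDs 100 and 1000 and the gid 65533 are assumed values for illustration, not figures taken from the Xen images.

```python
"""Model of the Linux DAC check behind the XEN_PAGING_DIR / XEN_DUMP_DIR
copy failure.  Added example; not code from the Xen project.  All UIDs and
GIDs below are assumptions chosen to illustrate the cases."""
import os
import stat

R, W, X = 4, 2, 1  # permission bits within one rwx triple

def may_access(uid, gids, st_uid, st_gid, st_mode, want):
    """True if a process running as `uid` with supplementary `gids` may
    perform `want` (bitmask of R/W/X) on an inode owned by st_uid:st_gid
    with permission bits st_mode.  Follows the kernel's owner / group /
    other selection; uid 0 models CAP_DAC_OVERRIDE + CAP_DAC_READ_SEARCH,
    which bypass the mode bits for directories (the regular-file execute
    exception does not matter here, so it is omitted)."""
    if uid == 0:
        return True
    if uid == st_uid:
        bits = (st_mode >> 6) & 7
    elif st_gid in gids:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return (bits & want) == want

def can_copy_tree(uid, gids, st_uid, st_gid, st_mode):
    """Copying a directory tree needs to list it (r) and traverse it (x)."""
    return may_access(uid, gids, st_uid, st_gid, stat.S_IMODE(st_mode), R | X)

def can_copy_real_path(path):
    """Same check against a real directory, as the current process."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getgid()}
    return can_copy_tree(os.getuid(), gids, st.st_uid, st.st_gid, st.st_mode)

# Assumed identities for the scenarios.
TEST_UID = 1000            # non-root user in the test container (assumed)
ALPINE_SYS_UID = 100       # UID busybox `adduser -S` might allocate (assumed)
NOGROUP_GID = 65533        # primary gid of that system account (assumed)

def scenario_root_build_nonroot_test():
    """Before the patch: root build container leaves 0700 dirs owned by
    uid 0; the non-root test container cannot read them."""
    return can_copy_tree(TEST_UID, {TEST_UID}, 0, 0, 0o700)

def scenario_same_uid():
    """Both containers non-root and their `user` accounts share a UID."""
    return can_copy_tree(TEST_UID, {TEST_UID}, TEST_UID, TEST_UID, 0o700)

def scenario_different_uids():
    """Both non-root, but the alpine `user` got a different UID: a 0700
    directory is still unreadable.  This is the residual fragility."""
    return can_copy_tree(TEST_UID, {TEST_UID}, ALPINE_SYS_UID, NOGROUP_GID, 0o700)

def scenario_world_readable():
    """A 0755 directory copies regardless of which UID produced it."""
    return can_copy_tree(TEST_UID, {TEST_UID}, ALPINE_SYS_UID, NOGROUP_GID, 0o755)

if __name__ == "__main__":
    for fn in (scenario_root_build_nonroot_test, scenario_same_uid,
               scenario_different_uids, scenario_world_readable):
        print(f"{fn.__name__:36s} copy allowed: {fn()}")
```

The third scenario is the one to keep in mind when reviewing the patch: making both images non-root removes the root/non-root mismatch, but a 0700 directory still only crosses from the build container to the test container if the two `user` accounts resolve to the same numeric UID (or the directories are created group- or world-readable).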