[PATCH test-artifacts v1 5/5] Setup ssh access to test systems

Marek Marczykowski-Górecki posted 5 patches 4 months, 1 week ago
[PATCH test-artifacts v1 5/5] Setup ssh access to test systems
Posted by Marek Marczykowski-Górecki 4 months, 1 week ago
For this add also bridge package, so xenbr0 can be configured with
/etc/network/interfaces.
This allows extracting more logs out of the test system.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
This enables passwordless root login. It's okay for qubes runners, as
they are isolated (even from each other). Is that okay in other places
too?
---
 scripts/alpine-rootfs.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/alpine-rootfs.sh b/scripts/alpine-rootfs.sh
index c999b89..632609b 100755
--- a/scripts/alpine-rootfs.sh
+++ b/scripts/alpine-rootfs.sh
@@ -10,6 +10,8 @@ apk --no-cache upgrade
 
 PKGS=(
     # System
+    bridge
+    dropbear
     libgcc
     openrc
     udev
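
Review bot: The two new PKGS entries under "# System" carry no comment, and nothing in the visible lines writes /etc/network/interfaces or enables a networking service, although the commit message gives xenbr0 configuration as the reason for adding bridge. If that configuration is supplied elsewhere, say where in a comment next to bridge. dropbear is a network daemon rather than a base-system package, so a short comment or a separate group for remote access would make its purpose clear to later readers of the list.
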
@@ -62,6 +64,7 @@ rc-update add loopback sysinit
 rc-update add bootmisc boot
 rc-update add devfs sysinit
 rc-update add dmesg sysinit
+rc-update add dropbear boot
 rc-update add hostname boot
 rc-update add hwclock boot
 rc-update add hwdrivers sysinit
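
Review bot: rc-update add dropbear boot enables the SSH daemon unconditionally, so every system booted from this rootfs listens for SSH whether or not its job extracts logs. Consider leaving the service out of the runlevels in the image and letting the jobs that need it enable it, or state in the commit message that all consumers of the rootfs now run dropbear.
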
@@ -74,6 +77,7 @@ echo "ttyS0" >> /etc/securetty
 echo "hvc0" >> /etc/securetty
 echo "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100" >> /etc/inittab
 echo "hvc0::respawn:/sbin/getty -L hvc0 115200 vt100" >> /etc/inittab
+echo "DROPBEAR_OPTS=\"-B -R\"" >> /etc/conf.d/dropbear
 echo "rc_verbose=yes" >> /etc/rc.conf
 echo > /etc/modules
 passwd -d "root" root
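
Review bot: -B in the added DROPBEAR_OPTS line permits blank-password logins, and together with the existing passwd -d "root" root just below it, root becomes reachable over SSH without any credential on whatever network the test system joins. Drop -B and authenticate with a key the runner places in /root/.ssh/authorized_keys, adding -s so dropbear refuses password logins entirely. Separately, -R creates host keys on demand, so the host key is not known in advance and clients cannot verify it on first connection; mention that in the commit message if it is intended.
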
-- 
git-series 0.9.1

Re: [PATCH test-artifacts v1 5/5] Setup ssh access to test systems
Posted by Andrew Cooper 4 months, 1 week ago
On 23/06/2025 2:46 pm, Marek Marczykowski-Górecki wrote:
> For this add also bridge package, so xenbr0 can be configured with
> /etc/network/interfaces.
> This allows extracting more logs out of the test system.
>
> Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> ---
> This enables passwordless root login. It's okay for qubes runners, as
> they are isolated (even from each other). Is that okay in other places
> too?

It's potentially a problem on a corporate network.

Can't we have each job generate a random password and insert it via the
dom0-rootfs overlay?

Or alternatively have the runner drop a public key in
/root/.ssh/authorised_keys ?

~Andrew

Re: [PATCH test-artifacts v1 5/5] Setup ssh access to test systems
Posted by Marek Marczykowski-Górecki 4 months, 1 week ago
On Mon, Jun 23, 2025 at 02:56:00PM +0100, Andrew Cooper wrote:
> On 23/06/2025 2:46 pm, Marek Marczykowski-Górecki wrote:
> > For this add also bridge package, so xenbr0 can be configured with
> > /etc/network/interfaces.
> > This allows extracting more logs out of the test system.
> >
> > Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > ---
> > This enables passwordless root login. It's okay for qubes runners, as
> > they are isolated (even from each other). Is that okay in other places
> > too?
> 
> It's potentially a problem on a corporate network.
> 
> Can't we have each job generate a random password and insert it via the
> dom0-rootfs overlay?
> 
> Or alternatively have the runner drop a public key in
> /root/.ssh/authorised_keys ?

That can work, yes. And is preferred to a password, as easier to do
non-interactively.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Re: [PATCH test-artifacts v1 5/5] Setup ssh access to test systems
Posted by Stefano Stabellini 4 months, 1 week ago
On Mon, 23 Jun 2025, Marek Marczykowski-Górecki wrote:
> On Mon, Jun 23, 2025 at 02:56:00PM +0100, Andrew Cooper wrote:
> > On 23/06/2025 2:46 pm, Marek Marczykowski-Górecki wrote:
> > > For this add also bridge package, so xenbr0 can be configured with
> > > /etc/network/interfaces.
> > > This allows extracting more logs out of the test system.
> > >
> > > Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > > ---
> > > This enables passwordless root login. It's okay for qubes runners, as
> > > they are isolated (even from each other). Is that okay in other places
> > > too?
> > 
> > It's potentially a problem on a corporate network.
> > 
> > > Can't we have each job generate a random password and insert it via the
> > dom0-rootfs overlay?
> > 
> > Or alternatively have the runner drop a public key in
> > /root/.ssh/authorised_keys ?
> 
> That can work, yes. And is preferred to a password, as easier to do
> non-interactively.

+1
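
The key-based alternative discussed in this thread, as an added example (not code from the patch series or from the test-artifacts repository): it stages a runner-supplied public key into an overlay tree and configures dropbear to refuse password logins with `-s`. The overlay layout and the function names `valid_pubkey` and `stage_root_key` are assumptions; dropbear reads the file named `authorized_keys`.

```shell
#!/bin/sh
# Added example: stage a per-job SSH public key into a rootfs overlay.
# Assumptions (not from the patch): the overlay is a plain directory tree laid
# over the rootfs, replacing files; function names are hypothetical.

# Accept exactly one key line of a known type, with no options prefix.
valid_pubkey() {
    [ -f "$1" ] || return 1
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    read -r type blob _comment < "$1" || [ -n "$type" ] || return 1
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # blob must be non-empty base64 text
    esac
}

stage_root_key() {
    overlay=$1 pubkey=$2
    valid_pubkey "$pubkey" || { echo "rejecting key file: $pubkey" >&2; return 1; }
    (
        umask 077
        mkdir -p "$overlay/root/.ssh" "$overlay/etc/conf.d" &&
        grep . "$pubkey" > "$overlay/root/.ssh/authorized_keys"
    ) || return 1
    # dropbear ignores keys whose directory or file is group/world writable.
    chmod 700 "$overlay/root" "$overlay/root/.ssh"
    chmod 600 "$overlay/root/.ssh/authorized_keys"
    chmod 755 "$overlay/etc" "$overlay/etc/conf.d"
    # -s: refuse password logins, so the empty root password is unusable over
    # the network; -R: create host keys on demand (as in the patch).
    printf 'DROPBEAR_OPTS="-s -R"\n' > "$overlay/etc/conf.d/dropbear"
    chmod 644 "$overlay/etc/conf.d/dropbear"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    # Constructed sample key line, not a real key.
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE ci-job" > "$tmp/job.pub"
    stage_root_key "$tmp/overlay" "$tmp/job.pub" && find "$tmp/overlay" -type f
fi
```

Run with the argument `demo` to see the staged files; a key line carrying an options prefix such as `command="..."` or a file with more than one key is rejected before anything is written.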