[PATCH v2 0/3] Fix CIs skipping filesystem, EFI secure boot and EFI capsule tests
Alper Nebi Yasak
alpernebiyasak at gmail.com
Sun Jun 13 16:07:27 CEST 2021
After my previous patch to fix filesystem tests was merged, I
noticed the GitLab CI was still skipping them and wanted to figure out
why. In short: libguestfs tools (virt-make-fs, guestmount) fail because
they need an installed kernel and the host /dev/fuse device, loop mounts
need the host /dev/loop* devices, and mounting filesystems (loop and
guestmount) fails because Docker containers need extra permissions to
mount devices normally disabled for host security.

Patch #1 is meant to install a kernel into the container image that
libguestfs can use, but the image will need to be regenerated manually.

Patch #2 makes virt-make-fs work, which should make these EFI tests run
again. But guestmount doesn't work with this much because it needs more
permissions to actually mount a filesystem.

Patch #3 makes mounting filesystems and loop devices work, which should
make the filesystem tests run again. This is separate from patch #2
because the parts using guestmount can theoretically be rewritten to use
guestfish which would make the filesystem tests work without this patch,
and giving mount permissions to the container processes seems to be
insecure. So, this patch can be dropped if you think the impact isn't

Similar changes to patch #2, #3 should be applicable to the GitLab CI
and probably necessary to get the same effect, but I don't think its
configuration is accessible to me.
Changes in v2:
- Always pass in /dev/fuse to Azure's docker run invocation.
- Drop patch to install kernel in CI scripts
Alper Nebi Yasak (3):
tools: docker: Install a readable kernel for libguestfs-tools
Azure: Add fuse device for test.py tests
Azure: Add loop devices and CAP_SYS_ADMIN for sandbox test.py tests
.azure-pipelines.yml | 17 ++++++++++++++++-
tools/docker/Dockerfile | 4 ++++
2 files changed, 20 insertions(+), 1 deletion(-)
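
An added example, not part of this patch series or of U-Boot: a preflight that a CI job could run inside the container to report which of the prerequisites named in the cover letter are missing (readable kernel, /dev/fuse, loop devices, CAP_SYS_ADMIN), and to audit whether a job really holds CAP_SYS_ADMIN. The function names and the /boot/vmlinuz* kernel location are assumptions.

```shell
#!/bin/sh
# Added example: container preflight for the prerequisites in the cover letter.
# Assumptions: kernels are installed as /boot/vmlinuz*; all function names
# here are hypothetical and do not come from the patches.

CAP_SYS_ADMIN_BIT=21   # capability number from <linux/capability.h>

# Print the effective capability mask (hex) from a /proc/<pid>/status style file.
cap_eff_of() { awk '/^CapEff:/ { print $2 }' "$1"; }

# Succeed if the hex capability mask in $1 has CAP_SYS_ADMIN set.
has_cap_sys_admin() {
    [ -n "$1" ] && [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Succeed if $1 is a character device (used for /dev/fuse).
has_chardev() { [ -c "$1" ]; }

# Succeed if at least one loop block device is visible under directory $1.
has_loopdev() {
    for d in "$1"/loop[0-9]*; do
        [ -b "$d" ] && return 0
    done
    return 1
}

# Succeed if a kernel image in directory $1 is readable by the current user.
has_readable_kernel() {
    for k in "$1"/vmlinuz*; do
        [ -f "$k" ] && [ -r "$k" ] && return 0
    done
    return 1
}

# Report each prerequisite on stdout; return the number that are missing.
preflight() {
    missing=0
    report() {
        if "$@"; then echo "ok      $*"
        else echo "MISSING $*"; missing=$((missing + 1)); fi
    }
    report has_readable_kernel /boot
    report has_chardev /dev/fuse
    report has_loopdev /dev
    report has_cap_sys_admin "$(cap_eff_of /proc/self/status)"
    return "$missing"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` inside the CI container; a non-zero exit status is the count of missing prerequisites.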