* [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
@ 2021-10-27  9:20 Petr Vorel
  2021-10-27  9:42 ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-10-27  9:20 UTC (permalink / raw)
  To: ltp

50b3bae29 had to disable Tumbleweed due to glibc-2.34 using the new syscall
clone3, which is not enabled in the Docker seccomp filter [1].

The workaround is to disable Docker seccomp filtering, as we don't need this
protection. This should help to avoid seccomp filtering in the future
for all distros.

[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1190670

Fixes: https://github.com/actions/virtual-environments/issues/4193

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Tested:
https://github.com/pevik/iputils/runs/4020083152?check_suite_focus=true

 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ffde8c48..55d8f5eb5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,6 +76,11 @@ jobs:
               CC: clang
               METADATA: asciidoc-pdf
 
+          - container: "opensuse/tumbleweed"
+            env:
+              CC: gcc
+              METADATA: asciidoctor
+
           - container: "opensuse/leap"
             env:
               CC: gcc
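Review bot: The new "opensuse/tumbleweed" matrix entry carries no hint that it only builds because of the `options:` line added in the next hunk. A one-line YAML comment above `- container: "opensuse/tumbleweed"` pointing at the clone3/seccomp bug from the commit message would keep a later cleanup of the container options from silently breaking this entry again.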
@@ -110,6 +115,7 @@ jobs:
     container:
       image: ${{ matrix.container }}
       env: ${{ matrix.env }}
+      options: --security-opt seccomp=unconfined
 
     steps:
     - name: Show OS
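Review bot: `options: --security-opt seccomp=unconfined` is added to the job-level `container:` block, next to `image: ${{ matrix.container }}`, so every matrix entry runs without a seccomp filter, not only the Tumbleweed one that needs it. If that is intended, say so in a comment on that line; otherwise consider driving the option from a per-entry matrix field, the way `env: ${{ matrix.env }}` already is, so only the affected containers are unconfined and the relaxation is easy to drop later.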
-- 
2.33.1


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp
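
A probe for the condition the commit message above describes, as an added example that is not part of the patch or of LTP: it issues clone3 with a deliberately invalid size, so no process is created, and uses the resulting errno together with the Seccomp field of /proc/self/status to show whether the call reached the kernel. The function names and the reading of each errno (EINVAL: the kernel handled the call; EPERM: it was refused first) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* clone3 number on x86_64 and arm64 */
#endif

enum clone3_state { CLONE3_REACHES_KERNEL, CLONE3_ENOSYS, CLONE3_DENIED, CLONE3_OTHER };

/* Map the errno of a deliberately invalid clone3 call to a verdict. */
enum clone3_state classify_clone3_errno(int err)
{
    switch (err) {
    case EINVAL: return CLONE3_REACHES_KERNEL; /* kernel itself rejected size 0 */
    case ENOSYS: return CLONE3_ENOSYS;         /* old kernel, or filter answers ENOSYS */
    case EPERM:  return CLONE3_DENIED;         /* refused before the kernel handler ran */
    default:     return CLONE3_OTHER;
    }
}

/* Size 0 is below the smallest valid struct clone_args, so nothing is cloned. */
enum clone3_state probe_clone3(void)
{
    errno = 0;
    long ret = syscall(SYS_clone3, NULL, (size_t)0);
    return ret == -1 ? classify_clone3_errno(errno) : CLONE3_OTHER;
}

/* Seccomp mode from /proc/self/status: 0 off, 1 strict, 2 filter, -1 unknown. */
int seccomp_mode(void)
{
    char line[256];
    int mode = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Seccomp: %d", &mode) == 1) break;
    fclose(f);
    return mode;
}

int main(void)
{
    static const char *names[] = { "reaches kernel", "ENOSYS", "EPERM (denied)", "other" };
    printf("seccomp mode: %d, clone3: %s\n", seccomp_mode(), names[probe_clone3()]);
}
```

Running it once in a default container and once with `--security-opt seccomp=unconfined` shows the difference the patch relies on.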

* Re: [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
  2021-10-27  9:20 [LTP] [PATCH 1/1] CI: Reenable Tumbleweed Petr Vorel
@ 2021-10-27  9:42 ` Petr Vorel
  2021-10-27  9:52   ` Cyril Hrubis
  0 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-10-27  9:42 UTC (permalink / raw)
  To: ltp

Hi,

<snip>
>      container:
>        image: ${{ matrix.container }}
>        env: ${{ matrix.env }}
> +      options: --security-opt seccomp=unconfined
Alternatively 'options: --privileged' could be used (to run a privileged
container); IMHO it does not matter which of these we take.

Kind regards,
Petr


* Re: [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
  2021-10-27  9:42 ` Petr Vorel
@ 2021-10-27  9:52   ` Cyril Hrubis
  2021-10-27 10:13     ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-10-27  9:52 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp

Hi!
> >      container:
> >        image: ${{ matrix.container }}
> >        env: ${{ matrix.env }}
> > +      options: --security-opt seccomp=unconfined
> Alternatively 'options: --privileged' could be used (to run a privileged
> container); IMHO it does not matter which of these we take.

Looking at docker documentation it looks like --privileged disables much
more than just the seccomp filtering. I do not think that this is a good
idea. Let's go with just disabling seccomp for affected distros.

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
  2021-10-27  9:52   ` Cyril Hrubis
@ 2021-10-27 10:13     ` Petr Vorel
  2021-10-29  8:22       ` Cyril Hrubis
  0 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2021-10-27 10:13 UTC (permalink / raw)
  To: Cyril Hrubis; +Cc: ltp

> Hi!
> > >      container:
> > >        image: ${{ matrix.container }}
> > >        env: ${{ matrix.env }}
> > > +      options: --security-opt seccomp=unconfined
> > Alternatively 'options: --privileged' could be used (to run a privileged
> > container); IMHO it does not matter which of these we take.

> Looking at docker documentation it looks like --privileged disables much
> more than just the seccomp filtering. I do not think that this is a good
> idea. Let's go with just disabling seccomp for affected distros.
IMHO both are ok for just compilation (other projects use it as well for just
CI doing compilation), but sure, let's use the minimum.
FYI this disables seccomp for all machines. Is that ok for you?
IMHO that's not a big deal + we will not have to bother when Fedora also gets
a new enough glibc (IMHO the problem will periodically occur on bleeding-edge
distros when glibc starts to use a new enough syscall).

Kind regards,
Petr


* Re: [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
  2021-10-27 10:13     ` Petr Vorel
@ 2021-10-29  8:22       ` Cyril Hrubis
  2021-10-29  9:38         ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2021-10-29  8:22 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp

Hi!
> > Looking at docker documentation it looks like --privileged disables much
> > more than just the seccomp filtering. I do not think that this is a good
> > idea. Let's go with just disabling seccomp for affected distros.
> IMHO both are ok for just compilation (other projects use it as well for just
> CI doing compilation), but sure, let's use the minimum.
> FYI this disables seccomp for all machines. Is that ok for you?
> IMHO that's not a big deal + we will not have to bother when Fedora also gets
> a new enough glibc (IMHO the problem will periodically occur on bleeding-edge
> distros when glibc starts to use a new enough syscall).

Anyways:

Acked-by: Cyril Hrubis <chrubis@suse.cz>

For the original patch that disables seccomp.

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH 1/1] CI: Reenable Tumbleweed
  2021-10-29  8:22       ` Cyril Hrubis
@ 2021-10-29  9:38         ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2021-10-29  9:38 UTC (permalink / raw)
  To: Cyril Hrubis; +Cc: ltp

Hi Cyril,

> Hi!
> > > Looking at docker documentation it looks like --privileged disables much
> > > more than just the seccomp filtering. I do not think that this is a good
> > > idea. Let's go with just disabling seccomp for affected distros.
> > IMHO both are ok for just compilation (other projects use it as well for just
> > CI doing compilation), but sure, let's use the minimum.
> > FYI this disables seccomp for all machines. Is that ok for you?
> > IMHO that's not a big deal + we will not have to bother when Fedora also gets
> > a new enough glibc (IMHO the problem will periodically occur on bleeding-edge
> > distros when glibc starts to use a new enough syscall).

> Anyways:

> Acked-by: Cyril Hrubis <chrubis@suse.cz>

> For the original patch that disables seccomp.

Thanks, pushed!

Kind regards,
Petr
