[1.3] ci fixes (ssh-keygen and criu version bumps for almalinux 8 and fedora) #4737
Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 6e5ffb7) Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit b48dd65) Signed-off-by: Kir Kolyshkin <[email protected]>
Those are no longer needed with shellcheck v0.10.0 (possibly with an earlier version, too, but I am too lazy to check that). While at it, fix a typo in the comment. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit af386d1) Signed-off-by: Kir Kolyshkin <[email protected]>
1. There is no need to have -p option in mkdir here, since /home/rootless was already created by useradd above.

2. When there is no -p, there is no need to suppress the shellcheck warning (which looked like this):

> In script/setup_host_fedora.sh line 21:
> mkdir -m 0700 -p /home/rootless/.ssh
> ^-- SC2174 (warning): When used with -p, -m only applies to the deepest directory.

Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit a76a136) Signed-off-by: Kir Kolyshkin <[email protected]>
This makes the code more robust and allows removing the "shellcheck disable=SC2086" annotation. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 8e653e4) Signed-off-by: Kir Kolyshkin <[email protected]>
This is the version available from Fedora 41. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit d31e6b8) Signed-off-by: Kir Kolyshkin <[email protected]>
We are seeing a ton of flakes on almalinux-8 CI job, all caused by criu's inability to freeze a cgroup. This was worked around in criu [1], but obviously we can't rely on a distro vendor to update the package.

Let's use a copr (thanks to Adrian Reber!)

[1]: checkpoint-restore/criu#2545

Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit b520f75) Signed-off-by: Kir Kolyshkin <[email protected]>
For some reason, ssh-keygen is unable to write to /root even as root on AlmaLinux 8:

    # id
    uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
    # id -Z ls -ld /root
    # ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
    Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc: denied { dac_override } for pid=13471 comm="ssh-keygen" capability=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 87ae2f8) Signed-off-by: Kir Kolyshkin <[email protected]>
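An added example (not part of this PR or of runc's CI scripts): a shell function that pairs the AVC and SYSCALL records of one audit event, as in the audit.log quoted in the commit message above, and prints a one-line summary per denial. The sample input is constructed from that quoted log (abbreviated, plus one unrelated record), and the function name `summarize_avc_denials` is hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample: the AVC/SYSCALL pair from the quoted audit.log (abbreviated)
# plus one unrelated SYSCALL record that has no matching denial.
SAMPLE_AUDIT='type=AVC msg=audit(1744834995.352:546): avc: denied { dac_override } for pid=13471 comm="ssh-keygen" capability=1 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 ppid=4978 pid=13471 uid=0 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0
type=SYSCALL msg=audit(1744834990.100:540): arch=c000003e syscall=257 success=yes exit=3 pid=13000 uid=0 comm="cat" exe="/usr/bin/cat"'

# summarize_avc_denials (hypothetical name): read audit records on stdin and
# print one line per AVC denial, joined with the SYSCALL record of the same event.
summarize_avc_denials() {
  awk '
    # Value of key=value in a record, with surrounding double quotes removed.
    function field(rec, key,    n, parts, i, val) {
      n = split(rec, parts, " ")
      for (i = 1; i <= n; i++) {
        if (index(parts[i], key "=") == 1) {
          val = substr(parts[i], length(key) + 2)
          gsub(/"/, "", val)
          return val
        }
      }
      return ""
    }
    {
      # Records of one event share the TIME:SERIAL inside msg=audit(...).
      if (!match($0, /msg=audit[(][0-9.]+:[0-9]+[)]/)) next
      id = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^type=AVC / && / denied / {
      # Denied permissions are listed between "{ " and " }".
      match($0, /[{][^}]*[}]/)
      perms = substr($0, RSTART + 2, RLENGTH - 4)
      # Third part of the SELinux context is the domain (type) of the process.
      split(field($0, "scontext"), ctx, ":")
      avc[id] = "comm=" field($0, "comm") " perms=" perms " domain=" ctx[3] \
                " tclass=" field($0, "tclass") " permissive=" field($0, "permissive")
      order[++count] = id
    }
    /^type=SYSCALL / { sys[id] = " exe=" field($0, "exe") " exit=" field($0, "exit") }
    END { for (i = 1; i <= count; i++) print avc[order[i]] sys[order[i]] }
  '
}

printf "%s\n" "$SAMPLE_AUDIT" | summarize_avc_denials
```

The summary shows the two facts the commit message relies on: the process runs in the confined `ssh_keygen_t` domain, and the denied permission is the `dac_override` capability, with the failing syscall returning -13 (EACCES).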
Fedora is still failing related to CRIU:
Fedora is fixed separately in #4736 (which also needs to be backported, maybe I'll shove it in here).
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2], which is currently only available in updates-testing. Add a kludge to install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to updates.

[1]: checkpoint-restore/criu#2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <[email protected]> (cherry picked from commit 3e3e048) Signed-off-by: Kir Kolyshkin <[email protected]>
I need more coffee but can't have any as it's almost 8pm here. Of course I haven't added it. Added now, fingers crossed.
Fedora is fixed now.
This is a backport of
to release-1.3 branch. Original description follows.
(from #4670)
High level overview:
(from #4728)
We are seeing a ton of flakes on almalinux-8 CI job, all caused by criu's inability to freeze a cgroup. This was worked around in criu (Freeze fixes and v1 kludges checkpoint-restore/criu#2545), but obviously we can't rely on a distro vendor to update the package.
Let's use a copr (thanks to @adrianreber!)
Fixes: #4273
ssh-keygen stopped working in AlmaLinux 8, fix this as well (see commit for details).
Fixes: #4731
(from #4736)
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2], which is currently only available in updates-testing. Add a kludge to install newer criu if necessary to fix CI.
This will not be needed in ~2 weeks once the new package is promoted to updates.