[XS] Change in osmo-ci[master]: jobs/master,gerrit: use io_uring seccomp profile - gerrit-log

16 Jan 2025

osmith has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ci/+/39355?usp=email )
Change subject: jobs/master,gerrit: use io_uring seccomp profile
......................................................................
jobs/master,gerrit: use io_uring seccomp profile
Use the seccomp profile not only in ttcn3 testsuites, but also in
master-builds and gerrit-verifications so we can test io_uring there
too.
CI happened to work without this for libosmocore on build4 because of a
specific docker version where io_uring was not yet (fully?) disabled in
the default seccomp profile. It did not work without this patch on
build5 where we currently have a newer docker version.
Related: OS#6405, OS#6186
Related: docker-playground I27567c2a5d9543c3509c316226c082ab950c5ebc
Change-Id: I71df7f7eeb79b831fb67d2cda377cf1d0619b93d
---
M jobs/gerrit-verifications.yml
M jobs/master-builds.yml
2 files changed, 6 insertions(+), 0 deletions(-)
Approvals:
  pespin: Looks good to me, approved
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve

diff --git a/jobs/gerrit-verifications.yml b/jobs/gerrit-verifications.yml
index 857a944..9691250 100644
--- a/jobs/gerrit-verifications.yml
+++ b/jobs/gerrit-verifications.yml
@@ -46,11 +46,13 @@
     sequential: false
     # most common build invocation
     # SYS_PTRACE is needed for ASAN (https://github.com/google/sanitizers/issues/764)
+    # seccomp profile is needed for io_uring (OS#6405)
     # Documentation for variables (keep in sync!):
     # https://osmocom.org/projects/osmocom-servers/wiki/Jenkins_build_verification...
     docker_run: |
             docker run --rm=true \
               --cap-add SYS_PTRACE \
+              --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \
               -e ASCIIDOC_WARNINGS_CHECK="1" \
               -e HOME=/build \
               -e JOB_NAME="$JOB_NAME" \
@@ -70,6 +72,7 @@
docker run --rm=true \
               --cap-add SYS_PTRACE \
+              --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \
               -e ASCIIDOC_WARNINGS_CHECK="1" \
               -e HOME=/build \
               -e JOB_NAME="$JOB_NAME" \
diff --git a/jobs/master-builds.yml b/jobs/master-builds.yml
index 69f4b70..969f2c7 100644
--- a/jobs/master-builds.yml
+++ b/jobs/master-builds.yml
@@ -19,11 +19,13 @@
     sequential: false
     # most common build invocation
     # SYS_PTRACE is needed for ASAN (https://github.com/google/sanitizers/issues/764)
+    # seccomp profile is needed for io_uring (OS#6405)
     # Documentation for variables (keep in sync!):
     # https://osmocom.org/projects/osmocom-servers/wiki/Jenkins_build_verification...
     docker_run: |
             docker run --rm=true \
               --cap-add SYS_PTRACE \
+              --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \
               -e ASCIIDOC_WARNINGS_CHECK="1" \
               -e HOME=/build \
               -e IS_MASTER_BUILD=1 \
@@ -48,6 +50,7 @@
docker run --rm=true \
               --cap-add SYS_PTRACE \
+              --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \
               -e ASCIIDOC_WARNINGS_CHECK="1" \
               -e HOME=/build \
               -e IS_MASTER_BUILD=1 \
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-ci/+/39355?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: merged
Gerrit-Project: osmo-ci
Gerrit-Branch: master
Gerrit-Change-Id: I71df7f7eeb79b831fb67d2cda377cf1d0619b93d
Gerrit-Change-Number: 39355
Gerrit-PatchSet: 2
Gerrit-Owner: osmith osmith@sysmocom.de
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge laforge@osmocom.org
Gerrit-Reviewer: neels nhofmeyr@sysmocom.de
Gerrit-Reviewer: osmith osmith@sysmocom.de
Gerrit-Reviewer: pespin pespin@sysmocom.de



    