osmith has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ci/+/39355?usp=email ) Change subject: jobs/master,gerrit: use io_uring seccomp profile ...................................................................... jobs/master,gerrit: use io_uring seccomp profile Use the seccomp profile not only in ttcn3 testsuites, but also in master-builds and gerrit-verifications so we can test io_uring there too. CI happened to work without this for libosmocore on build4 because of a specific docker version where io_uring was not yet (fully?) disabled in the default seccomp profile. It did not work without this patch on build5 where we currently have a newer docker version. Related: OS#6405, OS#6186 Related: docker-playground I27567c2a5d9543c3509c316226c082ab950c5ebc Change-Id: I71df7f7eeb79b831fb67d2cda377cf1d0619b93d --- M jobs/gerrit-verifications.yml M jobs/master-builds.yml 2 files changed, 6 insertions(+), 0 deletions(-) Approvals: pespin: Looks good to me, approved Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve diff --git a/jobs/gerrit-verifications.yml b/jobs/gerrit-verifications.yml index 857a944..9691250 100644 --- a/jobs/gerrit-verifications.yml +++ b/jobs/gerrit-verifications.yml @@ -46,11 +46,13 @@ sequential: false # most common build invocation # SYS_PTRACE is needed for ASAN (https://github.com/google/sanitizers/issues/764) + # seccomp profile is needed for io_uring (OS#6405) # Documentation for variables (keep in sync!): # https://osmocom.org/projects/osmocom-servers/wiki/Jenkins_build_verificatio… docker_run: | docker run --rm=true \ --cap-add SYS_PTRACE \ + --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \ -e ASCIIDOC_WARNINGS_CHECK="1" \ -e HOME=/build \ -e JOB_NAME="$JOB_NAME" \ @@ -70,6 +72,7 @@ docker run --rm=true \ --cap-add SYS_PTRACE \ + --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \ -e ASCIIDOC_WARNINGS_CHECK="1" \ -e HOME=/build \ -e JOB_NAME="$JOB_NAME" \ diff --git a/jobs/master-builds.yml b/jobs/master-builds.yml index 69f4b70..969f2c7 100644 --- a/jobs/master-builds.yml +++ b/jobs/master-builds.yml @@ -19,11 +19,13 @@ sequential: false # most common build invocation # SYS_PTRACE is needed for ASAN (https://github.com/google/sanitizers/issues/764) + # seccomp profile is needed for io_uring (OS#6405) # Documentation for variables (keep in sync!): # https://osmocom.org/projects/osmocom-servers/wiki/Jenkins_build_verificatio… docker_run: | docker run --rm=true \ --cap-add SYS_PTRACE \ + --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \ -e ASCIIDOC_WARNINGS_CHECK="1" \ -e HOME=/build \ -e IS_MASTER_BUILD=1 \ @@ -48,6 +50,7 @@ docker run --rm=true \ --cap-add SYS_PTRACE \ + --security-opt seccomp=$HOME/osmo-ci/_docker_playground/seccomp_profile.json \ -e ASCIIDOC_WARNINGS_CHECK="1" \ -e HOME=/build \ -e IS_MASTER_BUILD=1 \ -- To view, visit https://gerrit.osmocom.org/c/osmo-ci/+/39355?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: osmo-ci Gerrit-Branch: master Gerrit-Change-Id: I71df7f7eeb79b831fb67d2cda377cf1d0619b93d Gerrit-Change-Number: 39355 Gerrit-PatchSet: 2 Gerrit-Owner: osmith <osmith(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: neels <nhofmeyr(a)sysmocom.de> Gerrit-Reviewer: osmith <osmith(a)sysmocom.de> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>