
Re: [Qemu-devel] [PATCH v3 20/29] Include qemu/main-loop.h less


From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH v3 20/29] Include qemu/main-loop.h less
Date: Sat, 10 Aug 2019 21:34:17 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Alex Bennée <address@hidden> writes:

> Markus Armbruster <address@hidden> writes:
>
>> Philippe Mathieu-Daudé <address@hidden> writes:
>>
>>> On 8/9/19 8:46 AM, Markus Armbruster wrote:
>>>> In my "build everything" tree, changing qemu/main-loop.h triggers a
>>>> recompile of some 5600 out of 6600 objects (not counting tests and
>>>> objects that don't depend on qemu/osdep.h).  It includes block/aio.h,
>>>> which in turn includes qemu/event_notifier.h, qemu/notify.h,
>>>> qemu/processor.h, qemu/qsp.h, qemu/queue.h, qemu/thread-posix.h,
>>>> qemu/thread.h, qemu/timer.h, and a few more.
>>>>
>>>> Include qemu/main-loop.h only where it's needed.  Touching it now
>>>> recompiles only some 1700 objects.  For block/aio.h and
>>>> qemu/event_notifier.h, these numbers drop from 5600 to 2800.  For the
>>>> others, they shrink only slightly.
>>>>
>>>> Signed-off-by: Markus Armbruster <address@hidden>
>>>> ---
>>> [...]
>>>> diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
>>>> index 77f5df59b0..ac18a1184a 100644
>>>> --- a/include/sysemu/sysemu.h
>>>> +++ b/include/sysemu/sysemu.h
>>>> @@ -5,7 +5,6 @@
>>>>  #include "qapi/qapi-types-run-state.h"
>>>>  #include "qemu/timer.h"
>>>>  #include "qemu/notify.h"
>>>> -#include "qemu/main-loop.h"
>>>>  #include "qemu/bitmap.h"
>>>>  #include "qemu/uuid.h"
>>>>  #include "qom/object.h"
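
Review bot: Removing `#include "qemu/main-loop.h"` from include/sysemu/sysemu.h (the `-` line of this hunk) breaks every source file that relied on sysemu.h to pull in main-loop declarations, so each such file needs its own explicit include in the same patch. The netmap build log quoted right after this hunk shows one case: net/netmap.c calls qemu_set_fd_handler() and now fails with -Werror=implicit-function-declaration. Suggest adding `#include "qemu/main-loop.h"` to net/netmap.c and rerunning the docker debian-amd64 build that caught it.
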
>>>
>>> netmap failing again :S
>>>
>>> $ make docker-image-debian-amd64 V=1 DEBUG=1
>>> [...]
>>>   CC      net/netmap.o
>>> net/netmap.c: In function 'netmap_update_fd_handler':
>>> net/netmap.c:109:5: error: implicit declaration of function
>>> 'qemu_set_fd_handler' [-Werror=implicit-function-declaration]
>>>      qemu_set_fd_handler(s->nmd->fd,
>>>      ^~~~~~~~~~~~~~~~~~~
>>> net/netmap.c:109:5: error: nested extern declaration of
>>> 'qemu_set_fd_handler' [-Werror=nested-externs]
>>
>> I managed to lose the fix somehow.
>>
>> I admit I ran "make docker-test-build", realized docker needs root, and
>> went "sod it, cross fingers & send out the patches".
>
> I've sent some patches to make docker-test-build more closely resemble
> what shippable exercises.
>
> As for root you can set up a docker group and do it that way (see the
> docs in docs/devel/testing.rst). It's not recommended for production
> machines as it makes escalation fairly trivial (the daemon itself still
> runs as root).

As Dan Walsh explained in a blog post[*], access to the docker socket is
equivalent to root.  Might be okay on a throwaway or special-purpose
box, but definitely not on my desktop.

The solution the blog post recommends for now is sudo with password,
which I consider only marginally better: instead of leaving the safe
door open, we install a security camera to log access to the safe,
*then* leave the safe door open.  Just in case whoever helps himself to
the contents of the safe is too lazy to help himself to the logs, too.

In the great tradition of throwing security under the bus to get work
done, I set up sudo.  Avoiding NOPASSWD: turns out to be impractical.

Running "make docker-test-build" fails for me on master (v4.1.0-rc4),
details appended.

>                Hopefully Marc's podman support:
>
>   Subject: [PATCH v2 0/5] tests/docker: add podman support
>   Date: Tue,  9 Jul 2019 23:43:25 +0400
>   Message-Id: <address@hidden>
>
> will make these requirements a little less onerous.

Sounds like a much needed upgrade to me.

[...]

[*] https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/


My failure:

$ make -C bld docker-test-build
make: Entering directory '/work/armbru/qemu/bld'
  BUILD   centos7
make[1]: Entering directory '/work/armbru/qemu/bld'
  GEN     /work/armbru/qemu/bld/docker-src.2019-08-10-07.29.32.8915/qemu.tar
  COPY    RUNNER
    RUN test-build in qemu:centos7
[...]
make[1]: Leaving directory '/work/armbru/qemu/bld'
  BUILD   debian9
  BUILD   debian-amd64
make[1]: Entering directory '/work/armbru/qemu/bld'
  GEN     /work/armbru/qemu/bld/docker-src.2019-08-10-07.30.18.17180/qemu.tar
  COPY    RUNNER
    RUN test-build in qemu:debian-amd64
[...]
install -c -m 0644 /tmp/qemu-test/build/trace-events-all "/tmp/qemu-test/build/=destdir/tmp/qemu-test/install/share/qemu/trace-events-all"
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/work/armbru/qemu/tests/docker/docker.py", line 234, in _kill_instances
    return self._do_kill_instances(True)
  File "/work/armbru/qemu/tests/docker/docker.py", line 213, in _do_kill_instances
    for i in self._output(cmd).split():
  File "/work/armbru/qemu/tests/docker/docker.py", line 239, in _output
    **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 223, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['sudo', 'docker', 'ps', '-q']' returned non-zero exit status 1
Error in sys.exitfunc:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/work/armbru/qemu/tests/docker/docker.py", line 234, in _kill_instances
    return self._do_kill_instances(True)
  File "/work/armbru/qemu/tests/docker/docker.py", line 213, in _do_kill_instances
    for i in self._output(cmd).split():
  File "/work/armbru/qemu/tests/docker/docker.py", line 239, in _output
    **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 223, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['sudo', 'docker', 'ps', '-q']' returned non-zero exit status 1
    CLEANUP /work/armbru/qemu/bld/docker-src.2019-08-10-07.30.18.17180 
make[1]: Leaving directory '/work/armbru/qemu/bld'
  BUILD   debian-arm64-cross
Traceback (most recent call last):
  File "/work/armbru/qemu/tests/docker/docker.py", line 615, in <module>
    sys.exit(main())
  File "/work/armbru/qemu/tests/docker/docker.py", line 611, in main
    return args.cmdobj.run(args, argv)
  File "/work/armbru/qemu/tests/docker/docker.py", line 366, in run
    dkr = Docker()
  File "/work/armbru/qemu/tests/docker/docker.py", line 193, in __init__
    self._command = _guess_docker_command()
  File "/work/armbru/qemu/tests/docker/docker.py", line 65, in _guess_docker_command
    commands_txt)
Exception: Cannot find working docker command. Tried:
  docker
  sudo docker
make: *** [/work/armbru/qemu/tests/docker/Makefile.include:53: docker-image-debian-arm64-cross] Error 1
make: Leaving directory '/work/armbru/qemu/bld'

There are a few SELinux gripes in my logs, like this one:

type=AVC msg=audit(1565418107.93:125036): avc:  denied  { module_request } for  
pid=19599 comm="configure" kmod="binfmt-464c" 
scontext=system_u:system_r:container_t:s0:c611,c653 
tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
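
A defensive audit of the point made in the message above (docker group membership and `sudo docker` rules both amount to root), as an added example that is not part of the original message or of QEMU's tests/docker code. The sample group and sudoers text are constructed, the function names are hypothetical, and the sudoers parsing assumes one simple rule per line with no aliases, continuations or includes.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_GROUP = """\
root:x:0:
docker:x:981:alice,builder
"""
SAMPLE_SUDOERS = """\
Defaults    env_reset
builder ALL=(root) NOPASSWD: /usr/bin/docker
carol   ALL=(root) /usr/bin/docker
%wheel  ALL=(ALL) ALL
"""

RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")

def docker_group_members(group_text, group="docker"):
    """Supplementary members of `group`; primary-GID members are not listed."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return sorted(u for u in fields[3].split(",") if u)
    return []

def sudo_docker_rules(sudoers_text):
    """Yield (who, passwordless) for each rule that names a docker binary."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        who, nopasswd = m.group(1), False
        for cmd in (c.strip() for c in m.group(2).split(",")):
            while (t := TAG.match(cmd)):      # tags persist across the list
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if cmd.partition(" ")[0].rsplit("/", 1)[-1] == "docker":
                yield who, nopasswd

def root_equivalent_via_docker(group_text, sudoers_text):
    """Map account -> ways it can drive the root-owned docker daemon."""
    findings = {}
    for user in docker_group_members(group_text):
        findings.setdefault(user, []).append("docker-group")
    for who, nopasswd in sudo_docker_rules(sudoers_text):
        findings.setdefault(who, []).append("sudo-nopasswd" if nopasswd else "sudo-password")
    return findings
```

Accounts reported as `docker-group` or `sudo-nopasswd` reach root without any password prompt; `sudo-password` adds only the prompt and the sudo log entry.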


