From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=caEg300W; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by passt.top (Postfix) with ESMTPS id 114D05A0271 for ; Wed, 24 Sep 2025 10:46:39 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1758703598; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4YJBZpTllc4eAhArRESNXksEAiRy0kFZ3W3WQSoPq3U=; b=caEg300WGramrZn4p4mSFhhIGiq21zZ3qEAntZKhXYxE7M8M0xEnNhFE0m5m3kN2WrcKXV 1rTL/v1BPbQdbKXj54PYDzOPEvLeWser3rJZIEUN4aQO5vPJ260Rot9RywWxgmd5KIEmVk 01QPgHKQFARSJY/tlt5HlEiBtltZyS0= Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-471-ac_9Mr_-PQ2nJ6cQxpagOQ-1; Wed, 24 Sep 2025 04:46:37 -0400 X-MC-Unique: ac_9Mr_-PQ2nJ6cQxpagOQ-1 X-Mimecast-MFC-AGG-ID: ac_9Mr_-PQ2nJ6cQxpagOQ_1758703596 Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-3f030846a41so2926806f8f.2 for ; Wed, 24 Sep 2025 01:46:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758703596; x=1759308396; h=content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=ssjv5Xktzfd1fQRS9aJxXBsEKSuwuHmtb+qAiE/pbnI=; b=TJf6U7SYOIfVbEWzaFD8kvKtxH2Im0dl9jhEFM0R5JZuzcvNrcGscgHGv2ONNcDxPF cCVmb8ogJSal66cvKn/gM6c7soBqYKYp1HSAp5alipTBRMGhfvejo0ivwuI4PUc7M5DY LRqGE+OE5koh23GGZMxsNxVUzKv26zoWPIwk6D5GOJjkS5gxjukaxBK2MNLyITWe1jL/ 05zlVMGAuI/2KZ7uA3VQ6KST6CZUjKvuZ2gO7uoj70rX/1z+kEbFm3NxHmjWJPGkTMZI 5ZdLyzkHC7wEWG46+XjaiNbfIld6I08GtSJJpW9LdxZz+PoKnfoLqQpSN5pI0g/SYnWh kK0g== X-Gm-Message-State: AOJu0YyeF9ZgeGCqAYbiHEZB4NyKuq5JS20ExAgLgETNh/3qMjHZvLPF a0vUQEQF3+Sh5q6UJBRtBE9iT0OJnmZ602zpS9hgGfFAJd7NEd1WxbIMbYVqHWd64gBHzTloLAb 7czvdS6PZLkVjK0qyGZpEe7MjcNNLQf8DvdbE/SgyZb4PYOXSNCt+JA== X-Gm-Gg: ASbGncuEJr6gUowHlvCCK+rCWojamhuDmk17YlNKNdrlabH5ZjQwfkSw9C/eAmeAizV EVy+coQxHEtFwUROVcdHI+AzKWA/WtOnlM2uP6fADMZ5dKhTRdPy2gGp9BW20O+QgjbSOSRnwgs cIEvfXoIwJ0r/J5JSJc/JT1oALSzloFiGCf0e0jbR96KulT48kg4GTNgO6OawnZl63aMJINgtmj Sq7OfdDPpfBNr9yKko9wIL6F/B5bz/W7JFKSnk++WHIaRkh3u9+i+iLzZApc6R48kMvnz4JTFkR kx5+w759G0Fye1FkIAIUEeKI1M/3nMt681pKBL92Ukp0N7BundVBhBUk4MefJ00gSaiO X-Received: by 2002:a05:6000:288d:b0:3ee:1294:4780 with SMTP id ffacd0b85a97d-405c9a01f40mr3410144f8f.30.1758703595518; Wed, 24 Sep 2025 01:46:35 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGs0ukIfqEwwB/C/WG6XwkRkf/nqyW8/mN4OVMzL2m94Oe8IFKqvhQ++Vq7nuQhinEDFxqd6Q== X-Received: by 2002:a05:6000:288d:b0:3ee:1294:4780 with SMTP id ffacd0b85a97d-405c9a01f40mr3410114f8f.30.1758703594680; Wed, 24 Sep 2025 01:46:34 -0700 (PDT) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4034d67d3fcsm7571910f8f.47.2025.09.24.01.46.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Sep 2025 01:46:34 -0700 (PDT) Date: Wed, 24 Sep 2025 10:46:32 +0200 From: Stefano Brivio To: Yumei Huang Subject: Re: [PATCH] test: Update README.md Message-ID: <20250924104632.75b3f5a8@elisabeth> In-Reply-To: References: <20250919014329.6007-1-yuhuang@redhat.com> <20250919115822.4e3aab21@elisabeth> <20250922220338.49013fce@elisabeth> <20250923123213.61ddd9d5@elisabeth> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: 109OqkQq4S77fRRp6dB5iec-7vl4bTdsVL-NHJ7C1y0_1758703596 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: QIIXF57DQ62VQUT3S3T7CHUYCX35NNCM X-Message-ID-Hash: QIIXF57DQ62VQUT3S3T7CHUYCX35NNCM X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, david@gibson.dropbear.id.au, "Richard W.M. Jones" X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: [Cc'ing Rich... Rich, see my first question below] On Wed, 24 Sep 2025 09:58:57 +0800 Yumei Huang wrote: > On Tue, Sep 23, 2025 at 6:32=E2=80=AFPM Stefano Brivio wrote: > > > > On Tue, 23 Sep 2025 14:36:41 +0800 > > Yumei Huang wrote: > > =20 > > > On Tue, Sep 23, 2025 at 4:03=E2=80=AFAM Stefano Brivio wrote: =20 > > > > > > > > On Mon, 22 Sep 2025 11:03:23 +0800 > > > > Yumei Huang wrote: > > > > =20 > > > > > On Fri, Sep 19, 2025 at 5:58=E2=80=AFPM Stefano Brivio wrote: =20 > > > > > > > > > > > > On Fri, 19 Sep 2025 09:43:29 +0800 > > > > > > Yumei Huang wrote: > > > > > > =20 > > > > > > > Signed-off-by: Yumei Huang > > > > > > > --- > > > > > > > test/README.md | 31 +++++++++++++++++++++++++++++-- > > > > > > > 1 file changed, 29 insertions(+), 2 deletions(-) > > > > > > > > > > > > > > diff --git a/test/README.md b/test/README.md > > > > > > > index 91ca603..e3e9d37 100644 > > > > > > > --- a/test/README.md > > > > > > > +++ b/test/README.md > > > > > > > @@ -32,7 +32,7 @@ Example for Debian, and possibly most Debia= n-based distributions: > > > > > > > git go iperf3 isc-dhcp-common jq libgpgme-dev libseccomp= -dev linux-cpupower > > > > > > > lm-sensors lz4 netavark netcat-openbsd psmisc qemu-efi-a= arch64 > > > > > > > qemu-system-arm qemu-system-misc qemu-system-ppc qemu-sy= stem-x86 > > > > > > > - qemu-system-x86 sipcalc socat strace tmux uidmap valgrin= d > > > > > > > + sipcalc socat strace tmux uidmap valgrind > > > > > > > > > > > > > > NOTE: the tests need a qemu version >=3D 7.2, or one that co= ntains commit > > > > > > > 13c6be96618c ("net: stream: add unix socket"): this change i= ntroduces support > > > > > > > @@ -81,7 +81,12 @@ The following additional packages are comm= only needed: > > > > > > > > > > > > > > ## Regular test > > > > > > > > > > > > > > -Just issue: > > > > > > > +Before running the tests, you need to prepare the required a= ssets: > > > > > > > + > > > > > > > + cd test > > > > > > > + make assets > > > > > > > + > > > > > > > +Then issue: > > > > > > > > > > > > > > ./run > > > > > > > > > > > > > > @@ -91,6 +96,28 @@ variable settings: DEBUG=3D1 enables debug= ging messages, TRACE=3D1 enables tracing > > > > > > > > > > > > > > PCAP=3D1 TRACE=3D1 ./run > > > > > > > > > > > > > > +**Note:** > > > > > > > + > > > > > > > +* It's recommended to run the commands as a non-root user. > > > > > > > + Due to [Bug 967509](https://bugzilla.redhat.com/show_bug.c= gi?id=3D967509), > > > > > > > + if you switch users with `su` or `sudo`, the directory `/r= un/user/ID` may > > > > > > > + not be created. In that case, `XDG_RUNTIME_DIR` will incor= rectly point to > > > > > > > + `/run/user/0` instead of `/run/user/ID`, which can cause e= rror. =20 > > > > > > > > > > > > Thanks for the research, I wasn't aware of that, and recently s= pent > > > > > > quite some time figuring that out (for other reasons): > > > > > > > > > > > > https://issues.redhat.com/browse/RHEL-70222 > > > > > > > > > > > > in that case, XDG_RUNTIME_DIR was simply not set. Things were w= orking > > > > > > with 'machinectl shell' instead. > > > > > > > > > > > > At the same time: running this whole stuff as root sounds rathe= r crazy, > > > > > > unless it's a throw-away VMs with absolutely nothing important = on it. > > > > > > > > > > > > That is, regardless of the issue with XDG_RUNTIME_DIR. I would = maybe > > > > > > make the wording stronger, something like: > > > > > > > > > > > > * Don't run the tests as root, it's not needed! > > > > > > * If you really need to, note that ... > > > > > > =20 > > > > > > > + **Workaround:** Log out and log back in as the intended us= er to ensure the > > > > > > > + correct runtime directory is set up. =20 > > > > > > > > > > > > We could also suggest 'machinectl shell' if it's really needed = for > > > > > > whatever reason. =20 > > > > > > > > > > I'm not sure how 'machinectl shell' works here. The error happens= when > > > > > running 'make assets', > > > > > which calls 'prepare-distro-img.sh' script, which calls 'virsh ed= it'. =20 > > > > > > > > Ah, I didn't know! So this is actually similar to > > > > https://issues.redhat.com/browse/RHEL-70222. > > > > =20 > > > > > If we run 'make assets' with root, the error is like this: > > > > > > > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qc= ow2 > > > > > libguestfs: error: could not create appliance through libvirt. > > > > > Original error from libvirt: Cannot access storage file > > > > > '/home/test/passt/test/prepared-debian-8.11.0-openstack-amd64.qco= w2' > > > > > (as uid:107, gid:107): Permission denied [code=3D38 int1=3D13] > > > > > > > > > > If we switch to a non-root user via 'su', the error is like this: > > > > > > > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qc= ow2 > > > > > libvirt: XML-RPC error : Cannot create user runtime directory > > > > > '/run/user/0/libvirt': Permission denied > > > > > libguestfs: error: could not connect to libvirt (URI =3D > > > > > qemu:///session): Cannot create user runtime directory > > > > > '/run/user/0/libvirt': Permission denied [code=3D38 int1=3D13] > > > > > make: *** [Makefile:115: prepared-debian-8.11.0-openstack-amd64.q= cow2] Error 1 > > > > > > > > > > Do you mean to run 'make assets' with 'machinectl shell'? What's = the > > > > > exact cmd here? I tried this, seems not work. > > > > > > > > > > # machinectl shell --uid=3D$(id -u pat) .host > > > > > /home/test/passt/test/make assets > > > > > Connected to the local host. Press ^] three times within 1s t= o exit session. > > > > > > > > > > Connection to the local host terminated. =20 > > > > > > > > No, I mean using 'machinectl shell' instead of 'su' (it's intended = as a > > > > replacement), that is: > > > > > > > > $ machinectl shell > > > > # make assets > > > > > > > > ...because that one will set XDG_RUNTIME_DIR. =20 > > > > > > Yes, 'machinectl shell' will solve the issue when switching to a > > > non-root user via su. But it doesn't solve the issue when running > > > 'make assets' as root. They are actually different issues as above. = =20 > > > > Can one need specify a XDG_RUNTIME_DIR that actually exists, maybe? > > Does that work? =20 >=20 > I guess I need to clarify the issues more clearly. >=20 > a) If we login the system with the non-root user, `/run/user/ID` is > created and XDG_RUNTIME_DIR is pointing to that correctly. So 'make > assets' works well. >=20 > b) If we login the system with root, then switch to a non-root user > via 'su', 'make assets' fails due to Bug 967509. XDG_RUNTIME_DIR is > not reset and points to /run/user/(ID of the previous user), which is > /run/user/0. >=20 > libguestfs: error: could not connect to libvirt (URI =3D > qemu:///session): Cannot create user runtime directory > '/run/user/0/libvirt': Permission denied [code=3D38 int1=3D13] >=20 > Switching the user with 'machinectl shell --uid=3D$user' can solve the is= sue. >=20 > c) If we run 'make assets' as root, (no matter we just login with > root, or switch to root via su or machinectl shell), 'make assets' > always fails with a different error. >=20 > libguestfs: error: could not create appliance through libvirt. > Original error from libvirt: Cannot access storage file > '/home/pat/tmp/t5-passt/test/prepared-debian-10-nocloud-amd64.qcow2' > (as uid:107, gid:107): Permission denied [code=3D38 int1=3D13] Ah, look, UID 107 is usually QEMU on Fedora / RHEL, so libguestfs is switching to that. But it shouldn't, because then it won't be able to access the images you downloaded as root. Rich, do you know why it happens? > The XDG_RUNTIME_DIR is no longer an issue, since root can access every > directory under /run/user. I guess the problem here is that we just > can't run 'virsh edit' as root. Wait, it's not 'virsh edit', it's 'virt-edit', and it's not true that you can't run it as root. We had explicit reports from libguestfs (virt-edit is part of it, and it now uses passt to provide networking to the temporary VMs it uses to edit guest images) being run as root, and passt breaking that in the past. We need to support that because virtual machine images might be owned by root if the virtual machines they belong to can't run unprivileged. Breaking operation as root is actually pretty bad for security in that case, since it encourages / forces users to make those images accessible to other users. See: https://issues.redhat.com/browse/RHEL-36045 45b8632dcc0e ("conf: Don't lecture user about starting us as root") c9b241346569 ("conf, passt, tap: Open socket and PID files before switchi= ng UID/GID"). > > > Maybe we can just put it like: > > > > > > Running the commands as root is just not allowed. If you login > > > the system with root, don't use su to switch users due to [Bug > > > 967509](https://bugzilla.redhat.com/show_bug.cgi?id=3D967509). Log ou= t > > > and log back in as the intended user, or use 'machinectl shell > > > --uid=3D$user'. > > > > > > What do you think? =20 > > > > Well, it's free software, so "not allowed" doesn't really mean much. > > > > I would simply warn users that it's a bad idea and it's not needed, > > something like my previous proposal: > > > > * Don't run the tests as root, it's not needed! > > * If you really need to, note that ... > > > > and then just list the workaround that actually works. > > > > I think the most typical need for running things as root is that you > > don't actually have other users (it happens with some VM images or > > in embedded systems), so 'machinectl shell --uid=3D$user' won't really > > help there. =20 >=20 > Well, I have to admit that I usually do everything with root on my > test machines. And I don't see a solution/workaround to fix the issue > when running 'make assets' as root as c). It's not so important for our tests, but it would be good to know why it breaks, in general. > The workaround proposed is > just for those who login with root and switch to a non-root user to > run the tests. >=20 > > > > Maybe just mention setting XDG_RUNTIME_DIR to whatever is appropriate > > (does /tmp work?)? > > =20 > > > > > > > +* SELinux may prevent the tests from running correctly. To a= void this, > > > > > > > + temporarily disable it by running: > > > > > > > + > > > > > > > + setenforce 0 =20 > > > > > > > > > > > > By the way, other than the DHCP client not working on Fedora in= a > > > > > > namespace (which we should really fix, I can look into it if yo= u share > > > > > > the messages you're getting from /var/log/audit/audit.log), did= you hit > > > > > > any other issue with it? > > > > > > =20 > > > > > > > > > > Sure, I will send you a link containing the audit.log. > > > > > BTW, if 'setenforce 1', the tests would get stuck at 'DHCPv6 > > > > > :address'. Looks like an endless loop there. So except the very f= irst > > > > > few tests, other tests haven't been executed. > > > > > > > > > > =3D=3D=3D pasta/dhcp =20 > > > > > DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG= :DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:DEBUG:> =20 > > > > > Interface name > > > > > DEBUG:DEBUG:? [ -n "eno8303" ] > > > > > DEBUG:DEBUG:...passed. > > > > > =20 > > > > > > DHCP: address =20 > > > > > DEBUG:DEBUG:DEBUG:DEBUG:? [ @EMPTY@ =3D 10.72.136.30 ] < failed. > > > > > DEBUG:DEBUG:...failed. > > > > > =20 > > > > > > DHCP: route =20 > > > > > DEBUG:DEBUG:DEBUG:? [ @EMPTY@ =3D 10.72.139.254 ] < failed. > > > > > DEBUG:DEBUG:...failed. > > > > > =20 > > > > > > DHCP: MTU =20 > > > > > DEBUG:DEBUG:? [ 1500 =3D 65520 ] < failed. > > > > > DEBUG:DEBUG:...failed. > > > > > =20 > > > > > > DHCPv6: address =20 > > > > > DEBUG: =20 > > > > > > > > Thanks, so it's the issue David recently mentioned with > > > > dhclient-script(8) being prevented by SELinux from setting up addre= sses > > > > and routes via ip(8), even though it's in a detached namespace and = that > > > > should be allowed. > > > > > > > > We should probably add something like we do in contrib/selinux/past= a.te > > > > to https://github.com/fedora-selinux/selinux-policy: > > > > > > > > roleattribute user_r usernetctl_roles; > > > > role usernetctl_roles types ; > > > > > > > > Now, we can disable SELinux temporarily to run tests, but eventuall= y > > > > we'll want to have tests with DHCP clients in unprivileged setups a= lso > > > > as part of Fedora automated tests, and I'm fairly sure that those r= un > > > > with SELinux in enforcing mode. So we should really fix this. =20 > > > > > > Sure, I will file a ticket for that. =20 > > > > Thanks. Note that it's not a ticket for passt, it's maybe a ticket for > > fedora-selinux, but I'm not sure if it's really helpful to file issues > > there. I guess we should try things out and send a merge request. =20 > > Agree. Let's just disable it temporarily to bypass the issue. Actually, that's not what I meant: I really think we should fix that. I'm just saying that filing tickets there is usually not very helpful. Anyway, noted on my list, let me take care of it, the change itself is kind of trivial. Whether it will be considered / accepted is another story, but I can try at least. > > > > By the way, it would also be interesting to see if, once the test s= uite > > > > gets past this point, you get further messages in audit.log. > > > > > > > > If you do 'setenforce 0', SELinux switches to the so-called "compla= in > > > > mode", and warnings are still logged, but they won't block anything= . > > > > > > > > So, with 'setenforce 0', we can find out from audit.log if we would= hit > > > > further failures. =20 > > > > > > Here is the audit.log: > > > > > > https://privatebin.corp.redhat.com/?49fef5ef2e766c42#Fki5LnD9EGMfDDpm= vFPp1WqGbQPwQk4qQmQbmKugDLxb > > > > > > From what I can see, there is no 'avc: denied' after the dhcp cases.= =20 > > > > [looking at log you attached later] great, I don't see other issues > > either! So it seems to be just that, and then we'll be able to run > > tests on Fedora-like distributions with SELinux enabled. --=20 Stefano