public inbox for passt-dev@passt.top
From: Yumei Huang <yuhuang@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Subject: Re: [PATCH] test: Update README.md
Date: Wed, 24 Sep 2025 12:02:29 +0800
Message-ID: <CANsz47kdJ1VW30ehTwij1OztWqO0e1=Ef2v9xy4jCXksnzB_TA@mail.gmail.com>
In-Reply-To: <aNNpAlvQut02K3bb@zatzit>

On Wed, Sep 24, 2025 at 11:44 AM David Gibson
<david@gibson.dropbear.id.au> wrote:
>
> On Wed, Sep 24, 2025 at 09:58:57AM +0800, Yumei Huang wrote:
> > On Tue, Sep 23, 2025 at 6:32 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> > >
> > > On Tue, 23 Sep 2025 14:36:41 +0800
> > > Yumei Huang <yuhuang@redhat.com> wrote:
> > >
> > > > On Tue, Sep 23, 2025 at 4:03 AM Stefano Brivio <sbrivio@redhat.com> wrote:
> > > > >
> > > > > On Mon, 22 Sep 2025 11:03:23 +0800
> > > > > Yumei Huang <yuhuang@redhat.com> wrote:
> > > > >
> > > > > > On Fri, Sep 19, 2025 at 5:58 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> > > > > > >
> > > > > > > On Fri, 19 Sep 2025 09:43:29 +0800
> > > > > > > Yumei Huang <yuhuang@redhat.com> wrote:
> > > > > > >
> > > > > > > > Signed-off-by: Yumei Huang <yuhuang@redhat.com>
> > > > > > > > ---
> > > > > > > >  test/README.md | 31 +++++++++++++++++++++++++++++--
> > > > > > > >  1 file changed, 29 insertions(+), 2 deletions(-)
> > > > > > > >
> > > > > > > > diff --git a/test/README.md b/test/README.md
> > > > > > > > index 91ca603..e3e9d37 100644
> > > > > > > > --- a/test/README.md
> > > > > > > > +++ b/test/README.md
> > > > > > > > @@ -32,7 +32,7 @@ Example for Debian, and possibly most Debian-based distributions:
> > > > > > > >      git go iperf3 isc-dhcp-common jq libgpgme-dev libseccomp-dev linux-cpupower
> > > > > > > >      lm-sensors lz4 netavark netcat-openbsd psmisc qemu-efi-aarch64
> > > > > > > >      qemu-system-arm qemu-system-misc qemu-system-ppc qemu-system-x86
> > > > > > > > -    qemu-system-x86 sipcalc socat strace tmux uidmap valgrind
> > > > > > > > +    sipcalc socat strace tmux uidmap valgrind
> > > > > > > >
> > > > > > > >  NOTE: the tests need a qemu version >= 7.2, or one that contains commit
> > > > > > > >  13c6be96618c ("net: stream: add unix socket"): this change introduces support
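
Review bot: The subject "test: Update README.md" gives no hint that the package list is touched: the duplicate `qemu-system-x86` removed on the `-` line here is unrelated to the documentation added in the later hunks. Name the individual changes in the commit message, or split this one-line fix into its own patch.
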
> > > > > > > > @@ -81,7 +81,12 @@ The following additional packages are commonly needed:
> > > > > > > >
> > > > > > > >  ## Regular test
> > > > > > > >
> > > > > > > > -Just issue:
> > > > > > > > +Before running the tests, you need to prepare the required assets:
> > > > > > > > +
> > > > > > > > +    cd test
> > > > > > > > +    make assets
> > > > > > > > +
> > > > > > > > +Then issue:
> > > > > > > >
> > > > > > > >      ./run
> > > > > > > >
> > > > > > > > @@ -91,6 +96,28 @@ variable settings: DEBUG=1 enables debugging messages, TRACE=1 enables tracing
> > > > > > > >
> > > > > > > >      PCAP=1 TRACE=1 ./run
> > > > > > > >
> > > > > > > > +**Note:**
> > > > > > > > +
> > > > > > > > +* It's recommended to run the commands as a non-root user.
> > > > > > > > +  Due to [Bug 967509](https://bugzilla.redhat.com/show_bug.cgi?id=967509),
> > > > > > > > +  if you switch users with `su` or `sudo`, the directory `/run/user/ID` may
> > > > > > > > +  not be created. In that case, `XDG_RUNTIME_DIR` will incorrectly point to
> > > > > > > > +  `/run/user/0` instead of `/run/user/ID`, which can cause error.
> > > > > > >
> > > > > > > Thanks for the research, I wasn't aware of that, and recently spent
> > > > > > > quite some time figuring that out (for other reasons):
> > > > > > >
> > > > > > >   https://issues.redhat.com/browse/RHEL-70222
> > > > > > >
> > > > > > > in that case, XDG_RUNTIME_DIR was simply not set. Things were working
> > > > > > > with 'machinectl shell' instead.
> > > > > > >
> > > > > > > At the same time: running this whole stuff as root sounds rather crazy,
> > > > > > > > unless it's a throw-away VM with absolutely nothing important on it.
> > > > > > >
> > > > > > > That is, regardless of the issue with XDG_RUNTIME_DIR. I would maybe
> > > > > > > make the wording stronger, something like:
> > > > > > >
> > > > > > > * Don't run the tests as root, it's not needed!
> > > > > > > * If you really need to, note that ...
> > > > > > >
> > > > > > > > +  **Workaround:** Log out and log back in as the intended user to ensure the
> > > > > > > > +  correct runtime directory is set up.
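
Review bot: The sentence ending "`/run/user/0` instead of `/run/user/ID`" hard-codes UID 0 without saying that the switch is made from a root login, and `ID` is never defined as the target user's UID; "which can cause error" also leaves the reader without a symptom to search for. Suggest wording such as "`XDG_RUNTIME_DIR` keeps pointing to the previous user's directory (`/run/user/0` when switching from root)", quoting the "Cannot create user runtime directory" message, and stating that the workaround covers a user switch only, not running as root.
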
> > > > > > >
> > > > > > > We could also suggest 'machinectl shell' if it's really needed for
> > > > > > > whatever reason.
> > > > > >
> > > > > > I'm not sure how 'machinectl shell' works here. The error happens when
> > > > > > running 'make assets',
> > > > > > which calls 'prepare-distro-img.sh' script, which calls 'virsh edit'.
> > > > >
> > > > > Ah, I didn't know! So this is actually similar to
> > > > > https://issues.redhat.com/browse/RHEL-70222.
> > > > >
> > > > > > If we run 'make assets' with root, the error is like this:
> > > > > >
> > > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qcow2
> > > > > > libguestfs: error: could not create appliance through libvirt.
> > > > > > Original error from libvirt: Cannot access storage file
> > > > > > '/home/test/passt/test/prepared-debian-8.11.0-openstack-amd64.qcow2'
> > > > > > (as uid:107, gid:107): Permission denied [code=38 int1=13]
> > > > > >
> > > > > > If we switch to a non-root user via 'su', the error is like this:
> > > > > >
> > > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qcow2
> > > > > > libvirt: XML-RPC error : Cannot create user runtime directory
> > > > > > '/run/user/0/libvirt': Permission denied
> > > > > > libguestfs: error: could not connect to libvirt (URI =
> > > > > > qemu:///session): Cannot create user runtime directory
> > > > > > '/run/user/0/libvirt': Permission denied [code=38 int1=13]
> > > > > > make: *** [Makefile:115: prepared-debian-8.11.0-openstack-amd64.qcow2] Error 1
> > > > > >
> > > > > > > Do you mean to run 'make assets' with 'machinectl shell'? What's the
> > > > > > > exact cmd here? I tried this, it seems not to work.
> > > > > > >
> > > > > > >     # machinectl shell --uid=$(id -u pat) .host /home/test/passt/test/make assets
> > > > > >     Connected to the local host. Press ^] three times within 1s to exit session.
> > > > > >
> > > > > >     Connection to the local host terminated.
> > > > >
> > > > > No, I mean using 'machinectl shell' instead of 'su' (it's intended as a
> > > > > replacement), that is:
> > > > >
> > > > >     $ machinectl shell
> > > > >     # make assets
> > > > >
> > > > > ...because that one will set XDG_RUNTIME_DIR.
> > > >
> > > > Yes, 'machinectl shell' will solve the issue when switching to a
> > > > non-root user via su. But it doesn't solve the issue when running
> > > > 'make assets' as root. They are actually different issues as above.
> > >
> > > Can one need specify a XDG_RUNTIME_DIR that actually exists, maybe?
> > > Does that work?
> >
> > I guess I need to clarify the issues more clearly.
> >
> > a) If we log in to the system as the non-root user, `/run/user/ID` is
> > created and XDG_RUNTIME_DIR is pointing to that correctly. So 'make
> > assets' works well.
> >
> > b) If we log in to the system as root, then switch to a non-root user
> > via 'su', 'make assets' fails due to Bug 967509. XDG_RUNTIME_DIR is
> > not reset and points to /run/user/(ID of the previous user), which is
> > /run/user/0.
> >
> >     libguestfs: error: could not connect to libvirt (URI = qemu:///session): Cannot create user runtime directory '/run/user/0/libvirt': Permission denied [code=38 int1=13]
> >
> > Switching the user with 'machinectl shell --uid=$user' can solve the issue.
> >
> > c) If we run 'make assets' as root (no matter whether we just log in as
> > root, or switch to root via su or machinectl shell), 'make assets'
> > always fails with a different error.
> >
> >     libguestfs: error: could not create appliance through libvirt.
> >     Original error from libvirt: Cannot access storage file '/home/pat/tmp/t5-passt/test/prepared-debian-10-nocloud-amd64.qcow2' (as uid:107, gid:107): Permission denied [code=38 int1=13]
> >
> > The XDG_RUNTIME_DIR is no longer an issue, since root can access every
> > directory under /run/user. I guess the problem here is that we just
> > can't run 'virsh edit' as root.
>
> I'm guessing the problem here is that something in the libguestfs -> libvirt
> -> whatever chain is dropping capabilities, so it no longer has
> permission to everything.  Or if the home directory there is mounted
> via NFS or something, it can be that root doesn't actually have
> permission to everything.

Yeah, probably. The workaround proposed is not for root. That's why I
couldn't proceed with:

    * Don't run the tests as root, it's not needed!
    * If you really need to, note that ...

>
> > >
> > > > Maybe we can just put it like:
> > > >
> > > >     Running the commands as root is just not allowed.  If you log in
> > > >     to the system as root, don't use su to switch users due to [Bug
> > > >     967509](https://bugzilla.redhat.com/show_bug.cgi?id=967509). Log out
> > > >     and log back in as the intended user, or use 'machinectl shell
> > > >     --uid=$user'.
> > > >
> > > > What do you think?
> > >
> > > Well, it's free software, so "not allowed" doesn't really mean much.
> > >
> > > I would simply warn users that it's a bad idea and it's not needed,
> > > something like my previous proposal:
> > >
> > >   * Don't run the tests as root, it's not needed!
> > >   * If you really need to, note that ...
> > >
> > > and then just list the workaround that actually works.
> > >
> > > I think the most typical need for running things as root is that you
> > > don't actually have other users (it happens with some VM images or
> > > in embedded systems), so 'machinectl shell --uid=$user' won't really
> > > help there.
> >
> > Well, I have to admit that I usually do everything with root on my
> > test machines. And I don't see a solution/workaround to fix the issue
> > when running 'make assets' as root as in c). The workaround proposed is
> > just for those who log in as root and switch to a non-root user to
> > run the tests.
>
> For many sorts of tests on throwaway machines, that's pretty
> reasonable.  Testing passt we specifically want to test that it
> operates as non-root, so I'd suggest you tweak your procedures for
> grabbing a test machine so that you routinely create a user.
>

Thank you for the suggestion.  I've created a user for my test machine
and log in with it every time so I don't hit more permission issues :D

> --
> David Gibson (he or they)       | I'll have my music baroque, and my code
> david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
>                                 | around.
> http://www.ozlabs.org/~dgibson



-- 
Thanks,

Yumei Huang
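
The three cases (a), (b) and (c) listed in the message above can be told apart before `make assets` is run. The following is an added example, not code from this thread or from passt; `classify_runtime_dir` and `preflight` are hypothetical names, and the `/run/user/<uid>` layout is assumed from the paths quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the passt test suite.
# Assumes the systemd-logind layout /run/user/<uid> seen in the thread.

# classify_runtime_dir UID XDG_DIR [BASE]
# Prints one of: root, unset, stale, missing, ok.
# BASE defaults to /run/user; it is a parameter only so the function can be
# exercised against constructed directories.
classify_runtime_dir() {
    uid=$1; xdg=$2; base=${3:-/run/user}
    if [ "$uid" -eq 0 ]; then
        echo root        # case (c): running as root
    elif [ -z "$xdg" ]; then
        echo unset       # no session set the variable at all
    elif [ "$xdg" != "$base/$uid" ]; then
        echo stale       # case (b): value inherited from the previous user
    elif [ ! -d "$xdg" ] || [ ! -w "$xdg" ]; then
        echo missing     # right path, but no usable directory behind it
    else
        echo ok          # case (a): proper login session
    fi
}

# preflight: returns 0 only when it is safe to go on to 'make assets'.
preflight() {
    state=$(classify_runtime_dir "$(id -u)" "${XDG_RUNTIME_DIR:-}")
    case $state in
        ok)      return 0 ;;
        root)    echo "running as root: create and use a regular user" >&2 ;;
        unset)   echo "XDG_RUNTIME_DIR is not set" >&2 ;;
        stale)   echo "XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR is not /run/user/$(id -u)" >&2 ;;
        missing) echo "$XDG_RUNTIME_DIR is missing or not writable" >&2 ;;
    esac
    echo "log in as the test user, or use: machinectl shell --uid=USER" >&2
    return 1
}

# Constructed inputs mirroring cases (b) and (c) from the thread.
classify_runtime_dir 1000 /run/user/0    # non-root uid, root's directory
classify_runtime_dir 0 /run/user/0       # root
```

Sourced from a wrapper, `preflight && make assets` stops early with a one-line reason in place of the libvirt errors quoted in the thread.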

