Date: Wed, 24 Sep 2025 13:44:02 +1000
From: David Gibson
To: Yumei Huang
CC: Stefano Brivio, passt-dev@passt.top
Subject: Re: [PATCH] test: Update README.md
List-Id: Development discussion and patches for passt

On Wed, Sep 24, 2025 at 09:58:57AM +0800, Yumei Huang wrote:
> On Tue, Sep 23, 2025 at 6:32 PM Stefano Brivio wrote:
> >
> > On Tue, 23 Sep 2025 14:36:41 +0800
> > Yumei Huang wrote:
> >
> > > On Tue, Sep 23, 2025 at 4:03 AM Stefano Brivio wrote:
> > > >
> > > > On Mon, 22 Sep 2025 11:03:23 +0800
> > > > Yumei Huang wrote:
> > > >
> > > > > On Fri, Sep 19, 2025 at 5:58 PM Stefano Brivio wrote:
> > > > > >
> > > > > > On Fri, 19 Sep 2025 09:43:29 +0800
> > > > > > Yumei Huang wrote:
> > > > > >
> > > > > > > Signed-off-by: Yumei Huang
> > > > > > > ---
> > > > > > > test/README.md | 31 +++++++++++++++++++++++++++++--
> > > > > > > 1 file changed, 29 insertions(+), 2 deletions(-)
> > > >
> > > > > > > > > > diff --git a/test/README.md b/test/README.md > > > > > > > index 91ca603..e3e9d37 100644 > > > > > > > --- a/test/README.md > > > > > > > +++ b/test/README.md > > > > > > > @@ -32,7 +32,7 @@ Example for Debian, and possibly most Debia= n-based distributions: > > > > > > > git go iperf3 isc-dhcp-common jq libgpgme-dev libseccomp= -dev linux-cpupower > > > > > > > lm-sensors lz4 netavark netcat-openbsd psmisc qemu-efi-a= arch64 > > > > > > > qemu-system-arm qemu-system-misc qemu-system-ppc qemu-sy= stem-x86 > > > > > > > - qemu-system-x86 sipcalc socat strace tmux uidmap valgrind > > > > > > > + sipcalc socat strace tmux uidmap valgrind > > > > > > > > > > > > > > NOTE: the tests need a qemu version >=3D 7.2, or one that co= ntains commit > > > > > > > 13c6be96618c ("net: stream: add unix socket"): this change i= ntroduces support > > > > > > > @@ -81,7 +81,12 @@ The following additional packages are comm= only needed: > > > > > > > > > > > > > > ## Regular test > > > > > > > > > > > > > > -Just issue: > > > > > > > +Before running the tests, you need to prepare the required a= ssets: > > > > > > > + > > > > > > > + cd test > > > > > > > + make assets > > > > > > > + > > > > > > > +Then issue: > > > > > > > > > > > > > > ./run > > > > 
> > > > > > > > > > @@ -91,6 +96,28 @@ variable settings: DEBUG=3D1 enables debug= ging messages, TRACE=3D1 enables tracing > > > > > > > > > > > > > > PCAP=3D1 TRACE=3D1 ./run > > > > > > > > > > > > > > +**Note:** > > > > > > > + > > > > > > > +* It's recommended to run the commands as a non-root user. > > > > > > > + Due to [Bug 967509](https://bugzilla.redhat.com/show_bug.c= gi?id=3D967509), > > > > > > > + if you switch users with `su` or `sudo`, the directory `/r= un/user/ID` may > > > > > > > + not be created. In that case, `XDG_RUNTIME_DIR` will incor= rectly point to > > > > > > > + `/run/user/0` instead of `/run/user/ID`, which can cause e= rror.
> > > > > >
> > > > > > Thanks for the research, I wasn't aware of that, and recently spent
> > > > > > quite some time figuring that out (for other reasons):
> > > > > >
> > > > > > https://issues.redhat.com/browse/RHEL-70222
> > > > > >
> > > > > > in that case, XDG_RUNTIME_DIR was simply not set. Things were working
> > > > > > with 'machinectl shell' instead.
> > > > > >
> > > > > > At the same time: running this whole stuff as root sounds rather crazy,
> > > > > > unless it's a throw-away VMs with absolutely nothing important on it.
> > > > > >
> > > > > > That is, regardless of the issue with XDG_RUNTIME_DIR. I would maybe
> > > > > > make the wording stronger, something like:
> > > > > >
> > > > > > * Don't run the tests as root, it's not needed!
> > > > > > * If you really need to, note that ...
> > > > > >
> > > > > > > + **Workaround:** Log out and log back in as the intended us= er to ensure the > > > > > > > + correct runtime directory is set up.
> > > > > >
> > > > > > We could also suggest 'machinectl shell' if it's really needed for
> > > > > > whatever reason.
> > > > >
> > > > > I'm not sure how 'machinectl shell' works here. The error happens when
> > > > > running 'make assets',
> > > > > which calls 'prepare-distro-img.sh' script, which calls 'virsh edit'.
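Review bot: In the first hunk (Debian package list), dropping the second `qemu-system-x86` is a duplicate fix unrelated to the new `make assets` step and the root note, and the commit message is empty apart from the Signed-off-by. Suggest a short message body listing the three changes, or moving the duplicate removal into its own patch.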
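Review bot: In the Note added after `PCAP=1 TRACE=1 ./run`, "which can cause error" gives the reader nothing to match against, and the step that fails is `make assets` from the previous hunk, not `./run`. Suggest naming that step and quoting the symptom reported in this thread ("Cannot create user runtime directory '/run/user/0/libvirt': Permission denied"), and saying that ID is the numeric UID so the reader can compare `XDG_RUNTIME_DIR` against `/run/user/$(id -u)`. The **Workaround:** line could also list `machinectl shell --uid=$user`, which the thread reports as working for the `su` case.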
> > > >
> > > > Ah, I didn't know! So this is actually similar to
> > > > https://issues.redhat.com/browse/RHEL-70222.
> > > >
> > > > > If we run 'make assets' with root, the error is like this:
> > > > >
> > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qcow2
> > > > > libguestfs: error: could not create appliance through libvirt.
> > > > > Original error from libvirt: Cannot access storage file
> > > > > '/home/test/passt/test/prepared-debian-8.11.0-openstack-amd64.qcow2'
> > > > > (as uid:107, gid:107): Permission denied [code=38 int1=13]
> > > > >
> > > > > If we switch to a non-root user via 'su', the error is like this:
> > > > >
> > > > > ./prepare-distro-img.sh prepared-debian-8.11.0-openstack-amd64.qcow2
> > > > > libvirt: XML-RPC error : Cannot create user runtime directory
> > > > > '/run/user/0/libvirt': Permission denied
> > > > > libguestfs: error: could not connect to libvirt (URI =
> > > > > qemu:///session): Cannot create user runtime directory
> > > > > '/run/user/0/libvirt': Permission denied [code=38 int1=13]
> > > > > make: *** [Makefile:115: prepared-debian-8.11.0-openstack-amd64.qcow2] Error 1
> > > > >
> > > > > Do you mean to run 'make assets' with 'machinectl shell'? What's the
> > > > > exact cmd here? I tried this, seems not work.
> > > > >
> > > > > # machinectl shell --uid=$(id -u pat) .host
> > > > > /home/test/passt/test/make assets
> > > > > Connected to the local host. Press ^] three times within 1s to exit session.
> > > > >
> > > > > Connection to the local host terminated.
> > > >
> > > > No, I mean using 'machinectl shell' instead of 'su' (it's intended as a
> > > > replacement), that is:
> > > >
> > > > $ machinectl shell
> > > > # make assets
> > > >
> > > > ...because that one will set XDG_RUNTIME_DIR.
> > >
> > > Yes, 'machinectl shell' will solve the issue when switching to a
> > > non-root user via su.
> > > But it doesn't solve the issue when running
> > > 'make assets' as root. They are actually different issues as above.
> >
> > Can one need specify a XDG_RUNTIME_DIR that actually exists, maybe?
> > Does that work?
>
> I guess I need to clarify the issues more clearly.
>
> a) If we login the system with the non-root user, `/run/user/ID` is
> created and XDG_RUNTIME_DIR is pointing to that correctly. So 'make
> assets' works well.
>
> b) If we login the system with root, then switch to a non-root user
> via 'su', 'make assets' fails due to Bug 967509. XDG_RUNTIME_DIR is
> not reset and points to /run/user/(ID of the previous user), which is
> /run/user/0.
>
> libguestfs: error: could not connect to libvirt (URI =
> qemu:///session): Cannot create user runtime directory
> '/run/user/0/libvirt': Permission denied [code=38 int1=13]
>
> Switching the user with 'machinectl shell --uid=$user' can solve the issue.
>
> c) If we run 'make assets' as root, (no matter we just login with
> root, or switch to root via su or machinectl shell), 'make assets'
> always fails with a different error.
>
> libguestfs: error: could not create appliance through libvirt.
> Original error from libvirt: Cannot access storage file
> '/home/pat/tmp/t5-passt/test/prepared-debian-10-nocloud-amd64.qcow2'
> (as uid:107, gid:107): Permission denied [code=38 int1=13]
>
> The XDG_RUNTIME_DIR is no longer an issue, since root can access every
> directory under /run/user. I guess the problem here is that we just
> can't run 'virsh edit' as root.

I'm guessing the problem here is that something in the libguestfs ->
libvirt -> whatever chain is dropping capabilities, so it no longer
has permission to everything. Or if the home directory there is
mounted via NFS or something, there can be root doesn't actually have
permission to everything.

> >
> > > Maybe we can just put it like:
> > >
> > > Running the commands as root is just not allowed.
> > > If you login the system with root, don't use su to switch users
> > > due to [Bug 967509](https://bugzilla.redhat.com/show_bug.cgi?id=967509).
> > > Log out and log back in as the intended user, or use 'machinectl shell
> > > --uid=$user'.
> > >
> > > What do you think?
> >
> > Well, it's free software, so "not allowed" doesn't really mean much.
> >
> > I would simply warn users that it's a bad idea and it's not needed,
> > something like my previous proposal:
> >
> > * Don't run the tests as root, it's not needed!
> > * If you really need to, note that ...
> >
> > and then just list the workaround that actually works.
> >
> > I think the most typical need for running things as root is that you
> > don't actually have other users (it happens with some VM images or
> > in embedded systems), so 'machinectl shell --uid=$user' won't really
> > help there.
>
> Well, I have to admit that I usually do everything with root on my
> test machines. And I don't see a solution/workaround to fix the issue
> when running 'make assets' as root as c). The workaround proposed is
> just for those who login with root and switch to a non-root user to
> run the tests.

For many sorts of tests on throwaway machines, that's pretty
reasonable. Testing passt we specifically want to test that it
operates as non-root, so I'd suggest you tweak your procedures for
grabbing a test machine so that you routinely create a user.

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
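
The situations separated in this thread (root, XDG_RUNTIME_DIR left at /run/user/0 after `su`, and XDG_RUNTIME_DIR not set at all) can be told apart before `make assets` is run. The following is an added example, not part of the thread or of the passt tree; the function name `classify_session` and its return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the passt tree. classify_session and
# its return codes are hypothetical names chosen for this illustration.
#
# classify_session UID XDG_RUNTIME_DIR [BASE]
#   0  regular user, runtime dir is BASE/UID and is usable (case a)
#   1  uid 0: case c) in the thread, 'make assets' fails as root
#   2  XDG_RUNTIME_DIR unset: the RHEL-70222 situation
#   3  XDG_RUNTIME_DIR names another uid: case b), left over after 'su'
#   4  runtime dir missing or not writable
classify_session() {
    uid=$1
    xdg=${2%/}                 # tolerate one trailing slash
    base=${3:-/run/user}

    if [ "$uid" -eq 0 ]; then
        echo "uid 0: run the tests as a regular user"
        return 1
    fi
    if [ -z "$xdg" ]; then
        echo "XDG_RUNTIME_DIR is unset: start a real session for uid $uid"
        return 2
    fi
    if [ "$xdg" != "$base/$uid" ]; then
        echo "XDG_RUNTIME_DIR=$xdg does not belong to uid $uid"
        return 3
    fi
    if [ ! -d "$xdg" ] || [ ! -w "$xdg" ]; then
        echo "$xdg is missing or not writable"
        return 4
    fi
    echo "session ok for uid $uid"
    return 0
}

# Check the current shell. The fallback message keeps the exit status at 0,
# so the snippet can be sourced from a wrapper without aborting it.
classify_session "$(id -u)" "${XDG_RUNTIME_DIR:-}" ||
    echo "fix the session (log in as the user, or 'machinectl shell --uid=\$user') before 'make assets'" >&2
```

The optional third argument exists only so the check can be exercised against a scratch directory instead of the real /run/user.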