Hi Reiner, thanks for your reply!

Reiner Herrmann wrote on 21/06/2022:
> Control: severity -1 wishlist
>
> Hi Paride,
>
> On Tue, Jun 21, 2022 at 10:30:41PM +0200, Paride Legovini wrote:
>> The smoke-tests autopkgtest fails in containers (at least in LXD
>> unprivileged containers) as the tests call mknod to create device
>> files, and that's not permitted in such environment.
>
> Is this documented somewhere that mknod is not permitted by autopkgtest
> runners other than isolation-machine?
> In my opinion using containers does not imply that devices can't get
> created, and using isolation-machine does not imply that creating
> devices is successful (as they could also be configured nodev or so).
> So it seems to be an orthogonal problem to me, that is not really solved
> by choosing a different isolation method.

Well, as I understand it the difference is made by the container being
privileged vs. non-privileged. In a non-privileged container the root
user within the container is mapped to non-root outside the container,
and therefore can't create device files. By default LXD containers are
non-privileged.

Unfortunately we don't have an isolation-privileged-container
restriction for autopkgtests, we only have isolation-machine, where it
can't be that devices can't be created. You could have partitions
mounted as nodev, but not /dev, and the autopkgtest failure we're seeing
on armhf is:

> Error: cannot create /dev/zero device: Operation not permitted

However I agree isolation-machine is a big hammer to ensure that devices
can be created.

> Yes, I moved the failing tests out of the "smoke-tests" set again, in
> the hope that it will pass on Ubuntu, while still being sufficient to find
> some regressions.
> That change is already in 0.9.70-1 (so they are allowed to fail in the
> "simple-tests" set, which is marked flaky), but I have no idea why it did
> not get picked up by Ubuntu.

This I can explain: the Ubuntu package now has a delta, see this diff:

https://launchpadlibrarian.net/591990408/firejail_0.9.68-3_0.9.68-3ubuntu1.diff.gz

which means that the package won't sync automatically anymore. I think
the delta could be removed if the relevant test is declared
skip-not-installable. However I don't know how it's going to behave now
that firefox is a transitional package installing the snap...

> I don't intend to mark additional tests as isolation-machine, as they
> are then not getting run on Debian's test runners, where they are passing
> and are useful to find regressions.

Admittedly I didn't realize this: the Ubuntu testbed systems allow
isolated-machine tests. You're perfectly right in not taking my
suggestion as-is then.

> But it's probably also no longer needed, as the problematic tests are
> now in a "flaky" test set, while the remaining ones in the "smoke-tests"
> set should run fine also on Ubuntu's runners.

I'll take care of merging 0.9.70-1 in Ubuntu, keeping the aforementioned
delta. If you end up adding skip-not-installable (or any other
workaround for the lack of firefox package on some Ubuntu archs) feel
free to ping me and I'll bring the package back in sync, so it will also
auto-sync in the future.

Thanks!

Paride
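Added example, not part of the original message or of the firejail packaging: a shell helper a test script could use to detect the UID remapping described above (root inside the container mapped to non-root outside) by reading the kernel's uid_map, and skip mknod-based tests in that case. The function names and the sample maps are constructed for illustration; an identity mapping is only a heuristic, since mknod can still fail for other reasons (dropped capabilities, nodev mounts).

```shell
#!/bin/sh
# Added example: decide whether a test that calls mknod is worth running,
# based on the user-namespace UID map of the current process.

# root_host_uid MAPFILE
# Print the UID in the parent namespace that UID 0 inside maps to,
# or "unmapped" if no line of the map covers UID 0.
# Each uid_map line is: <first-id-inside> <first-id-outside> <length>
root_host_uid() {
    awk '
        $1 == 0 && $3 > 0 { print $2; found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# mknod_likely_permitted MAPFILE
# Succeeds only when root inside the namespace is also UID 0 outside it.
# Remapped root (unprivileged container) fails this check.
mknod_likely_permitted() {
    [ "$(root_host_uid "$1")" = "0" ]
}

# sample_map KIND
# Constructed uid_map contents: "host" is the identity map seen outside any
# user namespace, "unprivileged" is a remapped range (values are made up).
sample_map() {
    case "$1" in
        host)         printf '         0          0 4294967295\n' ;;
        unprivileged) printf '         0    1000000 1000000000\n' ;;
    esac
}

# check_testbed [MAPFILE]
# Print "run" or "skip" for device-creating tests; defaults to the live map.
check_testbed() {
    map=${1:-/proc/self/uid_map}
    if mknod_likely_permitted "$map"; then
        echo "run"
    else
        echo "skip"
    fi
}
```

Calling `check_testbed` with no argument inspects the testbed the script is running in.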