
tests/ci: add SU_CMD for privilege escalation only when necessary
Abandoned, Public

Authored by guest-svmhdvn on Jul 14 2025, 3:05 PM.

Details

Reviewers
lwhsu
Summary

This patch allows us to run the ci-buildworld and ci-buildkernel targets
as NON_ROOT.

In the future, when we are able to build a release image as NON_ROOT,
this can be further improved by removing SU_CMD from the ci-buildimage
target.

This also implements the following minor fixes:

  • Add a .WAIT directive before ci-extractmeta to avoid racing with the ci-runtest target. This fixes the issue where ci-extractmeta runs immediately upon running 'make ci'.
  • Clean up as many temporary files as possible after they are no longer needed.

Signed-off-by: Siva Mahadevan <me@svmhdvn.name>
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

I don't think this is correct. Or the descriptions are correct. This will eventually require root privileges for the entire thing. This should be changed from the freebsd ci rc script like while starting the kyua test.

Rebased in v2.

> This should be changed from the freebsd ci rc script like while starting the kyua test

Just to clarify, this isn't related to the kyua test or rc script at all. It is just to allow a developer to run make ci from a non-privileged normal user, similar to how it works in the Ports collection if you were to run make install from a normal user. A developer can control which privilege escalation command they'd like to use, such as SU_CMD='doas sh -c' for me with security/doas.

This also helps control (and make visible) how much root is necessary while building or running the ci target. Once we are able to buildimage without root, this will help remove one more step that doesn't need root.

guest-svmhdvn edited the summary of this revision.

Narrowed down SU_CMD usage to only those exact commands that need it, rather than an entire make invocation. I will also be moving this patch to the top of the stack.
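
The pattern discussed in the comments above (prefix only the commands that need root with SU_CMD, for example SU_CMD='doas sh -c'), sketched as an added shell example; it is not code from this revision or from the FreeBSD tree. The helper names shquote, build_cmdline and priv, and the PRIV_UID override, are hypothetical.

```shell
#!/bin/sh
# Added illustration, not code from the FreeBSD tree.
# SU_CMD is a command prefix that takes ONE string to run as root,
# e.g. SU_CMD='doas sh -c' as quoted in the review.

# shquote: single-quote one argument so it survives the extra `sh -c` parse.
# (Trailing newlines in an argument are dropped by command substitution.)
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_cmdline: join "$@" into one shell-safe string for `$SU_CMD <string>`.
build_cmdline() {
    line=
    for arg in "$@"; do
        line="${line:+$line }$(shquote "$arg")"
    done
    printf '%s' "$line"
}

# priv: run "$@" as root, escalating only when not already root.
# PRIV_UID is a hypothetical override of the detected uid, for testing.
priv() {
    if [ "${PRIV_UID:-$(id -u)}" -eq 0 ]; then
        "$@"                          # already root: no wrapper needed
    elif [ -n "${SU_CMD:-}" ]; then
        echo "escalating: $*" >&2     # every use of root shows up in the log
        # SU_CMD is deliberately unquoted: it is a command plus its options.
        $SU_CMD "$(build_cmdline "$@")"
    else
        echo "priv: not root and SU_CMD is unset: $*" >&2
        return 1
    fi
}

# Usage in a build step: only the privileged command goes through priv, e.g.
#   priv install -m 0644 constructed.conf /constructed/etc/
```

Because the wrapper hands the whole command to a second shell as one string, each argument is quoted before it is joined; without that, a path containing spaces or shell metacharacters would be re-parsed with root privileges.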

Upon further testing, I am closing this for now and will revisit this change later. For some reason, running the CI test suite with this change causes a large chunk of the sbin/ping test suite to fail with ping: ssend socket: operation not permitted. I think it has something to do with the make distribution or make installworld step being run as non-root.

This patch is not necessary right now; however, I will cherry-pick the .WAIT fix into a new review and submit that as part of the stack.