From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Anthony PERARD <anthony.perard@vates.tech>
Cc: xen-devel@lists.xenproject.org,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [PATCH test-artifacts v3 03/13] Add debian rootfs artifact
Date: Wed, 15 Apr 2026 19:59:34 +0200
Message-ID: <ad_SBvYvvFmOspSQ@mail-itl>
In-Reply-To: <ad97jcRfLG7nXk29@l14>

On Wed, Apr 15, 2026 at 11:50:38AM +0000, Anthony PERARD wrote:
> I'm commenting on changes I found in the branch used by the pipeline
> linked in the cover letter, since there's no copy on the mailing list of
> the patch :-( (overzealous spam filter).
>
> > diff --git a/scripts/debian-rootfs.sh b/scripts/debian-rootfs.sh
> > new file mode 100755
> > index 000000000000..7cb8a96e39c0
> > --- /dev/null
> > +++ b/scripts/debian-rootfs.sh
> ...
> > +PKGS=(
> > + # System
> > + bridge-utils
> > + dropbear
> > + udev
> > + systemd-sysv
> > + iproute2
> > + inetutils-ping
> > + util-linux
> > + cpio
>
> Is `cpio` going to be used in dom0? The alpine rootfs doesn't have it.

Alpine does have it, via busybox. That said, I don't see it used in any
current test.

> > +# don't need persistent logging, avoid journal flush service
> > +rmdir var/log/journal
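
Review bot: `rmdir var/log/journal` uses a relative path, and in the quoted lines `cd /` only appears later under "# Create rootfs", so what gets removed depends on the working directory at this point; `rmdir` also returns non-zero when the directory is missing or not empty. Use an absolute path and state in the comment what should happen when the directory is absent, or set the journal storage explicitly in configuration so the result does not depend on the directory's presence.
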
>
> I think this would better be done with:
>
> cat >> /etc/systemd/journald.conf.d/storage.conf <<EOF
> [Journal]
> Storage=volatile
> EOF
>
> because I think systemd intends to change the behavior in a future release,
> and we are more explicit with a config file.

+1

> > +# Create rootfs
> > +cd /
> > +{
> > + PATHS="bin etc home init lib lib64 mnt opt root sbin srv tmp usr var"
> > + find $PATHS -print0
> > + echo -ne "dev\0proc\0run\0sys\0"
> > +} | cpio -0 -H newc -o | gzip > "${COPYDIR}/rootfs.cpio.gz"
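
Review bot: in the `{ find ...; echo ...; } | cpio -0 -H newc -o | gzip > ...` pipeline the shell acts on gzip's exit status only, unless `pipefail` is set, and these lines do not show it; a `find` error on a missing entry of `PATHS` or a `cpio` failure would still leave a `rootfs.cpio.gz` behind that looks valid. Run this step with `set -o pipefail` (together with errexit) or verify the archive after writing it. A comment saying that on-disk uid/gid are archived unchanged would also document the ownership choice made on the `cpio` line.
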
>
> You should add "-R0:0" to the `cpio` command, like we do for the alpine
> rootfs.

Hm, I'm not sure if that's a good idea. There are a few intentionally
non-root files in Debian. Right now that is:

-rw-r----- 1 root     42          496 Apr  1 01:08 etc/gshadow
-rw-r----- 1 root     42          564 Apr  1 01:08 etc/shadow
-rw-r----- 1 root     42          444 Apr  1 01:08 etc/gshadow-
-rw-r----- 1 root     42          565 Apr  1 01:08 etc/shadow-
-rwxr-sr-x 1 root     42        31256 Apr 19  2025 usr/bin/expiry
-rwxr-sr-x 1 root     42       113848 Apr 19  2025 usr/bin/chage
-rwsr-xr-- 1 root     printadm  51272 Mar  8  2025 usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwxr-sr-x 1 root     42        43256 Jun 29  2025 usr/sbin/unix_chkpwd
drwxr-xr-x 2 systemd- systemd-      0 Apr  1 01:08 var/lib/systemd/network
drwxr-xr-x 2 42       root          0 Apr  1 01:07 var/lib/apt/lists/auxfiles
drwx------ 2 42       root          0 Apr  1 01:07 var/lib/apt/lists/partial
drwxrwsr-x 2 root     mem           0 Sep  8  2025 var/mail
-rw-rw-r-- 1 root     43            0 Sep  8  2025 var/log/wtmp
-rw-rw-r-- 1 root     43            0 Sep  8  2025 var/log/lastlog
-rw-rw---- 1 root     43            0 Sep  8  2025 var/log/btmp
-rw-r----- 1 root     adm       31508 Apr  1 01:08 var/log/apt/term.log
drwx------ 2 42       root          0 Apr  1 01:08 var/cache/apt/archives/partial

While it _might_ not explode right now if we reset it to root, it may
cause issues in the future (for example APT likes to run downloads as
unprivileged user, with write access only to
/var/lib/apt/lists/partial).
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
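
An added example, not part of the original message or of the test-artifacts scripts: a small parser for the `newc` cpio format that lists the entries whose owner or group `-R0:0` would rewrite and flags set-id bits. The sample archive is constructed inline from three paths in the listing above plus a made-up root-owned `bin/sh`; all function names are hypothetical.

```python
import stat

MAGIC = b"070701"  # "newc" format, as written by `cpio -H newc`
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")
HDR_LEN = 6 + 8 * len(FIELDS)  # 110 bytes of ASCII hex

def pad4(n):
    """Bytes of NUL padding needed to reach the next 4-byte boundary."""
    return -n % 4

def newc_entry(name, mode, uid, gid, data=b""):
    """Build one newc record; used only to construct the sample below."""
    raw = name.encode() + b"\0"
    vals = dict.fromkeys(FIELDS, 0)
    vals.update(mode=mode, uid=uid, gid=gid, nlink=1,
                filesize=len(data), namesize=len(raw))
    out = MAGIC + b"".join(b"%08X" % vals[f] for f in FIELDS) + raw
    out += b"\0" * pad4(len(out))
    return out + data + b"\0" * pad4(len(data))

def parse_newc(buf):
    """Yield (name, mode, uid, gid) for every entry before TRAILER!!!."""
    off = 0
    while off + HDR_LEN <= len(buf):
        if buf[off:off + 6] != MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        hexes = (buf[off + 6 + 8 * i:off + 14 + 8 * i] for i in range(len(FIELDS)))
        f = dict(zip(FIELDS, (int(h, 16) for h in hexes)))
        name_end = off + HDR_LEN + f["namesize"]
        name = buf[off + HDR_LEN:name_end - 1].decode(errors="replace")
        if name == "TRAILER!!!":
            return
        yield name, f["mode"], f["uid"], f["gid"]
        data_start = name_end + pad4(name_end)
        off = data_start + f["filesize"] + pad4(f["filesize"])

def rewritten_by_R0(buf):
    """Entries whose uid/gid -R0:0 would change: (name, uid, gid, perms, set-id?)."""
    return [(n, u, g, stat.filemode(m), bool(m & (stat.S_ISUID | stat.S_ISGID)))
            for n, m, u, g in parse_newc(buf) if u or g]

# Constructed sample; file contents are dummies, bin/sh is not from the listing.
SAMPLE = b"".join([
    newc_entry("bin/sh", 0o100755, 0, 0, b"#!"),
    newc_entry("etc/shadow", 0o100640, 0, 42, b"root:*:\n"),
    newc_entry("usr/bin/chage", 0o102755, 0, 42, b"\x7fELF"),
    newc_entry("var/lib/apt/lists/partial", 0o040700, 42, 0),
    newc_entry("TRAILER!!!", 0, 0, 0),
])
```

For a real artifact, pass the result of `gzip.decompress()` on the contents of `rootfs.cpio.gz` to `rewritten_by_R0`.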