[PATCH for-4.22 0/4] CI: Disentangle hardware runner containers

[PATCH for-4.22 0/4] CI: Disentangle hardware runner containers

[Andrew Cooper]

... and fix archlinux as I happened to get around to it.

There's a query on patch 3 which affects how we proceed.

Andrew Cooper (4):
  CI: Fixes to containerize
  CI: Rename xenial-xilinx to xilinx-hw-runner
  CI: Introduce new qubes-hw-runner.dockerfile
  CI: Rework the archlinux container

 .../build/alpine/qubes-hw-runner.dockerfile   | 21 ++++++++
 .../build/archlinux/current-x86_64.dockerfile | 33 ++++++++++++
 automation/build/archlinux/current.dockerfile | 53 -------------------
 .../build/ubuntu/xenial-xilinx.dockerfile     | 27 ----------
 .../build/ubuntu/xilinx-hw-runner.dockerfile  | 32 +++++++++++
 automation/gitlab-ci/build.yaml               |  8 +--
 automation/gitlab-ci/containers.yaml          |  4 +-
 automation/gitlab-ci/test.yaml                |  6 +--
 automation/scripts/containerize               |  9 ++--
 9 files changed, 99 insertions(+), 94 deletions(-)
 create mode 100644 automation/build/alpine/qubes-hw-runner.dockerfile
 create mode 100644 automation/build/archlinux/current-x86_64.dockerfile
 delete mode 100644 automation/build/archlinux/current.dockerfile
 delete mode 100644 automation/build/ubuntu/xenial-xilinx.dockerfile
 create mode 100644 automation/build/ubuntu/xilinx-hw-runner.dockerfile

-- 
2.39.5

[PATCH 1/4] CI: Fixes to containerize

[Andrew Cooper]

These were missed from prior changes.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Doug Goldstein <cardoe@cardoe.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
---
 automation/scripts/containerize | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/automation/scripts/containerize b/automation/scripts/containerize
index 8bd2a847aac0..70494645e09f 100755
--- a/automation/scripts/containerize
+++ b/automation/scripts/containerize
@@ -27,8 +27,7 @@ case "_${CONTAINER}" in
     _alpine) CONTAINER="${BASE}/alpine:3.18" ;;
     _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;;
     _archlinux|_arch) CONTAINER="${BASE}/archlinux:current" ;;
-    _centos7) CONTAINER="${BASE}/centos:7" ;;
-    _fedora) CONTAINER="${BASE}/fedora:41-x86_64";;
+    _fedora) CONTAINER="${BASE}/fedora:43-x86_64";;
     _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;;
     _bookworm-ppc64le) CONTAINER="${BASE}/debian:12-ppc64le" ;;
     _trixie-ppc64le) CONTAINER="${BASE}/debian:13-ppc64le" ;;
@@ -42,13 +41,13 @@ case "_${CONTAINER}" in
     _bookworm-arm64v8) CONTAINER="${BASE}/debian:12-arm64v8" ;;
     _bookworm-cppcheck) CONTAINER="${BASE}/debian:12-arm64v8-cppcheck" ;;
     _trixie-arm64v8) CONTAINER="${BASE}/debian:13-arm64v8" ;;
-    _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-15.6-x86_64" ;;
+    _opensuse-leap|_leap) CONTAINER="${BASE}/opensuse:leap-16.0-x86_64" ;;
     _opensuse-tumbleweed|_tumbleweed) CONTAINER="${BASE}/opensuse:tumbleweed-x86_64" ;;
-    _xenial) CONTAINER="${BASE}/ubuntu:16.04-x86_64" ;;
     _bionic) CONTAINER="${BASE}/ubuntu:18.04-x86_64" ;;
     _focal)  CONTAINER="${BASE}/ubuntu:20.04-x86_64" ;;
     _jammy)  CONTAINER="${BASE}/ubuntu:22.04-x86_64" ;;
     _noble)  CONTAINER="${BASE}/ubuntu:24.04-x86_64" ;;
+    _resolute) CONTAINER="${BASE}/ubuntu:26.04-x86_64" ;;
 esac
 
 # Use this variable to control whether root should be used
-- 
2.39.5

[PATCH 2/4] CI: Rename xenial-xilinx to xilinx-hw-runner

[Andrew Cooper]

The container is tied to the runner, not a version of Ubuntu.  Intentionally
give it a generic name so it need not change in the future.

Apply standard cleanup to the dockerfile, except that it must continue to be a
root container to drive real hardware.  Explicitly install ca-certificates to
compensate for --no-install-recommends.

No practical change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Doug Goldstein <cardoe@cardoe.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
---
 .../build/ubuntu/xenial-xilinx.dockerfile     | 27 ----------------
 .../build/ubuntu/xilinx-hw-runner.dockerfile  | 32 +++++++++++++++++++
 automation/gitlab-ci/test.yaml                |  4 +--
 3 files changed, 34 insertions(+), 29 deletions(-)
 delete mode 100644 automation/build/ubuntu/xenial-xilinx.dockerfile
 create mode 100644 automation/build/ubuntu/xilinx-hw-runner.dockerfile

diff --git a/automation/build/ubuntu/xenial-xilinx.dockerfile b/automation/build/ubuntu/xenial-xilinx.dockerfile
deleted file mode 100644
index 6107d8b7711f..000000000000
--- a/automation/build/ubuntu/xenial-xilinx.dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-# syntax=docker/dockerfile:1
-FROM --platform=linux/amd64 ubuntu:16.04
-LABEL maintainer.name="The Xen Project " \
-      maintainer.email="xen-devel@lists.xenproject.org"
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV USER root
-
-RUN mkdir /build
-WORKDIR /build
-
-# board bringup depends
-RUN apt-get update && \
-    apt-get --quiet --yes install \
-        snmp \
-        snmp-mibs-downloader \
-        u-boot-tools \
-        device-tree-compiler \
-        cpio \
-        git \
-        gzip \
-        file \
-        expect \
-        && \
-        apt-get autoremove -y && \
-        apt-get clean && \
-        rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
diff --git a/automation/build/ubuntu/xilinx-hw-runner.dockerfile b/automation/build/ubuntu/xilinx-hw-runner.dockerfile
new file mode 100644
index 000000000000..1855b11af354
--- /dev/null
+++ b/automation/build/ubuntu/xilinx-hw-runner.dockerfile
@@ -0,0 +1,32 @@
+# syntax=docker/dockerfile:1
+FROM --platform=linux/amd64 ubuntu:16.04
+LABEL maintainer.name="The Xen Project"
+LABEL maintainer.email="xen-devel@lists.xenproject.org"
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN <<EOF
+#!/bin/bash
+    set -e
+
+    apt-get update
+
+    DEPS=(
+        ca-certificates
+        cpio
+        device-tree-compiler
+        expect
+        file
+        git
+        gzip
+        snmp
+        snmp-mibs-downloader
+        u-boot-tools
+    )
+
+    apt-get -y --no-install-recommends install "${DEPS[@]}"
+    rm -rf /var/lib/apt/lists/*
+EOF
+
+USER root
+WORKDIR /build
diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
index 1722800c1541..89760b24e63a 100644
--- a/automation/gitlab-ci/test.yaml
+++ b/automation/gitlab-ci/test.yaml
@@ -105,7 +105,7 @@
 .xilinx-arm64:
   extends: .test-jobs-common
   variables:
-    CONTAINER: ubuntu:xenial-xilinx
+    CONTAINER: ubuntu:xilinx-hw-runner
     LOGFILE: qemu-smoke-xilinx.log
     TEST_TIMEOUT_OVERRIDE: 120
   artifacts:
@@ -124,7 +124,7 @@
 .xilinx-x86_64:
   extends: .test-jobs-common
   variables:
-    CONTAINER: ubuntu:xenial-xilinx
+    CONTAINER: ubuntu:xilinx-hw-runner
     LOGFILE: xilinx-smoke-x86_64.log
     XEN_CMD_CONSOLE: "console=com2 com2=57600,8n1,0x2F8,4"
     TEST_BOARD: "crater"
-- 
2.39.5

[PATCH 3/4] CI: Introduce new qubes-hw-runner.dockerfile

[Andrew Cooper]

We want to make the build containers be non-root, but the hardware runner
needs to continue being root.  Split it out into a dedicated container.
Intentionally give it a generic name so it need not change in the future.

No practical change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Doug Goldstein <cardoe@cardoe.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>

I need to backport this patch to all trees (4.18 and later) before
alpine:3.18-arm64v8 can be converted to be be non-root.

In all other cases we've been renaming the containers to bypass this problem,
but alpine:3.18-arm64v8 is in the correct new form.

Alternatively, I could see about combining it with the Alpine update (which is
long overdue and needs doing).
---
 .../build/alpine/qubes-hw-runner.dockerfile   | 21 +++++++++++++++++++
 automation/gitlab-ci/test.yaml                |  2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 automation/build/alpine/qubes-hw-runner.dockerfile

diff --git a/automation/build/alpine/qubes-hw-runner.dockerfile b/automation/build/alpine/qubes-hw-runner.dockerfile
new file mode 100644
index 000000000000..0af17c6aabc6
--- /dev/null
+++ b/automation/build/alpine/qubes-hw-runner.dockerfile
@@ -0,0 +1,21 @@
+# syntax=docker/dockerfile:1
+FROM --platform=linux/arm64/v8 alpine:3.18
+LABEL maintainer.name="The Xen Project"
+LABEL maintainer.email="xen-devel@lists.xenproject.org"
+
+RUN apk --no-cache add bash
+
+RUN <<EOF
+#!/bin/bash
+    set -eu
+
+    DEPS=(
+          expect
+          openssh-client
+    )
+
+    apk add --no-cache "${DEPS[@]}"
+EOF
+
+USER root
+WORKDIR /build
diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
index 89760b24e63a..70bb4bbb3b45 100644
--- a/automation/gitlab-ci/test.yaml
+++ b/automation/gitlab-ci/test.yaml
@@ -145,7 +145,7 @@
   extends: .test-jobs-common
   variables:
     # the test controller runs on RPi4
-    CONTAINER: alpine:3.18-arm64v8
+    CONTAINER: alpine:qubes-hw-runner
     LOGFILE: smoke-test.log
     PCIDEV: "03:00.0"
     PCIDEV_INTR: "MSI-X"
-- 
2.39.5

[PATCH 4/4] CI: Rework the archlinux container

[Andrew Cooper]

Rename it to have an x86_64 suffix, updating the build job names and scheduled
rebuild task.

Apply standard cleanups.  Trim the package list down to what is actually
needed.  Archlinux's base-devel contains most libraries, but some of those
packages have never been dependenices for Xen, and a lot are QEMU dependenices
which aren't useful owing to the lack of the ninja package.

This shrinks the container from 533MB to 427MB.

No practical change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Anthony PERARD <anthony.perard@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Michal Orzel <michal.orzel@amd.com>
CC: Doug Goldstein <cardoe@cardoe.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
---
 .../build/archlinux/current-x86_64.dockerfile | 33 ++++++++++++
 automation/build/archlinux/current.dockerfile | 53 -------------------
 automation/gitlab-ci/build.yaml               |  8 +--
 automation/gitlab-ci/containers.yaml          |  4 +-
 automation/scripts/containerize               |  2 +-
 5 files changed, 40 insertions(+), 60 deletions(-)
 create mode 100644 automation/build/archlinux/current-x86_64.dockerfile
 delete mode 100644 automation/build/archlinux/current.dockerfile

diff --git a/automation/build/archlinux/current-x86_64.dockerfile b/automation/build/archlinux/current-x86_64.dockerfile
new file mode 100644
index 000000000000..bbd5fa72d2d6
--- /dev/null
+++ b/automation/build/archlinux/current-x86_64.dockerfile
@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1
+FROM --platform=linux/amd64 archlinux:base-devel
+LABEL maintainer.name="The Xen Project"
+LABEL maintainer.email="xen-devel@lists.xenproject.org"
+
+RUN <<EOF
+#!/bin/bash
+    set -eu
+
+    useradd --create-home user
+
+    pacman-key --init
+
+    DEPS=(
+        # Tools (general)
+        git
+        wget
+        # libxenguest dombuilder
+        lzo
+        # libacpi
+        iasl
+        # Python bindings
+        python-setuptools
+        # Golang bindings
+        go
+    )
+
+    pacman -S --refresh --sysupgrade --noconfirm --noprogressbar --needed "${DEPS[@]}"
+    pacman -S --clean --clean
+EOF
+
+USER user
+WORKDIR /build
diff --git a/automation/build/archlinux/current.dockerfile b/automation/build/archlinux/current.dockerfile
deleted file mode 100644
index a25702777204..000000000000
--- a/automation/build/archlinux/current.dockerfile
+++ /dev/null
@@ -1,53 +0,0 @@
-# syntax=docker/dockerfile:1
-FROM --platform=linux/amd64 archlinux:base-devel
-LABEL maintainer.name="The Xen Project" \
-      maintainer.email="xen-devel@lists.xenproject.org"
-
-RUN pacman-key --init
-
-RUN pacman -S --refresh --sysupgrade --noconfirm --noprogressbar --needed \
-        bzip2 \
-        cpio \
-        discount \
-        dtc \
-        e2fsprogs \
-        ghostscript \
-        git \
-        gnutls \
-        go \
-        iasl \
-        inetutils \
-        iproute \
-        libaio \
-        libcacard \
-        libgl \
-        libjpeg-turbo \
-        libnl \
-        libpng \
-        libseccomp \
-        net-tools \
-        nss \
-        perl \
-        pixman \
-        pkgconfig \
-        python \
-        python-setuptools \
-        sdl \
-        sdl2 \
-        spice \
-        spice-protocol \
-        # systemd for Xen < 4.19
-        systemd \
-        transfig \
-        usbredir \
-        wget \
-        xz \
-        yajl \
-        zlib \
-    && yes | pacman -S --clean --clean
-
-ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
-
-RUN useradd --create-home user
-USER user
-WORKDIR /build
diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
index acd4acf13138..9eda40dc6e57 100644
--- a/automation/gitlab-ci/build.yaml
+++ b/automation/gitlab-ci/build.yaml
@@ -523,16 +523,16 @@ alpine-3.18-clang-debug:
   variables:
     CONTAINER: alpine:3.18
 
-archlinux-gcc:
+archlinux-x86_64-gcc:
   extends: .gcc-x86-64-build
   variables:
-    CONTAINER: archlinux:current
+    CONTAINER: archlinux:current-x86_64
   allow_failure: true
 
-archlinux-gcc-debug:
+archlinux-x86_64-gcc-debug:
   extends: .gcc-x86-64-build-debug
   variables:
-    CONTAINER: archlinux:current
+    CONTAINER: archlinux:current-x86_64
   allow_failure: true
 
 debian-12-x86_64-gcc-ibt:
diff --git a/automation/gitlab-ci/containers.yaml b/automation/gitlab-ci/containers.yaml
index 8b702a1d8209..8e1c42a0c5a2 100644
--- a/automation/gitlab-ci/containers.yaml
+++ b/automation/gitlab-ci/containers.yaml
@@ -16,11 +16,11 @@
   after_script:
     - docker logout
 
-container-archlinux-current:
+container-archlinux-current-x86_64:
   extends:
     - .container-build-tmpl
   variables:
-    CONTAINER: "archlinux:current"
+    CONTAINER: "archlinux:current-x86_64"
 
 container-opensuse-tumbleweed-x86_64:
   extends:
diff --git a/automation/scripts/containerize b/automation/scripts/containerize
index 70494645e09f..f3c2b48b113f 100755
--- a/automation/scripts/containerize
+++ b/automation/scripts/containerize
@@ -26,7 +26,7 @@ BASE="registry.gitlab.com/xen-project/xen"
 case "_${CONTAINER}" in
     _alpine) CONTAINER="${BASE}/alpine:3.18" ;;
     _alpine-arm64v8) CONTAINER="${BASE}/alpine:3.18-arm64v8" ;;
-    _archlinux|_arch) CONTAINER="${BASE}/archlinux:current" ;;
+    _archlinux|_arch) CONTAINER="${BASE}/archlinux-x86_64:current" ;;
     _fedora) CONTAINER="${BASE}/fedora:43-x86_64";;
     _bullseye-ppc64le) CONTAINER="${BASE}/debian:11-ppc64le" ;;
     _bookworm-ppc64le) CONTAINER="${BASE}/debian:12-ppc64le" ;;
-- 
2.39.5

Re: [PATCH 3/4] CI: Introduce new qubes-hw-runner.dockerfile

[Marek Marczykowski-Górecki]

[-- Attachment #1: Type: text/plain, Size: 3124 bytes --]

On Tue, Jun 09, 2026 at 06:31:01PM +0100, Andrew Cooper wrote:
> We want to make the build containers be non-root, but the hardware runner
> needs to continue being root.  Split it out into a dedicated container.
> Intentionally give it a generic name so it need not change in the future.

I'd rather prefer to keep the alpine version in the container name, so
future container updates can be made without breaking stable branches. I
have a related patch for this at
https://gitlab.com/xen-project/people/marmarek/xen/-/commits/automation-linux?ref_type=heads,
but apparently not posted yet.

> No practical change.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Anthony PERARD <anthony.perard@vates.tech>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Michal Orzel <michal.orzel@amd.com>
> CC: Doug Goldstein <cardoe@cardoe.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> CC: Oleksii Kurochko <oleksii.kurochko@gmail.com>
> 
> I need to backport this patch to all trees (4.18 and later) before
> alpine:3.18-arm64v8 can be converted to be be non-root.

Converted? Since 3.18 is EOL for quite some time already, simply phase
it out slowly.

> In all other cases we've been renaming the containers to bypass this problem,
> but alpine:3.18-arm64v8 is in the correct new form.
> 
> Alternatively, I could see about combining it with the Alpine update (which is
> long overdue and needs doing).

Yeah, this.

> ---
>  .../build/alpine/qubes-hw-runner.dockerfile   | 21 +++++++++++++++++++
>  automation/gitlab-ci/test.yaml                |  2 +-
>  2 files changed, 22 insertions(+), 1 deletion(-)
>  create mode 100644 automation/build/alpine/qubes-hw-runner.dockerfile
> 
> diff --git a/automation/build/alpine/qubes-hw-runner.dockerfile b/automation/build/alpine/qubes-hw-runner.dockerfile
> new file mode 100644
> index 000000000000..0af17c6aabc6
> --- /dev/null
> +++ b/automation/build/alpine/qubes-hw-runner.dockerfile
> @@ -0,0 +1,21 @@
> +# syntax=docker/dockerfile:1
> +FROM --platform=linux/arm64/v8 alpine:3.18
> +LABEL maintainer.name="The Xen Project"
> +LABEL maintainer.email="xen-devel@lists.xenproject.org"
> +
> +RUN apk --no-cache add bash
> +
> +RUN <<EOF
> +#!/bin/bash
> +    set -eu
> +
> +    DEPS=(
> +          expect
> +          openssh-client
> +    )
> +
> +    apk add --no-cache "${DEPS[@]}"
> +EOF
> +
> +USER root
> +WORKDIR /build
> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
> index 89760b24e63a..70bb4bbb3b45 100644
> --- a/automation/gitlab-ci/test.yaml
> +++ b/automation/gitlab-ci/test.yaml
> @@ -145,7 +145,7 @@
>    extends: .test-jobs-common
>    variables:
>      # the test controller runs on RPi4
> -    CONTAINER: alpine:3.18-arm64v8
> +    CONTAINER: alpine:qubes-hw-runner
>      LOGFILE: smoke-test.log
>      PCIDEV: "03:00.0"
>      PCIDEV_INTR: "MSI-X"
> -- 
> 2.39.5
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]