[PATCH kdevops 0/4] kdevops: make trixie default

[PATCH kdevops 0/4] kdevops: make trixie default

[Luis Chamberlain]

Debian lacks its own directory index which can be used for guestfs. They
should add one, though as support in kdevops shows, only a few minor things
are needed, and since kdevops has figured out what those things are, it should
be easy to use virt-builder on the backend on daily debian images for any
release but in particular for debian 13 (trixie) which kdevops cares about
a lot since we use it heavily for automated tests.

I recently noted also that as we're ramping up kdevops kernel-CI integration
with Meta's kernel-patch-daemon [0] for patchwork, we *want* to really get
a squeeky clean experience for using debian testing. Development on that
front has shown github likes to pretend that Ubuntu is the center of
the Linux testing universe and because that it makes using github actions using
github runners simply useless for kernel hacking [1]. To this end we need to
start drawing up security policies to allow us to use and leverage any Linux
distribution a developer prefers to use, for us to leverage a secure way to use
self-hosted runners.

To reduce bringup make debian trixie the default. This should reduce many
bringup times. Although debian trixie hasn't been default for a while, many
systems we've been testing for XFS testing / sysbench have been leveraging
debian 13 with an upgrade when CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST
is enabled (debian host on trixie, /etc/apt/sources.list detected to be a local
mirror, and guest is debian 12), and so in practice we've already have been
testing trixie for a while now.

This just makes bringup faster.

But debian maintainers:  could we please see if perhaps debian can leverage our
findings to host official debian guestfs virt-builder images? kdevops shows
what's needed to be done using existing images.

[0] https://github.com/facebookincubator/kernel-patches-daemon
[1] https://lore.kernel.org/kdevops/CAB=NE6VKWSkv1JZ_Z2LKq4o7+JBkKc6u8Wa1zxxBnGHOG4BgjA@mail.gmail.com/T/#u

Luis Chamberlain (4):
  guestfs: make trixie generic image the default
  guestfs: fix uefi boot for debian trixie
  guestfs: fix trixie bringup
  guestfs: make debian trixie default

 kconfigs/Kconfig.guestfs                      | 16 +++++++++---
 .../gen_nodes/templates/guestfs_q35.j2.xml    |  2 +-
 scripts/bringup_guestfs.sh                    | 25 +++++++++++++++++++
 workflows/linux/Kconfig                       |  2 +-
 4 files changed, 40 insertions(+), 5 deletions(-)

-- 
2.43.0

[PATCH kdevops 1/4] guestfs: make trixie generic image the default

[Luis Chamberlain]

The cloud image lacks 9p fs support so can't be used for
kernel hacking on kdevops unless you don't want to use 9p fs..
So while at it codify all this by disabling bootlinux 9p support
if the user selects that image.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 kconfigs/Kconfig.guestfs | 14 ++++++++++++--
 workflows/linux/Kconfig  |  2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs
index 742781abcddc..da2f5e3961d7 100644
--- a/kconfigs/Kconfig.guestfs
+++ b/kconfigs/Kconfig.guestfs
@@ -10,6 +10,9 @@ config GUESTFS_REQUIRES_UEFI
 	bool
 	output yaml
 
+config GUESTFS_LACKS_9P
+	bool
+
 config GUESTFS_CUSTOM_RAW_IMAGE_URL
 	depends on GUESTFS_HAS_CUSTOM_RAW_IMAGE
 	depends on GUESTFS_HAS_CUSTOM_RAW_IMAGE_URL
@@ -111,19 +114,26 @@ if GUESTFS_DEBIAN_TRIXIE
 
 choice
 	prompt "Debian trixie flavor"
-	default GUESTFS_DEBIAN_TRIXIE_GENERIC_CLOUD_AMD64
+	default GUESTFS_DEBIAN_TRIXIE_GENERIC_AMD64
 
 config GUESTFS_DEBIAN_TRIXIE_GENERIC_AMD64
 	bool "debian-13-generic-amd64-daily"
 	help
 	  Should run in any environment using cloud-init, for e.g. OpenStack,
-	  DigitalOcean and also on bare metal.
+	  DigitalOcean and also on bare metal. This is the image you should
+	  try to use and stick to for kernel testing.
 
 config GUESTFS_DEBIAN_TRIXIE_GENERIC_CLOUD_AMD64
 	bool "debian-13-genericcloud-amd64-daily"
 	help
 	  Similar to generic. Should run in any virtualised environment. Is
 	  smaller than generic by excluding drivers for physical hardware.
+	  Note that the 9p client filesystem module will not be available to
+	  you with this image and so you cannot leverage 9p for building
+	  Linux on the host. This image also requires a EFI boot loader
+	  and secure boot is enabled by default which means your custom
+	  kernels will need to be signed and this plumbing is not supported
+	  yet so you are on your own.
 
 config GUESTFS_DEBIAN_TRIXIE_NOCLOUD_AMD64
 	bool "debian-13-nocloud-amd64-daily"
diff --git a/workflows/linux/Kconfig b/workflows/linux/Kconfig
index 8b1dfd3b25c7..b51d8ee3fb3d 100644
--- a/workflows/linux/Kconfig
+++ b/workflows/linux/Kconfig
@@ -38,7 +38,7 @@ endif # HAVE_SUPPORTS_PURE_IOMAP
 
 config BOOTLINUX_9P
 	bool "Use 9p to build Linux"
-	depends on LIBVIRT
+	depends on LIBVIRT && !GUESTFS_LACKS_9P
 	default LIBVIRT
 	help
 	  This will let you choose use 9p to build Linux. What this does is
-- 
2.43.0

[PATCH kdevops 2/4] guestfs: fix uefi boot for debian trixie

[Luis Chamberlain]

When UEFI boot is needed on an image we should disable secure boot
as we're doing kernel hacking and want to make kernel building and
booting fast & furious. Doing kernel signing is tedious for CI testing
of kernels when doing kernel hacking. If folks want to add support
later for it, they can but let's not break kernel hacking. Without
this we fail to boot custom kernels with:

Bad shim signature

The reason is secure boot is enabled.

When readonly is not specified, the guest operating system may be able
to modify the firmware during runtime. This is usually not desirable for
UEFI binaries, so explicitly set readonly='yes' to protect the
integrity of the firmware.

Only debian trixie selects guestfs_requires_uefi so that's the only
distribution we're fixing here. This should not regress anything
otherwise.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
index dd2e7d39097c..adaba9188767 100644
--- a/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
+++ b/playbooks/roles/gen_nodes/templates/guestfs_q35.j2.xml
@@ -6,7 +6,7 @@
 {% if guestfs_requires_uefi %}
   <os firmware='efi'>
      <type arch='x86_64' machine='q35'>hvm</type>
-     <loader secure='yes'/>
+     <loader readonly='yes' secure='no'/>
      <boot dev='hd'/>
   </os>
 {% else %}
-- 
2.43.0

[PATCH kdevops 3/4] guestfs: fix trixie bringup

[Luis Chamberlain]

We have a series of fixups needed to the default generic debian 13
trixie image:

 - kdevops has support for default heuristic when debian is detected
   on the host, and if your host has an /etc/apt/sources.list with
   a hop 1 to the servers, we infer that you are using a local mirror
   for debian. *If* the host and guest match distributions or at
   least we feel confident in the upgrade process (upgrading buster
   to trixie on the guest) then we by default enable leveraging the
   host's sources.list file onto the guest so the guest can also
   save bandwidth. This works nicely. However trixie uses an
   /etc/nsswitch.conf like this:

      files myhostname resolve [!UNAVAIL=return] dns

  This will prevent using dns from finding the 1 hop server on
  /etc/apt/sources.list. To fix this enable dns to be used for
  host son trixie.

 - cloud-init is not used by us and so we should just stop
   it, otherwise we may timeout on some random clout init
   guess work.

 - setup locales for LANG=en_US.UTF-8, we can later add variability
   if folks want it

 - restart ssh as in practice I've seen issues on bringup and timeouts

 - Be sure to remove the distro's /etc/apt/sources.list.d/debian.sources
   if CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST is enabled
   (as explained above).

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 scripts/bringup_guestfs.sh | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/scripts/bringup_guestfs.sh b/scripts/bringup_guestfs.sh
index d09ae64dcaea..16bfa7a6c805 100755
--- a/scripts/bringup_guestfs.sh
+++ b/scripts/bringup_guestfs.sh
@@ -233,6 +233,31 @@ firstboot-command systemctl stop ssh
 firstboot-command DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -p low --force openssh-server
 firstboot-command systemctl start ssh
 _EOT
+	# CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST will not work
+	# if etc/nsswitch.conf has a line like this:
+	#
+	# hosts:          files myhostname resolve [!UNAVAIL=return] dns
+	#
+	# We need DNS to be used so virb0 will be used for a DNS request
+	if [[ "$CONFIG_GUESTFS_DEBIAN_TRIXIE" == "y" ]]; then
+		cat <<_EOT >>$cmdfile
+edit /etc/nsswitch.conf:'s/^hosts:.*UNAVAIL=return.*dns/hosts: files myhostname resolve dns/'
+uninstall cloud-init
+write /etc/default/locale:LANG=en_US.UTF-8
+append-line /etc/default/locale:LANGUAGE=en_US:en
+write /etc/locale.gen:en_US.UTF-8 UTF-8
+firstboot-command locale-gen en_US.UTF-8
+firstboot-command update-locale LANG=en_US.UTF-8
+firstboot-command DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -p low --force locales
+firstboot-command systemctl stop ssh
+firstboot-command systemctl start ssh
+_EOT
+		if [[ "$CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST" == "y" ]]; then
+		cat <<_EOT >>$cmdfile
+delete /etc/apt/sources.list.d/debian.sources
+_EOT
+		fi
+	fi
 }
 
 USE_SUDO=""
-- 
2.43.0

[PATCH kdevops 4/4] guestfs: make debian trixie default

[Luis Chamberlain]

kdevops relies on rolling distributions. We've been stuck with
debian12 because that's what the virt-builder servers have and
it's a bit old for our taste in kernel hacking the latest and
greatest kernels.

Since we are now boosting efforts on CI kernel hacking testing,
we want to make bringup as fast as possible, and since the first
thing we typically want is the *latest and greatest* we tend to
sometimes upgrade a system on bringup. Even if we skip that,
buster 12 default is still a bit... old... and so to help speed
up bringup in both cases where we just want the latest debian
testing *or* an updated system, make debian 13 trixie the default
image now that we've fixed it.

Tested with:

make linux
make fstests

And we've been running tests on guests where the host is trixie and the
guest is debian 12 (buster) but then due to the host having a local apt
mirror, we rely on CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST to
do immediately do upgrades from debian 12 --> debian 13. And debian 13
has been tested for many of our workflows including the latest sysbench
workflow.

So all in all, debian trixie has been being tested for a while, it was
just this painful upgrade process we've had to deal with for a long
time.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 kconfigs/Kconfig.guestfs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs
index da2f5e3961d7..a804c8fce2fd 100644
--- a/kconfigs/Kconfig.guestfs
+++ b/kconfigs/Kconfig.guestfs
@@ -83,7 +83,7 @@ if GUESTFS_DEBIAN
 
 choice
 	prompt "Debian version"
-	default GUESTFS_DEBIAN_BUSTER
+	default GUESTFS_DEBIAN_TRIXIE
 
 config GUESTFS_DEBIAN_TRIXIE
 	bool "Debian 13 - Trixie"
-- 
2.43.0

Re: [PATCH kdevops 0/4] kdevops: make trixie default

[Luis Chamberlain]

Merged.

  Luis