From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: using sudo?, Re: [PATCH v2 8/8] test/py: efi_secboot: add test for intermediate certificates
Date: Thu, 9 Jul 2020 14:33:49 +0900
Message-ID: <20200709053349.GA13985@laputa>
In-Reply-To: <20200709031526.GT1306@bill-the-cat>
Tom,
On Wed, Jul 08, 2020 at 11:15:26PM -0400, Tom Rini wrote:
> On Thu, Jul 09, 2020 at 09:58:03AM +0900, AKASHI Takahiro wrote:
>
> > Hi Tom,
> >
> > I'd like to make sure of your policy about usage of "sudo" on CI.
> > Do you think that we should always avoid using "sudo" in testing?
> >
> > I remember that you had allowed us to run sudo in (python)
> > test scripts on Travis CI when I requested this (for FAT filesystem?).
>
> So, the best practices at this time are to have the code try and use
> guestmount (or similar tools) when possible and fall back to sudo, as
> Ubuntu breaks guestmount (and similar tools) by default.

See the command log (on my Ubuntu 19.10) below:
===8<===
<< try 1 >>
tmp$ mkdir tmpdir
tmp$ virt-make-fs -t vfat -s +1M --partition=gpt ./tmpdir tmp.img
libguestfs: error: /usr/bin/supermin exited with error status 1.
To see full error messages you may need to enable debugging.
Do:
export LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1
and run the command again. For further information, read:
http://libguestfs.org/guestfs-faq.1.html#debugging-libguestfs
You can also run 'libguestfs-test-tool' and post the *complete* output
into a bug report or message to the libguestfs mailing list.
<< try 2 >>
tmp$ LIBGUESTFS_DEBUG=1 virt-make-fs -t vfat -s +1M --partition=gpt ./tmpdir tmp.img
...
supermin: kernel: kernel_version 5.3.0-62-generic
supermin: kernel: modpath /lib/modules/5.3.0-62-generic
cp: cannot open '/boot/vmlinuz-5.3.0-62-generic' for reading: Permission denied
supermin: cp -p '/boot/vmlinuz-5.3.0-62-generic' '/var/tmp/.guestfs-1000/appliance.d.op62psoy/kernel': command failed, see earlier errors
libguestfs: error: /usr/bin/supermin exited with error status 1, see debug messages above
...
<< try 3 >>
tmp$ sudo chmod a+rw /boot/vmlinuz-5.3.0-62-generic
tmp$ LIBGUESTFS_DEBUG=1 virt-make-fs -t vfat -s +1M --partition=gpt ./tmpdir tmp.img
...
tmp$ ls -l tmp.img
-rw-r--r-- 1 akashi akashi 1341440 Jul 9 13:50 tmp.img
===>8===
As you can see, virt-make-fs will fail on *standard* Ubuntu.
You have to change the permission of the current kernel's binary.
While I can't make sure, we will have the same issue with guestmount
as it will also create a minimum virtual machine before execution.

What does it mean?
You must change the permission every time you re-install the OS
or re-bump the kernel version. Obviously, I can't do that from my own
test script (without sudo).

So if you don't have any way (or workaround) to deal with it,
libguestfs-tools or guestmount cannot be a solution here.
-Takahiro Akashi
> --
> Tom
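
A preflight check for the policy discussed in this message (use libguestfs when it can work, otherwise fall back to sudo), as an added example that is not part of the original e-mail or of U-Boot's test code. The names `kernel_image_path`, `choose_backend`, `which` and `can_read` are hypothetical, and the check assumes the kernel image is `/boot/vmlinuz-<release>` for the running kernel, as in the log above.

```python
import os
import platform
import shutil
import stat


def kernel_image_path(release=None, boot_dir="/boot"):
    """Path of the kernel image supermin tried to copy in the log above."""
    # Assumption: the image is named vmlinuz-<release>, as on the Ubuntu host shown.
    return os.path.join(boot_dir, "vmlinuz-" + (release or platform.release()))


def choose_backend(release=None, boot_dir="/boot", tool="virt-make-fs",
                   which=shutil.which,
                   can_read=lambda p: os.access(p, os.R_OK)):
    """Return (backend, reason); backend is 'libguestfs' or 'sudo'.

    which and can_read are injectable so the decision can be tested
    without touching the real /boot (hypothetical helper, not U-Boot code).
    """
    if which(tool) is None:
        return "sudo", "%s is not installed" % tool
    image = kernel_image_path(release, boot_dir)
    if not os.path.isfile(image):
        return "sudo", "%s not found" % image
    if not can_read(image):
        # Report the mode so the CI log shows why libguestfs was skipped.
        mode = stat.filemode(os.stat(image).st_mode)
        return "sudo", "%s is %s, unreadable for uid %d" % (image, mode, os.getuid())
    return "libguestfs", "%s is readable" % image


if __name__ == "__main__":
    backend, reason = choose_backend()
    print("image backend: %s (%s)" % (backend, reason))
```

Running the check before building the image lets a test pick its path up front and record the reason, rather than failing inside supermin.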