Infrastructure | Run CI containers with --cap-add SYS_PTRACE (#370)



Title: GitLab

Michael Catanzaro created an issue #370:

For the past couple of months, we've needed privileged runners to run tests with asan. It seems to be a regression caused by changes to the container system the CI runs in. It means that contributors who are not members of the GNOME project are unable to run CI for any projects that use asan, because such projects have to use CI tags to ensure they run only on privileged runners, and we have no privileged runners available to non-GNOME members. This is very frustrating because it means I have to manually clone each contributor's repo, check out the source branch, and push it to the upstream repo in order to trigger a CI run.

@ptomato and I are both getting rather fed up. Apparently gjs and glib-networking are the only projects that are using asan CI currently, which is very concerning because asan is really required to be confident in the safety of our code. Ideally every GNOME project would run tests under asan, but requiring privileged runners discourages that.

Note that asan does not require any special privileges on normal desktop systems. This problem is specific to our CI runners because asan requires ptrace and docker does not allow ptrace. StackOverflow says it can be fixed by using docker run .... --cap-add SYS_PTRACE. Can we try that?
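As an added example that is not part of the issue or of the gjs/glib-networking CI configuration: the claim that the container has no ptrace capability can be checked from inside a CI job by decoding the effective-capability mask the kernel exposes in /proc/&lt;pid&gt;/status, rather than inferred from asan failing. The two sample masks below are constructed: the first is Docker's default capability set on a 64-bit host, the second is that set with CAP_SYS_PTRACE (bit 19) added, which is what `--cap-add SYS_PTRACE` yields.

```sh
#!/bin/sh
# Added example, not code from the GNOME issue, gjs or glib-networking:
# read the effective-capability mask a process sees and report whether
# CAP_SYS_PTRACE is in it, so "docker does not allow ptrace" can be
# verified inside a CI job instead of guessed from asan's behaviour.

# CAP_SYS_PTRACE is bit 19 of the kernel capability mask (linux/capability.h).
CAP_SYS_PTRACE_BIT=19

# has_cap_sys_ptrace MASK
#   MASK is the 64-bit hex value from the "CapEff:" line of
#   /proc/<pid>/status. Succeeds (exit 0) when the SYS_PTRACE bit is set.
has_cap_sys_ptrace() {
    [ $(( 0x$1 >> CAP_SYS_PTRACE_BIT & 1 )) -eq 1 ]
}

# ptrace_status MASK
#   Prints "present" or "missing" for the given CapEff mask.
ptrace_status() {
    if has_cap_sys_ptrace "$1"; then
        echo present
    else
        echo missing
    fi
}

# current_capeff
#   Prints the CapEff mask of this very shell (inside or outside a container).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks. DEFAULT_DOCKER_CAPEFF is Docker's default
# capability set on a 64-bit host; PTRACE_DOCKER_CAPEFF is the same set
# with SYS_PTRACE added (bit 19 = 0x80000), i.e. after --cap-add SYS_PTRACE.
DEFAULT_DOCKER_CAPEFF=00000000a80425fb
PTRACE_DOCKER_CAPEFF=00000000a80c25fb

main() {
    echo "default docker mask:  $(ptrace_status "$DEFAULT_DOCKER_CAPEFF")"
    echo "--cap-add SYS_PTRACE: $(ptrace_status "$PTRACE_DOCKER_CAPEFF")"
    mask=$(current_capeff)
    echo "this process ($mask): $(ptrace_status "$mask")"
}

# Run main only when executed as check_ptrace.sh, so the functions can be
# sourced from another script without side effects.
case "$0" in
    *check_ptrace.sh) main ;;
esac
```

Running `current_capeff` inside a job that fails under asan shows directly whether the runner is handing out the default Docker mask. For GitLab Runner's Docker executor the equivalent of `docker run --cap-add SYS_PTRACE` is `cap_add = ["SYS_PTRACE"]` in the `[runners.docker]` section of the runner's config.toml, which grants only that one capability instead of the full `privileged = true` runner the issue complains about having to use.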

