author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/tools/docker | |
parent | Initial commit. (diff) | |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/tools/docker')
-rw-r--r-- | testing/web-platform/tests/tools/docker/.bashrc | 4 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/Dockerfile | 110 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/README.md | 16 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/__init__.py | 0 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/commands.json | 25 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/frontend.py | 141 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/requirements.txt | 2 | ||||
-rwxr-xr-x | testing/web-platform/tests/tools/docker/retry.py | 56 | ||||
-rw-r--r-- | testing/web-platform/tests/tools/docker/seccomp.json | 798 | ||||
-rwxr-xr-x | testing/web-platform/tests/tools/docker/start.sh | 29 |
10 files changed, 1181 insertions, 0 deletions
diff --git a/testing/web-platform/tests/tools/docker/.bashrc b/testing/web-platform/tests/tools/docker/.bashrc
new file mode 100644
index 0000000000..bbe03c489a
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/.bashrc
@@ -0,0 +1,4 @@
+function xvfb_start() {
+ GEOMETRY="$SCREEN_WIDTH""x""$SCREEN_HEIGHT""x""$SCREEN_DEPTH"
+ xvfb-run --server-args="-screen 0 $GEOMETRY -ac +extension RANDR" $@
+}
diff --git a/testing/web-platform/tests/tools/docker/Dockerfile b/testing/web-platform/tests/tools/docker/Dockerfile
new file mode 100644
index 0000000000..73db146999
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/Dockerfile
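Review bot: `xvfb_start` in the .bashrc hunk passes `$@` unquoted to `xvfb-run`, so any argument containing spaces or glob characters is re-split before the wrapped command sees it; use `"$@"`. The same unquoted-expansion problem is in the start.sh hunk of this commit, where `${REMOTE}` and `${REF}` come from the script's arguments: `git remote add origin "${REMOTE}"` and `… origin "${REF}:task_head"` keep each value a single argument. `$GEOMETRY` sits inside the double-quoted `--server-args` string and is fine as written.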
@@ -0,0 +1,110 @@
+FROM ubuntu:20.04
+
+# No interactive frontend during docker build
+ENV DEBIAN_FRONTEND=noninteractive \
+ DEBCONF_NONINTERACTIVE_SEEN=true
+
+# General requirements not in the base image
+RUN apt-get -qqy update \
+ && apt-get -qqy install \
+ bridge-utils \
+ bzip2 \
+ ca-certificates \
+ curl \
+ dbus-x11 \
+ earlyoom \
+ fluxbox \
+ gdebi \
+ git \
+ glib-networking-services \
+ gstreamer1.0-plugins-bad \
+ gstreamer1.0-gl \
+ libosmesa6-dev \
+ libproxy1-plugin-webkit \
+ libvirt-daemon-system \
+ libvirt-clients \
+ libunwind8 \
+ libxcb-shape0-dev \
+ locales \
+ openjdk-8-jre-headless \
+ pulseaudio \
+ python3 \
+ python3-dev \
+ python3-pip \
+ software-properties-common \
+ qemu-kvm \
+ tzdata \
+ sudo \
+ unzip \
+ wget \
+ xvfb
+
+# Ensure all Python versions are available
+RUN apt-add-repository -y ppa:deadsnakes/ppa
+
+# Ensure a `python` binary exists
+RUN apt-get -qqy update \
+ && apt-get install -qqy python-is-python3
+
+# Installing just the deps of firefox and chrome is moderately tricky, so
+# just install the default versions of them, and some extra deps we happen
+# to know that chrome requires
+
+RUN apt-get -qqy install \
+ firefox \
+ libnss3-tools \
+ fonts-liberation \
+ indicator-application \
+ libappindicator1 \
+ libappindicator3-1 \
+ libdbusmenu-gtk3-4 \
+ libindicator3-7 \
+ libindicator7
+
+RUN apt-get -y autoremove
+
+RUN pip install --upgrade pip
+RUN pip install virtualenv
+
+ENV TZ "UTC"
+RUN echo "${TZ}" > /etc/timezone \
+ && dpkg-reconfigure --frontend noninteractive tzdata
+
+# Set the locale
+RUN locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN useradd test \
+ --shell /bin/bash \
+ --create-home \
+ && usermod -a -G sudo test \
+ && usermod -a -G libvirt test \
+ && usermod -a -G libvirt-qemu test \
+ && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
+ && echo 'test:secret' | chpasswd
+
+ENV SCREEN_WIDTH 1280
+ENV SCREEN_HEIGHT 1024
+ENV SCREEN_DEPTH 24
+ENV DISPLAY :99.0
+
+USER test
+
+WORKDIR /home/test
+
+# Remove information on how to use sudo on login
+RUN sudo echo ""
+
+RUN mkdir -p /home/test/artifacts
+RUN mkdir -p /home/test/bin
+
+ENV PATH="/home/test/bin:/home/test/.local/bin:${PATH}"
+
+WORKDIR /home/test/
+
+COPY .bashrc /home/test/.bashrc
+
+COPY start.sh /home/test/start.sh
+COPY retry.py /home/test/bin/retry
diff --git a/testing/web-platform/tests/tools/docker/README.md b/testing/web-platform/tests/tools/docker/README.md
new file mode 100644
index 0000000000..bc98d19861
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/README.md
@@ -0,0 +1,16 @@
+This docker images is used for testing Chrome, Firefox, WebKitGTK and running
+other tasks on Taskcluster. When any of the files in this directory change, the
+images must be updated as well. Doing this requires you be part of the
+'webplatformtests' organization on Docker Hub; ping @foolip or @jpchase
+if you are not a member.
+
+The tag for a new docker image is of the form
+`webplatformtests/wpt:{current-version + 0.01}`
+
+To update the docker image:
+
+* Update the following Taskcluster configurations to use the new image:
+ - `.taskcluster.yml` (the decision task)
+ - `tools/ci/tc/tasks/test.yml` (all the other tasks)
+
+* Run `wpt docker-push`
diff --git a/testing/web-platform/tests/tools/docker/__init__.py b/testing/web-platform/tests/tools/docker/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/__init__.py
diff --git a/testing/web-platform/tests/tools/docker/commands.json b/testing/web-platform/tests/tools/docker/commands.json
new file mode 100644
index 0000000000..eb6d7c9d82
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/commands.json
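Review bot: The `RUN useradd test` step in the Dockerfile hunk appends `ALL ALL = (ALL) NOPASSWD: ALL` to /etc/sudoers and sets a fixed, published password with `echo 'test:secret' | chpasswd`, so every account in the image, not only `test`, can become root without authenticating. That matters more here because the frontend added in this commit can start the image with `--privileged`. Scope the rule to the one account that needs it and keep it in a drop-in, `echo 'test ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/test && chmod 0440 /etc/sudoers.d/test`, and drop the `chpasswd` line unless something actually logs in with that password. Separately, the `RUN apt-get -qqy install firefox …` layer has no `apt-get update` of its own, so it depends on package lists cached by an earlier layer.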
@@ -0,0 +1,25 @@
+{
+ "docker-run": {
+ "path": "frontend.py",
+ "script": "run",
+ "parser": "parser_run",
+ "help": "Run wpt docker image",
+ "virtualenv": false
+ },
+ "docker-build": {
+ "path": "frontend.py",
+ "script": "build",
+ "help": "Build wpt docker image",
+ "virtualenv": false
+ },
+ "docker-push": {
+ "path": "frontend.py",
+ "script": "push",
+ "parser": "parser_push",
+ "help": "Build and push wpt docker image",
+ "virtualenv": true,
+ "requirements": [
+ "requirements.txt"
+ ]
+ }
+}
diff --git a/testing/web-platform/tests/tools/docker/frontend.py b/testing/web-platform/tests/tools/docker/frontend.py
new file mode 100644
index 0000000000..6ee2d20633
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/frontend.py
@@ -0,0 +1,141 @@
+# mypy: allow-untyped-defs
+
+import argparse
+import logging
+import os
+import re
+import subprocess
+import sys
+
+here = os.path.abspath(os.path.dirname(__file__))
+wpt_root = os.path.abspath(os.path.join(here, os.pardir, os.pardir))
+
+logger = logging.getLogger()
+
+
+def build(tag="wpt:local", *args, **kwargs):
+ subprocess.check_call(["docker",
+ "build",
+ "--pull",
+ "--tag", tag,
+ here])
+
+
+def parser_push():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--tag", action="store",
+ help="Tag to use (default is taken from .taskcluster.yml)")
+ parser.add_argument("--force", action="store_true",
+ help="Ignore warnings and push anyway")
+ return parser
+
+
+def walk_yaml(root, target):
+ rv = []
+ if isinstance(root, list):
+ for value in root:
+ if isinstance(value, (dict, list)):
+ rv.extend(walk_yaml(value, target))
+ elif isinstance(root, dict):
+ for key, value in root.items():
+ if isinstance(value, (dict, list)):
+ rv.extend(walk_yaml(value, target))
+ elif key == target:
+ rv.append(value)
+ return rv
+
+
+def read_image_name():
+ import yaml
+ with open(os.path.join(wpt_root, ".taskcluster.yml")) as f:
+ taskcluster_data = yaml.safe_load(f)
+ taskcluster_values = set(walk_yaml(taskcluster_data, "image"))
+ with open(os.path.join(wpt_root, "tools", "ci", "tc", "tasks", "test.yml")) as f:
+ test_data = yaml.safe_load(f)
+ tests_value = test_data["components"]["wpt-base"]["image"]
+ return taskcluster_values, tests_value
+
+
+def lookup_tag(tag):
+ import requests
+ org, repo_version = tag.split("/", 1)
+ repo, version = repo_version.rsplit(":", 1)
+ resp = requests.get("https://hub.docker.com/v2/repositories/%s/%s/tags/%s" %
+ (org, repo, version))
+ if resp.status_code == 200:
+ return True
+ if resp.status_code == 404:
+ return False
+ resp.raise_for_status()
+
+
+def push(venv, tag=None, force=False, *args, **kwargs):
+ taskcluster_tags, tests_tag = read_image_name()
+
+ taskcluster_tag = taskcluster_tags.pop()
+
+ error_log = logger.warning if force else logger.error
+ if len(taskcluster_tags) != 0 or tests_tag != taskcluster_tag:
+ error_log("Image names in .taskcluster.yml and tools/ci/tc/tasks/test.yml "
+ "don't match.")
+ if not force:
+ sys.exit(1)
+ if tag is not None and tag != taskcluster_tag:
+ error_log("Supplied tag doesn't match .taskcluster.yml or "
+ "tools/ci/tc/tasks/test.yml; remember to update before pushing")
+ if not force:
+ sys.exit(1)
+ if tag is None:
+ logger.info("Using tag %s from .taskcluster.yml" % taskcluster_tag)
+ tag = taskcluster_tag
+
+ tag_re = re.compile(r"webplatformtests/wpt:\d\.\d+")
+ if not tag_re.match(tag):
+ error_log("Tag doesn't match expected format webplatformtests/wpt:0.x")
+ if not force:
+ sys.exit(1)
+
+ if lookup_tag(tag):
+ # No override for this case
+ logger.critical("Tag %s already exists" % tag)
+ sys.exit(1)
+
+ build(tag)
+ subprocess.check_call(["docker",
+ "push",
+ tag])
+
+
+def parser_run():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--rebuild", action="store_true", help="Force rebuild of image")
+ parser.add_argument("--checkout", action="store",
+ help="Revision to checkout in the image. "
+ "If this is not supplied we mount the wpt checkout on the host as "
+ "/home/test/web-platform-tests/")
+ parser.add_argument("--privileged", action="store_true",
+ help="Run the image in priviledged mode (required for emulators)")
+ parser.add_argument("--tag", action="store", default="wpt:local",
+ help="Docker image tag to use (default wpt:local)")
+ return parser
+
+
+def run(*args, **kwargs):
+ if kwargs["rebuild"]:
+ build()
+
+ args = ["docker", "run"]
+ args.extend(["--security-opt", "seccomp:%s" %
+ os.path.join(wpt_root, "tools", "docker", "seccomp.json")])
+ if kwargs["privileged"]:
+ args.append("--privileged")
+ if kwargs["checkout"]:
+ args.extend(["--env", "REF==%s" % kwargs["checkout"]])
+ else:
+ args.extend(["--mount",
+ "type=bind,source=%s,target=/home/test/web-platform-tests" % wpt_root])
+ args.extend(["-it", kwargs["tag"]])
+
+ proc = subprocess.Popen(args)
+ proc.wait()
+ return proc.returncode
diff --git a/testing/web-platform/tests/tools/docker/requirements.txt b/testing/web-platform/tests/tools/docker/requirements.txt
new file mode 100644
index 0000000000..fee00749e8
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/requirements.txt
@@ -0,0 +1,2 @@
+pyyaml==6.0
+requests==2.30.0
diff --git a/testing/web-platform/tests/tools/docker/retry.py b/testing/web-platform/tests/tools/docker/retry.py
new file mode 100755
index 0000000000..8ecf5874fe
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/retry.py
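Review bot: In `run` of frontend.py, `"REF==%s" % kwargs["checkout"]` has a doubled `=`, so the container would receive REF with a value that begins with `=` instead of the requested revision; it should read `args.extend(["--env", "REF=%s" % kwargs["checkout"]])`. In `push`, `tag_re.match(tag)` anchors only at the start, so a tag with arbitrary text after the version passes the format check before `docker push`; `tag_re.fullmatch(tag)` would enforce the whole string. `lookup_tag` also calls `requests.get` with no `timeout`, which lets a stalled registry request hang the push indefinitely.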
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import argparse
+import subprocess
+import time
+import sys
+
+
+def get_args() -> argparse.ArgumentParser:
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--delay", action="store", type=float, default=3, help="Initial delay before retry, in seconds")
+ parser.add_argument("--count", action="store", type=int, default=5, help="Total number of tries")
+ parser.add_argument("--factor", action="store", type=float, default=2, help="Exponential backoff factor")
+ parser.add_argument("cmd", nargs=argparse.REMAINDER)
+ return parser
+
+
+def log(value: str) -> None:
+ print(value)
+ sys.stdout.flush()
+
+
+def main() -> None:
+ args = get_args().parse_args()
+
+ if not args.cmd:
+ log("No command supplied")
+ sys.exit(1)
+
+ retcode = None
+
+ for n in range(args.count):
+ try:
+ log("Running %s [try %d/%d]" % (" ".join(args.cmd), (n+1), args.count))
+ subprocess.check_call(args.cmd)
+ except subprocess.CalledProcessError as e:
+ retcode = e.returncode
+ else:
+ log("Command succeeded")
+ retcode = 0
+ break
+
+ if args.factor == 0:
+ wait_time = (n+1) * args.delay
+ else:
+ wait_time = args.factor**n * args.delay
+ if n < args.count - 1:
+ log("Command failed, waiting %s seconds to retry" % wait_time)
+ time.sleep(wait_time)
+ else:
+ log("Command failed, out of retries")
+
+ sys.exit(retcode)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/testing/web-platform/tests/tools/docker/seccomp.json b/testing/web-platform/tests/tools/docker/seccomp.json
new file mode 100644
index 0000000000..8e8274ce32
--- /dev/null
+++ b/testing/web-platform/tests/tools/docker/seccomp.json
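Review bot: `main` in retry.py exits with status 0 without ever running the command when `--count` is 0 or negative, because the loop body never executes, `retcode` stays `None`, and `sys.exit(None)` reports success. A caller that computes the count would then treat a step that never ran as passed. Reject it right after the `args.cmd` check, for example `if args.count < 1: log("--count must be at least 1"); sys.exit(2)`. A command that cannot be started at all raises `FileNotFoundError` from `subprocess.check_call`, which is not caught and so is not retried; if that is intended it deserves a comment such as `# only non-zero exits are retried; launch failures propagate`.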
@@ -0,0 +1,798 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_gettime", + "clock_nanosleep", + "clone", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + 
"getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "io_pgetevents", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedsend", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + 
"sched_getscheduler", + "sched_rr_get_interval", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", + "timer_getoverrun", + "timer_gettime", + "timer_settime", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "unshare", + "utime", + "utimensat", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": null, + "excludes": null + }, + { + "names": [ + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "minKernel": "4.8" + }, + "excludes": null + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": 
null + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": null + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131072, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": null + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131080, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": null + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": null + }, + { + "names": [ + "sync_file_range2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "ppc64le" + ] + }, + "excludes": null + }, + { + "names": [ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "arm", + "arm64" + ] + }, + "excludes": null + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": null + }, + { + "names": [ + "modify_ldt" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32", + "x86" + ] + }, + "excludes": null + }, + { + "names": [ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": null + }, + { + "names": [ + 
"open_by_handle_at" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "excludes": null + }, + { + "names": [ + "bpf", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": null + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": null, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "reboot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_BOOT" + ] + }, + "excludes": null + }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "excludes": null + }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + "query_module" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "excludes": null + }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "excludes": null + }, + { + "names": [ + "kcmp", + "process_vm_readv", + 
"process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "excludes": null + }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "excludes": null + }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "excludes": null + }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "excludes": null + }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": null + }, + { + "names": [ + "syslog" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYSLOG" + ] + }, + "excludes": null + } + ] +} diff --git a/testing/web-platform/tests/tools/docker/start.sh b/testing/web-platform/tests/tools/docker/start.sh new file mode 100755 index 0000000000..3427670cc9 --- /dev/null +++ b/testing/web-platform/tests/tools/docker/start.sh 
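Review bot: `clone` and `unshare` are both in the first, unconditional `SCMP_ACT_ALLOW` list of seccomp.json, so the two later `clone` rules that compare the flags with `SCMP_CMP_MASKED_EQ` against 2114060288 no longer restrict anything and namespace creation is permitted without `CAP_SYS_ADMIN`. If that is deliberate (presumably for a browser sandbox that needs user namespaces), record the reason in that entry's empty `"comment"` field and drop the now-dead masked rules; if it is not, remove the two names from the unconditional list so the masked rules take effect again. The same list also allows `io_uring_setup`, `io_uring_enter` and `io_uring_register`, which is worth a conscious decision for a container that runs browsers under test.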
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -ex
+
+REMOTE=${1:-https://github.com/web-platform-tests/wpt}
+REF=${2:-master}
+
+cd ~
+
+if [ -e /dev/kvm ]; then
+ # If kvm is present ensure that the test user can access it
+ # Ideally this could be done by adding the test user to the
+ # owning group, but then we need to re-login to evaluate the
+ # group membership. This chmod doesn't affect the host.
+ sudo chmod a+rw /dev/kvm
+fi
+
+if [ ! -d web-platform-tests ]; then
+ mkdir web-platform-tests
+ cd web-platform-tests
+
+ git init
+ git remote add origin ${REMOTE}
+
+ # Initially we just fetch 50 commits in order to save several minutes of fetching
+ retry git fetch --quiet --depth=50 --tags origin ${REF}:task_head
+
+ git checkout --quiet task_head
+fi |