diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index ec489f0..1207acb 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -23,7 +23,9 @@ jobs:
 id: ${{ github.event.number }}
 - name: Do DCO check
 run: |
- docker run --rm -v "$GITHUB_WORKSPACE:/work:ro" \
+ docker run --rm --security-opt apparmor=unconfined \
+ --security-opt seccomp=unconfined \
+ -v "$GITHUB_WORKSPACE:/work:ro" \
 --env "BASE_REF=$GITHUB_BASE_REF" \
 "dco-check-${{ github.event.number }}"
 - name: Cleanup temporary docker image
diff --git a/.github/workflows/docker-images/yocto-builder/Dockerfile b/.github/workflows/docker-images/yocto-builder/Dockerfile
index 87221b9..728b473 100644
--- a/.github/workflows/docker-images/yocto-builder/Dockerfile
+++ b/.github/workflows/docker-images/yocto-builder/Dockerfile
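Review bot: The new `docker run` line drops both the AppArmor profile and the seccomp syscall allowlist for the DCO check container, which only needs to read the read-only checkout and run git, and no comment says which operation fails under the default profiles; the same relaxation is added in yocto-builds.yml (both flags) and yocto-layer.yml (AppArmor only). Without the seccomp profile every syscall the kernel offers is reachable from whatever the check executes, so a bug in the tooling or in the PR content it processes now has the runner kernel as its blast radius rather than the profile's allowlist. If a specific syscall is being rejected on the newer base image, the narrower fixes are updating Docker/libseccomp on the runner or passing a custom profile, `--security-opt seccomp=<profile.json>`, that adds only that syscall to the default allowlist. At minimum document the reason above each invocation, e.g. `# unconfined: <syscall or feature that fails under the default seccomp/AppArmor profile>`, and drop `apparmor=unconfined` wherever seccomp alone was the problem. The rest of the job definition is outside the hunk.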
@@ -2,20 +2,21 @@
 #
 # SPDX-License-Identifier: MIT
-FROM ubuntu:20.04
+FROM ubuntu:22.04
 ARG DEBIAN_FRONTEND="noninteractive"
-RUN apt-get update -qq
+RUN apt-get update -q -y
 RUN apt-get install -y eatmydata
 # Yocto/OE build host dependencies
 # Keep this in sync with
-# https://git.yoctoproject.org/poky/tree/documentation/poky.yaml
+# https://git.yoctoproject.org/poky/tree/documentation/poky.yaml.in
+# https://git.yoctoproject.org/poky/tree/documentation/tools/host_packages_scripts/ubuntu_essential.sh
 RUN eatmydata apt-get install -qq -y \
- gawk wget git diffstat unzip texinfo gcc build-essential chrpath \
- socat cpio python3 python3-pip python3-pexpect xz-utils debianutils \
- iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
- pylint3 xterm python3-subunit mesa-common-dev zstd liblz4-tool
+ build-essential chrpath cpio debianutils diffstat file gawk gcc \
+ git iputils-ping libacl1 liblz4-tool locales python3 python3-git \
+ python3-jinja2 python3-pexpect python3-pip python3-subunit socat \
+ texinfo unzip wget xz-utils zstd
 # en_US.UTF-8 is required by the build system
 RUN eatmydata apt-get install -qq -y locales \
@@ -29,6 +30,9 @@ RUN eatmydata apt-get clean && rm -rf /var/lib/apt/lists/*
 RUN echo "dash dash/sh boolean false" | debconf-set-selections \
 && dpkg-reconfigure dash
+# Fix the resource exhaustion problem on the build infrastructure
+RUN echo 'vm.max_map_count = 4048576' >> /etc/sysctl.conf
+
 # Run under normal user called 'ci'
 RUN useradd --create-home --uid 1000 --shell /usr/bin/bash ci
 USER ci
diff --git a/.github/workflows/yocto-builds.yml b/.github/workflows/yocto-builds.yml
index 408d25e..87b009b 100644
--- a/.github/workflows/yocto-builds.yml
+++ b/.github/workflows/yocto-builds.yml
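Review bot: `RUN apt-get update -q -y` stays in its own layer, separate from the `RUN apt-get install -y eatmydata` and `RUN eatmydata apt-get install ...` layers below it, so a rebuild that reuses the cached update layer installs from a stale 22.04 package index (typically surfacing as missing-package errors once the mirrors move on); the usual form is `RUN apt-get update -q && apt-get install -y eatmydata` in one instruction, and `-y` has no meaning for `update`. `locales` is now in the new package list and is installed again by the `apt-get install -qq -y locales` line at the end of the hunk (that instruction continues outside the hunk), so one of the two can go. `FROM ubuntu:22.04` is a floating tag; pinning it as `FROM ubuntu:22.04@sha256:<digest>` makes builder-image rebuilds reproducible and keeps an unexpected base-image change from silently reaching the build.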
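Review bot: The new `RUN echo 'vm.max_map_count = 4048576' >> /etc/sysctl.conf` has no effect on the container: `/etc/sysctl.conf` is only read by an init or an explicit `sysctl -p`, neither of which this diff shows running in the image (the entrypoints are outside it), and `vm.max_map_count` is not a namespaced sysctl, so it cannot be changed from inside an unprivileged container at all — `/proc/sys/vm` is read-only there and `docker run --sysctl` rejects it. The limit lives on the runner host, so the fix belongs in the workflow before the `docker run`, e.g. a step `run: sudo sysctl -w vm.max_map_count=4048576` where the runner permits it. The value 4048576 also looks like it may be a typo for 4194304 (or 1048576); confirm the intended number. The comment `# Fix the resource exhaustion problem on the build infrastructure` should name the symptom, e.g. `# raise vm.max_map_count: <which build step fails with which error>`, so the setting can be revisited later.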
@@ -66,7 +66,8 @@ jobs:
 if: steps.changed-files-specific.outputs.any_changed == 'true'
 - name: Build the image
 run: |
- docker run --rm \
+ docker run --rm --security-opt apparmor=unconfined \
+ --security-opt seccomp=unconfined \
 -v "$GITHUB_WORKSPACE:/work:ro" \
 -v "$DL_DIR:$DL_DIR:rw" \
 -v "$SSTATE_DIR:$SSTATE_DIR:rw" \
@@ -76,6 +77,7 @@ jobs:
 --env "IMAGE=${{ matrix.image }}" \
 --env "DL_DIR=$DL_DIR" \
 --env "SSTATE_DIR=$SSTATE_DIR" \
+ --ulimit "nofile=1024:1048576" \
 "yocto-builder-${{ github.event.number }}" \
 /entrypoint-build.sh
 if: steps.changed-files-specific.outputs.any_changed == 'true'
diff --git a/.github/workflows/yocto-layer.yml b/.github/workflows/yocto-layer.yml
index fa11815..555241b 100644
--- a/.github/workflows/yocto-layer.yml
+++ b/.github/workflows/yocto-layer.yml
@@ -42,7 +42,8 @@ jobs:
 if: steps.changed-files-specific.outputs.any_changed == 'true'
 - name: Run yocto-check-layer
 run: |
- docker run --rm -v "$GITHUB_WORKSPACE:/work:ro" \
+ docker run --rm --security-opt apparmor=unconfined \
+ -v "$GITHUB_WORKSPACE:/work:ro" \
 --env "BASE_REF=$GITHUB_BASE_REF" \
 "yocto-builder-${{ github.event.number }}" \
 /entrypoint-yocto-check-layer.sh
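Review bot: The new `--ulimit "nofile=1024:1048576"` line keeps the soft open-file limit at 1024 while only the hard limit is large, and nothing says why; a reader will assume it raises the limit, whereas a process that does not lift its own soft limit still hits 1024. If the intent is to avoid the slowdown that a very large soft limit causes in tools that iterate over every possible descriptor (a plausible reason in a Yocto build, but not stated), or conversely to let the build raise its soft limit up to the hard one, record that above the flag, e.g. `# soft nofile stays 1024 (<reason>); hard limit raised so the build can lift it itself`. The `docker run` command this flag extends starts outside the hunk.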