From 11c71911051281557e44842f211a623ab256948d Mon Sep 17 00:00:00 2001
From: Juliette Pretot
Date: Tue, 12 Apr 2022 19:08:01 +0100
Subject: [PATCH] Add working (but messy) config to start qemu KVM inside docker. TODO: clean up
---
 .devcontainer.json | 3 +++
 Dockerfile | 5 +++++
 experimental/uefi/app/.cargo/config.toml | 2 +-
 scripts/docker_run | 1 +
 scripts/fix_docker_user_and_run | 2 +-
 third_party/ring/src/rand.rs | 6 +++++-
 6 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/.devcontainer.json b/.devcontainer.json
index a6b6339612e..f26728ef25e 100644
--- a/.devcontainer.json
+++ b/.devcontainer.json
@@ -23,5 +23,8 @@
 // See https://code.visualstudio.com/docs/remote/containers-advanced#_changing-the-default-source-code-mount.
 "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
 "workspaceFolder": "/workspace",
+ "runArgs": [
+ "--device=/dev/kvm"
+ ],
 "containerUser": "docker"
 }
diff --git a/Dockerfile b/Dockerfile
index 62dbe9881f7..217d11b7cad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -334,6 +334,11 @@ RUN mkdir --parents ${sccache_dir} \
 # By default, sccache uses `~/.cache/sccache` locally: https://github.com/mozilla/sccache#local.
+# Getting curl and certificates dependecies.
+# We're rate-limiting HTTP requests to 500 kB/s as otherwise we may get timeout errors
+# when downloading from snapshot.debian.org.
+
+
 ENV RUSTC_WRAPPER sccache
 # Disable cargo incremental compilation, as it conflicts with sccache: https://github.com/mozilla/sccache#rust
diff --git a/experimental/uefi/app/.cargo/config.toml b/experimental/uefi/app/.cargo/config.toml
index 33a5210dcce..b25fbccd921 100644
--- a/experimental/uefi/app/.cargo/config.toml
+++ b/experimental/uefi/app/.cargo/config.toml
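Review bot: The new `runArgs` entry passes `/dev/kvm` into the dev container unconditionally, so on a host that has no such device node (no KVM, no nested virtualization) the container will not start at all; the same unconditional passthrough is added in scripts/docker_run, and scripts/fix_docker_user_and_run chowns the node without checking it exists. This file cannot express a condition, so at minimum document the requirement next to the entry, e.g. `// Requires a host exposing /dev/kvm (Linux with KVM); drop this entry on hosts without it.`. In scripts/docker_run the flag can be made conditional after the array is built, `[[ -c /dev/kvm ]] && docker_run_flags+=("--device=/dev/kvm")`, which keeps the non-KVM CI path working.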
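Review bot: The three added comment lines in the Dockerfile hunk describe installing curl and certificates with a 500 kB/s rate limit, but no instruction follows them — only two blank lines and the pre-existing `ENV RUSTC_WRAPPER sccache` — so the comment documents a step that does not exist and will mislead the next reader. Either attach it to the instruction it was written for or drop it; if kept, also fix the typo `dependecies` → `dependencies`.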
@@ -7,7 +7,7 @@ runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_C
 # Otherwise, (a) the first serial port gets routed to a log, and (b) the second serial gets attached to stdio.
 [target.'cfg(not(test))']
-runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
+runner = "qemu-system-x86_64 -enable-kvm -cpu Broadwell-IBRS,vme=on,f16c=on,rdrand=on -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
 [unstable]
 build-std = ["core", "alloc"]
diff --git a/scripts/docker_run b/scripts/docker_run
index 1ea32a4cd5f..518369ec0c6 100755
--- a/scripts/docker_run
+++ b/scripts/docker_run
@@ -48,6 +48,7 @@ docker_run_flags=(
 # To do that, we map the socket from the host and add the right group
 '--volume=/var/run/docker.sock:/var/run/docker.sock'
 "--group-add=$HOST_DOCKER_GID"
+ "--device=/dev/kvm"
 )
 # Some CI systems (GitHub actions) do not run with an interactive TTY attached.
diff --git a/scripts/fix_docker_user_and_run b/scripts/fix_docker_user_and_run
index bda09309dfa..2fc3b90001e 100755
--- a/scripts/fix_docker_user_and_run
+++ b/scripts/fix_docker_user_and_run
@@ -13,5 +13,5 @@ set -o pipefail
 groupmod --gid="${HOST_GID}" docker
 usermod --uid="${HOST_UID}" --gid="${HOST_GID}" docker
-chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache"
+chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache" "/dev/kvm"
 su docker --session-command="$*"
diff --git a/third_party/ring/src/rand.rs b/third_party/ring/src/rand.rs
index 4377b0699de..71e4417d5dc 100644
--- a/third_party/ring/src/rand.rs
+++ b/third_party/ring/src/rand.rs
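Review bot: The new runner line hard-requires KVM via `-enable-kvm`, so `cargo run` for the non-test target now fails outright wherever `/dev/kvm` is absent instead of falling back to emulation as the old line did. QEMU can be told to try KVM first and fall back to TCG by replacing `-enable-kvm` with an accelerator list on the existing machine option, `-machine q35,accel=kvm:tcg`; whether every feature in `-cpu Broadwell-IBRS,vme=on,f16c=on,rdrand=on` is honoured under TCG on the QEMU version in the image is something to verify rather than assume. A short comment above the line stating why this CPU model and the explicit `rdrand=on` were chosen would also help, since the rand.rs hunk in this same commit suggests the feature bit still did not reach the code that checks it.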
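Review bot: Appending `"/dev/kvm"` to the existing `chown` makes the whole command fail when the node is absent, and if the script runs with errexit (only `set -o pipefail` is visible in the header; the rest of the `set` line is outside the hunk) the `su docker` line is never reached even for workflows that do not need KVM. Chowning a device node to the unprivileged user is also broader than needed; the script already follows a group-based pattern for the docker socket (`--group-add=$HOST_DOCKER_GID` in scripts/docker_run), and passing the host's kvm group id the same way would grant access without changing ownership. If the chown is kept, split it so the device part is guarded: `chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache"` followed by `[[ -c /dev/kvm ]] && chown "${HOST_UID}":"${HOST_GID}" /dev/kvm`.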
@@ -452,7 +452,11 @@ mod uefi {
 static mut OPENSSL_ia32cap_P: [u32; 4];
 }
 const FLAG: u32 = 1 << 30;
- unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+ // Somehow this check continues to require patching, regardless
+ // of qemu CPU config. :/. That is even though RDRAND is in fact
+ // available and working.
+ // unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+ true
 }
 // We must make sure current cpu support `rdrand`
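Review bot: Replacing the capability check with a bare `true` removes the only guard in this vendored crypto library between "RDRAND advertised" and "RDRAND executed": on any CPU or VM where the instruction is not present, whatever code consumes this result (the trailing context line promises "We must make sure current cpu support `rdrand`") will now run an unsupported instruction instead of failing cleanly, and nothing in the commit limits the bypass to the QEMU setup it was written for. The added comment says the bit never appears even though RDRAND works; `OPENSSL_ia32cap_P` is presumably filled in by ring's cpuid setup routine at feature-initialization time, and if that initializer is never run in this UEFI build the array stays zeroed, which would match the symptom — worth confirming before treating the check as broken. Querying the CPU directly avoids that dependency and keeps the guard honest: `let ecx = unsafe { core::arch::x86_64::__cpuid(1) }.ecx;` followed by `ecx & FLAG == FLAG`. The enclosing function starts before this hunk, so its name and the surrounding `cfg` are not visible here.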