ci: Fix kernel+rootfs.* jobs

The rootfs generation is failing due to issues with the deqp and crosvm build stages. == crosvm == This week, crates.io released the bindgen cargo package at version 0.61.0, but this version could not be installed via `cargo install bindgen ...`, setting the version to the previous one to avoid breaking the Mesa rootfs builds. See also related failed job: https://gitlab.freedesktop.org/gallo/mesa/-/jobs/30046963 == deqp == The deqp build is failing due to the missing archive of an old zlib release version, which was deleted due to a CVE, see zlib 1.2.13 release notes. As the deqp uprev to 1.3.4.0, which contains the fix, was not straightforward, let's only apply the necessary patch to fix zlib source code download link and then remove this indirection in an eventual deqp uprev. Example of a failed kernel+rootfs build job: https://gitlab.freedesktop.org/gallo/mesa/-/jobs/30045324 Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com> Reviewed-by: Yonggang Luo <luoyonggang@gmail.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/19183>
2022-10-19 17:00:45 -03:00 · 2022-10-19 17:00:45 -03:00 · db2c14887b
parent 71dc65ec20
commit db2c14887b
3 changed files with 12 additions and 4 deletions
--- a/.gitlab-ci/container/build-crosvm.sh
+++ b/.gitlab-ci/container/build-crosvm.sh
@ -25,6 +25,7 @@ RUSTFLAGS='-L native=/usr/local/lib' cargo install \
  bindgen \
  -j ${FDO_CI_CONCURRENT:-4} \
  --root /usr/local \
+  --version 0.60.1 \
  $EXTRA_CARGO_ARGS

 RUSTFLAGS='-L native=/usr/local/lib' cargo install \
--- a/.gitlab-ci/container/build-deqp.sh
+++ b/.gitlab-ci/container/build-deqp.sh
@ -12,6 +12,13 @@ git clone \
    /VK-GL-CTS
 pushd /VK-GL-CTS

+# Apply a patch to update zlib link to an available version.
+# vulkan-cts-1.3.3.0 uses zlib 1.2.12 which was removed from zlib server due to
+# a CVE. See https://zlib.net/
+# FIXME: Remove this patch when uprev to 1.3.4.0+
+wget -O- https://github.com/KhronosGroup/VK-GL-CTS/commit/6bb2e7d64261bedb503947b1b251b1eeeb49be73.patch |
+    git am -
+
 # --insecure is due to SSL cert failures hitting sourceforge for zlib and
 # libpng (sigh).  The archives get their checksums checked anyway, and git
 # always goes through ssh or https.
--- a/.gitlab-ci/image-tags.yml
+++ b/.gitlab-ci/image-tags.yml
@ -1,6 +1,6 @@
 variables:
   DEBIAN_X86_BUILD_BASE_IMAGE: "debian/x86_build-base"
-   DEBIAN_BASE_TAG: "2022-10-04-vn-render-server"
+   DEBIAN_BASE_TAG: "2022-10-19-remove-xvmc-dev"

   DEBIAN_X86_BUILD_IMAGE_PATH: "debian/x86_build"
   DEBIAN_BUILD_TAG: "2022-10-18-dx-headers"
@ -11,11 +11,11 @@ variables:
   DEBIAN_X86_TEST_BASE_IMAGE: "debian/x86_test-base"

   DEBIAN_X86_TEST_IMAGE_PATH: "debian/x86_test-gl"
-   DEBIAN_X86_TEST_GL_TAG: "2022-09-29-uprev-dxvk"
-   DEBIAN_X86_TEST_VK_TAG: "2022-09-29-uprev-dxvk"
+   DEBIAN_X86_TEST_GL_TAG: "2022-10-20-bindgen-zlib-cve"
+   DEBIAN_X86_TEST_VK_TAG: "2022-10-20-bindgen-zlib-cve"

   FEDORA_X86_BUILD_TAG: "2022-09-22-python3-ply-2"
-   KERNEL_ROOTFS_TAG: "2022-10-05-uprev-dxvk"
+   KERNEL_ROOTFS_TAG: "2022-10-20-bindgen-zlib-cve"

   WINDOWS_X64_VS_PATH: "windows/x64_vs"
   WINDOWS_X64_VS_TAG: "2022-08-17-bump"