.oniro-ci/containers/bitbake-builder: add support for runqemu

Part of gcc oeself-test is client/server based. It uses qemu vm for
native tests via ssh. The vm is launched by runqemu command which
requires the following changes in the docker image.

* passwordless sudo permission
* package iptables pre-installed

Signed-off-by: Chase Qi <chase.qi@linaro.org>

.oniro-ci/containers/bitbake-builder/Dockerfile

@@ -26,8 +26,8 @@ RUN apt-get update -qq \
 	bash git-repo git-lfs apt-utils build-essential chrpath cpio diffstat \
 	gawk git sudo wget language-pack-en-base time locales python-is-python3 \
 	python3-distutils python3-pip libssl-dev iproute2 iputils-ping curl jq \
-	lz4 zstd \
- && eatmydata apt-get install -qq -y 'ca-certificates=20210119~20.04.2' \
+	lz4 zstd iptables\
+ && eatmydata apt-get install -qq -y 'ca-certificates=20211016~20.04.1' \
  && eatmydata apt-get clean && rm -rf /var/lib/apt/lists/*
 RUN locale-gen
 RUN pip3 install anybadge
@@ -36,7 +36,10 @@ RUN pip3 install anybadge
 RUN echo "dash dash/sh boolean false" | debconf-set-selections \
  && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
 
-RUN useradd --create-home --uid 1000 --shell /usr/bin/bash builder
+RUN useradd --create-home --uid 1000 --shell /usr/bin/bash builder \
+ && usermod -aG sudo builder\
+ && echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+
 COPY --chown=builder:builder .gitconfig /home/builder/.gitconfig
 USER builder
 WORKDIR /home/builder

[Andrei Gherzan]

Can you detail here the need for sudo permissions?

[Stevan Radaković]

@agherzan this has been reiterated many times. Bunch of test cases from various test suites require root for operation. LAVA infra does not necessarily.

[Andrei Gherzan]

I would be interested to know which one we hit this on. @bero do you have any details on this?

[Chase Qi]

In this case, it is runqemu command uses sudo permission to create tun device for the communication between host and vm for vm based gcc testing. I will add a comment in the change.

[Andrei Gherzan]

I see. So it's not about the tests, it's about the virtualization tooling and configuration.

[Chase Qi]

Yes. comment added.

[Andrei Gherzan]

Can you also give me a link to where we use sudo in the CI script?

[Chase Qi]

Not in our CI script. It is in oe-core. oe-selftest framework calls runqemu to lunch VM https://github.com/openembedded/openembedded-core/blob/master/meta/lib/oeqa/utils/qemurunner.py#L164

and runqemu uses sudo to bring up/down network interface https://github.com/openembedded/openembedded-core/blob/master/scripts/runqemu-ifup#L27

[Andrei Gherzan]

Now I remember. Thanks.