ci: add bpftool workaround to coverity too

(cherry picked from commit d29f181cf02100c146fc8691a5515a708d06ddbf)
ci: fix workaround about bpftool for codeql
2025-11-20 09:14:46 +01:00 · 2025-10-20 09:14:58 +02:00 · 2025-10-20 09:14:58 +02:00 · 2025-10-20 09:14:58 +02:00 · 2025-10-20 09:14:58 +02:00 · 2025-10-20 09:14:58 +02:00
6 changed files with 89 additions and 7 deletions
--- a/.github/workflows/build-test.sh
+++ b/.github/workflows/build-test.sh
@ -47,6 +47,7 @@ PACKAGES=(
    libxkbcommon-dev
    libxtables-dev
    libzstd-dev
+    linux-tools-generic
    mold
    mount
    net-tools
@ -143,6 +144,12 @@ sudo apt-get -y install "${PACKAGES[@]}"
 pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
 export PATH="$HOME/.local/bin:$PATH"

+# TODO: drop after we switch to ubuntu 26.04
+bpftool_dir=$(dirname "$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)")
+if [ -n "$bpftool_dir" ]; then
+    export PATH="$bpftool_dir:$PATH"
+fi
+
 if [[ -n "$CUSTOM_PYTHON" ]]; then
    # If CUSTOM_PYTHON is set we need to pull jinja2 from pip, as a local interpreter is used
    pip3 install --user --break-system-packages jinja2
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -50,7 +50,14 @@ jobs:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql-config.yml

-    - run: sudo -E .github/workflows/unit-tests.sh SETUP
+    - run: |
+        sudo -E .github/workflows/unit-tests.sh SETUP
+        # TODO: drop after we switch to ubuntu 26.04
+        bpftool_binary=$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)
+        if [ -n "$bpftool_binary" ]; then
+          sudo rm -f /usr/{bin,sbin}/bpftool
+          sudo ln -s "$bpftool_binary" /usr/bin/
+        fi

    - name: Autobuild
      uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@ -25,6 +25,13 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      # Reuse the setup phase of the unit test script to avoid code duplication
      - name: Install build dependencies
-        run: sudo -E .github/workflows/unit-tests.sh SETUP
+        run: |
+          sudo -E .github/workflows/unit-tests.sh SETUP
+          # TODO: drop after we switch to ubuntu 26.04
+          bpftool_binary=$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)
+          if [ -n "$bpftool_binary" ]; then
+            sudo rm -f /usr/{bin,sbin}/bpftool
+            sudo ln -s "$bpftool_binary" /usr/bin/
+          fi
      - name: Build & upload the results
        run: tools/coverity.sh
--- a/.github/workflows/unit-tests.sh
+++ b/.github/workflows/unit-tests.sh
@ -18,6 +18,7 @@ ADDITIONAL_DEPS=(
    libtss2-dev
    libxkbcommon-dev
    libzstd-dev
+    linux-tools-generic
    python3-libevdev
    python3-pip
    python3-pyelftools
@ -74,6 +75,12 @@ for phase in "${PHASES[@]}"; do
            capsh --drop=all -- -c "stat $PWD/meson.build"
            ;;
        RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE)
+            # TODO: drop after we switch to ubuntu 26.04
+            bpftool_dir=$(dirname "$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)")
+            if [ -n "$bpftool_dir" ]; then
+                export PATH="$bpftool_dir:$PATH"
+            fi
+
            if [[ "$phase" =~ ^RUN_CLANG ]]; then
                export CC=clang
                export CXX=clang++
@ -105,6 +112,12 @@ for phase in "${PHASES[@]}"; do
            TZ=GMT+12 meson test "${MESON_TEST_ARGS[@]}" -C build --print-errorlogs
            ;;
        RUN_ASAN_UBSAN|RUN_GCC_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN_NO_DEPS)
+            # TODO: drop after we switch to ubuntu 26.04
+            bpftool_dir=$(dirname "$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)")
+            if [ -n "$bpftool_dir" ]; then
+                export PATH="$bpftool_dir:$PATH"
+            fi
+
            MESON_ARGS=(--optimization=1)

            if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -5551,11 +5551,11 @@ int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef
         * with the child's PID. */

        if (into_cgroup) {
-                (void) unit_realize_cgroup(u);
+                r = unit_realize_cgroup(u);
+                if (r < 0)
+                        return r;

-                crt = unit_setup_cgroup_runtime(u);
-                if (!crt)
-                        return -ENOMEM;
+                crt = unit_get_cgroup_runtime(u);
        }

        r = safe_fork(name, FORK_REOPEN_LOG|FORK_DEATHSIG_SIGTERM, &pid);
@ -6005,7 +6005,9 @@ int unit_prepare_exec(Unit *u) {

        /* Prepares everything so that we can fork of a process for this unit */

-        (void) unit_realize_cgroup(u);
+        r = unit_realize_cgroup(u);
+        if (r < 0)
+                return r;

        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
        if (crt && crt->reset_accounting) {
--- a/test/units/TEST-19-CGROUP.abort-on-cgroup-creation-failure.sh
+++ b/test/units/TEST-19-CGROUP.abort-on-cgroup-creation-failure.sh
@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -ex
+set -o pipefail
+
+# Test that the service is not invoked if the cgroup cannot be created.
+
+# It seems openSUSE kernel (at least kernel-default-6.16.8-1.1.x86_64.rpm) has a
+# bag in kernel oom killer or clone3 syscall, and spawning executor on a cgroup
+# with too small MemoryMax= triggers infinite loop of OOM kill, and posix_spawn()
+# will never return, and the service manager will stuck.
+####
+# [  119.776797] systemd invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
+# [  119.776859] CPU: 1 UID: 0 PID: 1472 Comm: systemd Not tainted 6.16.8-1-default #1 PREEMPT(voluntary) openSUSE Tumbleweed  6c85865973e4ae641870ed68afe8933a6986c974
+# [  119.776865] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
+# [  119.776867] Call Trace:
+# (snip)
+# [  119.778126] Out of memory and no killable processes...
+####
+# On other distributions, the oom killer is triggered, but clone3 immediately
+# fails with ENOMEM, and such problematic loop does not happen.
+. /etc/os-release
+if [[ "$ID" =~ opensuse ]]; then
+    echo "Skipping cgroup test with too small MemoryMax= setting on openSUSE."
+    exit 0
+fi
+
+cat >/run/systemd/system/testslice.slice <<EOF
+[Slice]
+MemoryMax=1
+EOF
+
+cat >/run/systemd/system/testservice.service <<EOF
+[Service]
+Type=oneshot
+ExecStart=cat /proc/self/cgroup
+Slice=testslice.slice
+EOF
+
+systemctl daemon-reload
+(! systemctl start testservice.service)
+
+rm /run/systemd/system/testslice.slice
+rm /run/systemd/system/testservice.service
+
+exit 0
Author	SHA1	Message	Date
Luca Boccassi	c2678480a7	ci: add bpftool workaround to coverity too (cherry picked from commit d29f181cf02100c146fc8691a5515a708d06ddbf)	2025-10-20 09:14:58 +02:00
Yu Watanabe	e1c382a53c	ci: fix workaround about bpftool for codeql Follow-up for e9fd2bbfffc5c2c7cd1ea0a288d5435fc15e387f. (cherry picked from commit a6836cfa0bdf1bb1fcf05686c5af3f2b5ad97f6b)	2025-10-20 09:14:58 +02:00
Luca Boccassi	257f0f8697	ci: add bpftool workaround to codeql job too (cherry picked from commit e9fd2bbfffc5c2c7cd1ea0a288d5435fc15e387f)	2025-10-20 09:14:58 +02:00
Luca Boccassi	30c2834e11	ci: re-enable bpf-framework option for build and unit test jobs Use the same trickery we do in the package build and search for the actual bpftool binary. For the CI job any one we find is good enough. When we switch all jobs to 26.04 we can drop all of this. This reverts commit cc814110af7a453db898ea2990a0281616d5ceff. (cherry picked from commit 3b11139c0db9dd0a37b0493a8d2ad5f531a92344)	2025-10-20 09:14:58 +02:00
Daan De Meyer	279465a212	ci: Disable bpf-framework option for build and unit test jobs /usr/sbin/bpftool is completely broken inside containers on Ubuntu which makes meson blow up so disable the bpf-framework stuff to avoid the issue. TODO: Drop when we move off Ubuntu Noble as this will be fixed in the next Ubuntu LTS release. (cherry picked from commit cc814110af7a453db898ea2990a0281616d5ceff)	2025-10-20 09:14:58 +02:00
Yu Watanabe	a7b0eb032c	core/unit: fail earlier before spawning executor when we failed to realize cgroup Before 23ac08115af83e3a0a937fa207fc52511aba2ffa, even if we failed to create the cgroup for a unit, a cgroup runtime object for the cgroup is created with the cgroup path. Hence, the creation of cgroup is failed, execution of the unit will fail in posix_spawn_wrapper() and logged something like the following: ``` systemd[1]: testservice.service: Failed to create cgroup /testslice.slice/testservice.service: Cannot allocate memory systemd[1]: testservice.service: Failed to spawn executor: No such file or directory systemd[1]: testservice.service: Failed to spawn 'start' task: No such file or directory systemd[1]: testservice.service: Failed with result 'resources'. systemd[1]: Failed to start testservice.service. ``` However, after the commit, when we failed to create the cgroup, a cgroup runtime object is not created, hence NULL will be assigned to ExecParameters.cgroup_path in unit_set_exec_params(). Hence, the unit process will be invoked in the init.scope. ``` systemd[1]: testservice.service: Failed to create cgroup /testslice.slice/testservice.service: Cannot allocate memory systemd[1]: Starting testservice.service... cat[1094]: 0::/init.scope systemd[1]: testservice.service: Deactivated successfully. systemd[1]: Finished testservice.service. ``` where the test service calls 'cat /proc/self/cgroup'. To fix the issue, let's fail earlier when we failed to create cgroup. Follow-up for 23ac08115af83e3a0a937fa207fc52511aba2ffa (v258). (cherry picked from commit 8b4ee3d68d2e70d9a396b74d155eab3b11763311)	2025-10-20 09:14:58 +02:00