~sircmpwn/builds.sr.ht

summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDrew DeVault <ddevault@vistarmedia.com>2018-01-03 17:05:59 -0500
committerDrew DeVault <sir@cmpwn.com>2018-01-03 19:04:09 -0500
commitd00328074804973e399b76090d00ba572c3c4a68 (patch)
treef1ea6c6cddfd9adc12fe3064831b2d3a5611dd11
parentbbf45ed070b6a8aaef6a3c4351ba00b72efe46fe (diff)
downloadbuilds.sr.ht-d00328074804973e399b76090d00ba572c3c4a68.tar.xz
Run qemu in docker to improve isolation
The included Dockerfile builds a minimal, statically linked copy of qemu and puts it in an otherwise empty docker container. The build runner now runs its VMs inside of that container. Now there are 3 layers of isolation between build guests and the rest of sr.ht: 1. KVM isolation 2. LXC isolation 3. Build runners are physically separate from the rest of sr.ht and have minimal access to sr.ht resources Still TODO in isolation improvements is the build runner API, which would replace the limited SQL access they have today.
-rw-r--r--buildsrht/runner.py2
-rwxr-xr-ximages/control41
-rw-r--r--images/qemu/Dockerfile77
-rwxr-xr-ximages/qemu/pixman-patches/apply6
-rw-r--r--images/qemu/pixman-patches/float-header-fix.patch16
-rw-r--r--images/qemu/pixman-patches/stacksize-reduction.patch35
-rw-r--r--images/qemu/qemu-patches/0001-elfload-load-PIE-executables-to-right-address.patch89
-rw-r--r--images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-aarch64.patch31
-rw-r--r--images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-ppc64le.patch67
-rw-r--r--images/qemu/qemu-patches/0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch37
-rwxr-xr-ximages/qemu/qemu-patches/apply6
-rw-r--r--images/qemu/qemu-patches/fix-sigevent-and-sigval_t.patch24
-rw-r--r--images/qemu/qemu-patches/fix-sockios-header.patch12
-rw-r--r--images/qemu/qemu-patches/fix-test-crypto-tls-x509-helpers-dont-use-sha1.patch36
-rw-r--r--images/qemu/qemu-patches/fix-test-io-channel-tls-handshake-completion.patch36
-rw-r--r--images/qemu/qemu-patches/fix-test-io-channel-tls-temp-directory.patch36
-rw-r--r--images/qemu/qemu-patches/ignore-signals-33-and-64-to-allow-golang-emulation.patch56
-rw-r--r--images/qemu/qemu-patches/musl-F_SHLCK-and-F_EXLCK.patch19
-rw-r--r--images/qemu/qemu-patches/ncurses.patch13
-rw-r--r--images/qemu/qemu-patches/test-crypto-ivgen-skip-essiv.patch54
-rw-r--r--images/qemu/qemu-patches/xattr_size_max.patch15
21 files changed, 686 insertions, 22 deletions
diff --git a/buildsrht/runner.py b/buildsrht/runner.py
index f1ec0f6..6c03721 100644
--- a/buildsrht/runner.py
+++ b/buildsrht/runner.py
@@ -111,8 +111,6 @@ def run_build(job_id, manifest):
manifest.image, "boot", port
], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
time.sleep(5)
- if qemu.poll() != None:
- raise Exception("qemu aborted suspiciously early")
print("Running sanity check")
result = ssh(port, "echo", "hello world", stdout=subprocess.PIPE)
diff --git a/images/control b/images/control
index a5a8743..d63d41e 100755
--- a/images/control
+++ b/images/control
@@ -20,24 +20,24 @@ function guest_ssh() {
ssh $ssh_opts "$@"
}
-function qemu_pid() {
- cat /tmp/qemu-$port.pid
-}
-
function boot() {
port=$1
- qemu-system-x86_64 \
- -m ${MEMORY:-2048} \
- -net nic,model=virtio -net user,hostfwd=tcp::$port-:22 \
- -cpu host \
- -enable-kvm \
- -nographic \
- -drive file="$self/$base/root.img.qcow2",media=disk,snapshot=on,if=virtio \
- -kernel "$self/$base"/$guest_kernel \
- -initrd "$self/$base"/$guest_initrd \
- -append "root=/dev/vda rw console=ttyS0 $cmdline"
- pid=$?
- echo $pid > /tmp/qemu-$port.pid
+ id=$(docker run -d \
+ -v "$self/$base":/base:ro \
+ --mount type=tmpfs,destination=/var/tmp \
+ --device /dev/kvm \
+ -p 127.0.0.1:$port:$port \
+ qemu /bin/qemu-system-x86_64 \
+ -m ${MEMORY:-2048} \
+ -net nic,model=virtio -net user,hostfwd=tcp::$port-:22 \
+ -cpu host \
+ -enable-kvm \
+ -nographic \
+ -drive file="/base/root.img.qcow2",media=disk,snapshot=on,if=virtio \
+ -kernel /base/$guest_kernel \
+ -initrd /base/$guest_initrd \
+ -append "root=/dev/vda rw console=ttyS0 $cmdline" > /dev/null)
+ echo $id > /tmp/qemu-$port.id
}
function cleanup() {
@@ -45,13 +45,14 @@ function cleanup() {
# Power off
if [ $# == 1 ]
then
- pid=$(qemu_pid)
- if [ "$pid" != "" ]
+ cid=$(cat /tmp/qemu-$port.id)
+ if [ "$cid" != "" ]
then
guest_ssh -p $port build@localhost $poweroff_cmd || true
sleep 2
- kill $pid && sleep 2 || true
- kill -9 $pid && sleep 2 || true
+ docker kill $cid && sleep 2 || true
+ docker kill -s 9 $cid && sleep 2 || true
+ rm /tmp/qemu-$port.id
fi
fi
}
diff --git a/images/qemu/Dockerfile b/images/qemu/Dockerfile
new file mode 100644
index 0000000..b72bf58
--- /dev/null
+++ b/images/qemu/Dockerfile
@@ -0,0 +1,77 @@
+FROM alpine:latest
+
+RUN apk update && apk upgrade && \
+ apk add alsa-lib-dev bison curl curl-dev flex glib-dev glib-static \
+ libaio-dev libcap-dev libcap-ng-dev linux-headers lzo-dev paxmark \
+ texinfo util-linux-dev vde2-dev xfsprogs-dev zlib-dev pixman-dev \
+ xz alpine-sdk
+
+# pixman
+# https://bugs.alpinelinux.org/issues/8376
+RUN curl -O https://www.cairographics.org/releases/pixman-0.34.0.tar.gz \
+ && tar xf pixman-0.34.0.tar.gz
+
+COPY ./pixman-patches /pixman-patches
+
+RUN cd pixman-0.34.0 && /pixman-patches/apply
+
+RUN cd pixman-0.34.0 && ./configure \
+ --prefix=/usr \
+ --enable-static \
+ --disable-openmp \
+ --disable-arm-iwmmxt
+
+RUN cd pixman-0.34.0 && make && make install
+
+# qemu
+RUN curl -O https://download.qemu.org/qemu-2.11.0.tar.xz \
+ && tar xf qemu-2.11.0.tar.xz
+
+COPY ./qemu-patches /qemu-patches
+
+RUN cd qemu-2.11.0 && /qemu-patches/apply && \
+ sed -i 's/^VL_LDFLAGS=$/VL_LDFLAGS=-Wl,-z,execheap/' Makefile.target
+
+RUN cd qemu-2.11.0 && ./configure \
+ --prefix=/ \
+ --static \
+ --audio-drv-list="" \
+ --disable-docs \
+ --disable-debug-info \
+ --disable-bsd-user \
+ --disable-werror \
+ --disable-sdl \
+ --disable-xen \
+ --disable-guest-agent \
+ --disable-modules \
+ --disable-gnutls \
+ --disable-nettle \
+ --disable-gcrypt \
+ --disable-gtk \
+ --disable-vte \
+ --disable-curses \
+ --disable-vnc \
+ --disable-bluez \
+ --disable-hax \
+ --disable-rdma \
+ --disable-spice \
+ --disable-libnfs \
+ --disable-smartcard \
+ --disable-libusb \
+ --disable-glusterfs \
+ --disable-numa \
+ --disable-libssh2 \
+ --disable-tools \
+ --disable-vxhs \
+ --disable-opengl \
+ --disable-linux-user \
+ --disable-virglrenderer \
+ --target-list="x86_64-softmmu"
+
+RUN cd qemu-2.11.0 && make && make install
+
+FROM scratch
+COPY --from=0 /bin/qemu-system-x86_64 /bin/
+COPY --from=0 /share/qemu/ /share/qemu/
+
+CMD ["/bin/qemu-system-x86_64"]
diff --git a/images/qemu/pixman-patches/apply b/images/qemu/pixman-patches/apply
new file mode 100755
index 0000000..9effc50
--- /dev/null
+++ b/images/qemu/pixman-patches/apply
@@ -0,0 +1,6 @@
+#!/bin/sh
+for p in /pixman-patches/*.patch
+do
+ echo "Applying patch $p"
+ patch -p1 < "$p"
+done
diff --git a/images/qemu/pixman-patches/float-header-fix.patch b/images/qemu/pixman-patches/float-header-fix.patch
new file mode 100644
index 0000000..5c151a1
--- /dev/null
+++ b/images/qemu/pixman-patches/float-header-fix.patch
@@ -0,0 +1,16 @@
+--- ./pixman/pixman-private.h.orig
++++ ./pixman/pixman-private.h
+@@ -1,5 +1,3 @@
+-#include <float.h>
+-
+ #ifndef PIXMAN_PRIVATE_H
+ #define PIXMAN_PRIVATE_H
+
+@@ -30,6 +28,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stddef.h>
++#include <float.h>
+
+ #include "pixman-compiler.h"
+
diff --git a/images/qemu/pixman-patches/stacksize-reduction.patch b/images/qemu/pixman-patches/stacksize-reduction.patch
new file mode 100644
index 0000000..38da9b3
--- /dev/null
+++ b/images/qemu/pixman-patches/stacksize-reduction.patch
@@ -0,0 +1,35 @@
+Reduce the stack footprint of pixman's function
+general_composite_rect() which allocates a large buffer
+`stack_scanline_buffer`. Make it `static __thread` instead.
+
+--- a/pixman/pixman-general.c 2015-12-27 21:37:37.000000000 +0100
++++ b/pixman/pixman-general.c 2016-05-05 12:24:47.346661080 +0200
+@@ -128,8 +128,8 @@
+ pixman_composite_info_t *info)
+ {
+ PIXMAN_COMPOSITE_ARGS (info);
+- uint8_t stack_scanline_buffer[3 * SCANLINE_BUFFER_LENGTH];
+- uint8_t *scanline_buffer = (uint8_t *) stack_scanline_buffer;
++ static __thread uint8_t static_scanline_buffer[3 * SCANLINE_BUFFER_LENGTH];
++ uint8_t *scanline_buffer = (uint8_t *) static_scanline_buffer;
+ uint8_t *src_buffer, *mask_buffer, *dest_buffer;
+ pixman_iter_t src_iter, mask_iter, dest_iter;
+ pixman_combine_32_func_t compose;
+@@ -158,7 +158,7 @@
+ if (width <= 0 || _pixman_multiply_overflows_int (width, Bpp * 3))
+ return;
+
+- if (width * Bpp * 3 > sizeof (stack_scanline_buffer) - 15 * 3)
++ if (width * Bpp * 3 > sizeof (static_scanline_buffer) - 15 * 3)
+ {
+ scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 15 * 3);
+
+@@ -232,7 +232,7 @@
+ if (dest_iter.fini)
+ dest_iter.fini (&dest_iter);
+
+- if (scanline_buffer != (uint8_t *) stack_scanline_buffer)
++ if (scanline_buffer != (uint8_t *) static_scanline_buffer)
+ free (scanline_buffer);
+ }
+
diff --git a/images/qemu/qemu-patches/0001-elfload-load-PIE-executables-to-right-address.patch b/images/qemu/qemu-patches/0001-elfload-load-PIE-executables-to-right-address.patch
new file mode 100644
index 0000000..1cf0c2b
--- /dev/null
+++ b/images/qemu/qemu-patches/0001-elfload-load-PIE-executables-to-right-address.patch
@@ -0,0 +1,89 @@
+From 6818f32f74981d9bccec8afbab37c42b50ab58be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 4 Jul 2013 15:50:36 +0300
+Subject: [RFC PATCH] elfload: load PIE executables to right address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PIE images are ET_DYN images. Check first for pinterp_name to make
+sure the main executable always is loaded to correct place.
+
+See below for current behaviour of PIE executables:
+
+Reserved 0x7f000000 bytes of guest address space
+host mmap_min_addr=0x1000
+guest_base 0x7f7cb41d5000
+start end size prot
+0037f400-003fe400 0007f000 r-x
+003fe400-003ff400 00001000 ---
+003ff400-003fe400 fffff000 rw-
+003fe400-003ff400 00001000 ---
+003ff400-003ffc00 00000800 rw-
+003ffc00-003fec00 fffff000 r-x
+003fec00-003ffc00 00001000 ---
+003ffc00-0007f000 ffc7f400 rw-
+start_brk 0x00000000
+end_code 0x7eff7ac0
+start_code 0x7eff7000
+start_data 0x7efffac0
+end_data 0x7efffc18
+start_stack 0x7eff6dc8
+brk 0x7efffc34
+entry 0x7e799b30
+00000000-00005000 ---p 00000000 00:00 0
+00005000-00015000 rw-p 00000000 00:00 0
+00015000-7e77d000 ---p 00000000 00:00 0
+7e77d000-7e7ec000 r-xp 00000000 68:03 14326298 /lib/libc.so
+7e7ec000-7e7f3000 ---p 00000000 00:00 0
+7e7f3000-7e7f4000 rw-p 0006e000 68:03 14326298 /lib/libc.so
+7e7f4000-7e7f6000 rw-p 00000000 00:00 0
+7e7f6000-7e7f7000 ---p 00000000 00:00 0
+7e7f7000-7eff7000 rw-p 00000000 00:00 0
+7eff7000-7eff8000 r-xp 00000000 68:03 9731305 /usr/bin/brk
+7eff8000-7efff000 ---p 00000000 00:00 0
+7e7f7000-7eff7000 rw-p 00000000 00:00 0 [stack]
+
+Showing how the main binary got loaded to wrong place.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+I assume pinterp_name is only ever set for the main executable.
+Quick grep would indicate that this is indeed the case.
+
+ linux-user/elfload.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+index ddef23e..d6e00cd 100644
+--- a/linux-user/elfload.c
++++ b/linux-user/elfload.c
+@@ -1660,7 +1660,12 @@ static void load_elf_image(const char *image_name, int image_fd,
+ }
+
+ load_addr = loaddr;
+- if (ehdr->e_type == ET_DYN) {
++ if (pinterp_name != NULL) {
++ /* This is the main executable. Make sure that the low
++ address does not conflict with MMAP_MIN_ADDR or the
++ QEMU application itself. */
++ probe_guest_base(image_name, loaddr, hiaddr);
++ } else if (ehdr->e_type == ET_DYN) {
+ /* The image indicates that it can be loaded anywhere. Find a
+ location that can hold the memory space required. If the
+ image is pre-linked, LOADDR will be non-zero. Since we do
+@@ -1672,11 +1677,6 @@ static void load_elf_image(const char *image_name, int image_fd,
+ if (load_addr == -1) {
+ goto exit_perror;
+ }
+- } else if (pinterp_name != NULL) {
+- /* This is the main executable. Make sure that the low
+- address does not conflict with MMAP_MIN_ADDR or the
+- QEMU application itself. */
+- probe_guest_base(image_name, loaddr, hiaddr);
+ }
+ load_bias = load_addr - loaddr;
+
+--
+1.8.3.2
+
diff --git a/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-aarch64.patch b/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-aarch64.patch
new file mode 100644
index 0000000..1bbae7d
--- /dev/null
+++ b/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-aarch64.patch
@@ -0,0 +1,31 @@
+From 806cb2ed28a16cf2894fabef034347f426f1d04e Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 15 Dec 2016 11:53:07 +0100
+Subject: [PATCH] linux-user: fix build with musl on aarch64
+
+Use the standard uint64_t instead of internal __u64.
+
+This fixes compiler error with musl libc on aarch64:
+.../qemu-2.7.0/linux-user/host/aarch64/hostdep.h:28:5:
+error: unknown type name '__u64'
+ __u64 *pcreg = &uc->uc_mcontext.pc;
+ ^~~~~
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ linux-user/host/aarch64/hostdep.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux-user/host/aarch64/hostdep.h b/linux-user/host/aarch64/hostdep.h
+index 64f75cef49..6fd6e36b2a 100644
+--- a/linux-user/host/aarch64/hostdep.h
++++ b/linux-user/host/aarch64/hostdep.h
+@@ -25,7 +25,7 @@ extern char safe_syscall_end[];
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+ ucontext_t *uc = puc;
+- __u64 *pcreg = &uc->uc_mcontext.pc;
++ uint64_t *pcreg = &uc->uc_mcontext.pc;
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+ && *pcreg < (uintptr_t)safe_syscall_end) {
diff --git a/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-ppc64le.patch b/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-ppc64le.patch
new file mode 100644
index 0000000..a013809
--- /dev/null
+++ b/images/qemu/qemu-patches/0001-linux-user-fix-build-with-musl-on-ppc64le.patch
@@ -0,0 +1,67 @@
+--- a/linux-user/host/ppc64/hostdep.h
++++ b/linux-user/host/ppc64/hostdep.h
+@@ -25,7 +25,11 @@
+ static inline void rewind_if_in_safe_syscall(void *puc)
+ {
+ ucontext_t *uc = puc;
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ unsigned long *pcreg = &uc->uc_mcontext.gp_regs[PT_NIP];
++#else // Musl
++ unsigned long *pcreg = &uc->uc_mcontext.gp_regs[32];
++#endif
+
+ if (*pcreg > (uintptr_t)safe_syscall_start
+ && *pcreg < (uintptr_t)safe_syscall_end) {
+--- a/user-exec.c
++++ a/user-exec.c
+@@ -228,6 +228,7 @@
+ */
+ #ifdef linux
+ /* All Registers access - only for local access */
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ #define REG_sig(reg_name, context) \
+ ((context)->uc_mcontext.regs->reg_name)
+ /* Gpr Registers access */
+@@ -245,15 +246,42 @@
+ /* Condition register */
+ #define CR_sig(context) REG_sig(ccr, context)
+
++#else // Musl
++#define REG_sig(reg_num, context) \
++ ((context)->uc_mcontext.gp_regs[reg_num])
++/* Gpr Registers access */
++#define GPR_sig(reg_num, context) REG_sig(gpr[reg_num], context)
++/* Program counter */
++#define IAR_sig(context) REG_sig(32, context)
++/* Machine State Register (Supervisor) */
++#define MSR_sig(context) REG_sig(33, context)
++/* Count register */
++#define CTR_sig(context) REG_sig(35, context)
++/* User's integer exception register */
++#define XER_sig(context) REG_sig(37, context)
++/* Link register */
++#define LR_sig(context) REG_sig(36, context)
++/* Condition register */
++#define CR_sig(context) REG_sig(38, context)
++#endif
++
++
+ /* Float Registers access */
+ #define FLOAT_sig(reg_num, context) \
+ (((double *)((char *)((context)->uc_mcontext.regs + 48 * 4)))[reg_num])
+ #define FPSCR_sig(context) \
+ (*(int *)((char *)((context)->uc_mcontext.regs + (48 + 32 * 2) * 4)))
+ /* Exception Registers access */
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ #define DAR_sig(context) REG_sig(dar, context)
+ #define DSISR_sig(context) REG_sig(dsisr, context)
+ #define TRAP_sig(context) REG_sig(trap, context)
++#else // Musl
++#define DAR_sig(context) REG_sig(41, context)
++#define DSISR_sig(context) REG_sig(42, context)
++#define TRAP_sig(context) REG_sig(40, context)
++#endif
++
+ #endif /* linux */
+
+ #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
diff --git a/images/qemu/qemu-patches/0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch b/images/qemu/qemu-patches/0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
new file mode 100644
index 0000000..7ea1dba
--- /dev/null
+++ b/images/qemu/qemu-patches/0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
@@ -0,0 +1,37 @@
+From 3e231fa7a2dc66e2ef06ac44f4f719b08fc0c67e Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Tue, 29 Apr 2014 15:51:31 +0200
+Subject: [PATCH 6/6] linux-user/signal.c: define __SIGRTMIN/MAX for non-GNU
+ platforms
+
+The __SIGRTMIN and __SIGRTMAX are glibc internals and are not available
+on all platforms, so we define those if they are missing.
+
+This is needed for musl libc.
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ linux-user/signal.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/linux-user/signal.c b/linux-user/signal.c
+index 7d6246f..6019dbb 100644
+--- a/linux-user/signal.c
++++ b/linux-user/signal.c
+@@ -32,6 +32,13 @@
+
+ //#define DEBUG_SIGNAL
+
++#ifndef __SIGRTMIN
++#define __SIGRTMIN 32
++#endif
++#ifndef __SIGRTMAX
++#define __SIGRTMAX (NSIG-1)
++#endif
++
+ static struct target_sigaltstack target_sigaltstack_used = {
+ .ss_sp = 0,
+ .ss_size = 0,
+--
+1.9.2
+
diff --git a/images/qemu/qemu-patches/apply b/images/qemu/qemu-patches/apply
new file mode 100755
index 0000000..5987418
--- /dev/null
+++ b/images/qemu/qemu-patches/apply
@@ -0,0 +1,6 @@
+#!/bin/sh
+for p in /qemu-patches/*.patch
+do
+ echo "Applying patch $p"
+ patch -p1 < "$p"
+done
diff --git a/images/qemu/qemu-patches/fix-sigevent-and-sigval_t.patch b/images/qemu/qemu-patches/fix-sigevent-and-sigval_t.patch
new file mode 100644
index 0000000..1f99eac
--- /dev/null
+++ b/images/qemu/qemu-patches/fix-sigevent-and-sigval_t.patch
@@ -0,0 +1,24 @@
+--- qemu-2.2.1/linux-user/syscall.c.orig 2015-04-10 07:10:06.305662505 +0000
++++ qemu-2.2.1/linux-user/syscall.c 2015-04-10 07:36:53.801871968 +0000
+@@ -5020,9 +5020,20 @@
+ return 0;
+ }
+
+-static inline abi_long target_to_host_sigevent(struct sigevent *host_sevp,
++struct host_sigevent {
++ union sigval sigev_value;
++ int sigev_signo;
++ int sigev_notify;
++ union {
++ int _pad[64-sizeof(int) * 2 + sizeof(union sigval)];
++ int _tid;
++ } _sigev_un;
++};
++
++static inline abi_long target_to_host_sigevent(struct sigevent *sevp,
+ abi_ulong target_addr)
+ {
++ struct host_sigevent *host_sevp = (struct host_sigevent *) sevp;
+ struct target_sigevent *target_sevp;
+
+ if (!lock_user_struct(VERIFY_READ, target_sevp, target_addr, 1)) {
diff --git a/images/qemu/qemu-patches/fix-sockios-header.patch b/images/qemu/qemu-patches/fix-sockios-header.patch
new file mode 100644
index 0000000..e74b719
--- /dev/null
+++ b/images/qemu/qemu-patches/fix-sockios-header.patch
@@ -0,0 +1,12 @@
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 43d0562..afa0ac4 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
+ #include <linux/icmp.h>
+ #include <linux/icmpv6.h>
+ #include <linux/errqueue.h>
++#include <linux/sockios.h>
+ #include "qemu-common.h"
+ #ifdef CONFIG_TIMERFD
+ #include <sys/timerfd.h>
diff --git a/images/qemu/qemu-patches/fix-test-crypto-tls-x509-helpers-dont-use-sha1.patch b/images/qemu/qemu-patches/fix-test-crypto-tls-x509-helpers-dont-use-sha1.patch
new file mode 100644
index 0000000..6c56d7f
--- /dev/null
+++ b/images/qemu/qemu-patches/fix-test-crypto-tls-x509-helpers-dont-use-sha1.patch
@@ -0,0 +1,36 @@
+From 23c1595b0297e6ca8f37559af6f0b8533aa1fd99 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 29 Aug 2017 17:03:30 +0100
+Subject: [PATCH] crypto: fix test cert generation to not use SHA1 algorithm
+
+GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.
+Unfortunately the gnutls_x509_crt_sign() method we are
+using to create certificates in the test suite is fixed
+to always use SHA1. We must switch to a different method
+and explicitly ask for SHA256.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Patch-Source: https://src.fedoraproject.org/rpms/qemu/blob/master/f/1016-crypto-fix-test-cert-generation-to-not-use-SHA1-algo.patch
+---
+ tests/crypto-tls-x509-helpers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
+index 64073d3bd3..173d4e28fb 100644
+--- a/tests/crypto-tls-x509-helpers.c
++++ b/tests/crypto-tls-x509-helpers.c
+@@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
+ * If no 'ca' is set then we are self signing
+ * the cert. This is done for the root CA certs
+ */
+- err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
++ err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
++ GNUTLS_DIG_SHA256, 0);
+ if (err < 0) {
+ g_critical("Failed to sign certificate %s",
+ gnutls_strerror(err));
+--
+2.13.5
+
diff --git a/images/qemu/qemu-patches/fix-test-io-channel-tls-handshake-completion.patch b/images/qemu/qemu-patches/fix-test-io-channel-tls-handshake-completion.patch
new file mode 100644
index 0000000..552e177
--- /dev/null
+++ b/images/qemu/qemu-patches/fix-test-io-channel-tls-handshake-completion.patch
@@ -0,0 +1,36 @@
+From 689ed13e73bdb5a5ca3366524475e3065fae854a Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 29 Aug 2017 17:04:52 +0100
+Subject: [PATCH] io: fix check for handshake completion in TLS test
+
+The TLS I/O channel test had mistakenly used && instead
+of || when checking for handshake completion. As a
+result it could terminate the handshake process before
+it had actually completed. This was harmless before but
+changes in GNUTLS 3.6.0 exposed this bug and caused the
+test suite to fail.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Patch-Source: https://src.fedoraproject.org/rpms/qemu/blob/master/f/1017-io-fix-check-for-handshake-completion-in-TLS-test.patch
+---
+ tests/test-io-channel-tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index ff96877323..a210d01ba5 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -218,7 +218,7 @@ static void test_io_channel_tls(const void *opaque)
+ mainloop = g_main_context_default();
+ do {
+ g_main_context_iteration(mainloop, TRUE);
+- } while (!clientHandshake.finished &&
++ } while (!clientHandshake.finished ||
+ !serverHandshake.finished);
+
+ g_assert(clientHandshake.failed == data->expectClientFail);
+--
+2.13.5
+
diff --git a/images/qemu/qemu-patches/fix-test-io-channel-tls-temp-directory.patch b/images/qemu/qemu-patches/fix-test-io-channel-tls-temp-directory.patch
new file mode 100644
index 0000000..283f85a
--- /dev/null
+++ b/images/qemu/qemu-patches/fix-test-io-channel-tls-temp-directory.patch
@@ -0,0 +1,36 @@
+From d4adf9675801cd90e66ecfcd6a54ca1abc5a6698 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Fri, 21 Jul 2017 12:47:39 +0100
+Subject: [PATCH] io: fix temp directory used by test-io-channel-tls test
+
+The test-io-channel-tls test was mistakenly using two of the
+same directories as test-crypto-tlssession. This causes a
+sporadic failure when using make -j$BIGNUM.
+
+Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Patch-Source: https://src.fedoraproject.org/rpms/qemu/blob/master/f/1018-io-fix-temp-directory-used-by-test-io-channel-tls-te.patch
+---
+ tests/test-io-channel-tls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-io-channel-tls.c b/tests/test-io-channel-tls.c
+index 8eaa208e1b..ff96877323 100644
+--- a/tests/test-io-channel-tls.c
++++ b/tests/test-io-channel-tls.c
+@@ -127,8 +127,8 @@ static void test_io_channel_tls(const void *opaque)
+ /* We'll use this for our fake client-server connection */
+ g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
+
+-#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
+-#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
++#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
++#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
+ mkdir(CLIENT_CERT_DIR, 0700);
+ mkdir(SERVER_CERT_DIR, 0700);
+
+--
+2.13.5
+
diff --git a/images/qemu/qemu-patches/ignore-signals-33-and-64-to-allow-golang-emulation.patch b/images/qemu/qemu-patches/ignore-signals-33-and-64-to-allow-golang-emulation.patch
new file mode 100644
index 0000000..1162542
--- /dev/null
+++ b/images/qemu/qemu-patches/ignore-signals-33-and-64-to-allow-golang-emulation.patch
@@ -0,0 +1,56 @@
+From db186a3f83454268c43fc793a48bc28c41368a6c Mon Sep 17 00:00:00 2001
+From: Petros Angelatos <petrosagg@gmail.com>
+Date: Thu, 3 Mar 2016 23:58:53 -0800
+Subject: [PATCH] linux-user: ignore signals 33 and 64 to allow golang
+ emulation
+
+Signal 33 will always fail. This causes golang crash since
+https://github.com/golang/go/commit/675eb72c285cd0dd44a5f280bb3fa456ddf6de16
+
+As explained in that commit, these signals are very rarely used in a
+way that causes problems, so it's ok-ish to ignore one of them.
+
+Signal 64 will fail because QEMU uses SIGRTMAX for itself. This causes
+golang to crash for versions earlier than
+https://github.com/golang/go/commit/d10675089d74db0408f2432eae3bd89a8e1c2d6a
+
+Since after that commit golang ignores that signal, we also ignore it here to
+allow earlier versions to run as well.
+
+Signed-off-by: Petros Angelatos <petrosagg@gmail.com>
+---
+ linux-user/signal.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/linux-user/signal.c b/linux-user/signal.c
+index 9a4d894..90aca55 100644
+--- a/linux-user/signal.c
++++ b/linux-user/signal.c
+@@ -744,6 +744,27 @@ int do_sigaction(int sig, const struct target_sigaction *act,
+ }
+
+ k = &sigact_table[sig - 1];
++
++ /* This signal will always fail. This causes golang crash since
++ * https://github.com/golang/go/commit/675eb72c285cd0dd44a5f280bb3fa456ddf6de16
++ *
++ * As explained in that commit, these signals are very rarely used in a
++ * way that causes problems, so it's ok-ish to ignore one of them here.
++ */
++ if (sig == 33) {
++ return 0;
++ }
++ /* This signal will fail because QEMU uses SIGRTMAX for itself. This causes
++ * golang to crash for versions earlier than
++ * https://github.com/golang/go/commit/d10675089d74db0408f2432eae3bd89a8e1c2d6a
++ *
++ * Since after that commit golang ignores that signal, we also ignore it here to
++ * allow earlier versions to run as well.
++ */
++ if (sig == 64) {
++ return 0;
++ }
++
+ if (oact) {
+ __put_user(k->_sa_handler, &oact->_sa_handler);
+ __put_user(k->sa_flags, &oact->sa_flags);
diff --git a/images/qemu/qemu-patches/musl-F_SHLCK-and-F_EXLCK.patch b/images/qemu/qemu-patches/musl-F_SHLCK-and-F_EXLCK.patch
new file mode 100644
index 0000000..316819a
--- /dev/null
+++ b/images/qemu/qemu-patches/musl-F_SHLCK-and-F_EXLCK.patch
@@ -0,0 +1,19 @@
+This patch was not upstreamed to qemu as those should probably be
+defined in musl libc.
+
+--- ./linux-user/syscall.c.orig
++++ ./linux-user/syscall.c
+@@ -114,6 +114,13 @@
+
+ #include "qemu.h"
+
++#ifndef F_SHLCK
++#define F_SHLCK 8
++#endif
++#ifndef F_EXLCK
++#define F_EXLCK 4
++#endif
++
+ #ifndef CLONE_IO
+ #define CLONE_IO 0x80000000 /* Clone io context */
+ #endif
diff --git a/images/qemu/qemu-patches/ncurses.patch b/images/qemu/qemu-patches/ncurses.patch
new file mode 100644
index 0000000..2e9eb2a
--- /dev/null
+++ b/images/qemu/qemu-patches/ncurses.patch
@@ -0,0 +1,13 @@
+diff --git a/configure b/configure
+index 3770d7c..3fe8281 100755
+--- a/configure
++++ b/configure
+@@ -2928,7 +2928,7 @@ if test "$curses" != "no" ; then
+ curses_inc_list="$($pkg_config --cflags ncurses 2>/dev/null):"
+ curses_lib_list="$($pkg_config --libs ncurses 2>/dev/null):-lpdcurses"
+ else
+- curses_inc_list="$($pkg_config --cflags ncursesw 2>/dev/null):-I/usr/include/ncursesw:"
++ curses_inc_list="-DNCURSES_WIDECHAR=1 $($pkg_config --cflags ncursesw 2>/dev/null):-I/usr/include/ncursesw:"
+ curses_lib_list="$($pkg_config --libs ncursesw 2>/dev/null):-lncursesw:-lcursesw"
+ fi
+ curses_found=no
diff --git a/images/qemu/qemu-patches/test-crypto-ivgen-skip-essiv.patch b/images/qemu/qemu-patches/test-crypto-ivgen-skip-essiv.patch
new file mode 100644
index 0000000..e72f489
--- /dev/null
+++ b/images/qemu/qemu-patches/test-crypto-ivgen-skip-essiv.patch
@@ -0,0 +1,54 @@
+These tests fail with Illegal instruction and I don't have a clue why,
+so skip them for now.
+
+--- a/tests/test-crypto-ivgen.c
++++ b/tests/test-crypto-ivgen.c
+@@ -88,48 +88,6 @@
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+- /* Small */
+- {
+- "/crypto/ivgen/essiv/1",
+- .sector = 0x1,
+- .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+- .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+- .hashalg = QCRYPTO_HASH_ALG_SHA256,
+- .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+- "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+- .nkey = 16,
+- .iv = (const uint8_t *)"\xd4\x83\x71\xb2\xa1\x94\x53\x88"
+- "\x1c\x7a\x2d\06\x2d\x0b\x65\x46",
+- .niv = 16,
+- },
+- /* Big ! */
+- {
+- "/crypto/ivgen/essiv/1f2e3d4c",
+- .sector = 0x1f2e3d4cULL,
+- .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+- .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+- .hashalg = QCRYPTO_HASH_ALG_SHA256,
+- .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+- "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+- .nkey = 16,
+- .iv = (const uint8_t *)"\x5d\x36\x09\x5d\xc6\x9e\x5e\xe9"
+- "\xe3\x02\x8d\xd8\x7a\x3d\xe7\x8f",
+- .niv = 16,
+- },
+- /* No Truncation */
+- {
+- "/crypto/ivgen/essiv/1f2e3d4c5b6a7988",
+- .sector = 0x1f2e3d4c5b6a7988ULL,
+- .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+- .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+- .hashalg = QCRYPTO_HASH_ALG_SHA256,
+- .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+- "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+- .nkey = 16,
+- .iv = (const uint8_t *)"\x58\xbb\x81\x94\x51\x83\x23\x23"
+- "\x7a\x08\x93\xa9\xdc\xd2\xd9\xab",
+- .niv = 16,
+- },
+ };
+
+
diff --git a/images/qemu/qemu-patches/xattr_size_max.patch b/images/qemu/qemu-patches/xattr_size_max.patch
new file mode 100644
index 0000000..1a33cbf
--- /dev/null
+++ b/images/qemu/qemu-patches/xattr_size_max.patch
@@ -0,0 +1,15 @@
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index faebd91..a0f15b6 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -25,6 +25,10 @@
+ #include "trace.h"
+ #include "migration/migration.h"
+
++#ifdef __linux__
++#include <linux/limits.h> /* for XATTR_SIZE_MAX */
++#endif
++
+ int open_fd_hw;
+ int total_open_fd;
+ static int open_fd_rc;