1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
# Copyright 2025 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
name: build-step-template
spec:
templates:
- name: build-step
retryStrategy:
limit: "3"
backoff:
duration: "5m"
inputs:
parameters:
- name: findings
value: "false"
- name: test-name
value: ""
- name: smoke-build
value: "false"
# For some reason, "{{=workflow.parameters.session-id ?? ''}}" didn't work here.
- name: session-id
value: ""
artifacts:
- name: request
path: /tmp/request.json
initContainers:
- name: setup-overlays
image: alpine/git:latest
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
mkdir /data/overlayfs /data/.git
mount -t tmpfs -o size=128M tmpfs /data/overlayfs
mkdir /data/overlayfs/upper /data/overlayfs/work
mount -t overlay overlay -o lowerdir=/kernel-repo,upperdir=/data/overlayfs/upper,workdir=/data/overlayfs/work /data/.git
chmod 0777 /data/.git
git --git-dir=/data/.git --work-tree=/workdir checkout v3.0
chmod -R 0777 /data/.git/logs
chmod -R 0777 /workdir
volumeMounts:
- name: shared-git-repo
mountPath: /data
mountPropagation: Bidirectional
- name: base-kernel-repo
mountPath: /kernel-repo
readOnly: true
- name: workdir
mountPath: /workdir
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
container:
image: ${IMAGE_PREFIX}build-step:${IMAGE_TAG}
imagePullPolicy: IfNotPresent
command: ["/bin/build-step"]
args: [
"--request", "/tmp/request.json",
"--repository", "/workdir",
"--output", "/output",
"--session", "{{inputs.parameters.session-id}}",
"--test_name", "{{inputs.parameters.test-name}}",
"-findings={{inputs.parameters.findings}}",
"-smoke_build={{inputs.parameters.smoke-build}}"
]
resources:
requests:
cpu: 8
memory: 32G
limits:
cpu: 32
memory: 96G
env:
- name: GIT_DIR
value: "/data/.git"
- name: GIT_DISCOVERY_ACROSS_FILESYSTEM
value: "1"
- name: GIT_WORK_TREE
value: "/workdir"
- name: HOME # Otherwise it's failing with "warning: unable to access '/root/.config/git/attributes': Permission denied.".
value: "/home/syzkaller"
volumeMounts:
- name: shared-git-repo
mountPath: /data
- name: base-kernel-repo
mountPath: /kernel-repo
readOnly: true
- name: workdir
mountPath: /workdir
- name: output
mountPath: /output
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"] # We need to mount a loop device during the kernel build.
volumes:
- name: base-kernel-repo
persistentVolumeClaim:
claimName: base-kernel-repo-pv-claim
- name: shared-git-repo
emptyDir:
medium: Memory
- name: workdir
emptyDir: {}
- name: output
emptyDir: {}
outputs:
parameters:
- name: result
valueFrom:
path: /output/result.json
default: ""
artifacts:
- name: kernel
path: /output
optional: true
|
