blob: 37427cf735339611ef2a7fd89fa1e1075d1ddd0f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
# Copyright 2025 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
name: triage-step-template
spec:
templates:
- name: triage-step
initContainers:
- name: setup-overlays
image: alpine/git:latest
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
mkdir /data/overlayfs /data/.git
mount -t tmpfs -o size=128M tmpfs /data/overlayfs
mkdir /data/overlayfs/upper /data/overlayfs/work
mount -t overlay overlay -o lowerdir=/kernel-repo,upperdir=/data/overlayfs/upper,workdir=/data/overlayfs/work /data/.git
chmod 0777 /data/.git
git --git-dir=/data/.git --work-tree=/workdir checkout v3.0
chmod -R 0777 /data/.git/logs
chmod -R 0777 /workdir
volumeMounts:
- name: shared-git-repo
mountPath: /data
mountPropagation: Bidirectional
- name: base-kernel-repo
mountPath: /kernel-repo
readOnly: true
- name: workdir
mountPath: /workdir
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
container:
image: ${IMAGE_PREFIX}triage-step:${IMAGE_TAG}
imagePullPolicy: IfNotPresent
command: ["/bin/triage-step"]
args: [
"--session", "{{workflow.parameters.session-id}}",
"--repository", "/workdir",
"--verdict", "/output/result.json"
]
resources:
requests:
cpu: 1
memory: 8G
limits:
cpu: 4
memory: 16G
env:
- name: GIT_DIR
value: "/data/.git"
- name: GIT_DISCOVERY_ACROSS_FILESYSTEM
value: "1"
- name: GIT_WORK_TREE
value: "/workdir"
- name: HOME # Otherwise it's failing with "warning: unable to access '/root/.config/git/attributes': Permission denied.".
value: "/home/syzkaller"
volumeMounts:
- name: shared-git-repo
mountPath: /data
- name: base-kernel-repo
mountPath: /kernel-repo
readOnly: true
- name: workdir
mountPath: /workdir
- name: output
mountPath: /output
volumes:
- name: base-kernel-repo
persistentVolumeClaim:
claimName: base-kernel-repo-pv-claim
- name: shared-git-repo
emptyDir:
medium: Memory
- name: workdir
emptyDir: {}
- name: output
emptyDir: {}
outputs:
parameters:
- name: result
valueFrom:
path: /output/result.json
|
