1Docker CI 2========= 3 4For llvmpipe and swrast CI, we run tests in a container containing 5VK-GL-CTS, on the shared GitLab runners provided by `freedesktop 6<http://freedesktop.org>`_ 7 8Software architecture 9--------------------- 10 11The Docker containers are rebuilt using the shell scripts under 12.gitlab-ci/container/ when the FDO\_DISTRIBUTION\_TAG changes in 13.gitlab-ci.yml. The resulting images are around 1 GB, and are 14expected to change approximately weekly (though an individual 15developer working on them may produce many more images while trying to 16come up with a working MR!). 17 18gitlab-runner is a client that polls gitlab.freedesktop.org for 19available jobs, with no inbound networking requirements. Jobs can 20have tags, so we can have DUT-specific jobs that only run on runners 21with that tag marked in the GitLab UI. 22 23Since dEQP takes a long time to run, we mark the job as "parallel" at 24some level, which spawns multiple jobs from one definition, and then 25deqp-runner.sh takes the corresponding fraction of the test list for 26that job. 27 28To reduce dEQP runtime (or avoid tests with unreliable results), a 29deqp-runner.sh invocation can provide a list of tests to skip. If 30your driver is not yet conformant, you can pass a list of expected 31failures, and the job will only fail on tests that aren't listed (look 32at the job's log for which specific tests failed). 33 34DUT requirements 35---------------- 36 37In addition to the general :ref:`CI-farm-expectations`, using 38Docker requires: 39 40* DUTs must have a stable kernel and GPU reset (if applicable). 41 42If the system goes down during a test run, that job will eventually 43time out and fail (default 1 hour). However, if the kernel can't 44reliably reset the GPU on failure, bugs in one MR may leak into 45spurious failures in another MR. This would be an unacceptable impact 46on Mesa developers working on other drivers. 47 48* DUTs must be able to run Docker 49 50The Mesa gitlab-runner based test architecture is built around Docker, 51so that we can cache the Debian package installation and CTS build 52step across multiple test runs. Since the images are large and change 53approximately weekly, the DUTs also need to be running some script to 54prune stale Docker images periodically in order to not run out of disk 55space as we rev those containers (perhaps `this script 56<https://gitlab.com/gitlab-org/gitlab-runner/issues/2980#note_169233611>`_). 57 58Note that Docker doesn't allow containers to be stored on NFS, and 59doesn't allow multiple Docker daemons to interact with the same 60network block device, so you will probably need some sort of physical 61storage on your DUTs. 62 63* DUTs must be public 64 65By including your device in .gitlab-ci.yml, you're effectively letting 66anyone on the internet run code on your device. Docker containers may 67provide some limited protection, but how much you trust that and what 68you do to mitigate hostile access is up to you. 69 70* DUTs must expose the dri device nodes to the containers. 71 72Obviously, to get access to the HW, we need to pass the render node 73through. This is done by adding ``devices = ["/dev/dri"]`` to the 74``runners.docker`` section of /etc/gitlab-runner/config.toml. 75