From 60f28bd8c0f73fa9c8ab19c4c745be8102734879 Mon Sep 17 00:00:00 2001 From: Ernest Lotter Date: Mon, 2 Sep 2024 14:57:37 +0200 Subject: [PATCH] tests, run-spread: install snapd snap during classic system prepare (#14294) * tests/lib/prepare: install snapd snap for classic systems * run-spread, tests: split out a helper to build the dev build Signed-off-by: Maciej Borzecki * tests/lib/state: save snapd state instead of reset Signed-off-by: Maciej Borzecki * tests/lib/prepare: keep a copy of repacked core snap Signed-off-by: Maciej Borzecki * tests/main/snapd-snap-transition: fix the test to install core before transitioning Signed-off-by: Maciej Borzecki * tests/lib/state: also save core state Signed-off-by: Maciej Borzecki * tests/main/nfs-support: check snap-confine profile for internal parser Signed-off-by: Maciej Borzecki * tests/main/exitcodes: fix the test when using snapd snap Signed-off-by: Maciej Borzecki * tests/main/apparmor-batch-reload: account for apparmor_parser from snapd snap Signed-off-by: Maciej Borzecki * fixup! tests/main/snapd-snap-transition: fix the test to install core before transitioning Signed-off-by: Maciej Borzecki * tests/main/snapd-reexec: adapt to test for snapd in core and snapd snap * tests/main/cifs-home: fix for snapd snapd Signed-off-by: Maciej Borzecki * tests/main/remove-core: fix for snapd snap Signed-off-by: Maciej Borzecki * tests/main/snap-userd-reexec: fix for snapd snap Signed-off-by: Maciej Borzecki * tests/main/snapd-reexec-snapd-snap: fixes for snapd snap Signed-off-by: Maciej Borzecki * tests: account for prompting supported on >= 22.04 with internal apparmor Signed-off-by: Maciej Borzecki * tests/main/snap-seccomp-blocks-tty-injection: TODO for a fix Signed-off-by: Maciej Borzecki * fixup! tests/main/snap-seccomp-blocks-tty-injection: TODO for a fix Signed-off-by: Maciej Borzecki * tests: keep a copy of repacked core snap under $TESTSTMP 
Signed-off-by: Maciej Borzecki * run-spread: slightly smarter handling of snap build Signed-off-by: Maciej Borzecki * tests/main/mount-ns: update expected mount ns view Signed-off-by: Maciej Borzecki * spread: bump the storage for google:ubuntu-16.04 nodes Signed-off-by: Maciej Borzecki * tests/main/snapd-slow-startup: account for additional snap Signed-off-by: Maciej Borzecki * tests/main/interfaces-many-core-provided: account for snapd snap vendored apparmor Signed-off-by: Maciej Borzecki * tests/main/apparmor-prompting-snapd-startup: account for vendored apparmor on 22.04 Signed-off-by: Maciej Borzecki * tests/lib/prepare: build snapd snap on ARM only Signed-off-by: Maciej Borzecki * tests/main/debug-execution: update to account for snapd snap Signed-off-by: Maciej Borzecki * tests/lib/prepare: clean up after snapcraft and lxd Signed-off-by: Maciej Borzecki * tests: review improvements * tests/main/interfaces-snap-interfaces-requests-control: disable on debian-sid Debian Sid kernel seems to support prompting, but it appears to be non-functional. Signed-off-by: Maciej Borzecki * tests/build-test-snapd-snap: find tweaks Signed-off-by: Maciej Borzecki * tests/main/exitcodes: check we mocked at least 2 commands Signed-off-by: Maciej Borzecki --------- 
Signed-off-by: Maciej Borzecki Co-authored-by: Maciej Borzecki --- run-spread | 42 ++++---- spread.yaml | 2 +- tests/build-test-snapd-snap | 31 ++++++ tests/lib/prepare.sh | 46 ++++++++- tests/lib/state.sh | 5 +- tests/main/apparmor-batch-reload/task.yaml | 6 +- .../apparmor-prompting-flag-restart/task.yaml | 4 +- .../task.yaml | 4 +- tests/main/cifs-home/task.yaml | 6 +- tests/main/debug-execution/task.yaml | 23 ++--- tests/main/exitcodes/task.yaml | 16 ++- .../interfaces-many-core-provided/task.yaml | 6 +- .../task.yaml | 4 +- .../task.yaml | 8 +- .../google.ubuntu-18.04-64/HOST.expected.txt | 9 +- .../PER-SNAP-16.expected.txt | 22 +++-- .../PER-SNAP-18.expected.txt | 26 ++--- .../PER-SNAP-C7.expected.txt | 9 +- .../PER-USER-16.expected.txt | 22 +++-- .../PER-USER-18.expected.txt | 26 ++--- .../PER-USER-C7.expected.txt | 9 +- tests/main/nfs-support/task.yaml | 6 +- tests/main/remove-core/task.yaml | 30 +++--- .../task.yaml | 2 +- tests/main/snap-userd-reexec/task.yaml | 20 ++-- tests/main/snapd-reexec-snapd-snap/task.yaml | 11 ++- tests/main/snapd-reexec/task.yaml | 99 ++++++++++++------- tests/main/snapd-slow-startup/task.yaml | 6 +- tests/main/snapd-snap-transition/task.yaml | 10 +- 29 files changed, 335 insertions(+), 175 deletions(-) create mode 100755 tests/build-test-snapd-snap diff --git a/run-spread b/run-spread index 4ad2a07b331..4e02b943eb4 100755 --- a/run-spread +++ b/run-spread 
@@ -1,25 +1,33 @@ #!/bin/bash -# check dependencies -if ! snap list snapcraft &>/dev/null; then - echo "snapcraft is not installed" - exit 1 -fi +set -e + +need_rebuild=1 -# Clean the snaps created in previous runs -rm -rf built-snap test-build -touch test-build -mkdir built-snap +shopt -s nullglob -rm -f snapd_1337.*.snap -rm -f snapd_1337.*.snap.keep +if [ "$NO_REBUILD" = "1" ]; then + echo "-- $(date) -- requested no snap rebuild" + need_rebuild=0 -# Build snapd snap -snapcraft clean -snapcraft --use-lxd -for snap in snapd_1337.*.snap; do - mv "${snap}" built-snap/"${snap}.keep" -done + # check if we have any snaps built at all + built_snaps=(built-snap/snapd_*.snap.keep) + if (( "${#built_snaps[@]}" > 0 )); then + echo "-- $(date) -- found prebuilt snapd snaps:" + for s in "${built_snaps[@]}"; do + echo "-- $s" + done + else + echo "-- $(date) -- no prebuilt snaps found" + need_rebuild=1 + fi +fi + +if [ "$need_rebuild" = 1 ]; then + echo "-- $(date) -- rebuilding snapd snap" + ./tests/build-test-snapd-snap + echo "-- $(date) -- snapd snap rebuild complete" +fi # Run spread SPREAD_USE_PREBUILT_SNAPD_SNAP=true spread "$@" diff --git a/spread.yaml b/spread.yaml index d77044154a8..90abd1223b9 100644 --- a/spread.yaml +++ b/spread.yaml @@ -123,7 +123,7 @@ backends: workers: 6 - ubuntu-16.04-64: workers: 8 - storage: 12G + storage: 15G - ubuntu-18.04-64: storage: 15G workers: 8 diff --git a/tests/build-test-snapd-snap b/tests/build-test-snapd-snap new file mode 100755 index 00000000000..9483bd27390 --- /dev/null +++ b/tests/build-test-snapd-snap 
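Review bot: The prebuilt-snap check in the `NO_REBUILD` branch globs `built-snap/snapd_*.snap.keep`, which is wider than the `snapd_1337.*.snap.keep` name that `tests/build-test-snapd-snap` produces and that `build_snapd_snap` in `tests/lib/prepare.sh` copies out of `built-snap`. A leftover file with a different version string would satisfy this check and skip the rebuild, even though the later copy step would presumably not pick it up. I would narrow the glob to `built_snaps=(built-snap/snapd_1337.*.snap.keep)`. A comment should also say that `NO_REBUILD=1` reuses the existing artifact without checking it against the checked-out sources.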
@@ -0,0 +1,31 @@ +#!/bin/bash -e + +shopt -s nullglob + +# check dependencies +if ! snap list snapcraft >/dev/null; then + echo "snapcraft is not installed" + exit 1 +fi + +# Clean the snaps created in previous runs +rm -rfv built-snap + +find . -name 'snapd_1337.*.snap' -delete -print +find . -name 'snapd_1337.*.snap.keep' -delete -print + +touch test-build +mkdir -p built-snap + +# Build snapd snap +if [ -z "$SNAPCRAFT_NO_CLEAN" ]; then + snapcraft --verbose clean +fi + +snapcraft --verbose + +for snap_file in snapd_1337.*.snap; do + mv "${snap_file}" built-snap/"${snap_file}.keep" +done + +rm -fv test-build diff --git a/tests/lib/prepare.sh b/tests/lib/prepare.sh index 0c026c463de..287911cab4e 100755 --- a/tests/lib/prepare.sh +++ b/tests/lib/prepare.sh @@ -154,7 +154,12 @@ setup_experimental_features() { fi } +# update_core_snap_for_classic_reexec modifies the core snap for snapd re-exec +# by injecting binaries from the installed snapd deb built from our modified code. +# $1: directory where updated core snap should be copied (optional) update_core_snap_for_classic_reexec() { + local target_dir="${1-}" + # it is possible to disable this to test that snapd (the deb) works # fine with whatever is in the core snap if [ "$MODIFY_CORE_SNAP_FOR_REEXEC" != "1" ]; then @@ -230,6 +235,12 @@ update_core_snap_for_classic_reexec() { chmod --reference="${snap}.orig" "$snap" rm -rf squashfs-root + # make a copy for later use + if [ -n "$target_dir" ]; then + mkdir -p "$target_dir" + cp -av "$snap" "$target_dir/" + fi + # Now mount the new core snap, first discarding the old mount namespace snapd.tool exec snap-discard-ns core mount "$snap" "$core" 
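Review bot: With `shopt -s nullglob` set, the final `for snap_file in snapd_1337.*.snap` loop runs zero times when snapcraft leaves no matching file, so the script exits 0 with an empty `built-snap` and `run-spread` goes on to start spread. Counting the moved files and failing on zero keeps a bad build from being mistaken for a good one. Separately, the `-e` in the shebang is dropped when the script is started as `bash tests/build-test-snapd-snap`, so an explicit `set -e` line is safer. The `rm -rfv built-snap` and `find . ... -delete` cleanup also acts on whatever the current directory is, so a `cd` to the project root at the top would make that explicit.

```shell
moved=0
for snap_file in snapd_1337.*.snap; do
    mv "${snap_file}" built-snap/"${snap_file}.keep"
    moved=$((moved + 1))
done
if [ "$moved" -eq 0 ]; then
    echo "snapcraft produced no snapd_1337.*.snap file" >&2
    exit 1
fi
# … unchanged: rm -fv test-build …
```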
@@ -386,6 +397,22 @@ prepare_classic() { fi done + # Install snapd snap to ensure re-exec to snapd snap instead of snapd in core. + # This also prevents snapd from automatically installing snapd snap as + # prerequisite for installing any non-base snap introduced in PR#14173. + if snap list snapd ; then + snap snap info snapd + echo "Error: not expecting snapd snap to be installed" + exit 1 + else + build_dir="$WORK_DIR/snapd_snap_for_classic" + rm -rf "$build_dir" + mkdir -p "$build_dir" + build_snapd_snap "$build_dir" + snap install --dangerous "$build_dir/"snapd_*.snap + fi + snap list snapd + setup_systemd_snapd_overrides if [ "$REMOTE_STORE" = staging ]; then @@ -424,7 +451,8 @@ prepare_classic() { snap list | grep core systemctl stop snapd.{service,socket} - update_core_snap_for_classic_reexec + # repack and also make a side copy of the core snap + update_core_snap_for_classic_reexec "$TESTSTMP/core_snap" systemctl start snapd.{service,socket} prepare_reexec_override @@ -472,6 +500,10 @@ cleanup_snapcraft() { snap remove --purge lxd || true "$TESTSTOOLS"/lxd-state undo-mount-changes snap remove --purge snapcraft || true + # TODO there should be some smarter cleanup helper which removes all snaps + # in the right order + # base snap of both lxd and snapcraft + snap remove --purge core22 || true } run_snapcraft() { 
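Review bot: In the branch that handles an unexpectedly installed snapd snap, `snap snap info snapd` repeats the command word, so the snap CLI would reject it instead of printing the snap details; it should read `snap info snapd`. In the `else` branch `build_dir` is assigned without `local`, so it leaks out of `prepare_classic`, and `rm -rf "$build_dir"` relies on `$WORK_DIR` being set; `local build_dir="${WORK_DIR:?}/snapd_snap_for_classic"` covers both. A short comment that `--dangerous` is intentional because the snap is a locally built, unasserted test artifact would help readers who see the flag out of context. The body of `prepare_classic` continues outside the hunk.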
@@ -502,8 +534,20 @@ build_snapd_snap() { cp "${PROJECT_PATH}/built-snap"/snapd_1337.*.snap.keep "${snapd_snap_cache}/snapd_from_ci.snap" fi else + # This is not reliable across classic releases so only allow on + # ARM variants as a special case since we cannot cross build + # snapd snap for ARM right now + case "$SPREAD_SYSTEM" in + *-arm-*) + ;; + *) + echo "system $SPREAD_SYSTEM should use a prebuilt snapd snapd" + exit 1 + ;; + esac [ -d "${TARGET}" ] || mkdir -p "${TARGET}" chmod -R go+r "${PROJECT_PATH}/tests" + # TODO: run_snapcraft does not currently guarantee or check the required version for building snapd run_snapcraft --use-lxd --verbosity quiet --output="snapd_from_snapcraft.snap" mv "${PROJECT_PATH}"/snapd_from_snapcraft.snap "${snapd_snap_cache}" fi diff --git a/tests/lib/state.sh b/tests/lib/state.sh index a7c2517c795..56ee50c448f 100755 --- a/tests/lib/state.sh +++ b/tests/lib/state.sh @@ -51,13 +51,16 @@ save_snapd_state() { done snapd_env="/etc/environment" snapd_service_env=$(ls -d /etc/systemd/system/snapd.*.d || true) - snap_confine_profiles="$(ls /etc/apparmor.d/snap.core.* || true)" + snap_confine_profiles="$(ls /etc/apparmor.d/snap.snapd.* || true)" # shellcheck disable=SC2086 tar cf "$SNAPD_STATE_FILE" \ /var/lib/snapd \ /var/cache/snapd \ "$SNAP_MOUNT_DIR" \ + /etc/systemd/system/"$escaped_snap_mount_dir"-*snapd*.mount \ + /etc/systemd/system/snapd.mounts.target.wants/"$escaped_snap_mount_dir"-*snapd*.mount \ + /etc/systemd/system/multi-user.target.wants/"$escaped_snap_mount_dir"-*snapd*.mount \ /etc/systemd/system/"$escaped_snap_mount_dir"-*core*.mount \ /etc/systemd/system/snapd.mounts.target.wants/"$escaped_snap_mount_dir"-*core*.mount \ /etc/systemd/system/multi-user.target.wants/"$escaped_snap_mount_dir"-*core*.mount \ diff --git a/tests/main/apparmor-batch-reload/task.yaml b/tests/main/apparmor-batch-reload/task.yaml index 54e3f88268b..d0c6c9ab7a8 100644 --- a/tests/main/apparmor-batch-reload/task.yaml 
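Review bot: The new `*)` arm of the `case "$SPREAD_SYSTEM"` block prints `should use a prebuilt snapd snapd`, with the last word doubled, and writes it to stdout. I would change the line to `echo "system $SPREAD_SYSTEM should use a prebuilt snapd snap" >&2` so the failure reason appears with the other errors in the log. `build_snapd_snap` starts and ends outside the hunk.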
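Review bot: `snap_confine_profiles` now lists only `/etc/apparmor.d/snap.snapd.*`, replacing the `snap.core.*` pattern, while the `tar` arguments in the same hunk archive mount units for both `*snapd*` and `*core*`. If any test still leaves a core-derived snap-confine profile in `/etc/apparmor.d` (the re-exec-from-core tests touched by this commit may), it would no longer be saved and restored. Consider collecting both: `snap_confine_profiles="$(ls /etc/apparmor.d/snap.snapd.* /etc/apparmor.d/snap.core.* || true)"`. `save_snapd_state` begins before the hunk and continues past it.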
+++ b/tests/main/apparmor-batch-reload/task.yaml @@ -41,8 +41,10 @@ execute: | echo "Update system key" printf '{"version":1}' > /var/lib/snapd/system-key - echo "Replace apparmor parser with a broken one" - cp -f bin/apparmor_parser.fake /sbin/apparmor_parser + # snapd will execute the vendored apparmor-parser from the snapd snap + echo "Replace apparmor parser from the snapd snap with a broken one" + mount -o bind bin/apparmor_parser.fake /snap/snapd/current/usr/lib/snapd/apparmor_parser + tests.cleanup defer umount /snap/snapd/current/usr/lib/snapd/apparmor_parser # remove all apparmor cached profiles so we can check they are recreated rm -f $AA_CACHE/snap* $AA_CACHE/*/snap* diff --git a/tests/main/apparmor-prompting-flag-restart/task.yaml b/tests/main/apparmor-prompting-flag-restart/task.yaml index 4f2ff97deda..c345976fe28 100644 --- a/tests/main/apparmor-prompting-flag-restart/task.yaml +++ b/tests/main/apparmor-prompting-flag-restart/task.yaml @@ -106,9 +106,9 @@ execute: | fi echo "Enable prompting via snap client where possible" - if os.query is-core || os.query is-ubuntu-lt 24.04; then + if os.query is-core || os.query is-ubuntu-lt 22.04; then # prompting is disabled on Ubuntu Core - # TODO on releases < 24.04 we need the snapd snap for testing + # on releases < 22.04 the kernel does not support prompting not snap set system experimental.apparmor-prompting=true >& err.out if os.query is-core ; then MATCH "cannot enable prompting feature as it is not supported on Ubuntu Core systems" < err.out diff --git a/tests/main/apparmor-prompting-snapd-startup/task.yaml b/tests/main/apparmor-prompting-snapd-startup/task.yaml index 6560eb2a007..f995d34daa0 100644 --- a/tests/main/apparmor-prompting-snapd-startup/task.yaml +++ b/tests/main/apparmor-prompting-snapd-startup/task.yaml 
@@ -24,8 +24,8 @@ execute: | echo '{"rules":[{"id":"0000000000000002","timestamp":"2004-10-20T14:05:08.901174186-05:00","user":1000,"snap":"shellcheck","interface":"home","constraints":{"path-pattern":"/home/test/Projects/**","permissions":["read"]},"outcome":"allow","lifespan":"forever","expiration":"0001-01-01T00:00:00Z"},{"id":"0000000000000003","timestamp":"2004-10-20T16:47:32.138415627-05:00","user":1000,"snap":"firefox","interface":"home","constraints":{"path-pattern":"/home/test/Downloads/**","permissions":["read","write"]},"outcome":"allow","lifespan":"timespan","expiration":"2005-04-08T00:00:00Z"}]}' | tee "$RULES_PATH" # Prompting is disabled everywhere but the Ubuntu systems - # TODO: on Ubuntu releases < 24.04 we need the snapd snap for testing - if ! os.query is-ubuntu || os.query is-ubuntu-lt 24.04 || os.query is-core ; then + # on releases < 22.04 the kernel does not support prompting + if ! os.query is-ubuntu || os.query is-ubuntu-lt 22.04 || os.query is-core ; then not snap set system experimental.apparmor-prompting=true >& err.out if os.query is-core; then # there is a more specific error on Ubuntu Core diff --git a/tests/main/cifs-home/task.yaml b/tests/main/cifs-home/task.yaml index d6cbe96237b..e5af1546b97 100644 --- a/tests/main/cifs-home/task.yaml +++ b/tests/main/cifs-home/task.yaml @@ -57,7 +57,9 @@ prepare: | # Later on, restart snapd and ensure that nfs/cifs workaround is gone. # This cleanup handler is registered before we mount the cifs file system. if [ "$(snap debug confinement)" = strict ]; then - tests.cleanup defer test ! -e /var/lib/snapd/apparmor/snap-confine/nfs-support + # we're testing on Ubuntu where we know that reexec is active and we use + # an internal apparmor userspace stack + tests.cleanup defer test ! -e /var/lib/snapd/apparmor/snap-confine.internal/nfs-support fi tests.cleanup defer systemctl restart snapd.service tests.cleanup defer systemctl reset-failed snapd.service snapd.socket 
@@ -87,7 +89,7 @@ prepare: | systemctl reset-failed snapd.service snapd.socket systemctl restart snapd.service if [ "$(snap debug confinement)" = strict ]; then - MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine/nfs-support + MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine.internal/nfs-support MATCH 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug fi diff --git a/tests/main/debug-execution/task.yaml b/tests/main/debug-execution/task.yaml index 618cad14c5b..064da5df086 100644 --- a/tests/main/debug-execution/task.yaml +++ b/tests/main/debug-execution/task.yaml @@ -74,9 +74,7 @@ execute: | MATCH 'is-reexec-enabled: true' < snap-default.out MATCH 'is-reexec-explicitly-enabled: false' < snap-default.out MATCH 'is-reexecd: true' < snap-default.out - # TODO: once snapd snap lands the output wlll be different: - # MATCH 'self-exe: /snap/snapd/.*/usr/bin/snap' < snap-default.out - MATCH 'self-exe: /snap/core/.*/usr/bin/snap' < snap-default.out + MATCH 'self-exe: /snap/snapd/.*/usr/bin/snap' < snap-default.out echo "Checking without reeexec scenario" MATCH 'distro-supports-reexec: true' < snap-no-reexec.out 
@@ -86,25 +84,20 @@ execute: | MATCH 'self-exe: /usr/bin/snap' < snap-no-reexec.out echo "Checking AppArmor" - # TODO: once snapd snap lands, this will use internal parser - # MATCH 'apparmor-parser: /snap/snapd/.*/usr/lib/snapd/apparmor_parser' < snap-apparmor-default.out - # MATCH 'internal: true' < snap-apparmor-default.out + MATCH 'apparmor-parser: /snap/snapd/.*/usr/lib/snapd/apparmor_parser' < snap-apparmor-default.out + MATCH 'apparmor-parser-command: /snap/snapd/.*/apparmor_parser --config-file /snap/snapd/.*/usr/lib/snapd/apparmor/parser.conf --base /snap/snapd/.*/usr/lib/snapd/apparmor\.d --policy-features /snap/snapd/.*/usr/lib/snapd/apparmor\.d/abi/4\.0' < snap-apparmor-default.out + MATCH 'internal: true' < snap-apparmor-default.out + if os.query is-xenial || os.query is-bionic; then # Ubuntu < 20.04 does not have usr-merge - MATCH 'apparmor-parser: /sbin/apparmor_parser' < snap-apparmor-default.out - MATCH 'internal: false' < snap-apparmor-default.out MATCH 'apparmor-parser: /sbin/apparmor_parser' < snap-apparmor-no-reexec.out MATCH 'internal: false' < snap-apparmor-no-reexec.out else - MATCH 'apparmor-parser: /usr/sbin/apparmor_parser' < snap-apparmor-default.out - MATCH 'internal: false' < snap-apparmor-default.out MATCH 'apparmor-parser: /usr/sbin/apparmor_parser' < snap-apparmor-no-reexec.out MATCH 'internal: false' < snap-apparmor-no-reexec.out fi - # TODO: once snapd snap lands, this will use snap-update-ns from - # snapd snap - MATCH 'snap-update-ns: /snap/core/.*/usr/lib/snapd/snap-update-ns' < snap-uns-default.out + MATCH 'snap-update-ns: /snap/snapd/.*/usr/lib/snapd/snap-update-ns' < snap-uns-default.out ;; *) echo "Checking default scenario" 
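Review bot: The new `apparmor-parser-command` expectation pins `abi/4\.0`, so this test has to be edited whenever the apparmor vendored in the snapd snap moves to another policy ABI. Unless the exact ABI is what is being verified, matching `abi/[0-9.]+` would keep the check on the shape of the command. The pattern also escapes the dot in `apparmor\.d` but not in `parser.conf`; escaping both keeps the regex consistent. The `case` arm this hunk belongs to starts outside the hunk.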
@@ -134,12 +127,12 @@ execute: | opensuse-*) # snap mount dir is /snap MATCH 'is-reexecd: true' < snap-yes-reexec.out - MATCH 'self-exe: /snap/core/.*/usr/bin/snap' < snap-yes-reexec.out + MATCH 'self-exe: /snap/snapd/.*/usr/bin/snap' < snap-yes-reexec.out ;; amazon-linux-*) # has /snap -> /var/lib/snapd symlink MATCH 'is-reexecd: true' < snap-yes-reexec.out - MATCH 'self-exe: /var/lib/snapd/snap/core/.*/usr/bin/snap' < snap-yes-reexec.out + MATCH 'self-exe: /var/lib/snapd/snap/snapd/.*/usr/bin/snap' < snap-yes-reexec.out ;; *) echo "unexpected distro $SPREAD_SYSTEM" diff --git a/tests/main/exitcodes/task.yaml b/tests/main/exitcodes/task.yaml index 9247eb57b02..1595b0f0262 100644 --- a/tests/main/exitcodes/task.yaml +++ b/tests/main/exitcodes/task.yaml @@ -26,10 +26,20 @@ execute: | test "$RET" -eq 64 echo "snap command with broken mksquashfs returns exit code 20" - for b in /usr/bin/mksquashfs /snap/core/current/usr/bin/mksquashfs; do - mount -o bind /bin/false "$b" - tests.cleanup defer umount "$b" + command_found=0 + for b in /usr/bin/mksquashfs /snap/core/current/usr/bin/mksquashfs /snap/snapd/current/usr/bin/mksquashfs; do + if [ -f "$b" ]; then + command_found=$((command_found + 1)) + mount -o bind /bin/false "$b" + tests.cleanup defer umount "$b" + fi done + # make sure we found at least one of the commands + if (( command_found < 2 )); then + echo "should have mocked at least 2 commands" + exit 1 + fi + set +e snap pack "$TESTSLIB/snaps/test-snapd-sh" RET=$? diff --git a/tests/main/interfaces-many-core-provided/task.yaml b/tests/main/interfaces-many-core-provided/task.yaml index 2e5691c37a7..356e866918e 100644 --- a/tests/main/interfaces-many-core-provided/task.yaml +++ b/tests/main/interfaces-many-core-provided/task.yaml 
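Review bot: In the `tests/main/exitcodes/task.yaml` hunk, the comment above the new guard says `make sure we found at least one of the commands`, but the condition is `(( command_found < 2 ))` and the message says `at least 2`. The comment should state the real requirement and why two are needed. Presumably it is something like `# require at least two mocked paths so the host mksquashfs and a snap-provided copy are both broken`. If one mocked command is actually enough, the threshold rather than the comment needs changing.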
@@ -91,9 +91,9 @@ execute: | continue fi - if [ "$plug_iface" = "$CONSUMER_SNAP:qualcomm-ipc-router" ] && ( os.query is-trusty || os.query is-xenial || os.query is-core16) ; then - # the qualcomm-ipc-router interface is known not to work on xenial, - # just check that it cannot be connected and move on + if [ "$plug_iface" = "$CONSUMER_SNAP:qualcomm-ipc-router" ] && ( os.query is-trusty || os.query is-core16) ; then + # the qualcomm-ipc-router interface is known not to work on UC16 + # without snapd, just check that it cannot be connected and move on snap connect "$plug_iface" "$slot_iface" 2>&1 | MATCH "cannot connect plug on system without qipcrtr socket support" continue fi diff --git a/tests/main/interfaces-requests-activates-handlers/task.yaml b/tests/main/interfaces-requests-activates-handlers/task.yaml index abf0b467a0f..14a5254ec0c 100644 --- a/tests/main/interfaces-requests-activates-handlers/task.yaml +++ b/tests/main/interfaces-requests-activates-handlers/task.yaml @@ -19,9 +19,9 @@ restore: | execute: | echo "Enable prompting via snap client where possible" - if os.query is-core || os.query is-ubuntu-lt 24.04; then + if os.query is-core || os.query is-ubuntu-lt 22.04; then # prompting is disabled on Ubuntu Core - # TODO on releases < 24.04 we need the snapd snap for testing + # on releases < 22.04 we need the kernel does not support prompting not snap set system experimental.apparmor-prompting=true >& err.out if os.query is-core ; then MATCH "cannot enable prompting feature as it is not supported on Ubuntu Core systems" < err.out diff --git a/tests/main/interfaces-snap-interfaces-requests-control/task.yaml b/tests/main/interfaces-snap-interfaces-requests-control/task.yaml index 4817a543a82..08704439de1 100644 --- a/tests/main/interfaces-snap-interfaces-requests-control/task.yaml +++ b/tests/main/interfaces-snap-interfaces-requests-control/task.yaml 
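Review bot: The replacement comment in `interfaces-requests-activates-handlers/task.yaml` reads `# on releases < 22.04 we need the kernel does not support prompting`, which is a splice of the old TODO and the new text. The sibling tests changed in this commit use `# on releases < 22.04 the kernel does not support prompting`; use the same wording here. In the `interfaces-many-core-provided` hunk on the same line, the new comment mentions only UC16 while the condition still includes `os.query is-trusty`, so the comment should name both or the condition should be trimmed.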
@@ -10,6 +10,10 @@ details: | # TODO: - /v2/interfaces/requests/prompts: to receive and reply to request prompts # TODO: - /v2/interfaces/requests/rules: to view and manage request rules +systems: + # debian-sid: prompting is supposedly supported by the kernel, but doesn't work + - -debian-sid-* + environment: # not all terminals support UTF-8, but Python tries to be smart and attempts # to guess the encoding as if the output would go to the terminal, but in @@ -40,8 +44,8 @@ execute: | echo "Ensure AppArmor Prompting experimental feature can be enabled where possible" # prompting is disabled everywhere but the Ubuntu systems - # TODO on Ubuntu releases < 24.04 we need the snapd snap for testing - if ! os.query is-ubuntu || os.query is-ubuntu-lt 24.04 || os.query is-core ; then + # on Ubuntu releases < 22.04 the kernel does not support prompting + if ! os.query is-ubuntu || os.query is-ubuntu-lt 22.04 || os.query is-core ; then not snap set system experimental.apparmor-prompting=true >& err.out if os.query is-core; then # there is a more specific error on Ubuntu Core diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/HOST.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/HOST.expected.txt index 3cef88cb86e..d6b5c053aa4 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/HOST.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/HOST.expected.txt 
@@ -15,10 +15,11 @@ +0:+1 / /run/user/0 rw,nosuid,nodev,relatime shared:+1 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /snap/core/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro --1:+9 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw ++0:+1 / /snap/snapd/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop5 ro +-1:+8 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup cgroup rw,blkio diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-16.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-16.expected.txt index ac2e930a3a4..e7df0ce4ee7 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-16.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-16.expected.txt 
@@ -36,11 +36,12 @@ -2:+0 /snap /snap rw,relatime master:-15 - ext4 /dev/sda1 rw +2:+0 / /snap/core/1 ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro -+0:-4 /srv /srv ro,nodev,relatime master:-4 - squashfs /dev/loop0 ro --1:+13 / /sys rw,nosuid,nodev,noexec,relatime master:+5 - sysfs sysfs rw ++0:+1 / /snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro ++0:-5 /srv /srv ro,nodev,relatime master:-5 - squashfs /dev/loop0 ro +-1:+13 / /sys rw,nosuid,nodev,noexec,relatime master:+6 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime master:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec master:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:+1 - cgroup cgroup rw,blkio 
@@ -61,7 +62,7 @@ +0:+1 / /sys/kernel/config rw,relatime master:+1 - configfs configfs rw +0:+1 / /sys/kernel/debug rw,relatime master:+1 - debugfs debugfs rw +0:+1 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime master:+1 - securityfs securityfs rw --1:-33 /tmp /tmp rw,relatime master:-40 - ext4 /dev/sda1 rw +-1:-33 /tmp /tmp rw,relatime master:-41 - ext4 /dev/sda1 rw +0:+0 /tmp/snap-private-tmp/snap.test-snapd-mountinfo-core16/tmp /tmp rw,relatime - ext4 /dev/sda1 rw +2:+0 /usr /usr ro,nodev,relatime master:16 - squashfs /dev/loop0 ro -1:+36 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 
@@ -80,10 +81,11 @@ +0:+3 / /var/lib/snapd/hostfs/run/user/0 rw,nosuid,nodev,relatime master:15 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /var/lib/snapd/hostfs/snap/core/1 ro,nodev,relatime master:+1 - squashfs /dev/loop0 ro +0:+1 / /var/lib/snapd/hostfs/snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro --2:-4 /var/log /var/log rw,relatime master:-19 - ext4 /dev/sda1 rw ++0:+1 / /var/lib/snapd/hostfs/snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro +-2:-5 /var/log /var/log rw,relatime master:-20 - ext4 /dev/sda1 rw +0:+0 /var/snap /var/snap rw,relatime master:+0 - ext4 /dev/sda1 rw +0:+0 /var/tmp /var/tmp rw,relatime master:+0 - ext4 /dev/sda1 rw +2:+0 /writable /writable ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-18.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-18.expected.txt index 1ce3960c52c..86bde88b673 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-18.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-18.expected.txt 
@@ -36,12 +36,13 @@ -2:-1 /snap /snap rw,relatime master:-16 - ext4 /dev/sda1 rw +2:+0 / /snap/core/1 ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro -+0:-3 /srv /srv ro,nodev,relatime master:-3 - squashfs /dev/loop1 ro ++0:+1 / /snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro ++0:-4 /srv /srv ro,nodev,relatime master:-4 - squashfs /dev/loop1 ro +0:+0 /stdout /stdout ro,nodev,relatime master:+0 - squashfs /dev/loop1 ro --1:+12 / /sys rw,nosuid,nodev,noexec,relatime master:+4 - sysfs sysfs rw +-1:+12 / /sys rw,nosuid,nodev,noexec,relatime master:+5 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime master:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec master:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:+1 - cgroup cgroup rw,blkio 
@@ -62,11 +63,11 @@ +0:+1 / /sys/kernel/config rw,relatime master:+1 - configfs configfs rw +0:+1 / /sys/kernel/debug rw,relatime master:+1 - debugfs debugfs rw +0:+1 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime master:+1 - securityfs securityfs rw --1:-33 /tmp /tmp rw,relatime master:-40 - ext4 /dev/sda1 rw +-1:-33 /tmp /tmp rw,relatime master:-41 - ext4 /dev/sda1 rw +0:+0 /tmp/snap-private-tmp/snap.test-snapd-mountinfo-core18/tmp /tmp rw,relatime - ext4 /dev/sda1 rw +2:+1 /usr /usr ro,nodev,relatime master:17 - squashfs /dev/loop1 ro -+0:-1 /usr/lib/snapd /usr/lib/snapd ro,nodev,relatime master:-1 - squashfs /dev/loop0 ro --1:+36 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 ++0:+1 /usr/lib/snapd /usr/lib/snapd ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro +-1:+34 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 +1:-35 /usr/share/gdb/auto-load /usr/share/gdb/auto-load ro,nodev,relatime master:17 - squashfs /dev/loop1 ro -1:+36 / /usr/share/gdb/test rw,relatime - tmpfs tmpfs rw -1:-37 /usr/src /usr/src rw,relatime master:1 - ext4 /dev/sda1 rw 
@@ -82,10 +83,11 @@ +0:+3 / /var/lib/snapd/hostfs/run/user/0 rw,nosuid,nodev,relatime master:15 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /var/lib/snapd/hostfs/snap/core/1 ro,nodev,relatime master:+1 - squashfs /dev/loop0 ro +0:+1 / /var/lib/snapd/hostfs/snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro --2:-4 /var/log /var/log rw,relatime master:-19 - ext4 /dev/sda1 rw ++0:+1 / /var/lib/snapd/hostfs/snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro +-2:-5 /var/log /var/log rw,relatime master:-20 - ext4 /dev/sda1 rw +0:+0 /var/snap /var/snap rw,relatime master:+0 - ext4 /dev/sda1 rw +0:+0 /var/tmp /var/tmp rw,relatime master:+0 - ext4 /dev/sda1 rw +2:+1 /writable /writable ro,nodev,relatime master:+16 - squashfs /dev/loop1 ro diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-C7.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-C7.expected.txt index 3cef88cb86e..d6b5c053aa4 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-C7.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-SNAP-C7.expected.txt 
@@ -15,10 +15,11 @@ +0:+1 / /run/user/0 rw,nosuid,nodev,relatime shared:+1 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /snap/core/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro --1:+9 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw ++0:+1 / /snap/snapd/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop5 ro +-1:+8 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup cgroup rw,blkio diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-16.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-16.expected.txt index 68ebec781b2..6c79f152b52 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-16.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-16.expected.txt 
@@ -36,11 +36,12 @@ -2:+0 /snap /snap rw,relatime master:-15 - ext4 /dev/sda1 rw +2:+0 / /snap/core/1 ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro -+0:-4 /srv /srv ro,nodev,relatime master:-4 - squashfs /dev/loop0 ro --1:+13 / /sys rw,nosuid,nodev,noexec,relatime master:+5 - sysfs sysfs rw ++0:+1 / /snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro ++0:-5 /srv /srv ro,nodev,relatime master:-5 - squashfs /dev/loop0 ro +-1:+13 / /sys rw,nosuid,nodev,noexec,relatime master:+6 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime master:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec master:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:+1 - cgroup cgroup rw,blkio 
@@ -61,7 +62,7 @@ +0:+1 / /sys/kernel/config rw,relatime master:+1 - configfs configfs rw +0:+1 / /sys/kernel/debug rw,relatime master:+1 - debugfs debugfs rw +0:+1 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime master:+1 - securityfs securityfs rw --1:-33 /tmp /tmp rw,relatime master:-40 - ext4 /dev/sda1 rw +-1:-33 /tmp /tmp rw,relatime master:-41 - ext4 /dev/sda1 rw +0:+0 /tmp/snap-private-tmp/snap.test-snapd-mountinfo-core16/tmp /tmp rw,relatime - ext4 /dev/sda1 rw +2:+0 /usr /usr ro,nodev,relatime master:16 - squashfs /dev/loop0 ro -1:+36 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 
@@ -80,10 +81,11 @@ +0:+3 / /var/lib/snapd/hostfs/run/user/0 rw,nosuid,nodev,relatime master:15 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /var/lib/snapd/hostfs/snap/core/1 ro,nodev,relatime master:+1 - squashfs /dev/loop0 ro +0:+1 / /var/lib/snapd/hostfs/snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro --2:-4 /var/log /var/log rw,relatime master:-19 - ext4 /dev/sda1 rw ++0:+1 / /var/lib/snapd/hostfs/snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro +-2:-5 /var/log /var/log rw,relatime master:-20 - ext4 /dev/sda1 rw +0:+0 /var/snap /var/snap rw,relatime master:+0 - ext4 /dev/sda1 rw +0:+0 /var/tmp /var/tmp rw,relatime master:+0 - ext4 /dev/sda1 rw +2:+0 /writable /writable ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-18.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-18.expected.txt index c87c7740301..f8226dfe7e7 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-18.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-18.expected.txt 
@@ -36,12 +36,13 @@ -2:-1 /snap /snap rw,relatime master:-16 - ext4 /dev/sda1 rw +2:+0 / /snap/core/1 ro,nodev,relatime master:+15 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro -+0:-3 /srv /srv ro,nodev,relatime master:-3 - squashfs /dev/loop1 ro ++0:+1 / /snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro ++0:-4 /srv /srv ro,nodev,relatime master:-4 - squashfs /dev/loop1 ro +0:+0 /stdout /stdout ro,nodev,relatime master:+0 - squashfs /dev/loop1 ro --1:+12 / /sys rw,nosuid,nodev,noexec,relatime master:+4 - sysfs sysfs rw +-1:+12 / /sys rw,nosuid,nodev,noexec,relatime master:+5 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime master:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec master:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime master:+1 - cgroup cgroup rw,blkio 
@@ -62,11 +63,11 @@ +0:+1 / /sys/kernel/config rw,relatime master:+1 - configfs configfs rw +0:+1 / /sys/kernel/debug rw,relatime master:+1 - debugfs debugfs rw +0:+1 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime master:+1 - securityfs securityfs rw --1:-33 /tmp /tmp rw,relatime master:-40 - ext4 /dev/sda1 rw +-1:-33 /tmp /tmp rw,relatime master:-41 - ext4 /dev/sda1 rw +0:+0 /tmp/snap-private-tmp/snap.test-snapd-mountinfo-core18/tmp /tmp rw,relatime - ext4 /dev/sda1 rw +2:+1 /usr /usr ro,nodev,relatime master:17 - squashfs /dev/loop1 ro -+0:-1 /usr/lib/snapd /usr/lib/snapd ro,nodev,relatime master:-1 - squashfs /dev/loop0 ro --1:+36 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 ++0:+1 /usr/lib/snapd /usr/lib/snapd ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro +-1:+34 / /usr/share/gdb rw,relatime - tmpfs tmpfs rw,mode=755 +1:-35 /usr/share/gdb/auto-load /usr/share/gdb/auto-load ro,nodev,relatime master:17 - squashfs /dev/loop1 ro -1:+36 / /usr/share/gdb/test rw,relatime - tmpfs tmpfs rw -1:-37 /usr/src /usr/src rw,relatime master:1 - ext4 /dev/sda1 rw 
@@ -82,10 +83,11 @@ +0:+3 / /var/lib/snapd/hostfs/run/user/0 rw,nosuid,nodev,relatime master:15 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /var/lib/snapd/hostfs/snap/core/1 ro,nodev,relatime master:+1 - squashfs /dev/loop0 ro +0:+1 / /var/lib/snapd/hostfs/snap/core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop1 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro -+0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro --2:-4 /var/log /var/log rw,relatime master:-19 - ext4 /dev/sda1 rw ++0:+1 / /var/lib/snapd/hostfs/snap/snapd/1 ro,nodev,relatime master:+1 - squashfs /dev/loop2 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime master:+1 - squashfs /dev/loop3 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime master:+1 - squashfs /dev/loop4 ro ++0:+1 / /var/lib/snapd/hostfs/snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime master:+1 - squashfs /dev/loop5 ro +-2:-5 /var/log /var/log rw,relatime master:-20 - ext4 /dev/sda1 rw +0:+0 /var/snap /var/snap rw,relatime master:+0 - ext4 /dev/sda1 rw +0:+0 /var/tmp /var/tmp rw,relatime master:+0 - ext4 /dev/sda1 rw +2:+1 /writable /writable ro,nodev,relatime master:+16 - squashfs /dev/loop1 ro diff --git a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-C7.expected.txt b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-C7.expected.txt index 3cef88cb86e..d6b5c053aa4 100644 --- a/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-C7.expected.txt +++ b/tests/main/mount-ns/google.ubuntu-18.04-64/PER-USER-C7.expected.txt 
@@ -15,10 +15,11 @@ +0:+1 / /run/user/0 rw,nosuid,nodev,relatime shared:+1 - tmpfs tmpfs rw,size=VARIABLE,mode=700 +1:-12 / /snap/core/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop0 ro +0:+1 / /snap/core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop1 ro -+0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro -+0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro -+0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro --1:+9 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw ++0:+1 / /snap/snapd/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop2 ro ++0:+1 / /snap/test-snapd-mountinfo-classic/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop3 ro ++0:+1 / /snap/test-snapd-mountinfo-core16/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop4 ro ++0:+1 / /snap/test-snapd-mountinfo-core18/1 ro,nodev,relatime shared:+1 - squashfs /dev/loop5 ro +-1:+8 / /sys rw,nosuid,nodev,noexec,relatime shared:+1 - sysfs sysfs rw +0:+1 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:+1 - efivarfs efivarfs rw +0:+1 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:+1 - tmpfs tmpfs ro,mode=755 +0:+1 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:+1 - cgroup cgroup rw,blkio diff --git a/tests/main/nfs-support/task.yaml b/tests/main/nfs-support/task.yaml index 6f5267fdcd6..45fea5a1eca 100644 --- a/tests/main/nfs-support/task.yaml +++ b/tests/main/nfs-support/task.yaml 
@@ -106,14 +106,16 @@ execute: | } ensure_extra_perms() { if [ "$(snap debug confinement)" = strict ]; then - MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine/nfs-support + # we're using the internal apparmor parser + MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine.internal/nfs-support MATCH 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug fi } ensure_normal_perms() { if [ "$(snap debug confinement)" = strict ]; then - test ! -e /var/lib/snapd/apparmor/snap-confine/nfs-support + # we're using the internal apparmor parser + test ! -e /var/lib/snapd/apparmor/snap-confine.internal/nfs-support NOMATCH 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug fi } diff --git a/tests/main/remove-core/task.yaml b/tests/main/remove-core/task.yaml index 06e799f89f0..711ef32ea0c 100644 --- a/tests/main/remove-core/task.yaml +++ b/tests/main/remove-core/task.yaml 
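Review bot: In `ensure_normal_perms`, the negative check `test ! -e /var/lib/snapd/apparmor/snap-confine.internal/nfs-support` passes vacuously on any run where snapd writes the snippet to the old `snap-confine` directory, so a leftover `network inet,` grant for snap-confine would go unnoticed. The added comment says the internal parser is in use, but nothing in the hunk asserts it. Keeping the old location as a second negative check, `test ! -e /var/lib/snapd/apparmor/snap-confine/nfs-support`, makes the absence check hold for either parser. The positive `MATCH` in `ensure_extra_perms` needs no such guard, because reading from a missing file already fails.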
@@ -13,20 +13,24 @@ details: | systems: [ubuntu-22.04-64] execute: | - # we should not be able to remove the core snap, since the snapd snap is not + # ensure snapd snap is installed + snap list snapd + # and so is the core snap + snap list core + + # we should be able to remove the core snap, since the snapd snap is # installed. - not snap remove core + snap remove core - # make sure that the model does not have 'base' set - snap model --assertion | NOMATCH 'base:' + # there should be no more snaps, so we can remove snapd + snap remove snapd - # enable transitioning to the snapd snap - snap set core experimental.snapd-snap=true - snap debug ensure-state-soon - retry -n 30 snap watch --last=transition-to-snapd-snap - snap list snapd + # TODO the 'old' snapd keeps running, this should be fixed in snapd snap + systemctl restart snapd - # now remove the core snap, since we know that it isn't providing snapd - # anymore. this, in addition to this being a classic system, should allow us - # to remove the core snap. - snap remove core + # now install core + snap install --dangerous "$TESTSTMP"/core_snap/core_*.snap + + # we should be not able to remove the core snap, since only core snap is + # installed now + not snap remove core diff --git a/tests/main/snap-seccomp-blocks-tty-injection/task.yaml b/tests/main/snap-seccomp-blocks-tty-injection/task.yaml index 32a9599e35a..90e932c200d 100644 --- a/tests/main/snap-seccomp-blocks-tty-injection/task.yaml +++ b/tests/main/snap-seccomp-blocks-tty-injection/task.yaml @@ -26,7 +26,7 @@ execute: | # through AppArmor if [ "$(snap debug confinement)" = strict ]; then sed -i 's|^}$| /dev/tty1 rw,\n}|' /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.sh - apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.sh + systemctl restart snapd.apparmor.service fi # For 64bit systems TIOC{STI,LINUX} gets a EPERM because of the 
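Review bot: The closing `not snap remove core` in tests/main/remove-core/task.yaml asserts only a non-zero exit, so it accepts any failure of the command, not just the refusal described in the comment above it. The test opens by pinning its starting state with `snap list snapd` and `snap list core`, but the final step has no matching guard. Adding `snap list core` and `not snap list snapd` directly before it would tie the expected failure to the "only core snap is installed" state. The `details:` text sits outside the hunk and may still describe the removed transition flow.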
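Review bot: In tests/main/snap-seccomp-blocks-tty-injection/task.yaml, the switch from `apparmor_parser -r` on the edited profile to `systemctl restart snapd.apparmor.service` carries no comment, although the test depends on the `/dev/tty1 rw,` rule actually being loaded. If the restart did not pick up the hand-edited profile, AppArmor rather than seccomp could produce the denial, and the test would pass without exercising the seccomp filter. A comment such as `# reload through snapd.apparmor.service so the edited profile is compiled by the parser snapd itself uses; TODO reload only this profile` would record the intent, which is presumably tied to the vendored parser in the snapd snap. The rest of `execute` lies outside the hunk, so whether a later step confirms the rule is in effect cannot be seen here.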
diff --git a/tests/main/snap-userd-reexec/task.yaml b/tests/main/snap-userd-reexec/task.yaml index 420869aede4..1c1be3e15a3 100644 --- a/tests/main/snap-userd-reexec/task.yaml +++ b/tests/main/snap-userd-reexec/task.yaml @@ -2,36 +2,36 @@ summary: Check that core refresh will create the userd dbus service file details: | Check that snapd will create the userd dbus service file if - it is missing when the core snap is refreshed. + it is missing when the snapd snap is refreshed. # only run on systems that re-exec systems: [ubuntu-1*, ubuntu-2*, debian-*] environment: - # uploading the core snap triggers OOM + # uploading the snapd snap triggers OOM SNAPD_NO_MEMORY_LIMIT: 1 restore: | - # Remove the local revision of core, if we installed one. + # Remove the local revision of snapd, if we installed one. SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)" - if [ "$(readlink "$SNAP_MOUNT_DIR/core/current")" = x1 ]; then - snap revert core - snap remove --revision=x1 core + if [ "$(readlink "$SNAP_MOUNT_DIR/snapd/current")" = x1 ]; then + snap revert snapd + snap remove --revision=x1 snapd fi execute: | - if [ "$MODIFY_CORE_SNAP_FOR_REEXEC" = 0 ]; then + if [ "$SNAP_REEXEC" = 0 ]; then echo "Reexec is not enabled, exiting..." exit 0 fi - snap list | awk "/^core / {print(\$3)}" > prevBoot + snap list snapd | awk "/^snapd / {print(\$3)}" > prevBoot echo "Ensure service file is created if missing (e.g. on re-exec)" mv /usr/share/dbus-1/services/io.snapcraft.Launcher.service /usr/share/dbus-1/services/io.snapcraft.Launcher.service.orig - echo "Install new core" - snap install --dangerous "/var/lib/snapd/snaps/core_$(cat prevBoot).snap" + echo "Install new snapd" + snap install --dangerous "/var/lib/snapd/snaps/snapd_$(cat prevBoot).snap" echo "Ensure the dbus service file got created" test -f /usr/share/dbus-1/services/io.snapcraft.Launcher.service 
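Review bot: The new guard `if [ "$SNAP_REEXEC" = 0 ]; then` expands `SNAP_REEXEC` without a default, whereas tests/main/snapd-reexec/task.yaml in this same patch writes `"${SNAP_REEXEC:-}"`. If the task shell runs with nounset and the variable is not exported, the test would abort at this line instead of continuing. Using `if [ "${SNAP_REEXEC:-}" = 0 ]; then` keeps the two tests consistent. The `summary:` line still says "core refresh" while `details:` now says the snapd snap is refreshed, so the two disagree.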
diff --git a/tests/main/snapd-reexec-snapd-snap/task.yaml b/tests/main/snapd-reexec-snapd-snap/task.yaml index a4d8e901e56..2319b51c185 100644 --- a/tests/main/snapd-reexec-snapd-snap/task.yaml +++ b/tests/main/snapd-reexec-snapd-snap/task.yaml @@ -29,8 +29,15 @@ execute: | exit 0 fi - # Make sure that the snapd snap is not installed - snap info snapd | NOMATCH "^installed:" + # remove all snaps to remove snapd + snap remove core + snap remove snapd + + # TODO the 'old' snapd keeps running, this should be fixed in snapd snap + systemctl restart snapd + + # TODO the test should install the snapd snap we built + snap install --dangerous "$TESTSTMP"/core_snap/core_*.snap echo "Enable installing the snapd snap, this happens automatically" snap set core experimental.snapd-snap=true diff --git a/tests/main/snapd-reexec/task.yaml b/tests/main/snapd-reexec/task.yaml index fb7d91b10bb..c09a1627a2a 100644 --- a/tests/main/snapd-reexec/task.yaml +++ b/tests/main/snapd-reexec/task.yaml @@ -1,12 +1,12 @@ -summary: Test that snapd reexecs itself into core +summary: Test that snapd reexecs itself into core/snapd details: | This test ensures that snapd and the snap cli reexecs themselves into the - core snap under the right conditions. This includes ensuring that snapd + core/snapd snap under the right conditions. This includes ensuring that snapd reexecs itself when SNAP_REEXEC is set, that it does not reexec into older versions of snapd, and that it does not reexec when SNAP_REEXEC is set to 0. - The test also ensures that snapd restarts itself when the core snap is + The test also ensures that snapd restarts itself when the core/snapd snap is refreshed, and that the right snapd is running after the refresh. # Disable for Fedora, openSUSE and Arch as re-exec is not support there yet 
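Review bot: The snapd-reexec-snapd-snap hunk replaces the precondition check (`snap info snapd | NOMATCH "^installed:"`) with `snap remove core` / `snap remove snapd`, and nothing afterwards asserts that the snapd snap is actually gone before the transition is enabled. The snapd-snap-transition hunk later in this patch has the same gap: it keeps the `echo "Ensure no snapd snap is installed"` line but drops `not snap list snapd`. Adding `not snap list snapd` after the `systemctl restart snapd` line in both tests would restore the check. The comment `# remove all snaps to remove snapd` also overstates what the two commands do. They remove only core and snapd, which presumably relies on no other snaps being installed at that point.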
@@ -15,51 +15,82 @@ systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*] environment: # uploading the core snap triggers OOM SNAPD_NO_MEMORY_LIMIT: 1 + SNAPD_SRC/core: "core" + SNAPD_SRC/snapd: "snapd" + +prepare: | + # when testing core remove snapd snap as option for re-exec + if [ "$SNAPD_SRC" == "core" ]; then + systemctl stop snapd.service snapd.socket + # without /snap/snapd/current re-exec to snapd is disabled + mv /snap/snapd/current /snap/snapd/backup + # without .data.snaps.snapd.sequence and .data.snaps.snapd.current="unset" + # snapd is not considered installed and core install will request restart + cp -a /var/lib/snapd/state.json /tmp/backup_state.json + jq 'del(.data.snaps.snapd)' /tmp/backup_state.json > /tmp/modified_state.json + cp /tmp/modified_state.json /var/lib/snapd/state.json && rm /tmp/modified_state.json + systemctl start snapd.service + fi restore: | - # Remove the locale revision of core, if we installed one. SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)" - if [ "$(readlink "$SNAP_MOUNT_DIR/core/current")" = x1 ]; then - snap revert core - snap remove --revision=x1 core + SNAPD_MOUNT_DIR="$SNAP_MOUNT_DIR/$SNAPD_SRC" + # remove the locale revision of the snapd source snap, if we installed one + if [ "$(readlink "$SNAPD_MOUNT_DIR/current")" = x1 ]; then + snap revert $SNAPD_SRC + snap remove --revision=x1 $SNAPD_SRC fi + + systemctl stop snapd.service snapd.socket + # extra cleanup in case something in this test went wrong rm -f /etc/systemd/system/snapd.service.d/no-reexec.conf - systemctl stop snapd.service snapd.socket - if mount|grep "/snap/core/.*/usr/lib/snapd/info"; then - umount "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/info" + if mount|grep "/snap/$SNAPD_SRC/.*/usr/lib/snapd/info"; then + umount "$SNAPD_MOUNT_DIR/current/usr/lib/snapd/info" fi - if mount|grep "/snap/core/.*/usr/lib/snapd/snapd"; then - umount "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snapd" + if mount|grep 
"/snap/$SNAPD_SRC/.*/usr/lib/snapd/snapd"; then + umount "SNAPD_MOUNT_DIR/current/usr/lib/snapd/snapd" fi rm -f /tmp/old-info + # restore snapd when done testing core + if [ "$SNAPD_SRC" == "core" ]; then + mv /snap/snapd/backup /snap/snapd/current + rm -f /snap/snapd/backup + cp -a /tmp/backup_state.json /var/lib/snapd/state.json + rm -f /tmp/backup_state.json /tmp/modified_state.json + fi + + systemctl start snapd.service + debug: | ls /etc/systemd/system/snapd.service.d cat /etc/systemd/system/snapd.service.d/* execute: | + SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)" + SNAPD_MOUNT_DIR="$SNAP_MOUNT_DIR/$SNAPD_SRC" + if [ "${SNAP_REEXEC:-}" = "0" ]; then echo "skipping test when SNAP_REEXEC is disabled" exit 0 fi echo "Ensure we re-exec by default" - /usr/bin/env SNAPD_DEBUG=1 snap list 2>&1 | MATCH "DEBUG: restarting into" + /usr/bin/env SNAPD_DEBUG=1 snap list 2>&1 | MATCH "DEBUG: restarting into \"$SNAPD_MOUNT_DIR/current/usr/bin/snap\"" echo "Ensure that we do not re-exec into older versions" systemctl stop snapd.service snapd.socket echo "mount something older than our freshly build snapd" echo "VERSION=1.0">/tmp/old-info - SNAP_MOUNT_DIR="$(os.paths snap-mount-dir)" - mount --bind /tmp/old-info "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/info" + mount --bind /tmp/old-info "$SNAPD_MOUNT_DIR/current/usr/lib/snapd/info" systemctl start snapd.service snapd.socket snap list "$TESTSTOOLS"/journal-state match-log 'snap \(at .*\) is older \(.*\) than distribution package' echo "Revert back to normal" systemctl stop snapd.service snapd.socket - umount "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/info" + umount "$SNAPD_MOUNT_DIR/current/usr/lib/snapd/info" echo "Ensure SNAP_REEXEC=0 is honored for snapd" cat > /etc/systemd/system/snapd.service.d/reexec.conf < /tmp/broken-snapd <&1 |MATCH "DEBUG: re-exec disabled by user" + umount "$SNAPD_MOUNT_DIR/current/usr/bin/snap" + + echo "Ensure a snapd source refresh restarts snapd" + prev_src=$(snap list | awk "/^$SNAPD_SRC / 
{print(\$3)}") + snap install --dangerous "/var/lib/snapd/snaps/${SNAPD_SRC}_${prev_src}.snap" snap change --last=install | MATCH "Requested daemon restart" - echo "Ensure the right snapd (from the new core) is running" - now_core=$(snap list | awk "/^core / {print(\$3)}") - if [ "$now_core" = "$prev_core" ]; then - echo "Test broken $now_core and $prev_core are the same" + echo "Ensure the right snapd (from the new snapd source snap) is running" + now_src=$(snap list | awk "/^$SNAPD_SRC / {print(\$3)}") + if [ "$now_src" = "$prev_src" ]; then + echo "Test broken $now_src and $prev_src are the same" exit 1 fi SNAPD_PATH=$(readlink -f "/proc/$(pidof snapd)/exe") - if [ "$SNAPD_PATH" != "/snap/core/${now_core}/usr/lib/snapd/snapd" ]; then - echo "unexpected $SNAPD_PATH for $now_core snap (previous $prev_core)" + if [ "$SNAPD_PATH" != "/snap/$SNAPD_SRC/${now_src}/usr/lib/snapd/snapd" ]; then + echo "unexpected $SNAPD_PATH for $now_src snap (previous $prev_src)" exit 1 fi diff --git a/tests/main/snapd-slow-startup/task.yaml b/tests/main/snapd-slow-startup/task.yaml index 48470c1954d..c153a7c4a6a 100644 --- a/tests/main/snapd-slow-startup/task.yaml +++ b/tests/main/snapd-slow-startup/task.yaml @@ -26,7 +26,7 @@ execute: | exit 0 fi - # have 6 extra snaps installed, makes 7 with core + # have 6 extra snaps installed, makes 8 with core and snapd snap snap pack "$TESTSLIB"/snaps/basic snap set system experimental.parallel-instances=true for i in $(seq 6); do @@ -43,7 +43,7 @@ execute: | EOF systemctl daemon-reload - # startup timeout will be adjusted by 30s + 7 * 5s and this will succeed + # startup timeout will be adjusted by 30s + 8 * 5s and this will succeed systemctl start snapd.service snapd.socket - "$TESTSTOOLS"/journal-state match-log "adjusting startup timeout by 1m5s" + "$TESTSTOOLS"/journal-state match-log "adjusting startup timeout by 1m10s" 
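Review bot: In the `restore:` section of tests/main/snapd-reexec/task.yaml, the second cleanup line `umount "SNAPD_MOUNT_DIR/current/usr/lib/snapd/snapd"` is missing the `$`. It therefore targets a literal relative path, and a leftover bind mount over the snapd binary would not be removed. It should read `umount "$SNAPD_MOUNT_DIR/current/usr/lib/snapd/snapd"`, matching the `info` umount just above it. In the same section, `snap revert $SNAPD_SRC` and `snap remove --revision=x1 $SNAPD_SRC` leave the variable unquoted. Separately, the `prepare:` step writes a filtered copy of `/var/lib/snapd/state.json` via `jq ... > /tmp/modified_state.json`, so the copy gets the default umask under a fixed name in `/tmp`. Creating it with `mktemp` or under a test-private directory would avoid exposing snapd state to other local users.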
diff --git a/tests/main/snapd-snap-transition/task.yaml b/tests/main/snapd-snap-transition/task.yaml index a86b05348c3..bd02f569c02 100644 --- a/tests/main/snapd-snap-transition/task.yaml +++ b/tests/main/snapd-snap-transition/task.yaml @@ -9,7 +9,15 @@ systems: [-ubuntu-core-18-*, -ubuntu-core-2*, -ubuntu-core-16-*] execute: | echo "Ensure no snapd snap is installed" - not snap list snapd + # remove all snaps to remove snapd + snap remove core + # this is only possible when snapd is the only installed snap + snap remove snapd + # we should now be running from the distro package + systemctl restart snapd.service + + # TODO the test should install the snapd snap we built + snap install --dangerous "$TESTSTMP"/core_snap/core_*.snap echo "Enable the snapd snap" snap set core experimental.snapd-snap=true