File: task.yaml

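summary: Ensure that the network-control interface works.

details: |
    The network-control interface allows a snap to configure networking.

    A snap which defines the network-control plug must be shown in the
    interfaces list. The plug must not be auto-connected on install and, as
    usual, must be able to be reconnected.

    A snap declaring a plug on this interface must be able to modify the
    network configuration and ask for its status. The test sets up a network
    service, gets information about it (read capability) and creates an arp
    entry (write capability).

# NOTE(review): the checks that the interface is actually enforced (commands
# failing with "Permission denied" after the plug is disconnected) run only
# where `snap debug confinement` reports strict. On other systems this task
# exercises the positive path only.

# ubuntu-14.04: systemd-run not supported
# ubuntu-core-16-32: cannot install snap base "core20"
# ubuntu-core-18-32: cannot install snap base "core20"
systems: [-fedora-*, -opensuse-*, -ubuntu-14.04*, -ubuntu-core-16-32, -ubuntu-core-18-32]

environment:
    # Values are consumed as shell environment variables, so keep them all as
    # quoted strings to avoid YAML implicit typing.
    # TCP port the throw-away test service listens on.
    PORT: "8081"
    SERVICE_NAME: "test-service"
    # Address used only for the static neighbour (ARP) entry added on veth0.
    ARP_ENTRY_ADDR: "30.30.30.30"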

# Installs the consumer snap from the local test tree and starts the listening
# service that the read-capability check in `execute` queries.
prepare: |
    echo "Given a snap declaring a plug on the network-control interface is installed"
    "${TESTSTOOLS}/snaps-state" install-local network-control-consumer

    echo "And a network service is up"
    # make_network_service is provided by the sourced helper library.
    # shellcheck source=tests/lib/network.sh
    . "${TESTSLIB}/network.sh"
    make_network_service "${SERVICE_NAME}" "${PORT}"

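# Stops the test service and removes the namespaces, veth pair and netns mount
# that `execute` may have left on the host.
restore: |
    #shellcheck source=tests/lib/network.sh
    . "$TESTSLIB/network.sh"

    systemctl stop "$SERVICE_NAME"

    # Best-effort cleanup: each object may be missing, depending on how far
    # execute got before it stopped.
    ip netns delete test-ns || true
    # test-ns-2 exists only if the disconnected snap was wrongly allowed to
    # create it; remove it so a confinement failure here does not leak state
    # into later tests.
    ip netns delete test-ns-2 || true
    # Deleting veth0 also removes its peer, veth1.
    ip link delete veth0 || true
    umount /run/netns || true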

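# Exercises the network-control plug in both directions: with the plug
# connected the snap must be able to read and change network state; with it
# disconnected (strict confinement only) the same commands must fail with
# "Permission denied". Every negative check exits non-zero if the command
# unexpectedly succeeds, so a confinement regression cannot pass silently.
execute: |
    #shellcheck source=tests/lib/network.sh
    . "$TESTSLIB/network.sh"

    echo "Then the plug disconnected by default"
    # A "-" in the slot column means the plug has no connection, i.e. the
    # interface was not auto-connected on install.
    snap interfaces -i network-control | MATCH "^- +network-control-consumer:network-control$"

    echo "When the plug is connected"
    snap connect network-control-consumer:network-control

    echo "Then the snap command can query network status information"
    network-control-consumer.cmd ss -lnt | MATCH "LISTEN.*:$PORT"

    echo "And DNS information"
    case "$SPREAD_SYSTEM" in
    centos-*|debian-*|arch-linux-*|amazon-linux-*)
        # no systemd-resolved in those images
        ;;
    *)
        network-control-consumer.cmd resolvectl | MATCH "DNS Server"
        ;;
    esac

    if [ "$(snap debug confinement)" = strict ] ; then
        echo "When the plug is disconnected"
        snap disconnect network-control-consumer:network-control

        echo "Then the snap command can not query network status information"
        if network-control-consumer.cmd ss -lnt 2>net-query.output; then
            echo "Expected error caling command with disconnected plug"
            exit 1
        fi
        # Require the failure to be a denial, not some unrelated error.
        MATCH "Permission denied" < net-query.output
    fi

    echo "When the plug is connected"
    snap connect network-control-consumer:network-control

    echo "A network namespace can be created"
    network-control-consumer.cmd ip netns add test-ns
    # Verify from the host side first, then from inside the snap.
    ip netns list | MATCH test-ns
    echo "Listed"
    network-control-consumer.cmd ip netns list | MATCH test-ns
    echo "And removed"
    network-control-consumer.cmd ip netns delete test-ns

    # re-add to continue with the test
    network-control-consumer.cmd ip netns add test-ns

    echo "And a veth interface can be added to the namespace"

    # The veth pair is created by the host; only the move into the namespace
    # is performed by the confined snap.
    ip link add veth0 type veth peer name veth1
    ip link list | MATCH "veth0.*veth1"

    network-control-consumer.cmd ip link set veth1 netns test-ns

    ip link list | MATCH "veth0"
    ip link list | NOMATCH "veth1"

    echo "And a command can be executed in the context of the namespace"
    network-control-consumer.cmd ip netns exec test-ns ip link list | MATCH "veth1"

    echo "Then the snap command can modify the network configuration"
    network-control-consumer.cmd ip neigh add "$ARP_ENTRY_ADDR" lladdr aa:aa:aa:aa:aa:aa dev veth0

    # the entry becomes visible
    ip neigh show dev veth0 | MATCH "aa:aa:aa:aa:aa:aa"

    # xdp is only supported by apparmor in 20.04+
    if [ "$(snap debug confinement)" = strict ] && ! os.query is-xenial && ! os.query is-bionic && ! os.query is-core16 && ! os.query is-core18; then
        echo "Check that AF_XDP can be used"
        # 44 is the Linux AF_XDP address family number; it is hard-coded here
        # rather than taken from the socket module.
        network-control-consumer.cmd python3 -c 'import socket; AF_XDP=44; socket.socket(AF_XDP, socket.SOCK_RAW)'
    fi

    if [ "$(snap debug confinement)" = strict ] ; then
        echo "And the policy has the ptrace suppression rule"
        # Checked while the plug is still connected: the generated AppArmor
        # profile must carry an explicit deny for ptrace trace.
        MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.network-control-consumer.cmd

        echo "When the plug is disconnected"
        snap disconnect network-control-consumer:network-control

        echo "Then the snap command can not modify the network configuration"
        if network-control-consumer.cmd ip neigh del "$ARP_ENTRY_ADDR" lladdr aa:aa:aa:aa:aa:aa dev veth0 2>net-command.output; then
            echo "Expected error calling command with disconnected plug"
            exit 1
        fi
        MATCH "Permission denied" < net-command.output

        echo "The snap is not able to create a network namespace"
        if network-control-consumer.cmd ip netns add test-ns-2 2>ns-create.output; then
            echo "Expected error calling ns create command with disconnected plug"
            # Fail explicitly, like the sibling negative checks, instead of
            # relying on the MATCH below to trip on empty output.
            exit 1
        fi
        MATCH "Permission denied" < ns-create.output

        echo "And the snap can't add a veth interface to an existing namespace"
        # first, move veth1 back to the root namespace (the one of PID 1)
        ip netns exec test-ns ip link set veth1 netns 1
        if network-control-consumer.cmd ip link set veth1 netns test-ns 2>ns-move.output; then
            echo "Expected error trying to move veth to network namespace with disconnected plug"
            exit 1
        fi
        MATCH "Permission denied" < ns-move.output

        echo "And the snap can't execute a command in the context of the namespace"
        if network-control-consumer.cmd ip netns exec test-ns ip link list 2>ns-exec.output; then
            echo "Expected error trying to execute command in a network namespace context with disconnected plug"
            exit 1
        fi
        MATCH "Permission denied" < ns-exec.output

        # Confinement is already known to be strict in this branch, so only
        # the release check is needed (same exclusions as the positive test).
        if ! os.query is-xenial && ! os.query is-bionic && ! os.query is-core16 && ! os.query is-core18; then
            echo "And AF_XDP can no longer be used"
            if network-control-consumer.cmd python3 -c 'import socket; AF_XDP=44; socket.socket(AF_XDP, socket.SOCK_RAW)' 2> python-af-xdp.output; then
                echo "Expected error trying to open AF_XDP socket"
                exit 1
            fi
            MATCH "Permission denied" < python-af-xdp.output
        fi
    fi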