summary: Ensure that lxd works
details: |
    Verifies that the lxd snap works properly: we can run things inside an lxd
    container, use snapd inside lxd and run snaps as regular users. Check that
    we can run lxd as a snap inside a container to create a nested container,
    i.e. that we can use lxd as a snap inside lxd. Finally exercise the lxd
    interface and check that snaps running in containers don't prevent
    refreshes on the host.
# autopkgtest run only a subset of tests that deals with the integration
# with the distro
backends: [-autopkgtest]
# Only run this on ubuntu 16+, lxd will not work on !ubuntu systems
# currently nor on ubuntu 14.04
systems: [ubuntu-16.04-64, ubuntu-18.04-64, ubuntu-2*, ubuntu-core-*]
# Start before anything else as it can take a really long time.
priority: 1000
# lxd downloads can be quite slow
kill-timeout: 25m
environment:
    REFRESH_APP_AWARENESS_OUTER/snapd_cgroup_just_inside: false
    REFRESH_APP_AWARENESS_INNER/snapd_cgroup_just_inside: true
    REFRESH_APP_AWARENESS_OUTER/snapd_cgroup_just_outside: true
    REFRESH_APP_AWARENESS_INNER/snapd_cgroup_just_outside: false
    REFRESH_APP_AWARENESS_OUTER/snapd_cgroup_both: true
    REFRESH_APP_AWARENESS_INNER/snapd_cgroup_both: true
    REFRESH_APP_AWARENESS_OUTER/snapd_cgroup_neither: false
    REFRESH_APP_AWARENESS_INNER/snapd_cgroup_neither: false
prepare: |
    # using apt here is ok because this test only runs on ubuntu
    echo "Remove any installed debs (some images carry them) to ensure we test the snap"
    # apt -v tests whether apt is usable (it's not on ubuntu-core)
    if command -v apt && apt -v; then
        apt autoremove -y lxd
    fi
    # Depending on test variant, enable refresh-app-awareness outside to test
    # the interaction between lxd and cgroup-based application tracking.
    snap set system experimental.refresh-app-awareness=$REFRESH_APP_AWARENESS_OUTER
restore: |
    if [[ "$(find "$GOHOME" -name 'snapd_*.deb' | wc -l || echo 0)" -eq 0 ]]; then
        exit
    fi
    for cont_name in my-nesting-ubuntu my-ubuntu; do
        lxd.lxc stop $cont_name --force || true
        lxd.lxc delete $cont_name || true
    done
    snap remove --purge lxd
    snap remove --purge lxd-demo-server
    "$TESTSTOOLS"/lxd-state undo-mount-changes
    # unset refresh-app-awareness, which restores the default (enabled).
    snap unset system experimental.refresh-app-awareness
    # Stop the dbus.service of the user session of the root user. This test
    # runs in several configurations, not all of which have this capability.
    # Where supported the test code below causes socket activation, through the
    # refresh-app-awareness application tracking mechanism built into snap
    # run. This session-level dbus daemon is detected as spurious by the
    # invariant checker.
    systemctl --user stop dbus.service || true
    if os.query is-xenial || os.query is-bionic; then
        # old systems do not clean up the snap.* cgroups themselves
        find /sys/fs/cgroup/ -type d -name "snap.*" -prune | while read -r svc; do
            rmdir "$svc" || true
        done
    fi
debug: |
    # debug output from lxd
    "$TESTSTOOLS"/journal-state get-log -u snap.lxd.daemon.service
execute: |
    if [[ "$(find "$GOHOME" -name 'snapd_*.deb' | wc -l || echo 0)" -eq 0 ]]; then
        echo "Not running the lxd test when no snapd .deb files have been built"
        exit
    fi
    echo "Install lxd"
    "$TESTSTOOLS"/lxd-state prepare-snap
    # The snapd package we build as part of the tests will only run on the
    # distro we build on. So we need to launch the right ubuntu version.
    # prep two containers, the my-ubuntu normal container and the
    # my-nesting-ubuntu nesting container
    "$TESTSTOOLS"/lxd-state launch --name my-ubuntu
    "$TESTSTOOLS"/lxd-state launch --name my-nesting-ubuntu --params "-c security.nesting=true"
    if os.query is-pc-amd64 && lxd.lxc info my-ubuntu | grep "Architecture: i686"; then
        echo "LXD spawned 32bit userspace container on a 64bit host, WAT?"
        snap info lxd
        exit 1
    fi
    if os.query is-pc-amd64 && lxd.lxc info my-nesting-ubuntu | grep "Architecture: i686"; then
        echo "LXD spawned 32bit userspace container on a 64bit host, WAT?"
        snap info lxd
        exit 1
    fi
    for cont_name in my-ubuntu my-nesting-ubuntu; do
        echo "Ensure we can run things inside"
        lxd.lxc exec $cont_name echo hello | MATCH hello
        echo "Push snapd into container"
        lxd.lxc file push --quiet prep-snapd-in-lxd.sh "$cont_name/root/"
        lxd.lxc file push --quiet "$GOHOME"/snapd_*.deb "$cont_name/root/"
        echo "Install snapd in container"
        lxd.lxc exec $cont_name -- /root/prep-snapd-in-lxd.sh
        lxd.lxc exec $cont_name -- snap set system experimental.refresh-app-awareness=$REFRESH_APP_AWARENESS_INNER
        lxd.lxc file push "$(find "$SNAPD_WORK_DIR/snapd_snap" -name 'snapd_*.snap')" "$cont_name"/
        lxd.lxc exec $cont_name -- sh -c 'snap install --dangerous /snapd_*.snap'
    done
    # FIXME: ensure that the kernel running is recent enough, this
    # will only work with an up-to-date xenial kernel (4.4.0-78+)
    echo "Ensure we can use snapd inside lxd"
    lxd.lxc exec my-ubuntu snap install test-snapd-sh
    echo "And we can run snaps as regular users, assuming session bus is available"
    lxd.lxc exec my-ubuntu -- apt-get update
    lxd.lxc exec my-ubuntu -- apt-get install -y dbus-user-session
    lxd.lxc exec my-ubuntu -- su -l ubuntu -c "systemctl --user enable dbus.socket"
    lxd.lxc exec my-ubuntu -- su -l ubuntu -c "SNAP_CONFINE_DEBUG=yes /snap/bin/test-snapd-sh.sh -c 'echo from-the-inside'" | MATCH from-the-inside
    echo "And as root"
    lxd.lxc exec my-ubuntu -- test-snapd-sh.sh -c 'echo from-the-inside' | MATCH from-the-inside
    echo "We can also remove snaps successfully"
    lxd.lxc exec my-ubuntu -- snap remove --purge test-snapd-sh
    echo "Sanity check that mount overrides were generated inside the container"
    lxd.lxc exec my-ubuntu -- find /var/run/systemd/generator/ -name container.conf | MATCH "/var/run/systemd/generator/snap-core-.*mount.d/container.conf"
    # On older LXD, we work around / with private propagation by
    # creating a shared /snap mount point with snapd-generator (LP#1668659).
    # The unit does not exist in newer LXD images where root is shared.
    lxd.lxc exec my-ubuntu -- findmnt / -o PROPAGATION --noheadings | MATCH shared || lxd.lxc exec my-ubuntu -- test -f /var/run/systemd/generator/snap.mount
    # Ensure that we can run lxd as a snap inside a container to create a nested
    # container
    if [ "$SPREAD_SYSTEM" = "ubuntu-16.04-64" ]; then
        # related bug: https://bugs.launchpad.net/snapd/+bug/1892468
        echo "Not running old xenial combination which lacks proper patches"
        exit 0
    fi
    echo "Ensure we can use lxd as a snap inside lxd"
    lxd.lxc exec my-nesting-ubuntu -- apt autoremove -y lxd
    lxd.lxc exec my-nesting-ubuntu -- snap install lxd --channel="$LXD_SNAP_CHANNEL"
    echo "And we can run lxd containers inside the lxd container"
    lxd.lxc exec my-nesting-ubuntu -- snap set lxd waitready.timeout=240
    lxd.lxc exec my-nesting-ubuntu -- lxd waitready
    lxd.lxc exec my-nesting-ubuntu -- lxd init --auto
    # There isn't an official image for noble yet, let's use the community one
    REMOTE="$("$TESTSTOOLS"/lxd-state default-remote)"
    IMAGE="$("$TESTSTOOLS"/lxd-state default-image)"
    lxd.lxc exec my-nesting-ubuntu -- lxd.lxc launch --quiet "$REMOTE:$IMAGE" my-inner-ubuntu --config=user.user-data="$(cat lxd_proxy.yaml)"
    lxd.lxc exec my-nesting-ubuntu -- lxd.lxc exec my-inner-ubuntu -- echo "from-the-INSIDE-inside" | MATCH from-the-INSIDE-inside
    echo "Install lxd-demo server to exercise the lxd interface"
    snap install lxd-demo-server
    snap connect lxd-demo-server:lxd lxd:lxd
    echo "Check that snaps in containers don't prevent refreshes in the host"
    snap pack "$TESTSLIB/snaps/test-snapd-sh"
    snap install --dangerous test-snapd-sh_1.0_all.snap
    lxc file push test-snapd-sh_1.0_all.snap my-ubuntu/home/sh.snap
    lxc exec my-ubuntu -- snap install --dangerous /home/sh.snap
    # keep the snap running in the container until we refresh in the host
    lxc exec my-ubuntu -- touch /home/test-run
    lxc exec my-ubuntu -- sh -c 'test-snapd-sh.sh -c "while [ -e /home/test-run ]; do sleep 1; done"' &
    snap install --dangerous test-snapd-sh_1.0_all.snap
    # remove the signal file so that the snap exits
    lxc exec my-ubuntu -- rm /home/test-run
    echo "Check that we error in 'unconfined' lxd containers"
    lxd.lxc config show my-ubuntu > conf.yaml
    cat <<EOF >> conf.yaml
    config:
      raw.lxc: |
        lxc.apparmor.profile=unconfined
    EOF
    lxd.lxc stop --force my-ubuntu
    lxd.lxc config edit my-ubuntu < conf.yaml
    lxd.lxc start my-ubuntu
    # shellcheck disable=SC2016
    lxd.lxc exec my-ubuntu -- sh -c 'set -x;for i in $(seq 120); do if journalctl -u snapd.service | grep -E "apparmor detected but insufficient permissions to use it"; then break; fi; sleep 1; done'
    lxd.lxc exec my-ubuntu -- journalctl -u snapd | MATCH "apparmor detected but insufficient permissions to use it"
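The last step of the test above pushes `lxc.apparmor.profile=unconfined` into the container's `raw.lxc` and expects snapd to log "apparmor detected but insufficient permissions to use it". As an added example that is not part of the snapd test suite or of LXD, the POSIX sh audit below reads the YAML that `lxc config show <container>` prints and flags the settings that produce such a container: `raw.lxc` carrying `lxc.apparmor.profile=unconfined` (either as a block scalar, as the test writes it, or as a single-line value), `security.privileged`, and the `security.nesting` the test enables for the nesting container. The two sample configs are constructed for this example; the exact keys `lxc config show` emits on a real host are richer.

```shell
#!/bin/sh
# Added example (not part of the snapd test suite): audit the YAML that
# `lxc config show <container>` prints for settings that weaken the
# container's confinement. The sample configs below are constructed.

# lxd_confinement_audit: read config YAML on stdin, print one finding per
# line, exit 1 when the container is effectively unconfined, else 0.
lxd_confinement_audit() {
    awk '
        function indent_of(s) { match(s, /^[ \t]*/); return RLENGTH }

        # Start of a multi-line raw.lxc block scalar ("raw.lxc: |").
        /^[ \t]*raw\.lxc:[ \t]*\|/ {
            in_raw = 1; raw_indent = indent_of($0); next
        }
        # The block ends at the first non-empty line indented no deeper
        # than the raw.lxc key itself.
        in_raw && NF > 0 && indent_of($0) <= raw_indent { in_raw = 0 }

        # AppArmor disabled for the container, either inside the block or
        # as a single-line raw.lxc value.
        (in_raw || /^[ \t]*raw\.lxc:/) &&
        /lxc\.apparmor\.profile[ \t]*=[ \t]*unconfined/ {
            print "UNCONFINED: raw.lxc sets lxc.apparmor.profile=unconfined"
            bad = 1
        }
        /^[ \t]*security\.privileged:[ \t]*"?true"?/ {
            print "UNCONFINED: security.privileged is true"
            bad = 1
        }
        /^[ \t]*security\.nesting:[ \t]*"?true"?/ {
            print "WARN: security.nesting is true (required for lxd-in-lxd)"
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the nesting container from the test, still confined.
SAMPLE_CONFINED='architecture: x86_64
config:
  image.os: ubuntu
  security.nesting: "true"
devices: {}
'

# Constructed sample: the raw.lxc block the test appends to conf.yaml.
SAMPLE_UNCONFINED='architecture: x86_64
config:
  image.os: ubuntu
  raw.lxc: |
    lxc.apparmor.profile=unconfined
devices: {}
'

echo "== constructed confined (nesting-only) sample =="
printf '%s' "$SAMPLE_CONFINED" | lxd_confinement_audit \
    && echo "verdict: confined, snapd can use AppArmor"
echo "== constructed unconfined sample =="
printf '%s' "$SAMPLE_UNCONFINED" | lxd_confinement_audit \
    || echo "verdict: unconfined, expect 'apparmor detected but insufficient permissions to use it' in snapd's journal"
```

On a real host the function is fed with `lxc config show my-ubuntu | lxd_confinement_audit`; a non-zero exit is the signal to stop before installing snaps into the container rather than waiting for the snapd journal message.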