1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
summary: Ensure that the core.proxy.* settings are honored without core
details: |
Snapd provides the core.proxy.* config which can be used to setup the proxy used.
This test verifies that when a proxy config is set, the snapd commands go through
the proxy. In this scenario it is verified that snap install works even without
an installed core (to install core).
# only needs a test on classic
systems: [ubuntu-16.04-64, ubuntu-18.04-64]
prepare: |
# Ensure there is no .partial for the core snap to be resumed, otherwise
# it is not going to use the proxy to download it. The .partial file is
# being automatically restored with the snapd state.
rm -f /var/lib/snapd/snaps/core_*.partial
# Ensure core snap is not available in cache, otherwise it is not going
# to use the proxy to download it.
find /var/lib/snapd/snaps -name "core_*.snap" -printf "%i\n" -delete | \
while read -r inum ; do
find /var/lib/snapd/cache -inum "$inum" -delete
done
systemctl stop snapd.socket snapd.service
rm -rf /var/lib/snapd/state.json
# Unset snapd proxy configuration when it is required
if [ "${SNAPD_USE_PROXY:-}" = true ]; then
mv /etc/systemd/system/snapd.service.d/proxy.conf proxy.conf
cp /etc/environment environment
cp "$SNAPD_WORK_DIR"/environment.bak /etc/environment
systemctl daemon-reload
tests.cleanup defer mv proxy.conf /etc/systemd/system/snapd.service.d/proxy.conf
tests.cleanup defer mv environment /etc/environment
tests.cleanup defer systemctl daemon-reload
else
# only allow test user to connect to http/https
iptables -I OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
iptables -I OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
iptables -I OUTPUT -j ACCEPT -p tcp -m owner --uid-owner "$(id -u test)"
ip6tables -I OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
ip6tables -I OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
ip6tables -I OUTPUT -j ACCEPT -p tcp -m owner --uid-owner "$(id -u test)"
fi
systemctl start snapd.socket snapd.service
restore: |
if [ "${SNAPD_USE_PROXY:-}" != true ]; then
iptables -D OUTPUT -m owner --uid-owner "$(id -u test)" -j ACCEPT -p tcp
iptables -D OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
iptables -D OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
ip6tables -D OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
ip6tables -D OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
ip6tables -D OUTPUT -j ACCEPT -p tcp -m owner --uid-owner "$(id -u test)"
fi
snap set core proxy.https=
systemctl stop tinyproxy || true
execute: |
if ! command -v python3; then
echo "SKIP: need python3"
exit 0
fi
# We need the tiny proxy just when snapd does not connect to the store through a real proxy
PROXY="$HTTPS_PROXY"
if [ "${SNAPD_USE_PROXY:-}" != true ]; then
# run a proxy that can access http/https (via the owner rule)
systemd-run --service-type=notify --uid=test --unit tinyproxy -- python3 "$TESTSLIB/tinyproxy/tinyproxy.py"
tests.systemd wait-for-service -n 30 --state active tinyproxy
PROXY="http://localhost:3128"
fi
echo "Ensure normal install without proxy does not work"
if snap install core; then
echo "without a proxy core install should fail, test broken"
exit 1
fi
echo "Setup proxy config"
snap set core proxy.https="$PROXY"
echo "Ensure that snap install works even without an installed core to install core"
snap install core
if [ "${SNAPD_USE_PROXY:-}" != true ]; then
"$TESTSTOOLS"/journal-state match-log 'CONNECT (.*.cdn.snapcraft.io|.*.cdn.snapcraftcontent.com)' -u tinyproxy
fi
|
