1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
summary: Check that `snap run` runs
details: |
Verifies the `snap run` command and its parameters. Check
the parameter --strace can be used and the traced information
is correct. Also checks the --trace-exec and --debug-log parameters.
systems:
# strace does not support _newselect on s390x
# (https://github.com/strace/strace/issues/57)
- -*-s390x
environment:
STRACE_STATIC_CHANNEL: candidate
prepare: |
tests.exec is-skipped && exit 0
"$TESTSTOOLS"/snaps-state install-local basic-run
"$TESTSTOOLS"/snaps-state install-local test-snapd-sh
debug: |
tests.exec is-skipped && exit 0
cat stderr || true
execute: |
tests.exec is-skipped && exit 0
echo "Running a trivial command causes no DENIED messages"
test-snapd-sh.sh -c 'echo hello'
if os.query is-arch-linux && [ "$SNAP_REEXEC" != "1" ]; then
dmesg | grep DENIED > arch-denied.log
# due to Go 1.25 poking /proc/self/mountinfo we get a denial from
# snap-exec which executes under the profile of test-snapd-sh which looks like this (all in one line):
# [ 1698.601327] audit: type=1400 audit(1757424814.280:2967): apparmor="DENIED"
# operation="open" class="file" profile="snap.test-snapd-sh.sh"
# name="/proc/162399/mountinfo" pid=162399 comm="snap-exec"
# requested_mask="r" denied_mask="r" fsuid=0 ouid=0
MATCH 'apparmor="DENIED" operation="open" .* name="/proc/[0-9]+/mountinfo" .* comm="snap-exec"' < arch-denied.log
test "$(wc -l < arch-denied.log)" = "1"
else
dmesg | not grep DENIED
fi
echo "Test that snap run use environments"
basic-run.echo-data | MATCH ^/var/snap
if command -v gdb; then
echo "Test snap run --gdb works"
echo "c" | snap run --gdb test-snapd-sh.sh -c 'echo hello' > stdout
MATCH 'Continuing.' < stdout
MATCH hello < stdout
fi
# the strace on 14.04 is too old
if os.query is-trusty; then
snap install strace-static --channel="${STRACE_STATIC_CHANNEL}"
fi
# the strace on opensuse is too old
if os.query is-opensuse && ! os.query is-opensuse tumbleweed; then
snap install strace-static --channel="${STRACE_STATIC_CHANNEL}"
fi
# install the snap if no system strace is found
if ! command -v strace; then
snap install strace-static --channel="${STRACE_STATIC_CHANNEL}"
fi
echo "Test snap --strace invalid works"
if snap run --strace="invalid" test-snapd-sh.sh -c 'echo hello' 2>stderr ; then
echo "snap run with an invalid strace option should fail but it did not"
exit 1
fi
MATCH "Cannot find executable 'invalid'" < stderr || MATCH "Can't stat 'invalid': No such file or directory" < stderr
if os.query is-arch-linux || os.query is-opensuse tumbleweed; then
# Arch linux and Opensuse tumbleweed run the mainline kernel, strace
# (with event filter or not) *may* randomly get stuck on the kernel
# side, see:
# - proposed patch: https://lore.kernel.org/patchwork/patch/719314/
# - snap-exec & strace stuck: https://paste.ubuntu.com/p/8nVzj8Sqfq/
echo "SKIP further tests due to know kernel/strace problems"
exit 0
fi
# XXX: any tests that execute strace should be added below this point
# When trace logging on activated for snap commands, trace-level messages
# will appear in snap command output, which is unexpected for this test.
# This variable is used to skip those checks where necessary.
SKIP_NO_EXTRA_MSG_CHECKS=false
if [ -n "$SNAPD_TRACE" ] && [ -n "$SNAPD_JSON_LOGGING" ] && [ -n "$SNAP_LOG_TO_JOURNAL" ]; then
SKIP_NO_EXTRA_MSG_CHECKS=true
fi
echo "Test snap run --strace"
snap run --strace test-snapd-sh.sh -c 'echo hello-world' >stdout 2>stderr
MATCH hello-world < stdout
MATCH 'write\(1, \"hello-world\\n\",' < stderr
if grep "snap-confine" stderr && [ "$SKIP_NO_EXTRA_MSG_CHECKS" = "false" ]; then
echo "the snap-confine calls should be filtered out, something is wrong
cat stderr"
exit 1
fi
echo "Test snap run --strace with options works"
snap run --strace="-V" test-snapd-sh.sh -c 'echo hello-world' >stdout 2>stderr
MATCH "strace -- version" < stdout
# We don't want to test for an empty stderr should there be unrelated errors with
# strace. Instead we look for a keyword
if [ "$SKIP_NO_EXTRA_MSG_CHECKS" = "false" ]; then
NOMATCH 'exec' < stderr
fi
snap run --trace-exec test-snapd-sh.sh -c 'echo hello' 2> stderr
MATCH "Slowest [0-9]+ exec calls during snap run" < stderr
MATCH " [0-9.]+s .*/snap-exec" < stderr
MATCH " [0-9.]+s .*/snap-confine" < stderr
MATCH "Total time: [0-9.]+s" < stderr
snapd.tool exec snap-discard-ns test-snapd-sh
snap run --debug-log test-snapd-sh.sh -c 'echo hello' 2> stderr
if [ "$SKIP_NO_EXTRA_MSG_CHECKS" = "true" ]; then
# If logging to journal is active, then grab the entires in the journal for snap
# and add them to the head of the stderr output
mv stderr tmp
"$TESTSTOOLS"/journal-state get-log --no-pager | grep -oP 'snap\[\d+\]: \K.*' > stderr
cat tmp >> stderr
fi
MATCH -- '-- snap startup .*"stage".*"time"' < stderr
if ! os.query is-trusty ; then
"$PROJECT_PATH"/debug-tools/startup-timings stderr > startup.out
MATCH 'snap to snap-confine' < startup.out
MATCH 'snap-confine enter' < startup.out
MATCH 'snap-confine mount namespace start' < startup.out
MATCH 'snap-confine mount namespace finish' < startup.out
MATCH 'snap-exec to app' < startup.out
MATCH 'approx. total: [0-9.]+s' < startup.out
fi
|
