File: task.yaml

snapd 2.72-1
# Task header: one-line summary, longer description, and the systems the
# task is limited to.
summary: Check that kernel command line options work

details: |
  This test checks that the system options that affect the kernel
  command line options work as expected.

# only systems whose name matches the ubuntu-2* glob
systems: [ubuntu-2*]

# Settings for the nested VM image build and for the local fake store.
environment:
  # use tpm + secure boot to get full disk encryption, this is explicitly needed
  # for grade: secured
  # NOTE(review): no secured variant is defined below (only dangerous and
  # signed); confirm whether both settings are still intended for those grades
  NESTED_ENABLE_TPM: true
  NESTED_ENABLE_SECURE_BOOT: true

  # use snapd from the spread run so that we have testkeys trusted in the snapd
  # run
  NESTED_BUILD_SNAPD_FROM_CURRENT: true

  # don't use cloud-init from the seed, as we use it from the gadget so it
  # can work for non-dangerous models
  NESTED_USE_CLOUD_INIT: false

  # sign all the snaps we build for the image with fakestore
  NESTED_SIGN_SNAPS_FAKESTORE: true

  # two variants, for dangerous and signed grades; the execute script branches
  # on MODEL_GRADE to check that the dangerous-only option is honoured on the
  # first and ignored on the second
  MODEL_GRADE/dangerous: dangerous
  MODEL_GRADE/signed: signed

  # model assertion matching the variant's grade
  # presumably {VERSION} is a placeholder filled in by the nested test
  # library rather than by the shell - TODO confirm
  NESTED_CUSTOM_MODEL: $TESTSLIB/assertions/developer1-{VERSION}-${MODEL_GRADE}.model

  # for the fake store
  # the store endpoint is plain http, which is only reasonable because it is
  # bound to localhost on the test host
  NESTED_FAKESTORE_BLOB_DIR: $(pwd)/fake-store-blobdir
  NESTED_UBUNTU_IMAGE_SNAPPY_FORCE_SAS_URL: http://localhost:11028

  # unset this otherwise ubuntu-image complains about overriding the channel for
  # a model with grade higher than dangerous when building the image
  NESTED_CORE_CHANNEL: ""

# Builds the image under test: starts the fake store, repacks the pc gadget
# (refresh hold defaults, cloud.conf, prepare-device hook, signed boot assets,
# kernel-cmdline allow list), starts the fake device service, then builds and
# boots the nested core VM.
prepare: |
  # A bare `exit` returns the status of the preceding echo, i.e. success, so
  # without trusted test keys the task ends here without testing anything.
  if [ "$TRUST_TEST_KEYS" = "false" ]; then
      echo "This test needs test keys to be trusted"
      exit
  fi

  #shellcheck source=tests/lib/nested.sh
  . "$TESTSLIB/nested.sh"

  # setup the fakestore, but don't use it for our snapd here on the host VM, so
  # tear down the staging_store immediately afterwards so that only the SAS is
  # running and our snapd is not pointed at it, ubuntu-image is the only thing
  # that actually needs to use the fakestore, and we will manually point it at
  # the fakestore below using NESTED_UBUNTU_IMAGE_SNAPPY_FORCE_SAS_URL
  "$TESTSTOOLS"/store-state setup-fake-store "$NESTED_FAKESTORE_BLOB_DIR"
  "$TESTSTOOLS"/store-state teardown-staging-store

  echo Expose the needed assertions through the fakestore
  cp "$TESTSLIB"/assertions/developer1.account "$NESTED_FAKESTORE_BLOB_DIR/asserts"
  cp "$TESTSLIB"/assertions/developer1.account-key "$NESTED_FAKESTORE_BLOB_DIR/asserts"

  # modify and repack gadget snap to add a defaults section and use our own
  # prepare-device hook to use the fakedevicesvc

  # Get the snakeoil key and cert for signing gadget assets (shim)
  # This is a test-only signing key; both files are deleted again once the
  # gadget has been packed (see the rm -f further down).
  KEY_NAME=$(tests.nested download snakeoil-key)
  SNAKEOIL_KEY="$PWD/$KEY_NAME.key"
  SNAKEOIL_CERT="$PWD/$KEY_NAME.pem"

  # Get the nested system version
  VERSION="$(tests.nested show version)"

  snap download --basename=pc --channel="$VERSION/edge" pc
  unsquashfs -d pc-gadget pc.snap

  # delay all refreshes for a week from now, as otherwise refreshes for our
  # snaps (which are asserted by the testrootorg authority-id) may happen, which
  # will break things because the signing keys won't match, etc. and
  # specifically snap-bootstrap in the kernel snap from the store won't trust
  # the seed keys to unlock the encrypted data partition in the initramfs
  # The sed output (defaults.yaml with @HOLD-TIME@ replaced) is appended to the
  # gadget.yaml of the unpacked gadget.
  sed defaults.yaml -e "s/@HOLD-TIME@/$(date --date="next week" +%Y-%m-%dT%H:%M:%S%:z)/" >> \
    pc-gadget/meta/gadget.yaml

  # install the cloud.conf
  cp cloud.conf pc-gadget/cloud.conf

  # copy the prepare-device hook to use our fakedevicesvc
  mkdir -p pc-gadget/meta/hooks/
  cp prepare-device pc-gadget/meta/hooks/

  # Sign boot assets
  tests.nested secboot-sign gadget pc-gadget "$SNAKEOIL_KEY" "$SNAKEOIL_CERT"

  # Add a list of allowed kernel arguments
  # The execute script depends on exactly this list: it expects
  # extra.val=nope to be rejected and "extra.val=1 extra.flag foo=bar" to be
  # accepted. printf "%b" turns the \n sequences collected in allow_ls into
  # real newlines when the section is appended to gadget.yaml.
  allow_ls="\nkernel-cmdline:\n  allow:\n"
  for arg in 'extra.val=1' 'extra.flag' 'foo=*'; do
      allow_ls="${allow_ls}    - ${arg}\n"
  done
  printf "%b" "$allow_ls" >> pc-gadget/meta/gadget.yaml

  snap pack pc-gadget/ "$(tests.nested get extra-snaps-path)"
  rm -rf pc-gadget/

  # the signing key material is not needed past this point
  rm -f "$SNAKEOIL_KEY" "$SNAKEOIL_CERT"

  # start fake device svc
  # runs as the transient unit "fakedevicesvc", which restore stops again
  systemd-run --collect --unit fakedevicesvc fakedevicesvc localhost:11029

  tests.nested build-image core
  tests.nested create-vm core

# Undoes the host-side setup from prepare: stops the fake device service and
# tears down the fake store.
restore: |
  # same gate as in prepare: nothing was set up when test keys are not trusted
  if [ "$TRUST_TEST_KEYS" = "false" ]; then
      echo "This test needs test keys to be trusted"
      exit
  fi

  # stop fake device svc
  # NOTE(review): if this command fails (for instance because the transient
  # unit is no longer loaded), the fake store teardown below may be skipped,
  # depending on whether the runner aborts on the first error - confirm
  systemctl stop fakedevicesvc

  "$TESTSTOOLS"/store-state teardown-fake-store "$NESTED_FAKESTORE_BLOB_DIR"

# Diagnostics for the fake device service; `|| true` keeps a stopped or
# missing unit from turning this step itself into an error.
debug: |
  systemctl status fakedevicesvc || true

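# Checks kernel command line handling inside the nested VM:
#   1. the gadget defaults are present on the booted command line,
#   2. system.kernel.dangerous-cmdline-append takes effect only on a
#      dangerous-grade model and is ignored on a signed one,
#   3. system.kernel.cmdline-append rejects a value outside the gadget
#      allow list and applies values inside it.
# Every check on the system under test goes through remote.exec; a command
# run without it inspects the test host instead.
execute: |
  # A bare `exit` returns success, so without trusted test keys the task
  # ends here without checking anything.
  if [ "$TRUST_TEST_KEYS" = "false" ]; then
      echo "This test needs test keys to be trusted"
      exit
  fi

  echo "Waiting for the system to be seeded"
  remote.exec "sudo snap wait system seed.loaded"

  echo "Check we have the right model from snap model"
  remote.exec "sudo snap model --verbose" | MATCH "grade:\s+${MODEL_GRADE}"

  echo "Check that gadget kernel command line defaults have been respected"
  remote.exec "sudo cat /proc/cmdline" | MATCH "foo=1 foo=2"
  remote.exec cat /var/lib/snapd/modeenv | MATCH "foo=1 foo=2"

  echo "No errors in snap change 1"
  remote.exec snap change 1 | NOMATCH ERROR

  # The dangerous option is set on both variants; only the expected outcome
  # differs by grade.
  cmdlineOptDang="extradang.val=1 extradang.flag"
  remoteCmd="sudo snap set system system.kernel.dangerous-cmdline-append=\"$cmdlineOptDang\""
  remote.exec "$remoteCmd"
  if [ "$MODEL_GRADE" = "dangerous" ]; then
      boot_id="$(tests.nested boot-id)"
      echo "Rebooting"
      # the connection may drop while the VM goes down, hence || true
      remote.exec "sudo reboot" || true
      tests.nested wait-for reboot "$boot_id"

      remote.exec "sudo cat /proc/cmdline" | MATCH "$cmdlineOptDang"
  else
      # Check that no change has been created
      # This has to query snapd inside the nested VM: a bare `snap changes`
      # lists the host's changes, where the kernel command line change can
      # never appear, so the negative check would pass vacuously.
      remote.exec snap changes | NOMATCH 'Update kernel command line due to change in system configuration'
      # and that grubenv and modeenv have not changed
      remote.exec cat /var/lib/snapd/modeenv | NOMATCH "$cmdlineOptDang"
      remote.exec cat /boot/grub/grubenv | NOMATCH "$cmdlineOptDang"
  fi

  # Set not allowed values
  # extra.val=nope is not in the gadget allow list (only extra.val=1 is), so
  # the set command must fail and leave modeenv and grubenv untouched
  cmdlineOpt="extra.val=nope"
  not remote.exec "sudo snap set system system.kernel.cmdline-append=\"$cmdlineOpt\""
  remote.exec snap changes | MATCH 'Error.*Change configuration of "core" snap'
  remote.exec cat /var/lib/snapd/modeenv | NOMATCH "$cmdlineOpt"
  remote.exec cat /boot/grub/grubenv | NOMATCH "$cmdlineOpt"

  # Set allowed values
  # each argument matches an allow-list entry: extra.val=1, extra.flag, foo=*
  cmdlineOpt="extra.val=1 extra.flag foo=bar"
  remote.exec "sudo snap set system system.kernel.cmdline-append=\"$cmdlineOpt\""

  boot_id="$(tests.nested boot-id)"
  echo "Rebooting"
  remote.exec "sudo reboot" || true
  tests.nested wait-for reboot "$boot_id"

  remote.exec "sudo cat /proc/cmdline" | MATCH "$cmdlineOpt"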