2022-06-17 12:12:34 +02:00
|
|
|
summary: Check basic core20 and later system functionality
|
2019-12-18 18:19:05 +01:00
|
|
|
|
2023-11-29 20:41:29 +02:00
|
|
|
details: |
|
|
|
|
|
Verify some basic functionalities in ubuntu core (>=20): system
|
|
|
|
|
snaps are present, the system is fully seeded, install a simple
|
|
|
|
|
snap, check boot configuration, symlinks in /var/lib/snapd/snaps,
|
|
|
|
|
snap recovery, loop devices and apparmor after a reboot works
|
|
|
|
|
properly
|
|
|
|
|
|
2022-03-08 09:29:00 +01:00
|
|
|
systems:
|
|
|
|
|
- ubuntu-core-20-*
|
2022-06-17 12:12:34 +02:00
|
|
|
- ubuntu-core-22-*
|
2020-02-06 15:36:30 -06:00
|
|
|
|
2019-12-18 18:19:05 +01:00
|
|
|
execute: |
|
2022-03-08 09:29:00 +01:00
|
|
|
case "$SPREAD_SYSTEM" in
|
|
|
|
|
ubuntu-core-22-*)
|
|
|
|
|
base_snap=core22
|
|
|
|
|
;;
|
|
|
|
|
ubuntu-core-20-*)
|
|
|
|
|
base_snap=core20
|
|
|
|
|
;;
|
|
|
|
|
esac
|
2019-12-18 18:19:05 +01:00
|
|
|
echo "Check that the system snaps are there"
|
2022-03-08 09:29:00 +01:00
|
|
|
snap list "${base_snap}"
|
2020-01-06 17:47:20 +01:00
|
|
|
snap list snapd
|
|
|
|
|
if snap list core; then
|
2019-12-18 18:19:05 +01:00
|
|
|
echo "The old core snap is installed but should not"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Ensure that the system is fully seeded"
|
|
|
|
|
snap changes | MATCH "Done.*Initialize system state"
|
|
|
|
|
|
|
|
|
|
echo "Check that a simple shell snap"
|
2022-03-08 09:29:00 +01:00
|
|
|
if os.query is-core22; then
|
|
|
|
|
snap install --edge "test-snapd-sh-${base_snap}"
|
|
|
|
|
else
|
|
|
|
|
snap install "test-snapd-sh-${base_snap}"
|
|
|
|
|
fi
|
|
|
|
|
"test-snapd-sh-${base_snap}.sh" -c 'echo hello' | MATCH hello
|
2019-12-18 18:19:05 +01:00
|
|
|
|
|
|
|
|
if python3 -m json.tool < /var/lib/snapd/system-key | grep '"build-id": ""'; then
|
|
|
|
|
echo "The build-id of snapd must not be empty."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Ensure passwd/group is available for snaps"
|
2022-03-08 09:29:00 +01:00
|
|
|
"test-snapd-sh-${base_snap}.sh" -c 'cat /var/lib/extrausers/passwd' | MATCH test
|
2020-01-29 09:57:18 +01:00
|
|
|
|
2023-11-29 20:41:29 +02:00
|
|
|
# rpi devices don't use grub
|
|
|
|
|
if ( os.query is-core20 || os.query is-core22 ) && not snap list pi-kernel &>/dev/null; then
|
2020-11-18 05:55:07 -03:00
|
|
|
echo "Ensure extracted kernel.efi exists"
|
2022-05-13 15:11:54 -03:00
|
|
|
kernel_name="$(snaps.name kernel)"
|
2020-11-18 05:55:07 -03:00
|
|
|
test -e /boot/grub/"$kernel_name"*/kernel.efi
|
|
|
|
|
|
|
|
|
|
echo "Ensure kernel.efi is a symlink"
|
|
|
|
|
test -L /boot/grub/kernel.efi
|
|
|
|
|
|
|
|
|
|
echo "Ensure we are using managed boot assets"
|
|
|
|
|
MATCH '# Snapd-Boot-Config-Edition: [0-9]+' < /boot/grub/grub.cfg
|
|
|
|
|
MATCH '# Snapd-Boot-Config-Edition: [0-9]+' < /run/mnt/ubuntu-seed/EFI/ubuntu/grub.cfg
|
2023-11-29 20:41:29 +02:00
|
|
|
else
|
2020-11-18 05:55:07 -03:00
|
|
|
echo "Ensure extracted {kernel,initrd}.img exists"
|
|
|
|
|
test -e /run/mnt/ubuntu-seed/systems/*/kernel/kernel.img
|
|
|
|
|
test -e /run/mnt/ubuntu-seed/systems/*/kernel/initrd.img
|
2023-11-29 20:41:29 +02:00
|
|
|
fi
|
2020-02-06 15:45:52 +01:00
|
|
|
|
2020-11-05 12:09:59 -06:00
|
|
|
echo "Ensure that model was written to ubuntu-boot"
|
|
|
|
|
test -e /run/mnt/ubuntu-boot/device/model
|
|
|
|
|
|
2020-02-06 15:45:52 +01:00
|
|
|
# ensure that our the-tool (and thus our snap-bootstrap ran)
|
2020-06-09 00:28:25 -03:00
|
|
|
# for external backend the initramfs is not rebuilt
|
2020-02-06 15:45:52 +01:00
|
|
|
echo "Check that we booted with the rebuilt initramfs in the kernel snap"
|
2024-03-05 13:51:21 +02:00
|
|
|
if [ "$SPREAD_BACKEND" != "external" ] && [ "$SPREAD_BACKEND" != "testflinger" ]; then
|
2020-06-09 00:28:25 -03:00
|
|
|
test -e /writable/system-data/the-tool-ran
|
|
|
|
|
fi
|
2020-04-03 11:50:22 +02:00
|
|
|
|
2020-05-07 11:27:30 +02:00
|
|
|
# ensure we handled cloud-init, either we have:
|
|
|
|
|
# a) cloud init is disabled
|
|
|
|
|
# b) there was a cloud.cfg.d override (e.g. MAAS), then we must have more
|
|
|
|
|
# files in writable than in the core20 snap. The core20 content and the
|
|
|
|
|
# extra config will be merged
|
2022-12-14 10:18:18 +00:00
|
|
|
test -e /writable/system-data/etc/cloud/cloud-init.disabled || [ "$(find /writable/system-data/etc/cloud/cloud.cfg.d/ | wc -l)" -gt "$(find /snap/"${base_snap}"/current/etc/cloud/cloud.cfg.d/ | wc -l)" ]
|
2020-05-07 11:27:30 +02:00
|
|
|
|
snap/squashfs: also symlink snap Install with uc20 seed snap dir layout (#8711)
This ensures that during install/recover mode we use symlinks in /var/lib/snapd/snaps to /var/lib/snapd/seed/systems//snaps, and that makebootable will still copy the full snap file to /run/mnt/ubuntu-data/... such that the initramfs and run mode see a normal snap file. Note that we specifically don't want the initramfs to use symlinks from ubuntu-data to ubuntu-seed because this is not trusted, this is enforced by passing a new InstallOptions to Container.Install with a MustNostCrossDevices flag.
This was prompted by https://bugs.launchpad.net/snapd/+bug/1878647 because there, the tmpfs we mount for ubuntu-data/writable is only 205M, and all the kernel and base snaps are over 205M and so the install runs out of space to copy the snap files onto the tmpfs and eventually snapd tries to uninstall itself during first-boot.
This fixes https://bugs.launchpad.net/snapd/+bug/1878647
* boot/makebootable: if kernel,base snaps are symlinks, follow symlink
This ensures that if we switch setup during install/recover mode to use symlinks
in /var/lib/snapd/snaps to /var/lib/snapd/seed/systems/<label>/snaps, that
makebootable will still copy the full snap file to /run/mnt/ubuntu-data/...
such that the initramfs and run mode see a normal snap file.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap/squashfs: fix creating symlinks when snap is in uc20 seed system snaps dir
During uc20 install and recover modes, we will have a tmpfs as our writable
partition and as such we don't really want or need to make a full copy of the
snap files into /var/lib/snapd/snaps, and can make do with a symlink instead.
However, during uc20 install and recover modes the snap files from the seed dir
will be of the form /var/lib/snapd/seed/systems<label>/snaps/<name>.snap and so
the previous logic to install it was wrong, as the <name>.snap would not be a
direct child of /var/lib/snapd/seed, and instead needs to check that it is just
prefixed with /var/lib/snapd/seed somewhere.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap/many: support InstallOptions + MustCopy for Install()
This will allow us from snapstate to decide how a snap file should be installed,
if it should be symlinked or if it should be always copied, etc. Eventually we
should also introduce logic to snapstate to decide if it should be linked to
remove the overlayfs specific logic from here where it is kind of awkward to
see.
Also add tests for the squashfs and snapstate implementations.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* overlord/snapstate: always copy files when seeding in uc20 run mode
This prevents us from inadventently installing symlinks from ubuntu-data to
ubuntu-seed, which would be insecure in the full disk encryption case because
an attacker could modify ubuntu-seed and after the disk is unlocked on
ubuntu-data and the system starts running, the snap from ubuntu-seed would be
mounted.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap: rename MustCopy to MustNotCrossDevices for InstallOptions
This option is really about security and ensuring that when we install a snap
that installation does not cross device/trust boundaries, i.e. on UC20 from
ubuntu-data (trusted) to ubuntu-seed (untrusted), so rename the option to better
reflect this.
Also, refactor the implementation to allow hard-links if MustNotCrossDevices is
true, as by definition hard-links cannot cross devices/filesystems, and really
should only limit symlinks.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap/snapdir: un-support MustNotCrossDevices in Install() for now
It's unclear what we want this implementation to look like, so for now just drop
it. `snap try` may be less secure on UC20 as a result, but that shouldn't be
happening on production devices anyways.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/core/basic20: also test that no symlinks were created during seeding
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/core/seed-base-symlinks: disable for UC20 permanently, adjust comment
We don't have symlinks from ubuntu-data /var/lib/snapd/snaps to ubuntu-seed at
/var/lib/snapd/seed by design on UC20 run mode.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/core: fix spread tests adjustments
* squashfs: drop TODO:UC20 more likely to confuse than get ever addressed
Co-authored-by: Samuele Pedroni <pedronis@lucediurna.net>
2020-05-26 04:06:08 -05:00
|
|
|
# ensure that we have no symlinks from /var/lib/snapd/snaps to
|
|
|
|
|
# /var/lib/snapd/seed
|
|
|
|
|
for sn in /var/lib/snapd/snaps/*.snap ; do
|
|
|
|
|
if [[ -L $sn ]]; then
|
|
|
|
|
echo "snap $sn is a symlink but should not be"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
done
|
2020-07-16 13:41:20 +02:00
|
|
|
|
2022-02-10 15:59:45 -06:00
|
|
|
# ensure that disk-mapping.json is created - we check the format of this
|
|
|
|
|
# file in unit tests and in uc20-create-partitions so we don't check
|
|
|
|
|
# anything here, just that the file exists
|
|
|
|
|
test -e /var/lib/snapd/device/disk-mapping.json
|
2022-02-17 10:31:38 -06:00
|
|
|
# ubuntu-save has it too
|
|
|
|
|
test -e /run/mnt/ubuntu-save/device/disk-mapping.json
|
2022-02-10 15:59:45 -06:00
|
|
|
|
2020-07-16 13:41:20 +02:00
|
|
|
# ensure the "snap recovery" command works
|
2020-09-15 13:50:07 -03:00
|
|
|
MODEL="$(snap model --verbose | grep '^model' | awk '{ print $2 }')"
|
2020-09-16 14:02:21 -03:00
|
|
|
BRAND_ID="$(snap model --verbose | grep '^brand-id:' | awk '{print $2}')"
|
|
|
|
|
if [ "$(snap known account "username=$BRAND_ID" | grep '^validation:' | awk '{print $2}')" != "unproven" ]; then
|
2022-04-26 14:59:56 +02:00
|
|
|
BRAND_ID="$BRAND_ID\*\*"
|
2020-09-15 21:11:20 -03:00
|
|
|
fi
|
2020-09-16 14:02:21 -03:00
|
|
|
snap recovery --unicode=never | MATCH "[0-9]+ +$BRAND_ID +$MODEL +current"
|
2021-04-12 09:17:57 +02:00
|
|
|
|
|
|
|
|
# check that we have a boot-flags file
|
|
|
|
|
test -f /run/snapd/boot-flags
|
2021-11-29 17:01:30 +01:00
|
|
|
|
|
|
|
|
# make sure that loop devices created by snap-bootstrap initramfs-mounts for snaps are readonly
|
|
|
|
|
for mount in /run/mnt/base /run/mnt/kernel; do
|
|
|
|
|
mountpoint "${mount}"
|
|
|
|
|
loop="$(findmnt -o source "${mount}" -n)"
|
|
|
|
|
echo "${loop}" | MATCH "/dev/loop[0-9]+"
|
|
|
|
|
losetup -O ro -n --raw "${loop}" | MATCH "1"
|
|
|
|
|
done
|
2023-07-03 21:33:27 +09:30
|
|
|
|
|
|
|
|
# ensure apparmor works, see LP: 2024637
|
|
|
|
|
systemctl status apparmor.service
|
|
|
|
|
|
|
|
|
|
# reboot to double check that apparmor still works after the reboot
|
|
|
|
|
# (LP: 2024637)
|
|
|
|
|
if [ "$SPREAD_REBOOT" = 0 ]; then
|
|
|
|
|
REBOOT
|
|
|
|
|
fi
|
