Merge pull request #10394 from anonymouse64/tests/uc20-gadget-cloud-conf-spread

tests/nested: add spread test for uc20 cloud.conf from gadgets

tests/nested/manual/cloud-init-never-used-not-vuln/task.yaml

@@ -95,10 +95,13 @@ execute: |
     echo "Waiting for cloud-init..."
     nested_exec "cloud-init status --wait"
 
-    # TODO: is there a better thing we can wait for here instead? maybe the log
-    # message from snapd directly via journalctl ?
     echo "Waiting for snapd to react to cloud-init"
-    sleep 60
+    for i in $(seq 60); do
+        if nested_exec "journalctl --no-pager -u snapd" | MATCH "Cloud-init reported"; then
+            break
+        fi
+        sleep 1
+    done
 
     # ensure that snapd disabled cloud-init with the cloud-init.disabled file
     echo "Ensuring that snapd restricted cloud-init"

tests/nested/manual/cloud-init-nocloud-not-vuln/task.yaml

@@ -102,10 +102,13 @@ execute: |
     echo "Waiting for cloud-init..."
     nested_exec "cloud-init status --wait"
 
-    # TODO: is there a better thing we can wait for here instead? maybe the log
-    # message from snapd directly via journalctl ?
     echo "Waiting for snapd to react to cloud-init"
-    sleep 60
+    for i in $(seq 60); do
+        if nested_exec "journalctl --no-pager -u snapd" | MATCH "Cloud-init reported"; then
+            break
+        fi
+        sleep 1
+    done
 
     # ensure that snapd restricted cloud-init with the zzzz_snapd.cfg file
     echo "Ensuring that snapd restricted cloud-init"

tests/nested/manual/core20-gadget-cloud-conf/cloud.conf

@@ -0,0 +1,7 @@
+# cloud-config
+datasource_list: [NoCloud]
+users:
+  - name: normal-user
+    sudo: "ALL=(ALL) NOPASSWD:ALL"
+    lock_passwd: false
+    plain_text_passwd: "ubuntu"

tests/nested/manual/core20-gadget-cloud-conf/defaults.yaml

@@ -0,0 +1,6 @@
+defaults:
+  system:
+    refresh:
+      hold: "@HOLD-TIME@"
+    journal:
+      persistent: true

tests/nested/manual/core20-gadget-cloud-conf/task.yaml

@@ -0,0 +1,155 @@
+summary: Test that UC20 can boot with gadget provided cloud.conf for all grades
+
+# TODO: enable similar test for UC18 and UC16 gadgets that use cloud.conf?
+systems: [ubuntu-20.04-64]
+
+environment:
+  # use tpm + secure boot to get full disk encryption, this is explicitly needed
+  # for grade: secured
+  NESTED_ENABLE_TPM: true
+  NESTED_ENABLE_SECURE_BOOT: true
+
+  # use snapd from the spread run so that we have testkeys trusted in the snapd
+  # run
+  NESTED_BUILD_SNAPD_FROM_CURRENT: true
+
+  # don't use cloud-init to create the user, we manually use cloud-init via
+  # the gadget to add a user
+  NESTED_USE_CLOUD_INIT: false
+
+  # sign all the snaps we build for the image with fakestore
+  NESTED_SIGN_SNAPS_FAKESTORE: true
+
+  # use the testrootorg auto-import assertion
+  # TODO: commit the Go code used to create this assertion from the json file
+  NESTED_CUSTOM_AUTO_IMPORT_ASSERTION: $TESTSLIB/assertions/developer1-auto-import.assert
+
+  # three variants, for dangerous, signed, and secured grades
+  MODEL_GRADE/secured: secured
+  MODEL_GRADE/signed: signed
+
+  # TODO: enable after creating an associated auto-import assertion + model
+  # MODEL_GRADE/dangerous: dangerous
+
+  NESTED_CUSTOM_MODEL: $TESTSLIB/assertions/developer1-20-${MODEL_GRADE}.model
+  NESTED_IMAGE_ID: gadget-cloud-conf-testkeys-${MODEL_GRADE}
+
+  # for the fake store
+  NESTED_FAKESTORE_BLOB_DIR: $(pwd)/fake-store-blobdir
+  NESTED_UBUNTU_IMAGE_SNAPPY_FORCE_SAS_URL: http://localhost:11028
+
+  # unset this otherwise ubuntu-image complains about overriding the channel for
+  # a model with grade higher than dangerous when building the image
+  NESTED_CORE_CHANNEL: ""
+
+prepare: |
+  if [ "$TRUST_TEST_KEYS" = "false" ]; then
+      echo "This test needs test keys to be trusted"
+      exit
+  fi
+
+  #shellcheck source=tests/lib/nested.sh
+  . "$TESTSLIB/nested.sh"
+
+  #shellcheck source=tests/lib/store.sh
+  . "$TESTSLIB"/store.sh
+
+  # setup the fakestore, but don't use it for our snapd here on the host VM, so
+  # tear down the staging_store immediately afterwards so that only the SAS is 
+  # running and our snapd is not pointed at it, ubuntu-image is the only thing 
+  # that actually needs to use the fakestore, and we will manually point it at
+  # the fakestore below using NESTED_UBUNTU_IMAGE_SNAPPY_FORCE_SAS_URL
+  setup_fake_store "$NESTED_FAKESTORE_BLOB_DIR"
+  teardown_staging_store
+
+  echo "Expose the needed assertions through the fakestore"
+  cp "$TESTSLIB"/assertions/developer1.account "$NESTED_FAKESTORE_BLOB_DIR/asserts"
+  cp "$TESTSLIB"/assertions/developer1.account-key "$NESTED_FAKESTORE_BLOB_DIR/asserts"
+
+  # modify and repack gadget snap to add a defaults section and use our own
+  # prepare-device hook to use the fakedevicesvc
+  mkdir "$(nested_get_extra_snaps_path)"
+
+  # Get the snakeoil key and cert for signing gadget assets (shim)
+  KEY_NAME=$(nested_get_snakeoil_key)
+  SNAKEOIL_KEY="$PWD/$KEY_NAME.key"
+  SNAKEOIL_CERT="$PWD/$KEY_NAME.pem"
+
+  snap download --basename=pc --channel="20/edge" pc
+  unsquashfs -d pc-gadget pc.snap
+
+  # delay all refreshes for a week from now, as otherwise refreshes for our
+  # snaps (which are asserted by the testrootorg authority-id) may happen, which
+  # will break things because the signing keys won't match, etc. and 
+  # specifically snap-bootstrap in the kernel snap from the store won't trust
+  # the seed keys to unlock the encrypted data partition in the initramfs
+  sed defaults.yaml -e "s/@HOLD-TIME@/$(date --date='next week' +%Y-%m-%dT%H:%M:%S%:z)/" >> \
+    pc-gadget/meta/gadget.yaml
+
+  # install the cloud.conf
+  cp cloud.conf pc-gadget/cloud.conf
+
+  # TODO: enable this bit when things are ready to use a testkeys signed model
+  # assertion
+  # copy the prepare-device hook to use our fakedevicesvc
+  # mkdir -p pc-gadget/meta/hooks/
+  # cp prepare-device pc-gadget/meta/hooks/
+
+  nested_secboot_sign_gadget pc-gadget "$SNAKEOIL_KEY" "$SNAKEOIL_CERT"
+  snap pack pc-gadget/ "$(nested_get_extra_snaps_path)"
+
+  # TODO: enable this when ready, currently serial assertions requests don't 
+  # work with the fakedevicesvc, needs a little bit of work somewhere
+  # start fake device svc
+  # #shellcheck disable=SC2148
+  #  systemd-run --unit fakedevicesvc fakedevicesvc localhost:11029
+
+  "$TESTSTOOLS"/nested-state build-image core
+  # first boot will use seed1 to create the normal-user in addition to the 
+  # system-user assertion
+  "$TESTSTOOLS"/nested-state create-vm core
+
+restore: |
+  if [ "$TRUST_TEST_KEYS" = "false" ]; then
+      echo "This test needs test keys to be trusted"
+      exit
+  fi
+
+  # stop fake device svc
+  # systemctl stop fakedevicesvc
+
+  #shellcheck source=tests/lib/store.sh
+  . "$TESTSLIB"/store.sh
+  teardown_fake_store "$NESTED_FAKESTORE_BLOB_DIR"
+
+execute: |
+  if [ "$TRUST_TEST_KEYS" = "false" ]; then
+      echo "This test needs test keys to be trusted"
+      exit
+  fi
+
+  #shellcheck source=tests/lib/nested.sh
+  . "$TESTSLIB/nested.sh"
+
+  echo "The initial cloud-init user was created"
+  nested_exec "cat /var/lib/extrausers/passwd" | MATCH normal-user
+
+  echo "And we can run things as the normal user"
+  nested_exec_as normal-user ubuntu "sudo true"
+
+  echo "Waiting for snapd to react to cloud-init"
+  for i in $(seq 60); do
+    if nested_exec "journalctl --no-pager -u snapd" | MATCH "Cloud-init reported"; then
+        break
+    fi
+    sleep 1
+  done
+
+  echo "Ensuring that cloud-init got disabled after running"
+  nested_exec "cloud-init status" | MATCH "status: disabled"
+  nested_exec "test -f /etc/cloud/cloud-init.disabled"
+  nested_exec "test -f /etc/cloud/cloud.cfg.d/80_device_gadget.cfg"
+  nested_exec "! test -f /etc/cloud/cloud.cfg.d/zzzz_snapd.cfg"
+
+  # TODO: if we ever decide to leave NoCloud datasources enabled if the source
+  # is the gadget, check that here too

tests/nested/manual/grade-signed-cloud-init-testkeys/task.yaml

@@ -139,10 +139,13 @@ execute: |
   # for now we just don't get a serial assertion which is fine for the purposes
   # of this test
 
-  # TODO: is there a better thing we can wait for here instead? maybe the log
-  # message from snapd directly via journalctl ?
   echo "Waiting for snapd to react to cloud-init"
-  sleep 60
+  for i in $(seq 60); do
+    if nested_exec "journalctl --no-pager -u snapd" | MATCH "Cloud-init reported"; then
+        break
+    fi
+    sleep 1
+  done
 
   echo "Ensuring that cloud-init got disabled after running"
   nested_exec "cloud-init status" | MATCH "status: disabled"