The copyright of the auto-generated grub_{recovery,}_cfg_assets.go
file is generated from the current date. This leads to a dirty build
when the year changes. This commit hardcodes the copyright year
to 2022.
Once there is a better go build system (or we use something like
meson) we can re-introduce this because then the generated files
will be no longer in git.
This commit fixes the issue that the detection of TPM key sealing
does not take into account if the system already has the lockout
auth attribute set. If this is the case an install will not be
successful but currently this is detected very late.
Note that lockoutAuthSet() is exactly the same 5 lines of code as
https://github.com/snapcore/secboot/pull/220/files
Once we can use secboot master this can be removed and
`secboot.LockoutAuthSet()` can be used instead.
* devicestate: take tpm provision mode into account when checking for encryption
* devicestate: tweak MockSecbootCheckTPMKeySealingSupported() usage and tests
* secboot: improve test coverage for CheckTPMKeySealingSupported()
* secboot: use LockoutAuthSet from secboot
* devicestate: more mode->tpmMode
When we were aborting a kernel installation before a reboot happened,
a proper clean-up of left-overs was not happening. To fix that, make
sure that current kernels in modeenv is always set appropriately and
also make sure that the try-kernel.efi symbolic link used by the grub
bootloader is removed.
In some cases we were keeping mounts from removed layouts, because we
were not identifying properly the mounts that we wanted to keep, as we
used mountpoint as key for the reuse map used in neededChanges, while
there are corner cases when we mount more than once on a given
mountpoint. This can happen when, say, we have a layout for /dir/sd1
and another one for /dir/sd2/sd3, being the case that /dir/sd1 and
/dir/sd2/sd3 do not exist (but their parent dirs do exist) - /dir/sd2
will be one of the bind mounted directories of the tmpfs that is
created in /dir to have a layout on /dir/sd1, while at the same time a
tmpfs will be mounted in /dir/sd2 so we can have a layout in
/dir/sd2/sd3. So /dir/sd2 is used twice with different filesystem
types (none and tmpfs).
To prevent this, use as key in the reuse map dir+fstype. As we make
sure that mimics are created only once per directory, we should only
have one entry per dir+fstype, being fstype either none or tmpfs.
In the future we should clean-up mountpoints before performing
changes, but that is a bigger change and anyway this fix is needed for
mount namespaces already created by older snapd versions.
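The reuse-map key problem described above, as an added example (not snapd's own neededChanges code, and the mount profile is a constructed model of the /dir/sd1 and /dir/sd2/sd3 scenario): with the mount point alone as key, the tmpfs mimic left over from the removed /dir/sd2/sd3 layout collides with the bind mount of /dir/sd2 that is still wanted and is wrongly kept; with dir+fstype as key it is unmounted.

```go
package main

import "fmt"

// mountEntry is a simplified model of one mount-profile entry: the directory
// it is mounted on and the filesystem type, "none" for bind mounts and
// "tmpfs" for the synthetic directories (mimics) created to host layouts.
// Constructed for this example; not snapd's type.
type mountEntry struct {
	Dir    string
	Fstype string
}

// keyByDir is the old reuse-map key: the mount point alone.
func keyByDir(e mountEntry) string { return e.Dir }

// keyByDirFstype is the fixed key: mount point plus filesystem type. It is
// unique because a mimic is created at most once per directory.
func keyByDirFstype(e mountEntry) string { return e.Dir + "|" + e.Fstype }

// neededChanges is a reduced keep/unmount/mount decision: an entry present
// in both profiles under the same key is reused, everything else in the
// current profile is unmounted (innermost first) and everything else in the
// desired profile is mounted.
func neededChanges(current, desired []mountEntry, key func(mountEntry) string) (keep, unmount, mount []mountEntry) {
	inCurrent := map[string]bool{}
	for _, e := range current {
		inCurrent[key(e)] = true
	}
	reuse := map[string]bool{}
	for _, e := range desired {
		if inCurrent[key(e)] {
			reuse[key(e)] = true
		}
	}
	for i := len(current) - 1; i >= 0; i-- {
		if reuse[key(current[i])] {
			keep = append(keep, current[i])
		} else {
			unmount = append(unmount, current[i])
		}
	}
	for _, e := range desired {
		if !reuse[key(e)] {
			mount = append(mount, e)
		}
	}
	return keep, unmount, mount
}

// Constructed profiles: the current namespace has layouts on /dir/sd1 and
// /dir/sd2/sd3, so /dir/sd2 is mounted twice (bind-mounted into the /dir
// mimic, then covered by its own tmpfs mimic); the desired profile has
// dropped the /dir/sd2/sd3 layout.
var currentProfile = []mountEntry{
	{"/dir", "tmpfs"},         // mimic of /dir
	{"/dir/sd2", "none"},      // original /dir/sd2 bind-mounted into the mimic
	{"/dir/sd1", "tmpfs"},     // layout
	{"/dir/sd2", "tmpfs"},     // mimic of /dir/sd2, only needed for sd3
	{"/dir/sd2/sd3", "tmpfs"}, // layout that was removed
}

var desiredProfile = []mountEntry{
	{"/dir", "tmpfs"},
	{"/dir/sd2", "none"},
	{"/dir/sd1", "tmpfs"},
}

// staleKept lists kept entries that no desired entry matches on dir+fstype,
// i.e. leftovers from removed layouts that should have been unmounted.
func staleKept(keep, desired []mountEntry) []mountEntry {
	want := map[string]bool{}
	for _, e := range desired {
		want[keyByDirFstype(e)] = true
	}
	var stale []mountEntry
	for _, e := range keep {
		if !want[keyByDirFstype(e)] {
			stale = append(stale, e)
		}
	}
	return stale
}

func main() {
	for _, k := range []struct {
		name string
		fn   func(mountEntry) string
	}{{"dir", keyByDir}, {"dir+fstype", keyByDirFstype}} {
		keep, unmount, _ := neededChanges(currentProfile, desiredProfile, k.fn)
		fmt.Printf("key=%-10s unmount=%v stale-kept=%v\n", k.name, unmount, staleKept(keep, desiredProfile))
	}
}
```

Running it shows the old key keeping the /dir/sd2 tmpfs from the removed layout, while the dir+fstype key unmounts /dir/sd2/sd3 and then the /dir/sd2 tmpfs and keeps the bind mount.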
* o/snapstate: During seeding, UpdateWithDeviceContext will fail with a conflict error describing that it is too early to update snaps, as we have not been seeded. Handle this and log that it was not possible, but do not return an error as this will break seeding, also do not return a state.Retry in this case as this will result in an infinite loop which will halt seeding.
* o/snapstate: review feedback
Check on ChangeKind instead
* o/snapstate: review feedback
improve error messages.
* o/snapstate: check for entire error string
When a NotSnapError is returned right now there is no context
provided about what went wrong. This makes debugging issues difficult
when the user just reports:
```
2022-11-23T14:47:57Z ERROR "/var/lib/snapd/snaps/.local-install-130452292" is not a snap or snapdir
```
This commit creates a constructor `snap.NewNotSnapErrorWithContext()`
that provides some context like:
```
cannot process snap or snapdir: open non-existing-file: no such file or directory
cannot process snap or snapdir: directory "empty-dir" is empty
cannot process snap or snapdir: directory "invalid-dir" is invalid
cannot process snap or snapdir: file "not-snap" is invalid header [110 111 116 45 97 45 115 110 97 112])
```
In case a bad try kernel was on the disk (i.e. by just a simple
dangling symlink try-kernel.efi), we entered a boot loop. Avoid that.
* tests: add test that checks that there is no boot loop
when we have a dangling try-kernel.efi symlink.
* boot: return status when asking for kernel revisions
Return status when asking for kernel revisions even if there is no try
kernel. It will still be useful. Also, add some clarifying comments to
genericInitramfsSelectSnap.
* boot: clarify comments and traces
* boot: add test for bad try status with no try kernel
* cmd/snap-bootstrap: adapt error string in tests
Due to changes in bootstate.
This commit adds code to deal with the issue that the time may
be widely off when snapd tries to register the serial. For devices
without a RTC the date may be so much in the past that the SSL
certificates are not valid yet. To fix this the following changes are
made:
* httputil: add `CertExpiredOrNotValidYet()` helper
This helper can be used to check if the error is that the
certificate is expired or not yet valid. This is useful
to detect situations like when the time has not yet been
synchronized from an NTP source.
* devicestate: retry serial acquire on time based certificate errors
When the serial assertion cannot be acquired because the certificate
of the remote system is expired or not yet valid then the most
likely reason for this is that the system clock is off. This case
is now treated similarly to no-network errors, i.e. snapd
will retry to acquire the serial and will only go into a slow backoff
mode. This helps with the issue that on systems without a RTC
when the device comes up and the NTP sync is slow the serial
is (re)tried 3 times and then it goes into a very long backoff
(as defined in DeviceManager.ensureOperationalShouldBackoff()).
A gradual backoff is still used to not overwhelm the servers and
it is only tried for a bit more than 2048s because that is the maximum
time it takes for timesyncd to wait before trying an NTP sync.
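The certificate-time check and the bounded retry described above, as an added example (illustrative code, not snapd's httputil or devicestate; CertExpiredOrNotValidYet here is this example's version of the helper, and nextRetryDelay, maxClockSkewRetry's exact margin and the self-signed test certificate are assumptions): Go reports both "expired" and "not yet valid" through x509.CertificateInvalidError with Reason x509.Expired, so one errors.As check finds the clock-skew case even when the error is wrapped in a *url.Error by the HTTP client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CertExpiredOrNotValidYet reports whether err, anywhere in its wrap chain,
// is an x509 validity-period failure. Go uses Reason x509.Expired for both
// "expired" and "not yet valid", so a single check covers a clock that is
// off in either direction.
func CertExpiredOrNotValidYet(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// maxClockSkewRetry bounds how long the short retry loop runs: a bit more
// than 2048s, the longest interval timesyncd waits before trying an NTP sync
// again (the two-minute margin is this example's choice).
const maxClockSkewRetry = 2048*time.Second + 2*time.Minute

// nextRetryDelay decides how to react to a failed serial request. For a
// validity-period error it keeps a gradual backoff (5s doubling, capped at
// 5min) for at most maxClockSkewRetry after the first failure, since NTP is
// expected to fix the clock within that window. Any other error, or skew
// that persists longer, returns retry=false so the caller can fall back to
// its regular slow backoff.
func nextRetryDelay(err error, attempt int, sinceFirst time.Duration) (delay time.Duration, retry bool) {
	if !CertExpiredOrNotValidYet(err) || sinceFirst > maxClockSkewRetry {
		return 0, false
	}
	delay = 5 * time.Second
	for i := 0; i < attempt && delay < 5*time.Minute; i++ {
		delay *= 2
	}
	if delay > 5*time.Minute {
		delay = 5 * time.Minute
	}
	return delay, true
}

// newSelfSignedCert is a constructed test helper: it issues a self-signed CA
// certificate whose validity starts at notBefore and lasts one day.
func newSelfSignedCert(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "serial-vault.invalid"},
		DNSNames:              []string{"serial-vault.invalid"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAsClient verifies cert against itself as the trust root using the
// given client clock, which is what the TLS handshake on the device does.
func verifyAsClient(cert *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	cert, err := newSelfSignedCert(now.Add(24 * time.Hour)) // valid from "tomorrow"
	if err != nil {
		panic(err)
	}
	// a device whose clock is behind sees the certificate as not yet valid
	verr := verifyAsClient(cert, now)
	wrapped := fmt.Errorf("cannot acquire serial: %w",
		&url.Error{Op: "Post", URL: "https://serial-vault.invalid/", Err: verr})
	fmt.Println(wrapped)
	fmt.Println("clock-skew error:", CertExpiredOrNotValidYet(wrapped))
	for i, since := 0, time.Duration(0); ; i++ {
		d, ok := nextRetryDelay(wrapped, i, since)
		if !ok {
			fmt.Println("fast retries exhausted after", since)
			break
		}
		fmt.Printf("attempt %d: retry in %v\n", i+1, d)
		since += d
	}
}
```

A plain "no route to host" error is not matched, so ordinary network failures keep whatever handling they already had; only the validity-period case gets the short NTP-sized retry window.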
Run systemctl daemon-reload before rebooting from install mode to run
mode in cases where the gadget snap has an install-device hook, so as to
account for any potential side-effects of that install-device hook.
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
* devicestate: move daemon-reload earlier (thanks to Samuele)
* devicestate: tweak tests
* devicestate: surface error if InstallDeviceHook cannot be obtained
* devicestate: drop error prefix in doRestartSystemToRunMode()
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Adds a 'held' note to a snap's notes in the 'snap list' output. It only
displays the note if the hold is placed by the user (not a gating snap)
on that specific snap (not an all-snaps hold) and it hasn't expired yet.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
Shellcheck's unreachable code warnings are a bit over-zealous in that
they log a warning for each unreachable line instead of block. We also
sometimes leave unreachable code that is meant to be re-enabled later.
Finally, we can't disable this for specific spread tests (because
shellcheck file-wide disables must be the next non-empty line after a #!
directive), so we'd have to add a disable for each line. Therefore,
disabling for the whole project seems reasonable given the constraints
and that we sometimes leave code to be re-enabled after an exit 0.
This also removes an exit in tools/boot-state which was harmless but
unnecessary because the function invoked before always exits.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
The return code being captured was that of the "echo" and not the
command being tested. This wasn't noticed because although the
error code check echoed an error message, it didn't fail the test.
This was presumably because the command's output would also fail if
the error code was wrong but that wasn't the case because the code was
taken from the wrong command.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>