snapd/tests/core/basic20plus/task.yaml
Alex Murray 2d78693a5b sandbox/apparmor: don't let vendored apparmor conflict with system (#12909)
* sandbox/apparmor: don't let vendored apparmor conflict with system

Don't enable the vendored apparmor if the system installed apparmor will try and
load policy that would be generated by the vendored apparmor and hence may
conflict with that by using newer features not supported by the system installed
apparmor (LP: 2024637)

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* apparmor: add unit testing for SystemAppArmorLoadsSnapPolicy()

* tests: add test that checks regression in lp-2024637

* apparmor: only log non ENOENT errors in systemAppArmorLoadsSnapPolicy

* tests: fix snapd-snap test on 14.04-18.04

This commit will skip apparmor vendor testing if /lib/apparmor/functions
still references /var/lib/snapd/apparmor/.

See LP:2024637

* tests: fix typo in snapd-snap test

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* i/apparmor: allow read of /lib/apparmor/functions in snap-update-ns

Snapd at startup will inspect this file now to ensure that the
vendored apparmor can be used. So the snap-update-ns profile
also needs to get updated as this happens during an early init().

---------

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
2023-07-03 14:07:33 +02:00


summary: Check basic core20 and later system functionality

systems:
  - ubuntu-core-20-*
  - ubuntu-core-22-*

execute: |
    case "$SPREAD_SYSTEM" in
        ubuntu-core-22-*)
            base_snap=core22
            ;;
        ubuntu-core-20-*)
            base_snap=core20
            ;;
    esac

    echo "Check that the system snaps are there"
    snap list "${base_snap}"
    snap list snapd
    if snap list core; then
        echo "The old core snap is installed but should not"
        exit 1
    fi

    echo "Ensure that the system is fully seeded"
    snap changes | MATCH "Done.*Initialize system state"

    echo "Check that a simple shell snap works"
    if os.query is-core22; then
        snap install --edge "test-snapd-sh-${base_snap}"
    else
        snap install "test-snapd-sh-${base_snap}"
    fi
    "test-snapd-sh-${base_snap}.sh" -c 'echo hello' | MATCH hello

    if python3 -m json.tool < /var/lib/snapd/system-key | grep '"build-id": ""'; then
        echo "The build-id of snapd must not be empty."
        exit 1
    fi

    echo "Ensure passwd/group is available for snaps"
    "test-snapd-sh-${base_snap}.sh" -c 'cat /var/lib/extrausers/passwd' | MATCH test

    case "$SPREAD_SYSTEM" in
        ubuntu-core-20-64|ubuntu-core-22-64|ubuntu-core-22-arm-64)
            echo "Ensure extracted kernel.efi exists"
            kernel_name="$(snaps.name kernel)"
            test -e /boot/grub/"$kernel_name"*/kernel.efi
            echo "Ensure kernel.efi is a symlink"
            test -L /boot/grub/kernel.efi
            echo "Ensure we are using managed boot assets"
            MATCH '# Snapd-Boot-Config-Edition: [0-9]+' < /boot/grub/grub.cfg
            MATCH '# Snapd-Boot-Config-Edition: [0-9]+' < /run/mnt/ubuntu-seed/EFI/ubuntu/grub.cfg
            ;;
        *)
            echo "Ensure extracted {kernel,initrd}.img exists"
            test -e /run/mnt/ubuntu-seed/systems/*/kernel/kernel.img
            test -e /run/mnt/ubuntu-seed/systems/*/kernel/initrd.img
            ;;
    esac

    echo "Ensure that model was written to ubuntu-boot"
    test -e /run/mnt/ubuntu-boot/device/model

    # ensure that our the-tool ran (and thus that our snap-bootstrap ran);
    # for the external backend the initramfs is not rebuilt
    echo "Check that we booted with the rebuilt initramfs in the kernel snap"
    if [ "$SPREAD_BACKEND" != "external" ]; then
        test -e /writable/system-data/the-tool-ran
    fi

    # ensure we handled cloud-init, either we have:
    # a) cloud-init is disabled
    # b) there was a cloud.cfg.d override (e.g. MAAS), then we must have more
    #    files in writable than in the core20 snap. The core20 content and the
    #    extra config will be merged
    test -e /writable/system-data/etc/cloud/cloud-init.disabled || \
        [ "$(find /writable/system-data/etc/cloud/cloud.cfg.d/ | wc -l)" -gt "$(find /snap/"${base_snap}"/current/etc/cloud/cloud.cfg.d/ | wc -l)" ]

    # ensure that we have no symlinks from /var/lib/snapd/snaps to
    # /var/lib/snapd/seed
    for sn in /var/lib/snapd/snaps/*.snap ; do
        if [[ -L $sn ]]; then
            echo "snap $sn is a symlink but should not be"
            exit 1
        fi
    done

    # ensure that disk-mapping.json is created - we check the format of this
    # file in unit tests and in uc20-create-partitions so we don't check
    # anything here, just that the file exists
    test -e /var/lib/snapd/device/disk-mapping.json
    # ubuntu-save has it too
    test -e /run/mnt/ubuntu-save/device/disk-mapping.json

    # ensure the "snap recovery" command works
    MODEL="$(snap model --verbose | grep '^model' | awk '{ print $2 }')"
    BRAND_ID="$(snap model --verbose | grep '^brand-id:' | awk '{print $2}')"
    # verified brands are shown with a trailing "**" in the recovery output
    if [ "$(snap known account "username=$BRAND_ID" | grep '^validation:' | awk '{print $2}')" != "unproven" ]; then
        BRAND_ID="$BRAND_ID\*\*"
    fi
    snap recovery --unicode=never | MATCH "[0-9]+ +$BRAND_ID +$MODEL +current"

    # check that we have a boot-flags file
    test -f /run/snapd/boot-flags

    # make sure that loop devices created by snap-bootstrap initramfs-mounts for snaps are readonly
    for mount in /run/mnt/base /run/mnt/kernel; do
        mountpoint "${mount}"
        loop="$(findmnt -o source "${mount}" -n)"
        echo "${loop}" | MATCH "/dev/loop[0-9]+"
        losetup -O ro -n --raw "${loop}" | MATCH "1"
    done

    # ensure apparmor works, see LP: 2024637
    systemctl status apparmor.service

    # reboot to double check that apparmor still works after the reboot
    # (LP: 2024637)
    if [ "$SPREAD_REBOOT" = 0 ]; then
        REBOOT
    fi