many: add target install system checks for passphrase support

[ZeyadYasser]

This PR adds a simple snapd version check that gates passphrase authentication support in the install API based on the target install system.

For passphrase support:

• snapd version must be at least 2.68 (assuming that fde-branch is merged as part of 2.68)
  • This is checked through the snapd info file under usr/lib/snapd/info
• snap-bootstrap version in kernel snap's initrd is from snapd 2.68+
  • This is checked through the snapd info file under snapd-info

Please check SD201 for more details.

[bboozzoo]

The bare map that's passed around without additional context looks slightly weird. I think I'd return a structure here, e.g.

// in overlord/install/install.go

type SystemSnapdVersions struct {
	// SnapdVersion is the version of snapd in a given system
	SnapdVersion string
	// SnapdInitramfsVersion is the version of snapd related component, which participates
	// in the boot process and performs unlocking. Typically snap-bootstrap in the kernel snap.
	SnapdInitramfsVersion string
}

[ZeyadYasser]

I thought of doing this, but loadSystemAndEssentialSnaps expects a list of essential snap types so changing its internals to implicitly add snapd and kernel types could have unintended consequences, also snapd is only expected on UC20+.

I am open to suggestions, just wanted to share my thought process.

[ZeyadYasser]

my bad, this was intended for #14943 (comment), regarding the struct, totally agree, thanks for the suggestion.

[bboozzoo]

can we always attempt to get the info?

Suggested change

	if volumesAuthRequired && systemAndSeeds.Model.Grade() != asserts.ModelGradeUnset {
	if systemAndSeeds.Model.Grade() != asserts.ModelGradeUnset {

[bboozzoo]

actually would it make sense to add the snapd version structure to systemAndEssentialSnaps type and populate it in loadAndMountSystemLabelSnaps() ?

[ZeyadYasser]

As @pedronis explained we don't expect the relevant code paths to only run for UC20+, I embedded the snapd version structure to systemAndEssentialSnaps. Thanks for the suggestion!

[ZeyadYasser]

#14943 (comment)

[codecov]

Codecov Report

Attention: Patch coverage is 78.02198% with 20 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@35ad4ae). Learn more about missing BASE report.
Report is 191 commits behind head on master.

Files with missing lines	Patch %	Lines
overlord/install/install.go	74.28%	6 Missing and 3 partials ⚠️
overlord/devicestate/handlers_install.go	78.94%	4 Missing ⚠️
snap/info.go	75.00%	3 Missing and 1 partial ⚠️
overlord/devicestate/devicemgr.go	85.71%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #14943   +/-   ##
=========================================
  Coverage          ?   78.15%           
=========================================
  Files             ?     1168           
  Lines             ?   157051           
  Branches          ?        0           
=========================================
  Hits              ?   122740           
  Misses            ?    26703           
  Partials          ?     7608           

Flag	Coverage Δ
unittests	78.15% <78.02%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pedronis]

thanks, some comments

[pedronis]

I'm actually not sure we need the check at this point because we wouldn't have made this far if the system is not UC20+

[pedronis]

though it would be interesting to double check what kind of errors /v2/systems/foo gives on UC18/classic system

[ZeyadYasser]

Thank you! I didn't know that UC18 is not even installable through the systems API, and indeed snap prepare-image for a UC18 model doesn't even create the system-seed directory.

[ZeyadYasser]

Removed restriction, Now the snapd versions structure is populated loadAndMountSystemLabelSnaps and embedded inside systemAndEssentialSnaps.

[pedronis]

same here

[pedronis]

can't we avoid this, by adding TypeSnapd to the system load calls in the couple of callers to this?

[ZeyadYasser]

Done

[ZeyadYasser]

Rebased on top of latest fde branch

[pedronis]

thank you

[ZeyadYasser]

Marking blocked until fde branch is merged into master

[bboozzoo]

LGTM

[github-actions]

Mon Feb 10 20:08:10 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13238489160

Failures:

Preparing:

• openstack:debian-12-64:tests/smoke/
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-15.6-64
• openstack:opensuse-15.6-64
• openstack:opensuse-15.6-64
• openstack:opensuse-15.6-64
• openstack:opensuse-15.6-64
• openstack:opensuse-15.6-64

Executing:

• google-nested:ubuntu-24.04-64:tests/nested/manual/remodel-min-size
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
• google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
• google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
• google:ubuntu-25.04-64:tests/main/cgroup-devices-v2

Restoring:

• openstack:debian-12-64:tests/smoke/
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• openstack:opensuse-tumbleweed-64
• google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced

[alfonsosanchezbeato]

LGTM, thanks