tests: tests fixes for sru validation #15093
Conversation
sergiocazzolato
force-pushed
the
tests-fixes-sru-validation
branch
from
7f4b7c3 to
d9c9940
Compare
|
Tue Feb 18 20:32:44 UTC 2025 Failures:Preparing:
Restoring:
|
sergiocazzolato
changed the title
| @@ -14,12 +14,18 @@ systems: | |||
| - ubuntu-core-* | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
I think this highlights the problem we discussed during one of the standups, the kernel supports prompting, but the userspace does not, unless reexec is enabled in which case we're using the apparmor userspace vendored in snapd snap. This should likely be considered a bug.
There was a problem hiding this comment.
I don't think it's a bug that can be solved on the snapd side, unless snapd were somehow able to probe whether the system apparmor parser supports prompting.
One solution JJ suggested would be to simply backport a newer apparmor parser to 22.04, which would keep AA support for prompting in alignment between the kernel and parser.
The problem is that in general we can't/don't want to assume that kind of alignment. We can guarantee it on Ubuntu versions, but not other distributions. At the moment, AA kernel patches to support prompting are only in ubuntu kernels, so this would be a successful temporary fix, but I think the only way to know for sure if we can use prompting would be to check the system AA parser for support.
Even then, support could theoretically change after a .deb/.rpm update of the AA parser or kernel (likely due to a bug, but still), so I'm not sure we can have any real guarantees.
| # We are testing on Ubuntu where we know that reexec is active and we | ||
| # use an internal apparmor userspace stack. | ||
| tests.cleanup defer test ! -e /var/lib/snapd/apparmor/snap-confine.internal/nfs-support | ||
| if tests.info is-reexec-in-use; then |
There was a problem hiding this comment.
The problem with 22.04 without re-exec is that the system parser doesn't support prompting, not the kernel; the kernel does support it.
There are existing checks for expected prompting support in the execute sections of the prompting-related tests, and these validate that if we don't expect support, prompting is indeed not supported, so I'd rather integrate this new check into those existing cases, so it's more consistent and we know if/when that support changes (e.g. because of AppArmor parser being backported).
| @@ -14,12 +14,18 @@ systems: | |||
| - ubuntu-core-* | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
I don't think it's a bug that can be solved on the snapd side, unless snapd were somehow able to probe whether the system apparmor parser supports prompting.
One solution JJ suggested would be to simply backport a newer apparmor parser to 22.04, which would keep AA support for prompting in alignment between the kernel and parser.
The problem is that in general we can't/don't want to assume that kind of alignment. We can guarantee it on Ubuntu versions, but not other distributions. At the moment, AA kernel patches to support prompting are only in ubuntu kernels, so this would be a successful temporary fix, but I think the only way to know for sure if we can use prompting would be to check the system AA parser for support.
Even then, support could theoretically change after a .deb/.rpm update of the AA parser or kernel (likely due to a bug, but still), so I'm not sure we can have any real guarantees.
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | ||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | ||
| fi | ||
|
|
There was a problem hiding this comment.
I would rather integrate this into the check in execute: so we can verify that it is unsupported when we expect it to be, and supported otherwise.
| TEST_UID="$(id -u test)" | ||
| echo "outstanding prompts:" | ||
| snap debug api "/v2/interfaces/requests/prompts?user-id=$TEST_UID" || true | ||
| echo "rules:" | ||
| snap debug api "/v2/interfaces/requests/rules?user-id=$TEST_UID" || true | ||
|
|
||
| execute: | | ||
| tests.exec is-skipped && exit 0 | ||
|
|
||
| echo "Precondition check that snapd is active" | ||
| systemctl is-active snapd.service snapd.socket | ||
|
|
There was a problem hiding this comment.
Below,
if ! os.query is-ubuntu || os.query is-core || [ ! -f /sys/kernel/security/apparmor/features/policy/permstable32 ] || NOMATCH 'prompt' < /sys/kernel/security/apparmor/features/policy/permstable32 ; then
becomes
if ! os.query is-ubuntu || os.query is-core || [ ! -f /sys/kernel/security/apparmor/features/policy/permstable32 ] || NOMATCH 'prompt' < /sys/kernel/security/apparmor/features/policy/permstable32 || tests.info is-reexec-in-use && os.query is-ubuntu 22.04 ; then
There was a problem hiding this comment.
so, all the checks to validate that apparmor prompting works in the supported systems and it doesn't in the unsupported will me moved to a new test with just one variant to avoid rechecks.
I'll push a following pr once this is merged.
| @@ -14,12 +14,18 @@ systems: | |||
| - ubuntu-core-* | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |
| tests.exec skip-test "Ubuntu 22.04 AppArmor parser doesn't support prompting" && exit 0 |
There was a problem hiding this comment.
I'd like the check to occur on line 114 though so we can verify that prompting is not supported as expected.
| @@ -11,12 +11,18 @@ systems: | |||
| - ubuntu-2* | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |
| tests.exec skip-test "Ubuntu 22.04 AppArmor parser doesn't support prompting" && exit 0 |
There was a problem hiding this comment.
But I'd also prefer to add this to existing check on line 113 rather than skip the test for this edge case.
| @@ -8,16 +8,24 @@ systems: | |||
| - ubuntu-2* | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |
| tests.exec skip-test "Ubuntu 22.04 AppArmor parser doesn't support prompting" && exit 0 |
There was a problem hiding this comment.
Same here though, I'd rather this check be part of the existing one on line 36.
| @@ -18,10 +18,16 @@ environment: | |||
| PYTHONIOENCODING: utf-8 | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |
| tests.exec skip-test "Ubuntu 22.04 AppArmor parser doesn't support prompting" && exit 0 |
But I would rather do this on line 67 instead
There was a problem hiding this comment.
Only other remaining blocker: #15093 (comment)
There was a problem hiding this comment.
Looks good, pending the final comment fix s/kernel/AppArmor parser/
And good idea to consolidate all the prompting support checks into a dedicated spread test, so all of the prompting behavior checks can just run on the systems for which support is expected and not deal with duplicate checks in each one.
| @@ -74,7 +85,7 @@ execute: | | |||
|
|
|||
| exit 0 | |||
| fi | |||
|
|
|||
| @@ -18,10 +18,16 @@ environment: | |||
| PYTHONIOENCODING: utf-8 | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
Only other remaining blocker: #15093 (comment)
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #15093 +/- ##
==========================================
+ Coverage 78.07% 78.11% +0.04%
==========================================
Files 1182 1174 -8
Lines 157743 157682 -61
==========================================
+ Hits 123154 123179 +25
+ Misses 26943 26859 -84
+ Partials 7646 7644 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -18,10 +18,16 @@ environment: | |||
| PYTHONIOENCODING: utf-8 | |||
|
|
|||
| prepare: | | |||
| if not tests.info is-reexec-in-use && os.query is-ubuntu 22.04; then | |||
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |||
There was a problem hiding this comment.
| tests.exec skip-test "Ubuntu 22.04 kernel doesn't support prompting" && exit 0 | |
| tests.exec skip-test "Ubuntu 22.04 AppArmor parser doesn't support prompting" && exit 0 |
| @@ -74,7 +85,7 @@ execute: | | |||
|
|
|||
| exit 0 | |||
| fi | |||
|
|
|||
These fixes are needed to fix sru validation where the snap snap is not used and we use the snapd deb from proposed instead.
The change include fixes for tests: