Merged
* github: add store user and password secrets to workflow
* tests: add skip conditions to spread tasks and correct env variable name
* github: add secrets inheritance to scheduled workflows
…nonical#16316)

* tests: skip kernel-base-gadget tests when running beta validation

  When we run edge/beta validation the pc snap is asserted, so these tests need to be skipped. In the ci the pc kernel is unasserted so these tests shouldn't be skipped.

* skip interfaces-checkbox-support for beta validation

  This is skipped also because in external backend the plz-run binary is not built during prepare

* Migrate the tests to the new skip format
* Update tests/main/interfaces-checkbox-support/task.yaml

  Co-authored-by: Katie May <katie.m.may@protonmail.com>

---------

Co-authored-by: Katie May <katie.m.may@protonmail.com>
)

* tests: Migrate tests.exec is-skipped to new skip format

  This change migrates all the uses of `tests.exec is-skipped && exit 0` to the new skip format. Other usages, where it was required to skip the whole crossdistro and smoke test suites, are also removed.

* Update tests/main/cloud-init/task.yaml

  Co-authored-by: Oliver Calder <oliver@calder.dev>

* Update tests/main/interfaces-snap-interfaces-requests-control/task.yaml

  Co-authored-by: Oliver Calder <oliver@calder.dev>

* Update tests/main/cloud-init/task.yaml

  Co-authored-by: Oliver Calder <oliver@calder.dev>

* Fixes addressing review comments
* Cloud init now executed in arm uc
* fix shell check

---------

Co-authored-by: Oliver Calder <oliver@calder.dev>
…ce content visibility (canonical#16497)

* tests/main/layout-content-refresh-connect-hoks: verify mount namespace content visibility

  Verify the content of a mount namespace observed by plug side connect hooks during a refresh of a content provider snap.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! tests/main/layout-content-refresh-connect-hoks: verify mount namespace content visibility

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
olivercalder
reviewed
Feb 2, 2026
Member
olivercalder
left a comment
Small comment about the FDE note
839eeea to
fe95931
olivercalder
requested changes
Feb 2, 2026
Member
olivercalder
left a comment
Requesting changes to make sure the description for the FDE bug gets eyes
fe95931 to
a4b3782
* tests: fix interfaces-block-devices when fde is used

  This fix allows running the interfaces-block-devices test when the ubuntu-data partition is encrypted.

* Update tests/main/interfaces-block-devices/task.yaml

  Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>

* Update tests/main/interfaces-block-devices/task.yaml

  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update tests/main/interfaces-block-devices/task.yaml

  Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>

---------

Co-authored-by: Maciej Borzecki <maciek.borzecki@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
cloud-init-local.services fails, but the machine still works. However the error is set. So for now we should ignore it until it is fixed on cloud-init.
When snap-confine is used on a kernel older than 5.11 then it will notice the memory lock limit is too low and attempt to raise it. This requires CAP_SYS_RESOURCE that was not granted before. This issue was masked by the interplay of sudo/su/pam/logind also interacting with the limit in ways we did not fully trace.

Fixes: https://bugs.launchpad.net/snapd/+bug/2139300
Jira: https://warthogs.atlassian.net/browse/SNAPDENG-36355
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The test runs a snap application with artificially lowered RLIMIT_MEMLOCK to observe that it really works. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
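The limit check described in the commit above, sketched as an added example (not snap-confine's code; `ensure_memlock` and the enum are hypothetical names). Raising the soft limit up to the hard limit needs no privilege, while raising the hard limit is the step that fails with EPERM without CAP_SYS_RESOURCE.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

enum memlock_result {
    MEMLOCK_OK,          /* soft limit already high enough */
    MEMLOCK_RAISED_SOFT, /* soft limit raised within the hard limit */
    MEMLOCK_RAISED_HARD, /* hard limit raised: CAP_SYS_RESOURCE was held */
    MEMLOCK_NEEDS_CAP,   /* kernel refused the raise with EPERM */
    MEMLOCK_ERROR
};

/* Hypothetical helper: make sure at least `want` bytes may be locked. */
enum memlock_result ensure_memlock(rlim_t want) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_MEMLOCK, &lim) != 0)
        return MEMLOCK_ERROR;
    /* On Linux RLIM_INFINITY is the largest rlim_t, so >= covers it. */
    if (lim.rlim_cur >= want)
        return MEMLOCK_OK;
    if (lim.rlim_max >= want) {
        /* Any process may move its soft limit up to the hard limit. */
        lim.rlim_cur = want;
        return setrlimit(RLIMIT_MEMLOCK, &lim) == 0 ? MEMLOCK_RAISED_SOFT
                                                    : MEMLOCK_ERROR;
    }
    /* Going past the hard limit is what requires CAP_SYS_RESOURCE. */
    lim.rlim_cur = lim.rlim_max = want;
    if (setrlimit(RLIMIT_MEMLOCK, &lim) == 0)
        return MEMLOCK_RAISED_HARD;
    return errno == EPERM ? MEMLOCK_NEEDS_CAP : MEMLOCK_ERROR;
}

int main(void) {
    static const char *names[] = { "ok", "raised soft", "raised hard",
                                   "needs CAP_SYS_RESOURCE", "error" };
    struct rlimit lim;
    /* Constructed scenario: lower the soft limit (needs no privilege),
     * then request 8 MiB as a caller with a larger requirement would. */
    if (getrlimit(RLIMIT_MEMLOCK, &lim) == 0 && lim.rlim_max >= 4096) {
        lim.rlim_cur = 4096;
        setrlimit(RLIMIT_MEMLOCK, &lim);
    }
    printf("8 MiB request: %s\n", names[ensure_memlock((rlim_t)8 << 20)]);
    return 0;
}
```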
…anonical#16263)

* tests: increase the timeout used for arm64 servers in openstack-ext

  As hardware acceleration is not supported in arm64 environments, longer timeouts compared to amd64 are required to deal with long executions. This change is done to avoid kill timeouts building snapd in armhf.

* run also in faster machines
* update wait-for ssh line
…nonical#16517) Signed-off-by: Lorenzo Medici <lorenzo.medici@canonical.com>
…ap key count to 1000 (canonical#16505)

Bump the max element count of the BPF map used to store IDs of allowed/matched devices to 1000. According to LP#2139099 the current limit can be exhausted with ~80VMs with ~500 microceph rbd devices.

The snippet below shows memory use of a map allocated with the previous default value (id 14, size 500), and the new default (id 23, size 1000):

    14: hash name s_fwupd_refresh flags 0x0 key 9B value 1B max_entries 500 memlock 47712B
    23: hash name s_test_snapd_sh flags 0x0 key 9B value 1B max_entries 1000 memlock 91904B

Fixes: LP#2139099

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…ng content, layouts and snap refreshes (canonical#16442)

* tests/main/layout-content-provider-change: add a test mixing content, layouts and snap refreshes

  Add a test which should mimic a scenario where a content provider is changed during snap refresh. This should hopefully be close to the scenario occurring for snaps like 'chromium' or 'firefox', where the GNOME runtime may be changed across revisions, and said snaps mix both content and layouts to set up the execution environment.

  Related: SNAPDENG-36193

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/lib/fakestore: include snap.yaml in action responses

  Include contents of snap.yaml of the target snap in action endpoint responses.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! tests/main/layout-content-provider-change: add a test mixing content, layouts and snap refreshes
* tests/main/system-usernames-snap-scoped: update the test

  Since fakestore now includes the entirety of snap.yaml the error occurs in an early pre-installation check, rather than in prepare-snap handler.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
11bd015 to
d19b905
This is needed otherwise cache will see that no update is needed, and booting with old keys would still work until we actually update kernel.
* interfaces/seccomp: allow memfd_secret

  Allow memfd_secret system call which is generally useful for creating memory regions that have stronger protection than RAM based files created with memfd_create or anonymous mmap() mappings.

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/template-memfd: spread test

  Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…grade-from-release, upgrade/basic (canonical#16555)

* tests/main/upgrade-from-release: updated resolute snapd release to 2.74
* tests/upgrade/basic: adapt for snap-confine binary package that was removed from snapd source package
The pidfd_open(2) system call allows obtaining a file descriptor that refers to a process. This is useful for process management and is used by modern applications and libraries. This change adds pidfd_open to the default seccomp template, allowing all snaps to use this syscall. The syscall is placed logically with other process-related syscalls like getpid and getppid. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
A new integration test is included that:

- Compiles a C program testing pidfd_open
- Creates a test snap using snap pack
- Verifies the syscall is allowed by the seccomp profile
- Runs on all classic systems (excluding ubuntu-core without gcc)

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Specifically the behavior of non-child process (PID 1) Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
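A probe along the lines of the test program described in the pidfd_open commits above, also covering the memfd_secret change; it is an added example with hypothetical function names, not the test shipped in snapd. It assumes the seccomp filter rejects calls with EPERM or EACCES rather than killing the process, and falls back to syscall numbers 434 and 447 only when the libc headers lack them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback numbers, used only if the libc headers predate the calls. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447
#endif

enum probe { PROBE_ALLOWED, PROBE_DENIED, PROBE_NO_KERNEL_SUPPORT, PROBE_OTHER };

/* Map the errno of a failed call to a verdict. Assumption: the sandbox
 * rejects filtered syscalls with EPERM or EACCES instead of killing. */
enum probe classify_errno(int err) {
    if (err == EPERM || err == EACCES) return PROBE_DENIED;
    if (err == ENOSYS) return PROBE_NO_KERNEL_SUPPORT;
    return PROBE_OTHER; /* e.g. ESRCH: the call ran, the target was missing */
}

/* Turn a raw syscall return value into a verdict, closing any fd. */
static enum probe finish(long fd) {
    if (fd < 0) return classify_errno(errno);
    close((int)fd);
    return PROBE_ALLOWED;
}

/* pidfd_open(pid, 0): getpid() is the caller itself, 1 is a non-child. */
enum probe probe_pidfd_open(pid_t pid) {
    return finish(syscall(SYS_pidfd_open, pid, 0U));
}

/* memfd_secret(0): only creates the descriptor, nothing is mapped. */
enum probe probe_memfd_secret(void) {
    return finish(syscall(SYS_memfd_secret, 0U));
}

int main(void) {
    static const char *names[] = { "allowed", "denied by filter",
                                   "no kernel support", "other error" };
    printf("pidfd_open(self):  %s\n", names[probe_pidfd_open(getpid())]);
    printf("pidfd_open(pid 1): %s\n", names[probe_pidfd_open(1)]);
    printf("memfd_secret:      %s\n", names[probe_memfd_secret()]);
    return 0;
}
```

Separating ENOSYS from EPERM keeps a kernel without the syscall from being reported as a seccomp denial.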
When /etc/apparmod.d/snap.snapd.* does not exist the old logic would do the wrong thing and attempt to pack a file with a wildcard in the name. Use nullglob to avoid this.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
d19b905 to
3090b54
valentindavid
approved these changes
Feb 6, 2026
3090b54 to
fe6aa6f
Member
Author
Failure analysis
These are known, can be ignored because it's Core26 only, which is not important atm.
Known, relates to expired cert, already addressed here: #16567
The remodel tests will be monitored after the fix and acted on if actual issues emerge (which is very unlikely given the changes made here), but we will not hold back this PR for these failures.
DEBEMAIL="Ernest Lotter <ernest.lotter@canonical.com>" release-tools/changelog.py 2.74.1 2138629 NEWS.md
CHERRY PICKED:
Functional fixes:
Test fixes:
LP Bugs: https://launchpad.net/snapd/+milestone/2.74.1
SRU Bug: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629
Jira: https://warthogs.atlassian.net/browse/SNAPDENG-36361
Requires rebase merge