
release: Tmp distro#102

Closed
maykathm wants to merge 45 commits into release/2.76 from tmp-distro

Conversation

@maykathm
Owner

Thanks for helping us make a better snapd!
Have you signed the license agreement and read the contribution guide?

maykathm and others added 30 commits April 8, 2026 13:35
…al#16877)

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Replace the simple 'components: N/M' count with a new section that, for
each component, shows output with the same information that tracks
display name, version, install date, (revision), installed size and
notes.  Two notes are used: one for not-installed (to explain the empty
fields better) and one for component type other than standard.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
We found that snap enable / snap disable cycle forgets the components
of a given snap by erasing them from the state. The component mount
points and everything else still exists, but snapd is confused about it.

Fix doLinkSnap to retain component information and add a simple unit
test.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* packaging/debian: remove vendor-specific logic

The code used to have both Debian and Ubuntu vendor checks. Remove the
vendor check and act as if it is built for Debian all the time.

This realistically disables --with-host-arch-32bit-triplet= and a number
of statically-linked packages.

The 32bit triplet is related to support for nvidia userspace driver for
32bit applications. Since this was never supported in Debian, this is
not a regression.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: remove trailing spaces

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: share build tree pruning in snapd.mk

* cmd/snap: rename test-data directory to testdata

Rename cmd/snap/test-data to cmd/snap/testdata to follow Go conventions
and update all references in test files and packaging scripts.

* packaging: remove redundant testdata copying

dh-golang automatically installs testdata directories since version 1.31,
so the manual mkdir and cp commands are no longer needed.

* secboot: rename test-data directory to testdata

Rename secboot/test-data to secboot/testdata to follow Go conventions
and update all references in secboot_sb_test.go.

* cmd/snap-bootstrap/blkid: rename test-data directory to testdata

Rename cmd/snap-bootstrap/blkid/test-data to testdata to follow Go
conventions and update reference in blkid_test.go.

* packaging: refactor trusted account key checks into snapd.mk

Extract the duplicated public-key-sha3-384 checking logic from
debian-sid/rules and ubuntu-16.04/rules into a new reusable
check-trusted-account-keys target in snapd.mk.

The new target:
- Checks snapd, snap-bootstrap, snap-preseed binaries for 2 expected keys
- Checks snap-repair for 3 expected keys (2 common + 1 repair-root)
- Only checks binaries that exist (handles differences between distros)
- Provides clear error messages for debugging

This reduces code duplication and makes it easier to maintain the
security checks across different packaging files.

* packaging: refactor static binary checks into snapd.mk

Extract duplicated static linking verification logic from debian-sid/rules
and ubuntu-16.04/rules into a new reusable check-static-binaries target
in snapd.mk.

The new target verifies that snap-exec, snap-update-ns, and snapctl are
statically linked, as these binaries execute inside mount namespaces and
cannot depend on external libraries.

This matches the approach already used in openSUSE packaging which checks
for 'statically linked|not a dynamic executable' in ldd output.

Benefits:
- Reduces code duplication across packaging files
- Provides clearer error messages when checks fail
- Makes it easier to maintain consistent checks across distributions

* packaging: use check-static-binaries in debian rules

Update debian-sid/rules and ubuntu-16.04/rules to use the new
check-static-binaries target from snapd.mk instead of inline
shell-based ldd checks.

This reduces duplication and provides consistent error reporting.

* packaging/opensuse: use snapd.mk static check

* packaging/debian: generate snapd.defines.mk and pass to snapd.mk targets

* rename install_dummy.go to install_placeholder.go

* packaging/ubuntu: generate snapd.defines.mk and pass to snapd.mk targets

* packaging/fedora: remove manual testdata copying

The testdata directory is now handled automatically by the Go build
system, so manual copying is no longer needed.

* packaging/snapd.mk: clarify prepare-build-tree comment

* packaging/debian: remove redundant nocheck test

* packaging/debian: build snap via snapd.mk

* packaging/snapd.mk: add with_vendor and with_static_pie to vars

These variables were used in snapd.mk but not included in the vars
validation list, which could lead to silent failures if they weren't
defined in snapd.defines.mk.

* packaging/debian: add with_vendor=0 to snapd.defines.mk

Debian builds without using the vendor directory.

* packaging/ubuntu: add with_vendor=1 to snapd.defines.mk

Ubuntu builds use the vendor directory.

* packaging/arch: add with_vendor and with_static_pie to PKGBUILD

- with_vendor=1: Arch builds with Go vendor dependencies
- with_static_pie=0: maintaining the status quo of undefined variable

* packaging/fedora: add with_static_pie to snapd.spec

- with_vendor already uses %{with_bundled} conditional
- with_static_pie=0: maintaining the status quo of undefined variable

* packaging/opensuse: add with_vendor=1 to snapd.spec

- with_vendor=1: openSUSE builds with Go vendor dependencies

* packaging: rename store key variables for clarity

Rename SNAPD_STORE_KEY_1/2 to SNAPD_STORE_ROOT_KEY and
SNAPD_STORE_GENERIC_MODELS_KEY respectively to better reflect
their actual purpose and usage.

* packaging: add snap binary check to check-trusted-account-keys

Add validation for the snap binary in the check-trusted-account-keys
target. The snap binary should also contain exactly 2 trusted keys
(store root key and generic models key).

* packaging: clarify trusted account keys comment

Change 'should be' to 'must be' to better convey that these keys
are required in production builds.

* packaging/opensuse: fix pair of typos

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: move checks for static pie binaries into snapd.mk

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: rename prepare-build-tree to prepare-debian-build-tree

Clarify that this target is specific to Debian builds by renaming it
from the generic prepare-build-tree to prepare-debian-build-tree. Update
all references in snapd.mk and debian-sid/rules.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging/fedora: set BASH_XTRACEFD= when calling dnf

DNF closes incoming file descriptors so this didn't work and issued a bunch of noisy warnings.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging/fedora: copy sources earlier

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging/arch: use snapd.mk for checks

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: add snap-gdbserver-shim to static binaries list

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: explicitly ship testdata in -devel package

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: bump dh-golang to >1.31 for testdata support

For details look for "testdata" in
https://manpages.debian.org/testing/dh-golang/Debian::Debhelper::Buildsystem::golang.3pm.en.html

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: always check snapd and snap keys

Those binaries are always expected so instead of making the test
conditional on binary presence, make it unconditional. This can help
unmask problems that would otherwise be silently ignored.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: use xargs -r to not fail when given no input

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: respect GO111MODULE=off

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: make all the first goal

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: ensure that snap{,d} binary exist before checking keys

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: print errors to stderr

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging/ubuntu-16.04: set builddir= in snapd.defines.mk

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging/debian-sid: set builddir= in snapd.defines.mk

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* packaging: pass -e to bash in the container

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

* Revert "packaging: bump dh-golang to >1.31 for testdata support"

This reverts commit 5e643e5.

* packaging: retain manual testdata copy for xenial

* packaging: fix copying of debian/ directory

---------

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
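
The trusted-account-key check described in the packaging commits above, as an added sketch that is not the `check-trusted-account-keys` target from this pull request. It assumes each embedded key appears in the binary as `public-key-sha3-384: ` followed by a 64-character ID; the function names and the key IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not snapd's packaging code. Assumes each trusted account key
# shows up in the binary as "public-key-sha3-384: <64 base64url chars>".
KEY_RE='public-key-sha3-384: [A-Za-z0-9_-]{64}'

# embedded_key_ids FILE: print the distinct key headers found in FILE.
embedded_key_ids() {
    # -a: treat the binary as text, -o: print only the match, -E: extended regex
    grep -aoE -- "$KEY_RE" "$1" | sort -u
}

# check_keys MODE FILE ID...: MODE is "required" or "optional".
# Passes only if FILE embeds exactly the given IDs, no fewer and no extras.
check_keys() {
    mode=$1 file=$2
    shift 2
    if [ ! -e "$file" ]; then
        # Optional binaries differ between distros; required ones must exist.
        [ "$mode" = optional ] && return 0
        echo "error: required binary $file does not exist" >&2
        return 1
    fi
    ids=$(embedded_key_ids "$file")
    total=$(printf '%s' "$ids" | grep -c . || true)
    if [ "$total" -ne "$#" ]; then
        echo "error: $file embeds $total trusted keys, expected $#" >&2
        return 1
    fi
    for id in "$@"; do
        if ! printf '%s\n' "$ids" | grep -qxF -- "public-key-sha3-384: $id"; then
            echo "error: $file lacks expected key $id" >&2
            return 1
        fi
    done
    return 0
}

# make_sample FILE ID...: write a constructed stand-in for a built binary.
make_sample() {
    out=$1
    shift
    printf 'ELF\0\0constructed sample\0' > "$out"
    for id in "$@"; do
        printf 'public-key-sha3-384: %s\0' "$id" >> "$out"
    done
}

# Constructed placeholder IDs (64 characters each), not real key digests.
ROOT_KEY=$(printf 'R%063d' 0)
MODELS_KEY=$(printf 'M%063d' 0)
REPAIR_KEY=$(printf 'P%063d' 0)
TEST_KEY=$(printf 'T%063d' 0)
```

Counting every embedded ID, rather than only looking for the expected ones, is what makes a stray extra key in a production binary fail the build.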
…ds (canonical#16881)

* tests: add /debug endpoint to fakestore to allow interrupting downloads

Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>

* fixup! tests: add /debug endpoint to fakestore to allow interrupting downloads

* tests/lib/fakestore/store: add synchronization, add debug reset action

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! tests: add /debug endpoint to fakestore to allow interrupting downloads

* tests/lib/fakestore/store: close the connection after exceeding the limit

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! tests/lib/fakestore/store: close the connection after exceeding the limit

* tests/lib/fakestore/store: fix race in how the quota is counted

Fix a race in consuming and tracking the left quota.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Co-authored-by: Maciej Borzecki <maciej.borzecki@canonical.com>
canonical#16896)

* github: fix spread-tests.yaml to allow for a large number of artifacts

* github: use total count instead of artifact number

* github: use total count instead of artifact number also in spread-results-reporter and rerun
…al#16911)

Bumps the actions-deps group with 1 update: [actions/github-script](https://github.com/actions/github-script).


Updates `actions/github-script` from 8 to 9
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v8...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…16897)

* github: fail go channels job if no go channels were found

* github: write no go channels resolved error on stderr
Kernel stub fails to load initrd with error EFI_OUT_OF_RESOURCES.
* secboot: update to rev 7557d93 for TPM/FDE bug fixes

 - Access to the HFSTS registers via the HECI is not possible on systems
   that use Intel's High Assurance Platform mode. The startup ACM mirrors
   some BootGuard policy settings to a MSR so this can be checked as a
   workaround.

 - Do not fail preinstall check due to lack of TPM_CAP_AUTH_POLICIES.

* secboot: update to rev 3f8b98c for TPM/FDE bug fixes
 - Access to the HFSTS registers via the HECI is not possible on systems
   that use Intel's High Assurance Platform mode. The startup ACM mirrors
   some BootGuard policy settings to a MSR so this can be checked as a
   workaround. This is a partial fix.

 - Permit pre-OS application launches from SPI flash in PCR4. Fixes:
     - canonical/secboot#509
     - FR-12927

 - Relax recovery key parsing. Rather than permitting each group of 5 digits
   to be separated by an optional '-', just permit an arbitrary number of '-' or
   whitespace characters instead. Fixes:
     - FR-11924

 - Do not fail preinstall check due to lack of TPM_CAP_AUTH_POLICIES. Fixes:
     - canonical/secboot#408

 - The PCR4 and PCR7 checks were relying on the BootCurrent EFI variable to
   identify the EV_EFI_BOOT_SERVICES_APPLICATION. Instead, assume that the
   first OS-present EV_EFI_BOOT_SERVICES_APPLICATION event that isn't Absolute
   is the initial OS loader. Fixes:
     - canonical/secboot#517
     - canonical/secboot#519

* tests/nested: adapt error message to secboot change

* tests/nested/manual: review improvements
…etection problem (canonical#16913)

* release-tools/is-lp-fips-build: attempt to workaround LP FIPS build detection problem

Turns out that when the LP snap job publishes the snap to a store using
the name provided in the snap configuration, the git repository is
cloned to a directory using that same name. Thus, with the snapd-fips job
using 'snapd' store name, our detection of a FIPS build job on snapd no
longer works.

Attempt a workaround, where we check whether the OpenSSL FIPS provider
module package - openssl-fips-module-3 is available. It will only be
present when the FIPS PPA is added.

Related: SNAPDENG-21236

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! release-tools/is-lp-fips-build: attempt to workaround LP FIPS build detection problem

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…nonical#16837)

* overlord: refresh certificate-db on boot-base refreshes

* overlord: simplify when generation happens, just do it on boot-base refreshes and installs, not on track-switch or cohort changes. This allows the snap.go orchestrator to just always inject it, and we don't need special case handling for remodel tests

* tests/core: remove the filter

* overlord: review feedback, handle remodelling case in addLinkNewBaseOrKernelTasks where existing installed snap may be the case, fixup tests, simplify a couple of things

* tests/core/base-refresh-cert-db: add core26
…of snap/component files (canonical#16841)

* overlord/snapstate: leave partial files on failed download

Keep the partial files if the download failed.

Related: SNAPDENG-36634

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* overlord/snapstate: improve downloads cleanup to handle components and partial files

Improve downloads cleanup to keep component files for ones that are
present in the state, or referenced by any pending changes.

Extend the code to keep track of partially downloaded
files (named *.snap.partial or *.comp.partial) and keep the ones that
are part of pending changes.

Related: SNAPDENG-36634

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/main/proxy-no-core: run on 24.04

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* overlord/snapstate: make downloads cleanup run periodically, not just on startup

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* fixup! overlord/snapstate: improve downloads cleanup to handle components and partial files

* fixup! overlord/snapstate: improve downloads cleanup to handle components and partial files

* tests: add test for resuming partial snap downloads

Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>

* fixup! tests: add test for resuming partial snap downloads

* fixup! tests: add test for resuming partial snap downloads

* fixup! tests: add test for resuming partial snap downloads

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Zeyad Gouda <zeyad.gouda@canonical.com>
Co-authored-by: Zeyad Gouda <zeyad.gouda@canonical.com>
…ple snaps and components (canonical#16869)

* daemon, snap, o/snapstate: update snap.AlreadyInstalledError to multiple snaps and components

* o/snapstate: fix formatting

* o/snapstate: improve test coverage for changes

* daemon, snap, o/snapstate: update AlreadyInstalledError.Error and implement error.Is for AlreadyInstalledError

* daemon, snap: make sliceEquals independent of order and sort map keys before iteration

* snap: add tests for Error and Is methods on AlreadyInstalledError

* o/snapstate, snap: fixups

* o/snapstate, snap: fixups

* o/snapstate, snap: make slicesEqual compatible with slices.Equal and sort comps/snaps before creating AlreadyInstalledError

* snap: sort components after assembling them in AlreadyInstalledError.Error

* o/snapstate: collect already installed snaps to include them all in AlreadyInstalledError

* many: use helper functions to generate AlreadyInstalledError with sorted snaps and components

* snap: check that length of Components is the same for AlreadyInstalledError.Is

* daemon, snap: update tests to use constructors for AlreadyInstalledError

* snap: fix typo

* daemon: fix formatting

* daemon, snap: return pointer to AlreadyInstalledError from constructors
…anonical#16892)

* o/i/apparmorprompting: improve unit test reliability on slow systems

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* fixup! o/i/apparmorprompting: improve unit test reliability on slow systems

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* o/i/apparmorprompting: use HostScaledTimeout for slow concurrent test

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* fixup! o/i/apparmorprompting: use HostScaledTimeout for slow concurrent test

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

---------

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…6821)

* tests: new releasing test on real hardware with secboot enabled

* tests: new tests to validate resealing on real hardware

This change adds a new test to validate resealing feature in real
hardware with tpm and secure-boot enabled.

So far it is being validated in uc20 and uc22 as there are no uc24
systems available in the lab with secboot which allow provisioning a new
image for the test.

Also included is a new env var which indicates the system hasn't been
reset to run a new test. This is to avoid issues when resetting and
to make the execution faster on slow devices.

* make the test manual to avoid execution on vms

* Fix shellcheck

* Adding a comment about the backend and systems used

* Check kernel and snapd versions after reboot

* Updated the env var name used to skip resets

* Just reboot when the system is waiting for this

* remove exit used for testing

* Support early refreshes

* add missing env var for fde backend

* removing SNAPD_SKIP_STATE_RESET

* Make sure the auto-refresh is cancelled

* restore deleted reset
…#16887)

* tests: add spread tests for snap remove impacted by mounts

* .woke: ignore test file due to slave mount propagation name

* tests: parallelize all tests using variants

* tests: make variant names more descriptive

* tests: adapt test variant management

* tests: fix static check error
…6547)

This PR implements the dispatch-mgmt-messages task. This task handles both sequenced & unsequenced tasks. Unsequenced messages get dispatched immediately. Sequenced messages are dispatched in order, starting from where the sequence left off, and subsequent messages are chained via task dependencies.

Sequences are tracked in an LRU cache (max size 256). When capacity is exceeded, the least recently used sequence is evicted and its earliest pending message gets a rejection response queued.
* ci: Execute rest_api_test tests in codeconv

The tests in the rest_api_test.go file require dbus-launcher,
available in dbus-x11. If that binary isn't available, the tests
are skipped.

A clear proof of this is the Codeconv checks, which show that
the code in rest_api.go isn't being checked, even when there
are tests that cover it.

This patch fixes this.

* Add dbus-launch check in run-checks
The package restore logic fails due to distro upgrade. Since this test
will be run in isolation, the logic is not needed anyway and can be
skipped.
@maykathm
Owner Author

@copilot resolve the merge conflicts in this pull request

maykathm force-pushed the tmp-distro branch 5 times, most recently from ff4837e to 8548ee4 (April 24, 2026 07:29)
maykathm closed this Apr 24, 2026
maykathm deleted the tmp-distro branch April 24, 2026 10:57