From 9e00322fc5c31957ce3f2d6e43c7a3ea060c19d4 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Fri, 17 Nov 2023 18:15:18 -0500
Subject: [PATCH 01/24] bin/helpers: useful collection of functions
Signed-off-by: Simon Deziel
---
 bin/helpers | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 bin/helpers
diff --git a/bin/helpers b/bin/helpers
new file mode 100644
index 000000000..7085d17a8
--- /dev/null
+++ b/bin/helpers
@@ -0,0 +1,82 @@
+
+# waitSnapdSeed: wait for snapd to be seeded.
+waitSnapdSeed() (
+ set +x
+ for i in $(seq 60); do # Wait up to 60s.
+ if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then
+ return 0 # Success.
+ fi
+
+ sleep 1
+ done
+
+ echo "snapd not seeded after ${i}s"
+ return 1 # Failed.
+)
+
+# waitVMAgent: waits for the VM agent to be running.
+waitVMAgent() (
+ set +x
+ vmName="${1}"
+ for i in $(seq 90); do
+ if lxc info "${vmName}" | grep -qF 127.0.0.1; then
+ return 0 # Success.
+ fi
+
+ sleep 1
+ done
+
+ echo "VM ${vmName} agent not running after ${i}s"
+ return 1 # Failed.
+)
+
+
+# install_lxd: install LXD from a specific channel or `latest/edge` if none is provided.
+install_lxd() (
+ # Wait for snapd seeding
+ waitSnapdSeed
+
+ snap remove lxd || true
+ snap install lxd --channel="${LXD_SNAP_CHANNEL:-"latest/edge"}"
+ snap list lxd
+ lxd waitready --timeout=300
+)
+
+# hasNeededAPIExtension: check if LXD supports the needed extension.
+hasNeededAPIExtension() (
+ needed_extension="${1}"
+
+ lxc info | sed -ne '/^api_extensions:/,/^[^-]/ s/^- //p' | grep -qxF "${needed_extension}"
+)
+
+# runsMinimumKernel: check if the running kernel is at least the minimum version.
+runsMinimumKernel() (
+ min_version="${1}"
+ min_major="$(echo "${min_version}" | cut -d. -f1)"
+ min_minor="$(echo "${min_version}" | cut -d. -f2)"
+ running_version="$(uname -r | cut -d. -f 1,2)"
+ running_major="$(echo "${running_version}" | cut -d. -f1)"
+ running_minor="$(echo "${running_version}" | cut -d. -f2)"
+
+ if [ "${running_major}" -lt "${min_major}" ]; then
+ return 1
+ elif [ "${running_major}" -eq "${min_major}" ] && [ "${running_minor}" -lt "${min_minor}" ]; then
+ return 1
+ fi
+ return 0
+)
+
+# cleanup: report if the test passed or not and return the appropriate return code.
+cleanup() { + echo "" + if [ "${FAIL}" = "1" ]; then + echo "Test failed" + exit 1 + fi + + echo "Test passed" + exit 0 +} + +FAIL=1 +trap cleanup EXIT HUP INT TERM From a95f43377d1ef5ddc428ccfc577e9ebe27a4a8fe Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Fri, 17 Nov 2023 18:14:23 -0500 Subject: [PATCH 02/24] bin/openstack-run: inject helpers into test script Signed-off-by: Simon Deziel --- bin/openstack-run | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/bin/openstack-run b/bin/openstack-run index 41498d9e1..cb3a8794d 100755 --- a/bin/openstack-run +++ b/bin/openstack-run @@ -15,8 +15,9 @@ fi serie="${1}" kernel="${2}" script="${3}" -test_name="$(basename "${script}")" shift 3 +_script="$(mktemp)" +test_name="$(basename "${script}")" KEY_NAME="ssh-key" FLAVOR="$(openstack flavor list -f value -c Name | grep -m1 'cpu8-ram32-disk20\b')" @@ -60,6 +61,7 @@ cleanup() { # Release the macine set +e openstack server delete "${NAME}" + rm -f "${_script}" if [ "${RET}" = "0" ]; then echo "" >&2 @@ -92,10 +94,11 @@ fi # Connect and run something echo "==> Running the job (${test_name})" >&2 +sed '1 r bin/helpers' "${script}" > "${_script}" if echo "${IP}" | grep -q ":"; then - scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "${script}" "ubuntu@[${IP}]:test-script" + scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "${_script}" "ubuntu@[${IP}]:test-script" else - scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "${script}" "ubuntu@${IP}:test-script" + scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "${_script}" "ubuntu@${IP}:test-script" fi ssh -n -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "ubuntu@${IP}" sudo "https_proxy=http://squid.internal:3128" sh test-script "$@" From cad6afd5d3e294bec5de5fe5a091cbc148861d2f Mon Sep 17 00:00:00 2001 
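Review bot: In runsMinimumKernel, `cut -d. -f2` without `-s` echoes the whole input when there is no `.`, so `runsMinimumKernel 6` would silently compare against 6.6 instead of 6.0; the two callers in this series pass major.minor, but nothing in the helper documents that requirement. Suggest `min_minor="$(echo "${min_version}" | cut -s -d. -f2)"` followed by `min_minor="${min_minor:-0}"` so a bare major works. A one-line comment above the function saying that only the major.minor fields of `uname -r` are compared (the `-f 1,2` cut drops the patch level and `-generic`-style suffixes) would also help the next reader.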
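Review bot: `_script="$(mktemp)"` runs before the cleanup trap that removes it exists (the `cleanup()` definition sits around line 60, outside this hunk), so an early exit between here and the trap registration, for example a failing `openstack flavor list`, leaves the temp file behind. Either create the temp file next to the trap registration or add an interim `trap 'rm -f "${_script}"' EXIT` right after it. Whether this script runs under `set -e` is not visible in the hunk; if it does not, a failing `mktemp` yields an empty `_script`, so `_script="$(mktemp)" || exit 1` is the safer form.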
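Review bot: `sed '1 r bin/helpers'` depends on the caller's working directory, and sed's `r` command reads nothing when the file is missing, so a run from another directory ships the unmodified script and only fails later on the VM with `install_lxd: not found`. Resolve the path from the script's own location and check it up front: `helpers="$(dirname "${0}")/helpers"`, then `[ -r "${helpers}" ] || { echo "missing ${helpers}" >&2; exit 1; }`, and `sed "1 r ${helpers}" "${script}" > "${_script}"`. Since the generated file is later executed as root on the test VM via `sudo … sh test-script`, a short comment above the sed line noting that bin/helpers is spliced in verbatim after the shebang would document what actually runs remotely.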
From: Simon Deziel Date: Tue, 21 Nov 2023 19:06:43 -0500 Subject: [PATCH 03/24] bin/openstack-run: add LXD_SNAP_CHANNEL variable and helper script to test script Signed-off-by: Simon Deziel --- bin/openstack-run | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/bin/openstack-run b/bin/openstack-run index cb3a8794d..d25281e7f 100755 --- a/bin/openstack-run +++ b/bin/openstack-run @@ -15,7 +15,8 @@ fi serie="${1}" kernel="${2}" script="${3}" -shift 3 +lxd_snap_channel="${4}" +shift 4 _script="$(mktemp)" test_name="$(basename "${script}")" @@ -43,7 +44,7 @@ wait_machine() { # https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2039441 for _ in $(seq 30); do ssh -o ConnectTimeout=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "ubuntu@${IP}" true && break - sleep 1 + sleep 1 done } @@ -58,7 +59,7 @@ create() { RET=1 cleanup() { - # Release the macine + # Release the machine set +e openstack server delete "${NAME}" rm -f "${_script}" @@ -94,7 +95,7 @@ fi # Connect and run something echo "==> Running the job (${test_name})" >&2 -sed '1 r bin/helpers' "${script}" > "${_script}" +sed -e "1 a LXD_SNAP_CHANNEL=${lxd_snap_channel}" -e "1 r bin/helpers" "${script}" > "${_script}" if echo "${IP}" | grep -q ":"; then scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "${_script}" "ubuntu@[${IP}]:test-script" else From ef31af933f0d2dd843244a6aa84ca1e545b3d39e Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 18:59:05 -0500 Subject: [PATCH 04/24] bin/openstack-run: add LXD snap channel name to instance name Signed-off-by: Simon Deziel --- bin/openstack-run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/openstack-run b/bin/openstack-run index d25281e7f..582a7cccc 100755 --- a/bin/openstack-run +++ b/bin/openstack-run 
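Review bot: `lxd_snap_channel="${4}"` is interpolated unquoted into both a sed program and a shell assignment (`1 a LXD_SNAP_CHANNEL=${lxd_snap_channel}`) that is later executed as root on the test VM, so a value containing spaces, a newline or shell metacharacters either breaks the sed script or changes what the remote script runs. The values come from tests/main.sh literals today, but the argument is input to this script and should be validated once where it is read, e.g. `case "${lxd_snap_channel}" in ''|*[!A-Za-z0-9./_-]*) echo "invalid LXD snap channel: ${lxd_snap_channel}" >&2; exit 1 ;; esac`. The usage check at the top of the file is outside this hunk; if it still only requires three arguments, `shift 4` will error on a three-argument call, so that check needs the same update.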
@@ -24,7 +24,7 @@ KEY_NAME="ssh-key" FLAVOR="$(openstack flavor list -f value -c Name | grep -m1 'cpu8-ram32-disk20\b')" NETWORK="$(openstack network list -f value -c Name | grep -Fm1 "net_stg-lxd-cloud-testing")" IMAGE="$(openstack image list -f value -c Name --sort-column Name --sort-descending | grep -m1 "auto-sync/ubuntu-${serie}-.*-amd64-")" -NAME="lxd-ci-${test_name}-${serie}-$$" +NAME="lxd-ci-${test_name}-${serie}-$(echo "${lxd_snap_channel}" | sed 's/[./]/-/g')" if ! [ -e ~/.ssh/id_ed25519 ]; then mkdir -pm 0700 ~/.ssh From 3128099172029604720cb02298ad0e09ac8a46a9 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Fri, 17 Nov 2023 17:11:41 -0500 Subject: [PATCH 05/24] bin/openstack-run: silence a false security alert from GH Signed-off-by: Simon Deziel --- bin/openstack-run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/openstack-run b/bin/openstack-run index 582a7cccc..1a1ce5878 100755 --- a/bin/openstack-run +++ b/bin/openstack-run @@ -27,7 +27,7 @@ IMAGE="$(openstack image list -f value -c Name --sort-column Name --sort-descend NAME="lxd-ci-${test_name}-${serie}-$(echo "${lxd_snap_channel}" | sed 's/[./]/-/g')" if ! [ -e ~/.ssh/id_ed25519 ]; then - mkdir -pm 0700 ~/.ssh + [ -d ~/.ssh ] || mkdir -m 0700 ~/.ssh ssh-keygen -t ed25519 -C "" -f ~/.ssh/id_ed25519 -N "" openstack keypair create --public-key ~/.ssh/id_ed25519.pub ssh-key fi From 1f08fd82c42cc69ae128b2493695b8c3449a9d46 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Fri, 17 Nov 2023 18:19:24 -0500 Subject: [PATCH 06/24] tests/cgroup: use helper functions Signed-off-by: Simon Deziel --- tests/cgroup | 41 ++++++----------------------------------- 1 file changed, 6 insertions(+), 35 deletions(-) diff --git a/tests/cgroup b/tests/cgroup index b229fa51f..870a105e3 100755 --- a/tests/cgroup +++ b/tests/cgroup 
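Review bot: Dropping `$$` from NAME means two runs of the same test, series and channel now produce the same server name, and because `cleanup()` runs `openstack server delete "${NAME}"`, a concurrent or leftover run can delete the other run's instance. Keep a unique suffix: `NAME="lxd-ci-${test_name}-${serie}-$(echo "${lxd_snap_channel}" | sed 's/[./]/-/g')-$$"`. The sed only rewrites `.` and `/`, so any other character accepted in the channel argument still reaches the OpenStack API as part of the name; validating the argument where it is read would cover both uses.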
@@ -1,48 +1,19 @@ #!/bin/sh set -eu -waitSnapdSeed() ( - set +x - for i in $(seq 60); do # Wait up to 60s. - if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then - return 0 # Success. - fi - - sleep 1 - done - - echo "snapd not seeded after ${i}s" - return 1 # Failed. -) - -cleanup() { - echo "" - if [ "${FAIL}" = "1" ]; then - echo "Test failed" - exit 1 - fi - - echo "Test passed" - exit 0 -} - -FAIL=1 -trap cleanup EXIT HUP INT TERM - # Refresh apt apt-get update -# Wait for snapd seeding -waitSnapdSeed +# Install dependencies +apt-get install --no-install-recommends --yes jq iperf3 # Install LXD -snap remove lxd || true -snap install lxd --channel=latest/edge -apt-get install --no-install-recommends --yes jq iperf3 -lxd waitready --timeout=300 +install_lxd # Configure LXD lxd init --auto + +# Test set -x # Start a container with no limits @@ -258,5 +229,5 @@ lxc pause c1 ! lxc exec c1 bash || false lxc start c1 -set +x +# shellcheck disable=SC2034 FAIL=0 From c8078aa2e55374244473dd757fab2de829b3eaa5 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Fri, 17 Nov 2023 18:19:32 -0500 Subject: [PATCH 07/24] tests/cgroup: use 22.04 daily image Signed-off-by: Simon Deziel --- tests/cgroup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/cgroup b/tests/cgroup index 870a105e3..067c51b40 100755 --- a/tests/cgroup +++ b/tests/cgroup @@ -18,7 +18,7 @@ set -x # Start a container with no limits echo "=> Start a container with no limits" -lxc launch ubuntu:20.04 c1 +lxc launch ubuntu-daily:22.04 c1 echo "==> Validate default values" [ "$(lxc exec c1 -- nproc)" = "$(nproc)" ] From e8ccd056d646a5884faa614653c1ccaccfab5b30 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 13:27:51 -0500 Subject: [PATCH 08/24] tests/main: test against multiple LXD snap channels Signed-off-by: Simon Deziel --- tests/main.sh | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) 
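Review bot: After this change tests/cgroup calls `install_lxd` and relies on `cleanup`/`FAIL` without defining them, so running the script directly fails with `install_lxd: not found` and nothing in the file says where those names come from; the same applies to tests/interception, tests/network-bridge-firewall, tests/pylxd and tests/storage-disks-vm in the later patches of this series. Add a header comment under the shebang, e.g. `# Helper functions (install_lxd, waitVMAgent, hasNeededAPIExtension, runsMinimumKernel, cleanup) are injected by bin/openstack-run; run this script through it, not directly.` The `# shellcheck disable=SC2034` above `FAIL=0` in the second hunk deserves the same one-line justification, since FAIL is only read by the injected cleanup trap.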
diff --git a/tests/main.sh b/tests/main.sh index bbc5c3eb5..34eec7ab3 100755 --- a/tests/main.sh +++ b/tests/main.sh @@ -1,20 +1,25 @@ #!/bin/sh +set -eu -# cgroup -./bin/openstack-run jammy default tests/cgroup -./bin/openstack-run jammy cgroup1 tests/cgroup -./bin/openstack-run jammy swapaccount tests/cgroup +for lxd_snap_channel in "latest/edge" "5.0/edge"; do + # cgroup + ./bin/openstack-run jammy default tests/cgroup "${lxd_snap_channel}" + ./bin/openstack-run jammy cgroup1 tests/cgroup "${lxd_snap_channel}" + ./bin/openstack-run jammy swapaccount tests/cgroup "${lxd_snap_channel}" -# interception -./bin/openstack-run jammy default tests/interception + # interception + ./bin/openstack-run jammy default tests/interception "${lxd_snap_channel}" -# network-bridge-firewall -./bin/openstack-run jammy default tests/network-bridge-firewall + # network-bridge-firewall + ./bin/openstack-run jammy default tests/network-bridge-firewall "${lxd_snap_channel}" + + # pylxd + ./bin/openstack-run jammy default tests/pylxd "${lxd_snap_channel}" + + # storage + ./bin/openstack-run jammy default tests/storage-disks-vm "${lxd_snap_channel}" +done # pylxd -./bin/openstack-run jammy default tests/pylxd latest/edge -./bin/openstack-run jammy default tests/pylxd 5.0/edge -./bin/openstack-run jammy default tests/pylxd 4.0/edge +./bin/openstack-run jammy default tests/pylxd "4.0/edge" -# storage -./bin/openstack-run jammy default tests/storage-disks-vm From d298235756ef08b844b996ed35cf073765c128a9 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 16:42:47 -0500 Subject: [PATCH 09/24] tests/main: skip cgroup1 test on Jammy GA kernel (issue #7) Signed-off-by: Simon Deziel --- tests/main.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/main.sh b/tests/main.sh index 34eec7ab3..637bb9a9a 100755 --- a/tests/main.sh +++ b/tests/main.sh 
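Review bot: Adding `set -eu` changes the driver's failure mode: the first `./bin/openstack-run` that exits non-zero now aborts the rest of the channel/test matrix, whereas before every job ran and only the last status was reported. If the intent is to get results for the whole matrix, track failures instead of aborting, e.g. `rc=0` at the top, `./bin/openstack-run … || rc=1` on each job and `exit "${rc}"` at the end. If aborting on the first failure is intended, a comment next to `set -eu` saying so would settle the question for the next reader.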
@@ -4,7 +4,9 @@ set -eu for lxd_snap_channel in "latest/edge" "5.0/edge"; do # cgroup ./bin/openstack-run jammy default tests/cgroup "${lxd_snap_channel}" - ./bin/openstack-run jammy cgroup1 tests/cgroup "${lxd_snap_channel}" + # XXX: disable test with Jammy's GA kernel configured for cgroup1 + # https://github.com/canonical/lxd-ci/issues/7 + #./bin/openstack-run jammy cgroup1 tests/cgroup "${lxd_snap_channel}" ./bin/openstack-run jammy swapaccount tests/cgroup "${lxd_snap_channel}" # interception From 53fd059919aa6b95a76c244e526e5ed9ec31edb8 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 13:41:32 -0500 Subject: [PATCH 10/24] tests/gpu-container: use 22.04 daily image Signed-off-by: Simon Deziel --- tests/gpu-container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/gpu-container b/tests/gpu-container index 835c76469..3a31538ac 100755 --- a/tests/gpu-container +++ b/tests/gpu-container @@ -67,7 +67,7 @@ lxc profile device add default eth0 nic network=lxdbr0 name=eth0 # Launch a test container echo "==> Launching a test container" -lxc launch ubuntu:22.04 c1 +lxc launch ubuntu-daily:22.04 c1 sleep 10 # Confirm no GPU From 03bac00a60b599187a9908f7d75b37c33afcaf24 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 15:12:47 -0500 Subject: [PATCH 11/24] tests/interception: use helper functions Signed-off-by: Simon Deziel --- tests/interception | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/tests/interception b/tests/interception index c08e7be74..6b75d6e70 100755 --- a/tests/interception +++ b/tests/interception 
@@ -1,48 +1,17 @@ #!/bin/sh set -eu -waitSnapdSeed() ( - set +x - for i in $(seq 60); do # Wait up to 60s. - if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then - return 0 # Success. - fi - - sleep 1 - done - - echo "snapd not seeded after ${i}s" - return 1 # Failed. -) - -cleanup() { - echo "" - if [ "${FAIL}" = "1" ]; then - echo "Test failed" - exit 1 - fi - - echo "Test passed" - exit 0 -} - -FAIL=1 -trap cleanup EXIT HUP INT TERM - # Refresh apt apt-get update -# Wait for snapd seeding -waitSnapdSeed +# Install dependencies +apt-get install --no-install-recommends --yes attr # Install LXD -snap remove lxd || true -snap install lxd --channel=latest/edge -snap set lxd shiftfs.enable=true -apt-get install --no-install-recommends --yes attr -lxd waitready --timeout=300 +install_lxd # Configure LXD +snap set lxd shiftfs.enable=true lxd init --auto # Test @@ -112,4 +81,5 @@ lxc exec c1 -- mount /dev/sda /mnt [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] lxc exec c1 -- umount /mnt +# shellcheck disable=SC2034 FAIL=0 From f3617ab4c4ec0e33b7a4b29e7194afa09a0de1d3 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 15:13:13 -0500 Subject: [PATCH 12/24] tests/interception: use 22.04 daily image Signed-off-by: Simon Deziel --- tests/interception | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/interception b/tests/interception index 6b75d6e70..9accc5176 100755 --- a/tests/interception +++ b/tests/interception @@ -17,7 +17,7 @@ lxd init --auto # Test set -x -lxc launch ubuntu:20.04 c1 +lxc launch ubuntu-daily:22.04 c1 sleep 10 lxc exec c1 -- apt-get update lxc exec c1 -- apt-get install --no-install-recommends --yes attr fuse2fs From e86fb58f19d6d4c82c70d6e13c56bdbd3eca3917 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 15:20:13 -0500 Subject: [PATCH 13/24] tests/network-bridge-firewall: use helper functions 
Signed-off-by: Simon Deziel --- tests/network-bridge-firewall | 35 +---------------------------------- 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/tests/network-bridge-firewall b/tests/network-bridge-firewall index f453994a5..1308f6f19 100755 --- a/tests/network-bridge-firewall +++ b/tests/network-bridge-firewall @@ -1,44 +1,11 @@ #!/bin/sh set -eux -waitSnapdSeed() ( - set +x - for i in $(seq 60); do # Wait up to 60s. - if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then - return 0 # Success. - fi - - sleep 1 - done - - echo "snapd not seeded after ${i}s" - return 1 # Failed. -) - -cleanup() { - echo "" - if [ "${FAIL}" = "1" ]; then - echo "Test failed" - exit 1 - fi - - echo "Test passed" - exit 0 -} - -FAIL=1 -trap cleanup EXIT HUP INT TERM - # Refresh apt apt-get update -# Wait for snapd seeding -waitSnapdSeed - # Install LXD -snap remove lxd || true -snap install lxd --channel=latest/edge -lxd waitready --timeout=300 +install_lxd # Configure LXD lxc storage create default zfs From 0637da167aaa57cdbdf63fa90f0a4ea839fe65e4 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 17:52:29 -0500 Subject: [PATCH 14/24] tests/network-bridge-firewall: use 22.04 daily image Signed-off-by: Simon Deziel --- tests/network-bridge-firewall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/network-bridge-firewall b/tests/network-bridge-firewall index 1308f6f19..fee7b06d7 100755 --- a/tests/network-bridge-firewall +++ b/tests/network-bridge-firewall @@ -31,7 +31,7 @@ modprobe br_netfilter ip link add lxdbr0unmanaged type bridge firewallTests() { - lxc launch ubuntu:focal c1 + lxc launch ubuntu-daily:22.04 c1 sleep 10 managed=0 @@ -116,7 +116,7 @@ firewallTests() { } networkLimitsPriorityNftablesTest() { - lxc launch ubuntu:focal c1 + lxc launch ubuntu-daily:22.04 c1 sleep 10 prio=7 From 169809aaf7e946d3d528789ef2482e01400e1ee3 Mon Sep 17 00:00:00 2001 
From: Simon Deziel Date: Tue, 21 Nov 2023 17:56:47 -0500 Subject: [PATCH 15/24] tests/network-bridge-firewall: skip test if the needed extension is missing or the kernel is too old. Signed-off-by: Simon Deziel --- tests/network-bridge-firewall | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tests/network-bridge-firewall b/tests/network-bridge-firewall index fee7b06d7..d609c4b90 100755 --- a/tests/network-bridge-firewall +++ b/tests/network-bridge-firewall @@ -1,5 +1,5 @@ #!/bin/sh -set -eux +set -eu # Refresh apt apt-get update @@ -7,6 +7,9 @@ apt-get update # Install LXD install_lxd +# Test +set -x + # Configure LXD lxc storage create default zfs lxc network create lxdbr0 \ @@ -152,8 +155,12 @@ lxc info | grep 'firewall: nftables' lxc profile device add default eth0 nic network=lxdbr0 firewallTests -echo "=> Performing nftables network device limits.priority option test" -networkLimitsPriorityNftablesTest +if hasNeededAPIExtension instances_nic_limits_priority && runsMinimumKernel 5.17; then + echo "=> Performing nftables network device limits.priority option test" + networkLimitsPriorityNftablesTest +else + echo "=> Skipping nftables network device limits.priority option test" +fi echo "=> Performing nftables unmanaged bridge tests" ip a flush dev lxdbr0 # Clear duplicate address from lxdbr0. @@ -203,4 +210,5 @@ lxc storage delete default lxd shutdown iptables -D INPUT +# shellcheck disable=SC2034 FAIL=0 From e03bb908135f1a0a2e3f7b730f767712069bf9ad Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 18:37:29 -0500 Subject: [PATCH 16/24] tests/pylxd: use helper functions Signed-off-by: Simon Deziel --- tests/pylxd | 47 +++++++++-------------------------------------- 1 file changed, 9 insertions(+), 38 deletions(-) diff --git a/tests/pylxd b/tests/pylxd index c22a246ef..6497dd83a 100755 --- a/tests/pylxd +++ b/tests/pylxd 
@@ -1,48 +1,19 @@ #!/bin/sh set -eu -channel=${1:-latest/stable} +# Install LXD +install_lxd + +# Test +set -x export DEBIAN_FRONTEND=noninteractive export HOME=/root -waitSnapdSeed() ( - set +x - for i in $(seq 60); do # Wait up to 60s. - if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then - return 0 # Success. - fi - - sleep 1 - done - - echo "snapd not seeded after ${i}s" - return 1 # Failed. -) - -cleanup() { - echo "" - if [ "${FAIL}" = "1" ]; then - echo "Test failed" - exit 1 - fi - - echo "Test passed" - exit 0 -} - -FAIL=1 -trap cleanup EXIT HUP INT TERM - -# Wait for snapd seeding -waitSnapdSeed - -# Install LXD -snap remove lxd || true -snap install lxd --channel="${channel}" -lxd waitready --timeout=300 - # Run the pylxd tests [ -d pylxd ] || git clone https://github.com/canonical/pylxd cd pylxd -integration/run-integration-tests && FAIL=0 +integration/run-integration-tests + +# shellcheck disable=SC2034 +FAIL=0 \ No newline at end of file From 9b56ab888ae9da6fd73b9c1c4f6bb7121fd0cec9 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 19:07:02 -0500 Subject: [PATCH 17/24] tests/storage-disks-vm: use helper functions Signed-off-by: Simon Deziel --- tests/storage-disks-vm | 58 +++++------------------------------------- 1 file changed, 6 insertions(+), 52 deletions(-) diff --git a/tests/storage-disks-vm b/tests/storage-disks-vm index 3e72b5b8c..e8a90e969 100755 --- a/tests/storage-disks-vm +++ b/tests/storage-disks-vm 
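Review bot: The new tests/pylxd ends with `FAIL=0` and no trailing newline (`\ No newline at end of file`); add the newline so the file matches the other test scripts in this series. `set -x` is now enabled before the two `export` lines, which is harmless but means HOME and DEBIAN_FRONTEND are traced on every run; moving `set -x` below them keeps the trace focused on the test itself.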
@@ -1,58 +1,11 @@ #!/bin/sh -set -eux - -waitSnapdSeed() ( - set +x - for i in $(seq 60); do # Wait up to 60s. - if systemctl show snapd.seeded.service --value --property SubState | grep -qx exited; then - return 0 # Success. - fi - - sleep 1 - done - - echo "snapd not seeded after ${i}s" - return 1 # Failed. -) - -cleanup() { - echo "" - if [ "${FAIL}" = "1" ]; then - echo "Test failed" - exit 1 - fi - - echo "Test passed" - exit 0 -} - -FAIL=1 -trap cleanup EXIT HUP INT TERM - -# Wait for snapd seeding -waitSnapdSeed +set -eu # Install LXD -snap remove lxd || true -snap install lxd --channel=latest/edge -lxd waitready --timeout=300 - -waitVMAgent() ( - set +x - # shellcheck disable=SC3043 - local vmName="$1" - for i in $(seq 90) # Wait up to 90s. - do - if lxc info "${vmName}" | grep -qF 127.0.0.1; then - return 0 # Success. - fi - - sleep 1 - done - - echo "VM ${vmName} agent not running after ${i}s" - return 1 # Failed. -) +install_lxd + +# Test +set -x echo "==> Setup share directory" # Create directory for use as basis for restricted disk source tests. @@ -194,4 +147,5 @@ rmdir "${testRoot}" losetup --detach "${loopdev}" rm "${loopimg}" +# shellcheck disable=SC2034 FAIL=0 From e2471d98b7bc8f854299925a84e88565b6d9f1d2 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 21 Nov 2023 19:07:28 -0500 Subject: [PATCH 18/24] tests/storage-disks-vm: use 22.04 daily image Signed-off-by: Simon Deziel --- tests/storage-disks-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/storage-disks-vm b/tests/storage-disks-vm index e8a90e969..e886c3211 100755 --- a/tests/storage-disks-vm +++ b/tests/storage-disks-vm 
@@ -46,7 +46,7 @@ lxc profile device add default eth0 nic network=lxdbr0 lxc profile show default # Create instance and add check relative source paths are not allowed. -lxc init ubuntu:22.04 v1 --vm +lxc init ubuntu-daily:22.04 v1 --vm ! lxc config device add v1 d1 disk source=foo path=/mnt || false # Check adding a disk with a source path above the restricted parent source path isn't allowed. From 4f94a7965eaa800f2bf1b66521178d91fcbb3c27 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 15:48:35 -0500 Subject: [PATCH 19/24] tests/storage-disks-vm: skip the NVME test if the needed extension is missing Signed-off-by: Simon Deziel --- tests/storage-disks-vm | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/tests/storage-disks-vm b/tests/storage-disks-vm index e886c3211..e1e954aca 100755 --- a/tests/storage-disks-vm +++ b/tests/storage-disks-vm 
@@ -115,18 +115,22 @@ lxc restart -f v1 waitVMAgent v1 lxc exec v1 -- mokutil --sb-state | grep -Fx "SecureBoot disabled" -# Remove disk device restrictions and add a NVMe disk -lxc stop -f v1 -lxc config device remove v1 d1 -lxc project unset restricted restricted.devices.disk -lxc project unset restricted restricted.devices.disk.paths -lxc project unset restricted restricted - -# Add a NVMe disk and check if a NVMe controller is added to the VM -lxc config device add v1 nvme-ssd disk source="${loopdev}" io.bus=nvme -lxc start v1 -waitVMAgent v1 -lxc exec v1 -- lspci | grep -F "QEMU NVM Express Controller" +if hasNeededAPIExtension disk_io_bus; then + # Remove disk device restrictions and add a NVMe disk + lxc stop -f v1 + lxc config device remove v1 d1 + lxc project unset restricted restricted.devices.disk + lxc project unset restricted restricted.devices.disk.paths + lxc project unset restricted restricted + + # Add a NVMe disk and check if a NVMe controller is added to the VM + lxc config device add v1 nvme-ssd disk source="${loopdev}" io.bus=nvme + lxc start v1 + waitVMAgent v1 + lxc exec v1 -- lspci | grep -F "QEMU NVM Express Controller" +else + echo 'Skipping NVME test due to missing extension: "disk_io_bus"' +fi echo "==> Cleanup" lxc delete -f v1 From 708ff08a486754ec2cf5db8e1eb2d7aa8dd0f996 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 09:42:46 -0500 Subject: [PATCH 20/24] bin/custom-kernel: support HWE generic kernel too Signed-off-by: Simon Deziel --- bin/custom-kernel | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/bin/custom-kernel b/bin/custom-kernel index 1d23d0679..f5280f52a 100644 --- a/bin/custom-kernel +++ b/bin/custom-kernel 
@@ -39,15 +39,20 @@ case "$i" in update-grub ;; - virtual-hwe) - echo "===> Installing the virtual HWE kernel" + hwe) + echo "===> Installing the HWE kernel" echo "MODULES=dep" > /etc/initramfs-tools/conf.d/modules.conf apt-get update apt-get dist-upgrade --yes - . /etc/os-release - apt-get install --no-install-recommends --yes "linux-image-virtual-hwe-${VERSION_ID}" - apt-get autopurge --yes linux-image-virtual "linux-image-$(uname -r)" "linux-modules-$(uname -r)" + . /etc/os-release + + FLAVOR="generic" + if systemd-detect-virt --quiet --vm; then + FLAVOR="virtual" + fi + apt-get install --no-install-recommends --yes "linux-image-${FLAVOR}-hwe-${VERSION_ID}" + apt-get autopurge --yes "linux-image-${FLAVOR}" "linux-image-$(uname -r)" "linux-modules-$(uname -r)" ;; ubuntu) From b51606b262e01087411f7ddb190cd01b9eec507f Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 15:54:34 -0500 Subject: [PATCH 21/24] tests/main: test network-bridge-firewall with GA and HWE kernels The networkLimitsPriorityNftablesTest case requires the HWE kernel. Signed-off-by: Simon Deziel --- tests/main.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/main.sh b/tests/main.sh index 637bb9a9a..0d0d5b7f8 100755 --- a/tests/main.sh +++ b/tests/main.sh @@ -14,6 +14,7 @@ for lxd_snap_channel in "latest/edge" "5.0/edge"; do # network-bridge-firewall ./bin/openstack-run jammy default tests/network-bridge-firewall "${lxd_snap_channel}" + ./bin/openstack-run jammy hwe tests/network-bridge-firewall "${lxd_snap_channel}" # pylxd ./bin/openstack-run jammy default tests/pylxd "${lxd_snap_channel}" From 2855e1200c200838cc39c6dea15a291e8a777ffb Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 17:23:29 -0500 Subject: [PATCH 22/24] tests/interception: use runsMinimumKernel function Signed-off-by: Simon Deziel --- tests/interception | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
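Review bot: Renaming the case arm from `virtual-hwe` to `hwe` silently breaks any caller still passing `virtual-hwe`, which now falls through to whatever arm follows `ubuntu)` outside this hunk. Keep the old spelling as an alias: `hwe|virtual-hwe)`. Note that `systemd-detect-virt --quiet --vm` returning non-zero for any reason (not a VM, or the tool missing) selects the generic flavor, which is the safe fallback; a one-line comment on why `virtual` is preferred when a VM is detected would document the choice, since the hunk does not state it.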
diff --git a/tests/interception b/tests/interception index 9accc5176..780637d8b 100755 --- a/tests/interception +++ b/tests/interception @@ -45,9 +45,7 @@ lxc exec c1 -- mknod /dev/mknod-test c 1 3 lxc exec c1 -- mknod /root/mknod-test1 c 1 3 ## bpf (needs 5.9 or higher) -KMAJ="$(uname -r | cut -d. -f1)" -KMIN="$(uname -r | cut -d. -f2)" -if [ "${KMAJ}" -gt 5 ] || [ "${KMAJ}" -eq 5 ] && [ "${KMIN}" -ge 9 ]; then +if runsMinimumKernel 5.9; then lxc config set c1 security.syscalls.intercept.bpf=true security.syscalls.intercept.bpf.devices=true lxc restart c1 -f else From 81968edabdc65d47cab785f5be38a7302c4256da Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 17:23:47 -0500 Subject: [PATCH 23/24] tests/interception: use API extension detection to skip sub tests Signed-off-by: Simon Deziel --- tests/interception | 60 ++++++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/tests/interception b/tests/interception index 780637d8b..6f8af567b 100755 --- a/tests/interception +++ b/tests/interception 
@@ -52,32 +52,40 @@ else echo "Skipping security.syscalls.intercept.bpf config as the kernel is too old" fi -## mount -truncate -s 10G loop.img -LOOP=$(losetup -f --show loop.img) -lxc config device add c1 loop unix-block source="${LOOP}" path=/dev/sda -lxc exec c1 -- mkfs.ext4 /dev/sda -! lxc exec c1 -- mount /dev/sda /mnt || false -lxc config set c1 security.syscalls.intercept.mount=true - -lxc config set c1 security.syscalls.intercept.mount.allowed=ext4 -lxc restart c1 -f -lxc exec c1 -- mount /dev/sda /mnt -[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "65534:65534" ] -lxc exec c1 -- umount /mnt - -lxc config set c1 security.syscalls.intercept.mount.shift=true -lxc exec c1 -- mount /dev/sda /mnt -[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] -lxc exec c1 -- umount /mnt - -lxc config unset c1 security.syscalls.intercept.mount.allowed -lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs -lxc restart c1 -f - -lxc exec c1 -- mount /dev/sda /mnt -[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] -lxc exec c1 -- umount /mnt +if hasNeededAPIExtension container_syscall_intercept_mount; then + ## mount + truncate -s 10G loop.img + LOOP=$(losetup -f --show loop.img) + lxc config device add c1 loop unix-block source="${LOOP}" path=/dev/sda + lxc exec c1 -- mkfs.ext4 /dev/sda + ! 
lxc exec c1 -- mount /dev/sda /mnt || false + lxc config set c1 security.syscalls.intercept.mount=true + + lxc config set c1 security.syscalls.intercept.mount.allowed=ext4 + lxc restart c1 -f + lxc exec c1 -- mount /dev/sda /mnt + [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "65534:65534" ] + lxc exec c1 -- umount /mnt + + lxc config set c1 security.syscalls.intercept.mount.shift=true + lxc exec c1 -- mount /dev/sda /mnt + [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] + lxc exec c1 -- umount /mnt + + if hasNeededAPIExtension container_syscall_intercept_mount_fuse; then + lxc config unset c1 security.syscalls.intercept.mount.allowed + lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs + lxc restart c1 -f + + lxc exec c1 -- mount /dev/sda /mnt + [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] + lxc exec c1 -- umount /mnt + else + echo "Skipping mount fuse tests as the container_syscall_intercept_mount_fuse API extension is missing" + fi +else + echo "Skipping mount tests as the container_syscall_intercept_mount API extension is missing" +fi # shellcheck disable=SC2034 FAIL=0 From 4466b8a9b03bffa44c0ab68bf89f656a463f297f Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 Nov 2023 17:57:37 -0500 Subject: [PATCH 24/24] test/mains: interception doesn't work on 5.0/edge Signed-off-by: Simon Deziel --- tests/main.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/main.sh b/tests/main.sh index 0d0d5b7f8..292ea462e 100755 --- a/tests/main.sh +++ b/tests/main.sh 
@@ -9,9 +9,6 @@ for lxd_snap_channel in "latest/edge" "5.0/edge"; do #./bin/openstack-run jammy cgroup1 tests/cgroup "${lxd_snap_channel}" ./bin/openstack-run jammy swapaccount tests/cgroup "${lxd_snap_channel}" - # interception - ./bin/openstack-run jammy default tests/interception "${lxd_snap_channel}" - # network-bridge-firewall ./bin/openstack-run jammy default tests/network-bridge-firewall "${lxd_snap_channel}" ./bin/openstack-run jammy hwe tests/network-bridge-firewall "${lxd_snap_channel}" @@ -23,6 +20,8 @@ for lxd_snap_channel in "latest/edge" "5.0/edge"; do ./bin/openstack-run jammy default tests/storage-disks-vm "${lxd_snap_channel}" done +# interception +./bin/openstack-run jammy default tests/interception "latest/edge" + # pylxd ./bin/openstack-run jammy default tests/pylxd "4.0/edge" -