Merge pull request #206 from simondeziel/4.0-edge

github: extent test matrix to 4.0/edge and 20.04
canonical · Jul 3, 2024 · 9e45e2f · 9e45e2f
2 parents 4578bf5 + f831acb
commit 9e45e2f
Show file tree

Hide file tree

Showing 9 changed files with 231 additions and 106 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -76,8 +76,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [22.04, 24.04]
-        track: ${{ fromJSON(inputs.snap-tracks || '["latest/edge", "5.21/edge", "5.0/edge"]') }}
+        os: [20.04, 22.04, 24.04]
+        track: ${{ fromJSON(inputs.snap-tracks || '["latest/edge", "5.21/edge", "5.0/edge", "4.0/edge"]') }}
         test:
           - cgroup
           - cluster
@@ -110,11 +110,59 @@ jobs:
         exclude:
           - test: cluster  # fan is not yet working on 24.04 kernel: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2064508
             os: "24.04"
+          # not compatible with 4.0/*
+          - test: container-copy
+            track: "4.0/edge"
+          - test: cpu-vm
+            track: "4.0/edge"
+          - test: devlxd-vm
+            track: "4.0/edge"
+          - test: efi-vars-editor-vm
+            track: "4.0/edge"
+          - test: network-bridge-firewall
+            os: 20.04
+            track: "4.0/edge"
+          - test: network-ovn
+            track: "4.0/edge"
+          # https://github.com/canonical/pylxd/issues/590
+          - test: pylxd
+            track: "4.0/edge"
+          - test: storage-buckets
+            track: "4.0/edge"
+          - test: storage-disks-vm
+            track: "4.0/edge"
+          - test: "storage-vm dir"
+            track: "4.0/edge"
+          - test: "storage-vm btrfs"
+            track: "4.0/edge"
+          - test: "storage-vm ceph"
+            track: "4.0/edge"
+          - test: "storage-vm lvm"
+            track: "4.0/edge"
+          - test: "storage-vm lvm-thin"
+            track: "4.0/edge"
+          - test: "storage-vm zfs"
+            track: "4.0/edge"
+          - test: storage-volumes-vm
+            track: "4.0/edge"
+          - test: tpm-vm
+            track: "4.0/edge"
+          # not compatible with 5.0/*
           - test: efi-vars-editor-vm  # not compatible with 5.0/*
             track: "5.0/edge"
-          - test: "storage-vm ceph"  # waiting for integration with microceph
+          # waiting for integration with microceph
+          - test: "storage-vm ceph"
+          # skip track/os combinaisons that are too far appart
+          - track: "4.0/edge"
+            os: "24.04"
           - track: "5.0/edge"
             os: "24.04"
+          - track: "5.0/edge"
+            os: "20.04"
+          - track: "5.21/edge"
+            os: "20.04"
+          - track: "latest/edge"
+            os: "20.04"
           - track: "latest/edge"
             os: "22.04"
 
@@ -132,7 +180,7 @@ jobs:
           echo "force-unsafe-io" | sudo tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io
 
       - name: Reclaim some space (storage tests only)
-        if: ${{ startsWith(matrix.test, 'storage') }}
+        if: ${{ startsWith(matrix.test, 'storage') || matrix.test == 'vm-nesting' }}
         run: |
           set -eux
           df -h
@@ -158,19 +206,7 @@ jobs:
           set -eux
           sudo apt-get autopurge -y containerd.io docker-ce podman uidmap
           sudo ip link delete docker0
-          sudo nft flush ruleset
-
-      - name: Remove needrestart
-        run: |
-          # XXX: workaround https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2067800
-          #      needrestart restarting runner-provisioner.service causes an immediate job failure:
-          #
-          #Restarting services...
-          # /etc/needrestart/restart.d/systemd-manager
-          # systemctl restart packagekit.service php8.3-fpm.service runner-provisioner.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-udevd.service udisks2.service walinuxagent.service
-          #Terminated
-          #++ cleanup
-          sudo apt-get autopurge -y needrestart
+          sudo nft flush ruleset || sudo iptables -I DOCKER-USER -j ACCEPT
 
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/bin/helpers b/bin/helpers
@@ -148,7 +148,6 @@ install_lxd() (
     else
         snap remove lxd || true
     fi
-
     snap install lxd --channel="${LXD_SNAP_CHANNEL}"
     snap list lxd
     uname -a
@@ -165,6 +164,12 @@ install_lxd() (
         cp "${LXD_SIDELOAD_PATH}" /var/snap/lxd/common/lxd.debug
         systemctl start snap.lxd.daemon
     fi
+
+    # TODO remove once 4.0.10 is in 4.0/stable
+    if [ "$(lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then
+        lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true
+        lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true
+    fi
 )
 
 # hasNeededAPIExtension: check if LXD supports the needed extension.
@@ -234,7 +239,7 @@ cleanup() {
         # Report some more information for diagnostic purposes
         snap list lxd
         uname -a
-        lxc list --all-projects
+        lxc list --all-projects || lxc list
 
         # LXD daemon logs
         echo "::group::lxd logs"

diff --git a/tests/cluster b/tests/cluster
@@ -60,7 +60,12 @@ for i in $(seq "${SIZE}"); do
         MEMBER_IP=$(lxc exec "${PREFIX}-$i" -- ip -4 addr show dev eth0 scope global | grep inet | cut -d' ' -f6 | cut -d/ -f1)
 
         # Get a join token
-        TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add --quiet "${PREFIX}-${i}")"
+        if echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then
+            # 4.0 doesn't support --quiet
+            TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add "${PREFIX}-${i}" | tail -n1)"
+        else
+            TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add --quiet "${PREFIX}-${i}")"
+        fi
 
         lxc exec "${PREFIX}-$i" -- lxd init --preseed << EOF
 cluster:
@@ -73,6 +78,12 @@ cluster:
   cluster_token: "${TOKEN}"
 EOF
     fi
+
+    # add minimal remotes if needed (TODO: remove once 4.0.10 is in 4.0/stable)
+    if [ "$(lxc exec "${PREFIX}-$i" -- lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then
+        lxc exec "${PREFIX}-$i" -- lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true
+        lxc exec "${PREFIX}-$i" -- lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true
+    fi
 done
 
 echo "==> Validating the cluster"
@@ -95,35 +106,51 @@ lxc exec "${PREFIX}-1" -- timeout 30s bash -c "grep -m1 ^SSH < /dev/tcp/${U2_IPV
 
 tmp_cert_dir="$(mktemp -d)"
 
-echo "==> Add restricted and unrestricted certificates"
+if hasNeededAPIExtension certificate_project; then
+    TEST_RESTRICTED=1
+else
+    echo "Skipping restricted certificate test, not supported"
+    TEST_RESTRICTED=0
+fi
+
+echo "==> Add unrestricted certificate"
 createCertificateAndKey "${tmp_cert_dir}/cert.key" "${tmp_cert_dir}/cert.crt" "cert.local"
-createCertificateAndKey "${tmp_cert_dir}/cert-restricted.key" "${tmp_cert_dir}/cert-restricted.crt" "cert-restricted.local"
 lxc config trust add "${tmp_cert_dir}/cert.crt"
-lxc config trust add "${tmp_cert_dir}/cert-restricted.crt" --restricted --projects default
 unrestricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert.crt")"
-restricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert-restricted.crt")"
 
-echo "==> Check the certificates for its permissions"
+if [ "${TEST_RESTRICTED}" = "1" ]; then
+  echo "==> Add restricted certificate"
+  createCertificateAndKey "${tmp_cert_dir}/cert-restricted.key" "${tmp_cert_dir}/cert-restricted.crt" "cert-restricted.local"
+  lxc config trust add "${tmp_cert_dir}/cert-restricted.crt" --restricted --projects default
+  restricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert-restricted.crt")"
+fi
+
+echo "==> Check the certificates for their permissions"
 lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".restricted" | grep -xF false
 lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".type" | grep -xF client
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default
-
-echo "==> Add restricted and unrestricted metrics certificates"
-createCertificateAndKey "${tmp_cert_dir}/metrics.key" "${tmp_cert_dir}/metrics.crt" "metrics.local"
-createCertificateAndKey "${tmp_cert_dir}/metrics-restricted.key" "${tmp_cert_dir}/metrics-restricted.crt" "metrics-restricted.local"
-lxc config trust add "${tmp_cert_dir}/metrics.crt" --type metrics
-lxc config trust add "${tmp_cert_dir}/metrics-restricted.crt" --type metrics --restricted --projects default
-unrestricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics.crt")"
-restricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics-restricted.crt")"
-
-echo "==> Check the metrics certificates for its permissions"
-lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false
-lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+
+if [ "${TEST_RESTRICTED}" = "1" ]; then
+  lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true
+  lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client
+  lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+fi
+
+if [ "${TEST_RESTRICTED}" = "1" ]; then
+  echo "==> Add restricted and unrestricted metrics certificates"
+  createCertificateAndKey "${tmp_cert_dir}/metrics.key" "${tmp_cert_dir}/metrics.crt" "metrics.local"
+  createCertificateAndKey "${tmp_cert_dir}/metrics-restricted.key" "${tmp_cert_dir}/metrics-restricted.crt" "metrics-restricted.local"
+  lxc config trust add "${tmp_cert_dir}/metrics.crt" --type metrics
+  lxc config trust add "${tmp_cert_dir}/metrics-restricted.crt" --type metrics --restricted --projects default
+  unrestricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics.crt")"
+  restricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics-restricted.crt")"
+
+  echo "==> Check the metrics certificates for its permissions"
+  lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false
+  lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
+  lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true
+  lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
+  lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+fi
 
 echo "==> Upgrading the cluster"
 for i in $(seq "${SIZE}"); do
@@ -150,16 +177,20 @@ lxc exec "${PREFIX}-1" -- lxc cluster list
 echo "==> Check the certificates for its permissions after cluster upgrade"
 lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".restricted" | grep -xF false
 lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".type" | grep -xF client
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client
-lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default
-
-echo "==> Check the metrics certificates for its permissions after cluster upgrade"
-lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false
-lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
-lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+if [ "${TEST_RESTRICTED}" = "1" ]; then
+    lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true
+    lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client
+    lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+fi
+
+if [ "${TEST_RESTRICTED}" = "1" ]; then
+    echo "==> Check the metrics certificates for its permissions after cluster upgrade"
+    lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false
+    lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
+    lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true
+    lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics
+    lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default
+fi
 
 echo "==> Deleting the cluster"
 for i in $(seq "${SIZE}"); do

diff --git a/tests/container b/tests/container
@@ -76,6 +76,11 @@ ignore_known_issues() {
 }
 
 for release in 20.04 22.04 24.04; do
+    if [ "${release}" = "24.04" ] && echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then
+        echo "Skip 24.04 container tests on ${LXD_SNAP_CHANNEL}"
+        continue
+    fi
+
     IMAGE="ubuntu-minimal-daily:${release}"
 
     echo "==> unprivileged container (${release})"
@@ -98,6 +103,12 @@ for release in 20.04 22.04 24.04; do
     isSystemdClean n1 || ignore_known_issues "nesting"
     lxc exec n1 -- snap install lxd --channel="${LXD_SNAP_CHANNEL}"
     lxc exec n1 -- lxd init --auto
+
+    # 4.0/* doesn't have ubuntu-minimal remotes
+    if [ "$(lxc exec n1 -- lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then
+        lxc exec n1 -- lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true
+        lxc exec n1 -- lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true
+    fi
     lxc exec n1 -- lxc launch "${IMAGE}" n11
     sleep 5
     [ "$(lxc exec n1 -- lxc exec n11 -- systemctl --quiet --failed)" = "" ] || ignore_known_issues "nested"

diff --git a/tests/cpu-vm b/tests/cpu-vm
@@ -4,11 +4,17 @@ set -eux
 architecture="$(uname -m)"
 if [ "${architecture}" != "x86_64" ] && [ "${architecture}" != "s390x" ]; then
   echo "Skipping test as CPU hotplugging not supported on ${architecture}"
+  exit 0
 fi
 
 # Install LXD
 install_lxd
 
+if ! hasNeededAPIExtension cpu_hotplug; then
+  echo "Skipping test as CPU hotplugging not supported on ${LXD_SNAP_CHANNEL}"
+  exit 0
+fi
+
 # required for "CPU auto pinning" feature check
 # as we don't have a separate API extension for it
 # and we rely on the debug output in the LXD daemon logs.
@@ -31,12 +37,18 @@ lxc storage create "${poolName}" "${poolDriver}"
 # still work
 lxc profile set default limits.kernel.nofile 50
 
-! lxc init v0 --vm --empty -c limits.kernel.cpu=46 -s "${poolName}" || false
+# 4.0 does not reject `limits.kernel.*` keys on VM instances
+if ! echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then
+  ! lxc init v0 --vm --empty -c limits.kernel.cpu=46 -s "${poolName}" || false
+fi
 
 lxc init v0 --vm --empty -s "${poolName}"
 
-# limits.kernel.* only applies to containers (shouldn't work)
-! lxc config set v0 limits.kernel.as=1GiB || false
+# 4.0 does not reject `limits.kernel.*` keys on VM instances
+if ! echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then
+  # limits.kernel.* only applies to containers (shouldn't work)
+  ! lxc config set v0 limits.kernel.as=1GiB || false
+fi
 
 lxc delete v0
 

diff --git a/tests/interception b/tests/interception
@@ -47,11 +47,11 @@ lxc exec c1 -- mknod /dev/mknod-test c 1 3
 lxc exec c1 -- mknod /root/mknod-test1 c 1 3
 
 ## bpf (needs 5.9 or higher)
-if runsMinimumKernel 5.9; then
+if runsMinimumKernel 5.9 && hasNeededAPIExtension container_syscall_intercept_bpf_devices; then
     lxc config set c1 security.syscalls.intercept.bpf=true security.syscalls.intercept.bpf.devices=true
     lxc restart c1 -f
 else
-    echo "Skipping security.syscalls.intercept.bpf config as the kernel is too old"
+    echo "Skipping security.syscalls.intercept.bpf config as the kernel is too old or LXD support missing"
 fi
 
 ## mount
@@ -68,23 +68,23 @@ lxc exec c1 -- mount /dev/sda /mnt
 [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "65534:65534" ]
 lxc exec c1 -- umount /mnt
 
-lxc config set c1 security.syscalls.intercept.mount.shift=true
-lxc exec c1 -- mount /dev/sda /mnt
-[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ]
-lxc exec c1 -- umount /mnt
-
-if hasNeededAPIExtension container_syscall_intercept_mount_fuse; then
-    lxc config unset c1 security.syscalls.intercept.mount.allowed
-    lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs
-    lxc restart c1 -f
-
+if echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then
+    echo "Skipping security.syscalls.intercept.mount.shift test, not compatible with ${LXD_SNAP_CHANNEL}"
+else
+    lxc config set c1 security.syscalls.intercept.mount.shift=true
     lxc exec c1 -- mount /dev/sda /mnt
     [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ]
     lxc exec c1 -- umount /mnt
-else
-    echo "Skipping mount fuse tests as the container_syscall_intercept_mount_fuse API extension is missing"
 fi
 
+lxc config unset c1 security.syscalls.intercept.mount.allowed
+lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs
+lxc restart c1 -f
+
+lxc exec c1 -- mount /dev/sda /mnt
+[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ]
+lxc exec c1 -- umount /mnt
+
 if hasNeededAPIExtension container_syscall_intercept_finit_module; then
     # it can be any module which is present in the host filesystem and at the same time not used and can be unloaded
     # good examples: slip, ip_nat_pptp, ip_gre, ip_conntrack_pptp (rarely used modules at the same time widely available)

diff --git a/tests/network-bridge-firewall b/tests/network-bridge-firewall
@@ -13,7 +13,7 @@ IMAGE="${TEST_IMG:-ubuntu-daily:24.04}"
 set -x
 
 # Configure LXD
-lxc storage create default zfs
+lxc storage create default btrfs
 lxc network create lxdbr0 \
     ipv4.address=192.0.2.1/24 \
     ipv6.address=2001:db8::1/64 \
@@ -30,7 +30,7 @@ iptables --version 2>&1 | grep legacy
 ip6tables --version 2>&1 | grep legacy
 ebtables --version 2>&1 | grep legacy
 
-# Setup bridge filter and unmanaged bridge.s
+# Setup bridge filter and unmanaged bridges
 modprobe br_netfilter
 ip link add lxdbr0unmanaged type bridge