diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 4efd4731a..3715de7e0 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -76,8 +76,8 @@ jobs: strategy: fail-fast: false matrix: - os: [22.04, 24.04] - track: ${{ fromJSON(inputs.snap-tracks || '["latest/edge", "5.21/edge", "5.0/edge"]') }} + os: [20.04, 22.04, 24.04] + track: ${{ fromJSON(inputs.snap-tracks || '["latest/edge", "5.21/edge", "5.0/edge", "4.0/edge"]') }} test: - cgroup - cluster 
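Review bot: The `os` matrix values are bare numbers (`os: [20.04, 22.04, 24.04]`), while the `exclude` entries compare against quoted strings such as `os: "24.04"`, and the next hunk adds one unquoted `os: 20.04` among them. A generic YAML parser reads the bare form as a float, so a release ending in zero would lose its trailing digit. Writing `os: ["20.04", "22.04", "24.04"]` here and `os: "20.04"` in the exclusion keeps matrix and exclude values the same type. Whether GitHub's matcher already treats the two forms as equal is not visible here, so confirm against the rendered job list.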
@@ -110,11 +110,59 @@ jobs: exclude: - test: cluster # fan is not yet working on 24.04 kernel: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2064508 os: "24.04" + # not compatible with 4.0/* + - test: container-copy + track: "4.0/edge" + - test: cpu-vm + track: "4.0/edge" + - test: devlxd-vm + track: "4.0/edge" + - test: efi-vars-editor-vm + track: "4.0/edge" + - test: network-bridge-firewall + os: 20.04 + track: "4.0/edge" + - test: network-ovn + track: "4.0/edge" + # https://github.com/canonical/pylxd/issues/590 + - test: pylxd + track: "4.0/edge" + - test: storage-buckets + track: "4.0/edge" + - test: storage-disks-vm + track: "4.0/edge" + - test: "storage-vm dir" + track: "4.0/edge" + - test: "storage-vm btrfs" + track: "4.0/edge" + - test: "storage-vm ceph" + track: "4.0/edge" + - test: "storage-vm lvm" + track: "4.0/edge" + - test: "storage-vm lvm-thin" + track: "4.0/edge" + - test: "storage-vm zfs" + track: "4.0/edge" + - test: storage-volumes-vm + track: "4.0/edge" + - test: tpm-vm + track: "4.0/edge" + # not compatible with 5.0/* - test: efi-vars-editor-vm # not compatible with 5.0/* track: "5.0/edge" - - test: "storage-vm ceph" # waiting for integration with microceph + # waiting for integration with microceph + - test: "storage-vm ceph" + # skip track/os combinaisons that are too far appart + - track: "4.0/edge" + os: "24.04" - track: "5.0/edge" os: "24.04" + - track: "5.0/edge" + os: "20.04" + - track: "5.21/edge" + os: "20.04" + - track: "latest/edge" + os: "20.04" - track: "latest/edge" os: "22.04" @@ -132,7 +180,7 @@ jobs: echo "force-unsafe-io" | sudo tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io - name: Reclaim some space (storage tests only) - if: ${{ startsWith(matrix.test, 'storage') }} + if: ${{ startsWith(matrix.test, 'storage') || matrix.test == 'vm-nesting' }} run: | set -eux df -h 
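Review bot: The added `- test: "storage-vm ceph"` / `track: "4.0/edge"` exclusion is redundant, because the unconditional `- test: "storage-vm ceph"` entry later in the same list already removes that test on every track and OS. Either drop it or add a comment that it must stay once the microceph exclusion is lifted. The `efi-vars-editor-vm` entry for 5.0 now carries `# not compatible with 5.0/*` twice (above and inline), and the new comment should read `# skip track/os combinations that are too far apart`.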
@@ -158,19 +206,7 @@ jobs: set -eux sudo apt-get autopurge -y containerd.io docker-ce podman uidmap sudo ip link delete docker0 - sudo nft flush ruleset - - - name: Remove needrestart - run: | - # XXX: workaround https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2067800 - # needrestart restarting runner-provisioner.service causes an immediate job failure: - # - #Restarting services... - # /etc/needrestart/restart.d/systemd-manager - # systemctl restart packagekit.service php8.3-fpm.service runner-provisioner.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-udevd.service udisks2.service walinuxagent.service - #Terminated - #++ cleanup - sudo apt-get autopurge -y needrestart + sudo nft flush ruleset || sudo iptables -I DOCKER-USER -j ACCEPT - name: Checkout uses: actions/checkout@v4 diff --git a/bin/helpers b/bin/helpers index b47bc9731..10c3b1443 100644 --- a/bin/helpers +++ b/bin/helpers @@ -148,7 +148,6 @@ install_lxd() ( else snap remove lxd || true fi - snap install lxd --channel="${LXD_SNAP_CHANNEL}" snap list lxd uname -a @@ -165,6 +164,12 @@ install_lxd() ( cp "${LXD_SIDELOAD_PATH}" /var/snap/lxd/common/lxd.debug systemctl start snap.lxd.daemon fi + + # TODO remove once 4.0.10 is in 4.0/stable + if [ "$(lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then + lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true + lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true + fi ) # hasNeededAPIExtension: check if LXD supports the needed extension. @@ -234,7 +239,7 @@ cleanup() { # Report some more information for diagnostic purposes snap list lxd uname -a - lxc list --all-projects + lxc list --all-projects || lxc list # LXD daemon logs echo "::group::lxd logs" diff --git a/tests/cluster b/tests/cluster index 1587b1aa8..7cffc10ab 100755 --- a/tests/cluster +++ b/tests/cluster 
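Review bot: `sudo nft flush ruleset || sudo iptables -I DOCKER-USER -j ACCEPT` falls back on any nft failure, not only where nft is unavailable, and the two commands are not equivalent. The first clears every rule; the second only inserts an ACCEPT into one chain and fails the step under `set -eux` if `DOCKER-USER` does not exist. Selecting the branch with `command -v nft` would keep a real nft error visible, and a comment such as `# no nft on older runners: open Docker's forward filter instead` would document the intent, if that is the reason. The hunk also removes the `Remove needrestart` workaround with no explanation visible here; if the referenced Launchpad bug still affects a runner image in the matrix, the step may still be needed.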
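Review bot: Both `lxc remote add ... || true` lines in the bin/helpers hunk at -165,6 discard every failure, so a network or TLS error while adding the remote is hidden and surfaces only later as an unknown-remote error at launch time. The `grep -cwF "minimal"` count also triggers both adds when only one remote is missing, relying on `|| true` to swallow the duplicate. The same block is repeated in the tests/cluster hunk at -73,6 and the tests/container hunk at -98,6. A single helper in bin/helpers that checks each remote by name and adds only the missing one would remove the copies and let a genuine failure stop the test. The body of install_lxd starts outside this hunk.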
@@ -60,7 +60,12 @@ for i in $(seq "${SIZE}"); do MEMBER_IP=$(lxc exec "${PREFIX}-$i" -- ip -4 addr show dev eth0 scope global | grep inet | cut -d' ' -f6 | cut -d/ -f1) # Get a join token - TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add --quiet "${PREFIX}-${i}")" + if echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + # 4.0 doesn't support --quiet + TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add "${PREFIX}-${i}" | tail -n1)" + else + TOKEN="$(lxc exec "${PREFIX}-1" -- lxc cluster add --quiet "${PREFIX}-${i}")" + fi lxc exec "${PREFIX}-$i" -- lxd init --preseed << EOF cluster: @@ -73,6 +78,12 @@ cluster: cluster_token: "${TOKEN}" EOF fi + + # add minimal remotes if needed (TODO: remove once 4.0.10 is in 4.0/stable) + if [ "$(lxc exec "${PREFIX}-$i" -- lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then + lxc exec "${PREFIX}-$i" -- lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true + lxc exec "${PREFIX}-$i" -- lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true + fi done echo "==> Validating the cluster" 
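Review bot: In the 4.0 branch, `lxc cluster add "${PREFIX}-${i}" | tail -n1` takes its exit status from `tail`, so a failed `lxc cluster add` no longer aborts the script unless `pipefail` is set outside the hunk, and TOKEN becomes whatever the last output line was. Capturing the output first keeps the failure visible: `out="$(lxc exec "${PREFIX}-1" -- lxc cluster add "${PREFIX}-${i}")"` followed by `TOKEN="$(printf '%s\n' "${out}" | tail -n1)"`. A `[ -n "${TOKEN}" ]` check before `lxd init --preseed` would also catch an empty token. The enclosing `for` loop starts outside this hunk and ends in the next one.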
@@ -95,35 +106,51 @@ lxc exec "${PREFIX}-1" -- timeout 30s bash -c "grep -m1 ^SSH < /dev/tcp/${U2_IPV tmp_cert_dir="$(mktemp -d)" -echo "==> Add restricted and unrestricted certificates" +if hasNeededAPIExtension certificate_project; then + TEST_RESTRICTED=1 +else + echo "Skipping restricted certificate test, not supported" + TEST_RESTRICTED=0 +fi + +echo "==> Add unrestricted certificate" createCertificateAndKey "${tmp_cert_dir}/cert.key" "${tmp_cert_dir}/cert.crt" "cert.local" -createCertificateAndKey "${tmp_cert_dir}/cert-restricted.key" "${tmp_cert_dir}/cert-restricted.crt" "cert-restricted.local" lxc config trust add "${tmp_cert_dir}/cert.crt" -lxc config trust add "${tmp_cert_dir}/cert-restricted.crt" --restricted --projects default unrestricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert.crt")" -restricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert-restricted.crt")" -echo "==> Check the certificates for its permissions" +if [ "${TEST_RESTRICTED}" = "1" ]; then + echo "==> Add restricted certificate" + createCertificateAndKey "${tmp_cert_dir}/cert-restricted.key" "${tmp_cert_dir}/cert-restricted.crt" "cert-restricted.local" + lxc config trust add "${tmp_cert_dir}/cert-restricted.crt" --restricted --projects default + restricted_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/cert-restricted.crt")" +fi + +echo "==> Check the certificates for their permissions" lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".restricted" | grep -xF false lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".type" | grep -xF client -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default - -echo "==> Add restricted and unrestricted metrics certificates" 
-createCertificateAndKey "${tmp_cert_dir}/metrics.key" "${tmp_cert_dir}/metrics.crt" "metrics.local" -createCertificateAndKey "${tmp_cert_dir}/metrics-restricted.key" "${tmp_cert_dir}/metrics-restricted.crt" "metrics-restricted.local" -lxc config trust add "${tmp_cert_dir}/metrics.crt" --type metrics -lxc config trust add "${tmp_cert_dir}/metrics-restricted.crt" --type metrics --restricted --projects default -unrestricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics.crt")" -restricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics-restricted.crt")" - -echo "==> Check the metrics certificates for its permissions" -lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false -lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default + +if [ "${TEST_RESTRICTED}" = "1" ]; then + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default +fi + +if [ "${TEST_RESTRICTED}" = "1" ]; then + echo "==> Add restricted and unrestricted metrics certificates" + createCertificateAndKey "${tmp_cert_dir}/metrics.key" "${tmp_cert_dir}/metrics.crt" "metrics.local" + createCertificateAndKey "${tmp_cert_dir}/metrics-restricted.key" "${tmp_cert_dir}/metrics-restricted.crt" "metrics-restricted.local" + lxc config trust add "${tmp_cert_dir}/metrics.crt" --type metrics + lxc config trust add 
"${tmp_cert_dir}/metrics-restricted.crt" --type metrics --restricted --projects default + unrestricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics.crt")" + restricted_metrics_fingerprint="$(certificateFingerprintShort "${tmp_cert_dir}/metrics-restricted.crt")" + + echo "==> Check the metrics certificates for its permissions" + lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false + lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics + lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true + lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics + lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default +fi echo "==> Upgrading the cluster" for i in $(seq "${SIZE}"); do 
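Review bot: The metrics certificate block is gated on `TEST_RESTRICTED`, which comes only from `hasNeededAPIExtension certificate_project`, so the unrestricted metrics certificate checks are skipped along with the restricted ones although they do not use `--restricted`. If metrics certificates depend on a different API extension, a separate flag would tie each access-control check to the capability it needs; otherwise a comment explaining why both are skipped would help. Because these assertions verify certificate permissions, consider failing rather than skipping when the extension is reported missing on a track other than 4.0, so a detection error cannot silently disable them. The two consecutive `if [ "${TEST_RESTRICTED}" = "1" ]` blocks can be merged; the same applies to the post-upgrade hunk at -150,16.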
@@ -150,16 +177,20 @@ lxc exec "${PREFIX}-1" -- lxc cluster list echo "==> Check the certificates for its permissions after cluster upgrade" lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".restricted" | grep -xF false lxc query "/1.0/certificates/${unrestricted_fingerprint}" | jq -r ".type" | grep -xF client -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client -lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default - -echo "==> Check the metrics certificates for its permissions after cluster upgrade" -lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false -lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics -lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default +if [ "${TEST_RESTRICTED}" = "1" ]; then + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".restricted" | grep -xF true + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".type" | grep -xF client + lxc query "/1.0/certificates/${restricted_fingerprint}" | jq -r ".projects[0]" | grep -xF default +fi + +if [ "${TEST_RESTRICTED}" = "1" ]; then + echo "==> Check the metrics certificates for its permissions after cluster upgrade" + lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF false + lxc query "/1.0/certificates/${unrestricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics + lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".restricted" | grep -xF true + 
lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".type" | grep -xF metrics + lxc query "/1.0/certificates/${restricted_metrics_fingerprint}" | jq -r ".projects[0]" | grep -xF default +fi echo "==> Deleting the cluster" for i in $(seq "${SIZE}"); do diff --git a/tests/container b/tests/container index 15996f5ac..26ed656bb 100755 --- a/tests/container +++ b/tests/container @@ -76,6 +76,11 @@ ignore_known_issues() { } for release in 20.04 22.04 24.04; do + if [ "${release}" = "24.04" ] && echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + echo "Skip 24.04 container tests on ${LXD_SNAP_CHANNEL}" + continue + fi + IMAGE="ubuntu-minimal-daily:${release}" echo "==> unprivileged container (${release})" @@ -98,6 +103,12 @@ for release in 20.04 22.04 24.04; do isSystemdClean n1 || ignore_known_issues "nesting" lxc exec n1 -- snap install lxd --channel="${LXD_SNAP_CHANNEL}" lxc exec n1 -- lxd init --auto + + # 4.0/* doesn't have ubuntu-minimal remotes + if [ "$(lxc exec n1 -- lxc remote list -f csv | grep -cwF "minimal")" -lt 2 ]; then + lxc exec n1 -- lxc remote add ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ --protocol simplestreams || true + lxc exec n1 -- lxc remote add ubuntu-minimal-daily https://cloud-images.ubuntu.com/minimal/daily/ --protocol simplestreams || true + fi lxc exec n1 -- lxc launch "${IMAGE}" n11 sleep 5 [ "$(lxc exec n1 -- lxc exec n11 -- systemctl --quiet --failed)" = "" ] || ignore_known_issues "nested" diff --git a/tests/cpu-vm b/tests/cpu-vm index f993427a9..b58c41fa1 100755 --- a/tests/cpu-vm +++ b/tests/cpu-vm 
@@ -4,11 +4,17 @@ set -eux architecture="$(uname -m)" if [ "${architecture}" != "x86_64" ] && [ "${architecture}" != "s390x" ]; then echo "Skipping test as CPU hotplugging not supported on ${architecture}" + exit 0 fi # Install LXD install_lxd +if ! hasNeededAPIExtension cpu_hotplug; then + echo "Skipping test as CPU hotplugging not supported on ${LXD_SNAP_CHANNEL}" + exit 0 +fi + # required for "CPU auto pinning" feature check # as we don't have a separate API extension for it # and we rely on the debug output in the LXD daemon logs. @@ -31,12 +37,18 @@ lxc storage create "${poolName}" "${poolDriver}" # still work lxc profile set default limits.kernel.nofile 50 -! lxc init v0 --vm --empty -c limits.kernel.cpu=46 -s "${poolName}" || false +# 4.0 does not reject `limits.kernel.*` keys on VM instances +if ! echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + ! lxc init v0 --vm --empty -c limits.kernel.cpu=46 -s "${poolName}" || false +fi lxc init v0 --vm --empty -s "${poolName}" -# limits.kernel.* only applies to containers (shouldn't work) -! lxc config set v0 limits.kernel.as=1GiB || false +# 4.0 does not reject `limits.kernel.*` keys on VM instances +if ! echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + # limits.kernel.* only applies to containers (shouldn't work) + ! lxc config set v0 limits.kernel.as=1GiB || false +fi lxc delete v0 diff --git a/tests/interception b/tests/interception index 3785b41f2..ff1fe5313 100755 --- a/tests/interception +++ b/tests/interception 
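Review bot: The two guarded commands in the -31,12 hunk are negative tests (a VM must reject `limits.kernel.*` keys), and on 4.0 they are skipped without any log output. An `echo "Skipping limits.kernel.* rejection checks on ${LXD_SNAP_CHANNEL}"` in an `else` branch would make it visible that the check did not run, matching the skip messages in tests/interception and tests/vm-nesting. The channel test `echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"` is also written out twice here and again in the tests/cluster, tests/container, tests/interception and tests/vm-nesting hunks; a single helper in bin/helpers would keep the pattern in one place.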
@@ -47,11 +47,11 @@ lxc exec c1 -- mknod /dev/mknod-test c 1 3 lxc exec c1 -- mknod /root/mknod-test1 c 1 3 ## bpf (needs 5.9 or higher) -if runsMinimumKernel 5.9; then +if runsMinimumKernel 5.9 && hasNeededAPIExtension container_syscall_intercept_bpf_devices; then lxc config set c1 security.syscalls.intercept.bpf=true security.syscalls.intercept.bpf.devices=true lxc restart c1 -f else - echo "Skipping security.syscalls.intercept.bpf config as the kernel is too old" + echo "Skipping security.syscalls.intercept.bpf config as the kernel is too old or LXD support missing" fi ## mount 
@@ -68,23 +68,23 @@ lxc exec c1 -- mount /dev/sda /mnt [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "65534:65534" ] lxc exec c1 -- umount /mnt -lxc config set c1 security.syscalls.intercept.mount.shift=true -lxc exec c1 -- mount /dev/sda /mnt -[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] -lxc exec c1 -- umount /mnt - -if hasNeededAPIExtension container_syscall_intercept_mount_fuse; then - lxc config unset c1 security.syscalls.intercept.mount.allowed - lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs - lxc restart c1 -f - +if echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + echo "Skipping security.syscalls.intercept.mount.shift test, not compatible with ${LXD_SNAP_CHANNEL}" +else + lxc config set c1 security.syscalls.intercept.mount.shift=true lxc exec c1 -- mount /dev/sda /mnt [ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] lxc exec c1 -- umount /mnt -else - echo "Skipping mount fuse tests as the container_syscall_intercept_mount_fuse API extension is missing" fi +lxc config unset c1 security.syscalls.intercept.mount.allowed +lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs +lxc restart c1 -f + +lxc exec c1 -- mount /dev/sda /mnt +[ "$(lxc exec c1 -- stat --format=%u:%g /mnt)" = "0:0" ] +lxc exec c1 -- umount /mnt + if hasNeededAPIExtension container_syscall_intercept_finit_module; then # it can be any module which is present in the host filesystem and at the same time not used and can be unloaded # good examples: slip, ip_nat_pptp, ip_gre, ip_conntrack_pptp (rarely used modules at the same time widely available) diff --git a/tests/network-bridge-firewall b/tests/network-bridge-firewall index a54ac7bee..d90f3df36 100755 --- a/tests/network-bridge-firewall +++ b/tests/network-bridge-firewall 
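Review bot: The `hasNeededAPIExtension container_syscall_intercept_mount_fuse` guard is removed, so `lxc config set c1 security.syscalls.intercept.mount.fuse=ext4=fuse2fs` now runs on every track, including the newly added 4.0/edge. If every tested track is known to provide that extension, a comment saying so would justify dropping the guard. Otherwise keep the `if hasNeededAPIExtension container_syscall_intercept_mount_fuse; then ... else echo "Skipping ..."; fi` wrapper around the fuse block, so an unsupported daemon produces a skip rather than a hard failure.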
@@ -13,7 +13,7 @@ IMAGE="${TEST_IMG:-ubuntu-daily:24.04}" set -x # Configure LXD -lxc storage create default zfs +lxc storage create default btrfs lxc network create lxdbr0 \ ipv4.address=192.0.2.1/24 \ ipv6.address=2001:db8::1/64 \ @@ -30,7 +30,7 @@ iptables --version 2>&1 | grep legacy ip6tables --version 2>&1 | grep legacy ebtables --version 2>&1 | grep legacy -# Setup bridge filter and unmanaged bridge.s +# Setup bridge filter and unmanaged bridges modprobe br_netfilter ip link add lxdbr0unmanaged type bridge diff --git a/tests/network-routed b/tests/network-routed index e59cc110b..08cebe5cb 100755 --- a/tests/network-routed +++ b/tests/network-routed @@ -32,7 +32,11 @@ lxc config device add v1 eth0 nic \ ipv4.address=192.0.2.2,192.0.2.3 \ ipv6.address=2001:db8::2,2001:db8::3 -lxc config set v1 cloud-init.network-config - << EOF +NET_CONFIG_KEY="cloud-init.network-config" +if ! hasNeededAPIExtension cloud_init; then + NET_CONFIG_KEY="user.network-config" +fi +lxc config set v1 "${NET_CONFIG_KEY}" - << EOF network: version: 2 ethernets: diff --git a/tests/vm-nesting b/tests/vm-nesting index 42d20733e..5c595c94d 100755 --- a/tests/vm-nesting +++ b/tests/vm-nesting @@ -6,9 +6,29 @@ set -eux # Install LXD. install_lxd +VM_IN_CTN=1 +VMs=10 +nestedVMs=5 +storageDriver="zfs" +if echo "${LXD_SNAP_CHANNEL}" | grep -qE "^4\.0/"; then + # VMs on 4.0 are more resource intensive and slower to boot + export MAX_WAIT_SECONDS=240 + + # VMs inside containers do not work + VM_IN_CTN=0 + + VMs=3 + nestedVMs=2 + + if modinfo zfs | grep -qE '^version:\s*2\.2\.'; then + storageDriver="lvm" + echo "${LXD_SNAP_CHANNEL} does not support ZFS 2.2, falling back to ${storageDriver}" + fi +fi + # Configure LXD. lxc project switch default -lxc storage create default zfs size=30GiB +lxc storage create default "${storageDriver}" size=30GiB lxc network create lxdbr0 IMAGE="${TEST_IMG:-ubuntu-minimal-daily:24.04}" 
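Review bot: In the tests/vm-nesting hunk, the fallback to lvm is keyed on `grep -qE '^version:\s*2\.2\.'`, which matches only ZFS 2.2.x. A host with a later ZFS release would keep `storageDriver="zfs"` on 4.0 and presumably hit the same incompatibility. If the limit is "2.2 and newer", comparing the reported version against `2.2` with `sort -V` or `dpkg --compare-versions` would express that; if only 2.2 is affected, a comment saying so would help. When `modinfo zfs` fails, the condition is simply false and zfs is kept, which may deserve a comment as well.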
@@ -69,38 +89,44 @@ function delete() { lxc delete -f "${instances[@]}" } -echo "==> Test 10 VMs in parallel" -init 10 --vm -start 10 -delete 10 - -echo "==> Test 10 VMs in parallel for vsock ID collision" -init 10 --vm -conf 10 volatile.vsock_id=42 -start 10 -delete 10 - -echo "==> Test 5 VMs each with one nested VM" -init 5 --vm -start 5 -wait 5 -cmd 5 "snap wait system seed.loaded && snap install lxd --channel ${LXD_SNAP_CHANNEL}" -cmd 5 "lxd init --auto" -cmd 5 "lxc launch ${IMAGE} nested --vm -c limits.memory=512MiB -d root,size=3584MiB" -delete 5 - -echo "==> Test 5 containers each with one nested VM" -init 5 -conf 5 security.devlxd.images=true -conf 5 security.nesting=true -device_add 5 kvm unix-char source=/dev/kvm -device_add 5 vhost-net unix-char source=/dev/vhost-net -device_add 5 vhost-vsock unix-char source=/dev/vhost-vsock -device_add 5 vsock unix-char source=/dev/vsock -start 5 -cmd 5 "snap wait system seed.loaded && snap install lxd --channel ${LXD_SNAP_CHANNEL}" -cmd 5 "lxd init --auto" -cmd 5 "lxc launch ${IMAGE} nested --vm -c limits.memory=512MiB -d root,size=3584MiB" +echo "==> Test ${VMs} VMs in parallel" +init "${VMs}" --vm +start "${VMs}" +delete "${VMs}" + +echo "==> Test ${VMs} VMs in parallel for vsock ID collision" +init "${VMs}" --vm +conf "${VMs}" volatile.vsock_id=42 +start "${VMs}" +delete "${VMs}" + +echo "==> Test ${nestedVMs} VMs each with one nested VM" +init "${nestedVMs}" --vm +start "${nestedVMs}" +wait "${nestedVMs}" +cmd "${nestedVMs}" "snap wait system seed.loaded && snap install lxd --channel ${LXD_SNAP_CHANNEL}" +cmd "${nestedVMs}" "lxd init --auto" +cmd "${nestedVMs}" "lxc profile device set default root size=3584MiB" +cmd "${nestedVMs}" "lxc launch ${IMAGE} nested --vm -c limits.memory=512MiB" +delete "${nestedVMs}" + +if [ "${VM_IN_CTN}" = "1" ]; then + echo "==> Test ${nestedVMs} containers each with one nested VM" + init "${nestedVMs}" + conf "${nestedVMs}" security.devlxd.images=true + conf "${nestedVMs}" 
security.nesting=true + device_add "${nestedVMs}" kvm unix-char source=/dev/kvm + device_add "${nestedVMs}" vhost-net unix-char source=/dev/vhost-net + device_add "${nestedVMs}" vhost-vsock unix-char source=/dev/vhost-vsock + device_add "${nestedVMs}" vsock unix-char source=/dev/vsock + start "${nestedVMs}" + cmd "${nestedVMs}" "snap wait system seed.loaded && snap install lxd --channel ${LXD_SNAP_CHANNEL}" + cmd "${nestedVMs}" "lxd init --auto" + cmd "${nestedVMs}" "lxc profile device set default root size=3584MiB" + cmd "${nestedVMs}" "lxc launch ${IMAGE} nested --vm -c limits.memory=510MiB" +else + echo "Skipping VM in container tests on ${LXD_SNAP_CHANNEL}" +fi echo "==> Cleaning up" instCount="$(lxc list -f csv -c n t | wc -l)"
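Review bot: The nested-VM launch in the container branch uses `-c limits.memory=510MiB`, while the VM branch earlier in the hunk and the line it replaces both use `512MiB`; this looks like a typo rather than an intended change. If so, the line should read `cmd "${nestedVMs}" "lxc launch ${IMAGE} nested --vm -c limits.memory=512MiB"`. If the lower value is deliberate, a comment explaining why the container case needs it would help.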