tests: add prompting client integration tests #14387
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olivercalder
force-pushed
the
prompting-add-client-integration-tests
branch
from
f2a6cf9 to
86d15c3
Compare
olivercalder
force-pushed
the
prompting-add-client-integration-tests
branch
2 times, most recently
from
18126be to
1f150f1
Compare
olivercalder
added
Squash-merge
|
Restore is failing, claiming the system is corrupted... I suspect this may have something to do with using |
olivercalder
force-pushed
the
prompting-add-client-integration-tests
branch
from
1f150f1 to
53f9e5e
Compare
sergiocazzolato
requested changes
Aug 26, 2024
| lxd init --auto | ||
| snap install snapcraft --classic | ||
|
|
||
| git clone https://github.com/canonical/prompting-client /home/ubuntu/prompting-client |
There was a problem hiding this comment.
about this, is it possible to upload the snap to the snapt and avoid using snapcraft in the test?
There was a problem hiding this comment.
Ideally we'd build the snap and integration tests binary whenever a new release of the prompting-client occurs, but this is not being done at the moment. I'll bring it up with the Desktop team again, as these do take a very long time in spread.
|
|
||
| restore: | | ||
| rm -rf /home/ubuntu/prompting-client | ||
| snap remove --purge lxd |
There was a problem hiding this comment.
this shouldn't be required, it is done automatically
| cargo test --no-run | ||
| FNAME=$(find . -regextype grep -regex './target/debug/deps/integration.*[^.][^d]' | head -n1) | ||
| cp "$FNAME" /home/ubuntu/integration-tests | ||
| chown ubuntu:ubuntu /home/ubuntu/integration-tests |
There was a problem hiding this comment.
this dir needs to be cleaned
ZeyadYasser
reviewed
Aug 30, 2024
| lxd init --auto | ||
| snap install snapcraft --classic | ||
|
|
||
| git clone https://github.com/canonical/prompting-client /home/ubuntu/prompting-client |
There was a problem hiding this comment.
It might be a good idea to use relative paths when building If this test is ever extended to more distros.
| cargo test --no-run | ||
| FNAME=$(find . -regextype grep -regex './target/debug/deps/integration.*[^.][^d]' | head -n1) | ||
| cp "$FNAME" /home/ubuntu/integration-tests | ||
| chown ubuntu:ubuntu /home/ubuntu/integration-tests |
There was a problem hiding this comment.
A new user session using tests.session -u test prepare in the prepare script would be distro agnostic.
| snap set system experimental.apparmor-prompting=true | ||
|
|
||
| echo "Run prompting-client integration tests as non-root user" | ||
| sudo -iu ubuntu /home/ubuntu/integration-tests |
There was a problem hiding this comment.
then this would be
Suggested change
| sudo -iu ubuntu /home/ubuntu/integration-tests | |
| tests.session -u test exec /home/ubuntu/integration-tests |
| when run against snapd. | ||
|
|
||
| systems: | ||
| - ubuntu-2* |
There was a problem hiding this comment.
it might be a good idea to check what happens in a few more distros.
olivercalder
force-pushed
the
prompting-add-client-integration-tests
branch
from
9933012 to
e33f87b
Compare
github-actions
bot
added
the
Needs Documentation -auto-
|
Looks like prompting client integration tests pass on 22.04 with whatever kernel the cloud image uses. Interesting... |
|
Can confirm, prompting client integration tests did run and pass on 22.04: We only compile the integration tests on systems where they'll be run, so we know they did run, and the spread test itself passed, so we know the integration tests passed. |
olivercalder
removed
the
Needs Documentation -auto-
Prompting cannot be supported if the kernel notification socket does not exist. Thus, add a check for its presence to PromptingSupportedByFeatures. However, this alone is not sufficient. The notification socket may be used for other purposes as well. When this becomes the case, a directory will be added at `/sys/kernel/security/apparmor/features/policy/notify`. If that directory exists, and it contains a file called `user`, which contains the list of prompting mediation classes, then prompting is supported on the system. If no file called `user` exists in that directory, but the directory itself exists, then we know prompting is not supported. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…support test Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…itu test Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…le on debian-sid" This reverts commit 66eb862. Debian Sid reports prompting support in its AppArmor kernel and parser features, the former because the upstream kernel has extended permissions merged (but non-functional), and the latter because we use vendored AppArmor with snapd. But the kernel does not actually support AppArmor prompting, as this requires patches from the Ubuntu kernel which have not yet been upstreamed. Now that we check for the presence of the kernel notification socket as well as the AppArmor kernel and parser features, we can correctly identify that prompting is not supported on Debian Sid. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…ored apparmor on 22.04" This reverts commit 1ec4132. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…nal apparmor" This reverts commit a4e46bb. On Ubuntu LTS releases < 24.04, prompting is still not supported by the standard (non-hwe) kernels. This is reflected in tests, now that AppArmor prompting support checks test for the presence of the kernel notification socket. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Ubuntu systems older than 24.04 are capable of supporting AppArmor prompting if they are running a new enough Ubuntu kernel. In particular, the Ubuntu 22.04 image on GCP runs a 6.5 kernel which supports prompting. Thus, if run on GCP, Jammy supports prompting, but if run on lxd, it does not. Therefore, checks for Ubuntu version are insufficient for spread to identify whether prompting should be supported. Instead, check for the presence of the `prompt` directive in the permissions listed in `/sys/kernel/security/apparmor/features/policy/permstable32`. Any Ubuntu system which has `prompt` in that file should support prompting. This can't be the entirety of the check, because those permissions have been upstreamed to the Linux kernel, but other pieces which are required for prompting to function have not yet been upstreamed. Thus, Debian Sid reports supporting the prompt directive, even though prompting is not supported. Therefore, we must check that the system is Ubuntu, that it's not core, and that the `prompt` directive is supported. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…s't include file Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
I checked, gcp is using a recent 6.5 custom kernel which has all the features needed by prompting. |
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…ests Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
… system Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
olivercalder
force-pushed
the
prompting-add-client-integration-tests
branch
from
e33f87b to
d135758
Compare
github-actions
bot
added
the
Needs Documentation -auto-
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a spread test to run the integration tests from https://github.com/canonical/prompting-client
This is tracked internally by https://warthogs.atlassian.net/browse/SNAPDENG-30440
This PR is blocked until https://github.com/canonical/prompting-client is made public and the
integration-testsbinary andaa-prompting-testsnap are published and accessible from spread. For now, use unlisted binaries on a private webserver.This PR is based on #14448, only the commits from "add prompting client integration tests" on are relevant.