o/ifacestate,tests: apparmor prompting not running if manager creation failed #14421
566d4c9 to d087a72
thank you
I would suggest rebase merging rather than squashing, as these are two separate bugs which are being fixed, the latter triggering the former.
Looks like
echo "Check that we received one notices for the non-expired rule" | ||
snap debug api --fail "/v2/notices?after=$CURRTIME&types=interfaces-requests-rule-update&user-id=1000" | jq | ||
snap debug api "/v2/notices?after=$CURRTIME&types=interfaces-requests-rule-update&user-id=1000" | jq '.result | length' | MATCH 1 | ||
snap debug api "/v2/notices?after=$CURRTIME&types=interfaces-requests-rule-update&user-id=1000" | jq '.result.[0].key' | MATCH "0000000000000002" |
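Review bot: the three `snap debug api` calls in this hunk repeat the same `/v2/notices` query and only the first one passes `--fail`, so the length check and the key check each run against a separate response that is not itself checked for an API error. Capturing the output of the `--fail` call once in a variable and applying both `jq` filters to it would keep the two `MATCH` assertions on the same data. The echo text also reads "one notices" where "one notice" is meant.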
Per #14409, this needs to be
snap debug api "/v2/notices?after=$CURRTIME&types=interfaces-requests-rule-update&user-id=1000" | jq '.result.[0].key' | MATCH "0000000000000002" | |
snap debug api "/v2/notices?after=$CURRTIME&types=interfaces-requests-rule-update&user-id=1000" | jq '.result[0].key' | MATCH "0000000000000002" |
||
echo "Check that the non-expired rule is still valid (must be done with UID 1000)" | ||
sudo -iu '#1000' snap debug api /v2/interfaces/requests/rules | jq '.result | length' | MATCH 1 | ||
sudo -iu '#1000' snap debug api /v2/interfaces/requests/rules | jq '.result.[0].id' | MATCH "0000000000000002" |
Same here:
sudo -iu '#1000' snap debug api /v2/interfaces/requests/rules | jq '.result.[0].id' | MATCH "0000000000000002" | |
sudo -iu '#1000' snap debug api /v2/interfaces/requests/rules | jq '.result[0].id' | MATCH "0000000000000002" |
Spread tests were restarted for all tests, rather than just the failures, so I restarted manually from the results of run 1 of https://github.com/canonical/snapd/actions/runs/10528423541
This seems to have cancelled the checks below but marked them all as succeeded... This is incorrect, but the actual tests are still running in Run 2 of the original GH Action run: The current run (run 2) of the originally-failed tests can be found here: https://github.com/canonical/snapd/actions/runs/10528423541
Prompting client integration tests built on top of this change passed in locally-run spread for me, and should appear here under
Test results are here: https://github.com/canonical/snapd/actions/runs/10528423541/job/29179028207 Failures:
So I think this is good to merge whenever you're ready @ernestl
LGTM, just a minor nit about the test
systemctl stop snapd.service snapd.socket | ||
# Try for a while to make sure it's not in failure mode | ||
echo "Check that systemctl is-failed is never true after a while" | ||
retry --wait 1 -n 30 systemctl is-failed snapd.service snapd.socket && exit 1 |
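Review bot: on the `retry ... && exit 1` line the expected outcome is that `retry` fails, and the script survives that only because `set -e` ignores a failing command on the left of `&&`; the list still returns a non-zero status, which becomes the section's exit status if this line is ever the last command. An explicit form such as `if retry --wait 1 -n 30 systemctl is-failed snapd.service snapd.socket; then exit 1; fi` states the intent and leaves a zero status on the passing path. Note also that with `--wait 1 -n 30` every passing run spends the full 30 attempts here.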
nitpick: this relies on very hidden behavior of `set -e`, I think that `not retry ...` would work too
Thanks, I'll try it with this instead
systemctl stop snapd.service snapd.socket | ||
# Try for a while to make sure it's not in failure mode | ||
echo "Check that systemctl is-failed is never true after a while" | ||
retry --wait 1 -n 30 systemctl is-failed snapd.service snapd.socket && exit 1 |
Same here
…n failed
If creation of the interfaces requests manager fails for some reason, we need to mark the manager's internal `useAppArmorPrompting` value to false so that calls to `AppArmorPromptingRunning()` will return false, and we don't try to access a nil-pointer manager backend.
Extend the apparmor-prompting-snapd-startup test to cover this scenario.
Additionally, fix a few syntax inconsistencies in the spread test while we're at it.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
…t id file
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
d087a72 to 46fb37f
Tests are being very weird (all passing immediately), I'm going to close and reopen.
If creation of the interfaces requests manager fails for some reason, we need to mark the manager's internal `useAppArmorPrompting` value to false so that calls to `AppArmorPromptingRunning()` will return false, and we don't try to access a nil-pointer manager backend.
Extend the apparmor-prompting-snapd-startup test to cover this scenario.
Further, we address one reason for this failure: lack of `/run/snapd/` during the interface manager startup. We should ensure that this directory exists as part of the requestprompts backend attempting to open the max prompt ID mmap.
This is tracked internally by https://warthogs.atlassian.net/browse/SNAPDENG-31381
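The two fixes in the description above (clear the flag when backend creation fails, and create the run directory before opening the ID file), sketched as an added Go example. This is not snapd's code: `manager`, `backend`, `openBackend`, `idFilePath` and the `max-prompt-id` file name are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

// backend stands in for the requests backend (hypothetical, not snapd's type).
type backend struct{ maxIDFile *os.File }

// openBackend creates runDir before opening the ID file inside it, so a
// missing directory (for example a fresh /run) does not fail the open.
func openBackend(runDir string) (*backend, error) {
	if err := os.MkdirAll(runDir, 0o755); err != nil {
		return nil, err
	}
	// "max-prompt-id" is an assumed file name for this example.
	f, err := os.OpenFile(filepath.Join(runDir, "max-prompt-id"), os.O_RDWR|os.O_CREATE, 0o600)
	if err != nil {
		return nil, err
	}
	return &backend{maxIDFile: f}, nil
}

type manager struct {
	usePrompting bool     // what configuration asked for
	backend      *backend // stays nil when creation failed
}

// start clears usePrompting on failure so it never disagrees with backend.
func (m *manager) start(runDir string) error {
	b, err := openBackend(runDir)
	if err != nil {
		m.usePrompting = false
		return err
	}
	m.backend = b
	return nil
}

func (m *manager) promptingRunning() bool { return m.usePrompting }

// idFilePath touches the backend only when prompting is reported as running.
func (m *manager) idFilePath() (string, error) {
	if !m.promptingRunning() {
		return "", errors.New("prompting not running")
	}
	return m.backend.maxIDFile.Name(), nil
}

func main() {
	m := &manager{usePrompting: true} // constructed run directory under the temp dir
	println(m.start(filepath.Join(os.TempDir(), "example-run", "snapd")) == nil, m.promptingRunning())
}
```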