tests: properly build snapd snap #13517
Conversation
github-actions
bot
added
the
Run Nested -auto-
valentindavid
changed the title
valentindavid
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #13517 +/- ##
==========================================
- Coverage 78.86% 78.83% -0.03%
==========================================
Files 1043 1046 +3
Lines 134595 136020 +1425
==========================================
+ Hits 106144 107237 +1093
- Misses 21837 22083 +246
- Partials 6614 6700 +86
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
4 times, most recently
from
fbb31b8
to
1482ddf
Compare
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
11 times, most recently
from
8c2edc6
to
9a469fe
Compare
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
8 times, most recently
from
9cecdfc
to
2500bd5
Compare
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
2 times, most recently
from
d98beda
to
fa566af
Compare
.github/workflows/test.yaml
Outdated
| @@ -796,7 +833,7 @@ jobs: | |||
| key: "${{ github.job }}-results-${{ github.run_id }}-${{ matrix.group }}-${{ github.run_attempt }}" | |||
|
|
|||
| spread-nested: | |||
| needs: [unit-tests] | |||
| needs: [unit-tests, snap-builds] | |||
There was a problem hiding this comment.
this job is changing in #14032, we should skip any change in spread-nested
sergiocazzolato
added
the
Run nested
| # sign the snapd snap with fakestore if requested | ||
| if [ "$NESTED_SIGN_SNAPS_FAKESTORE" = "true" ]; then | ||
| "$TESTSTOOLS"/store-state make-snap-installable --noack "$NESTED_FAKESTORE_BLOB_DIR" "$(nested_get_extra_snaps_path)/$output_name" "$snap_id" | ||
| for f in "${NESTED_ASSETS_DIR}"/snapd_*.snap; do |
There was a problem hiding this comment.
how many snapd are we going to have? 2?, perhaps we could do:
`snap_path="$(ls ${NESTED_ASSETS_DIR}"/snapd_*.snap | head -n1)"
if [ -z "$snap_path" ]; then
...
There was a problem hiding this comment.
Only 1. There is a break.
There was a problem hiding this comment.
Loops are what is recommended by shellcheck on posix scripts. But given that prepare.sh uses bash (it is in the shebang), maybe we should just enable extglob. And stop doing any of those weird hacks.
| build_snapd_snap() { | ||
| local TARGET | ||
| local snapd_snap_cache | ||
| TARGET="${1}" |
There was a problem hiding this comment.
TARGET=$1 works as well
There was a problem hiding this comment.
I'd keep the quotes just in case, in general almost everything should be quoted unless there's clear reason to not do it eg. when one wants splitting to take place.
tests/lib/prepare.sh
Outdated
| local snapd_snap_cache | ||
| TARGET="${1}" | ||
|
|
||
| snapd_snap_cache="${NESTED_WORK_DIR:-/tmp/work-dir}/snapd_snap" |
There was a problem hiding this comment.
I would prefer to avoid using NESTED_WORK_DIR here, perhaps we could accept a parameter with the work dir
TARGET=$1
WORK_DIR=$2
snapd_snap_cache="${WORK_DIR:-/tmp/work-dir}/snapd_snap"
There was a problem hiding this comment.
Why accepting it as parameter? We need it to be the same across the tests. Otherwise there will be multiple cache.
| snapd_snap_cache="${NESTED_WORK_DIR:-/tmp/work-dir}/snapd_snap" | ||
| [ -d "${snapd_snap_cache}" ] || mkdir -p "${snapd_snap_cache}" | ||
| for snap in "${snapd_snap_cache}"/snapd_*.snap; do | ||
| if ! [ -f "${snap}" ]; then |
There was a problem hiding this comment.
is it possible that $snap is not a file?
There was a problem hiding this comment.
Yes. If if the glob does not expand.
tests/lib/prepare.sh
Outdated
| # data/preseed.json is not included in the deb, use the latest | ||
| # version from source tree to replace the one in the re-packed snapd snap. | ||
| cp "$PROJECT_PATH/data/preseed.json" "$UNPACK_DIR"/usr/lib/snapd | ||
| snapd_snap_cache="${NESTED_WORK_DIR:-/tmp/work-dir}/snapd_snap_with_tweaks" |
There was a problem hiding this comment.
same about the WORK_DIR
| snapd_snap_cache="${NESTED_WORK_DIR:-/tmp/work-dir}/snapd_snap_with_tweaks" | ||
| [ -d "${snapd_snap_cache}" ] || mkdir -p "${snapd_snap_cache}" | ||
| for snap in "${snapd_snap_cache}"/snapd_*.snap; do | ||
| if [ -f "${snap}" ]; then |
There was a problem hiding this comment.
is it possible that $snap is not a file?
There was a problem hiding this comment.
Yes. Like the other place, if the glob does not expand, because there is no matching file.
tests/lib/prepare.sh
Outdated
| # file in place. Its called usr.lib.snapd.snap-confine on 14.04 but | ||
| # usr.lib.snapd.snap-confine.real everywhere else | ||
| rm -f "$UNPACK_DIR"/etc/apparmor.d/* | ||
| if ! os.query is-pc-amd64 || ! cp "${PROJECT_PATH}/built-snap"/snapd_1337.*.snap.keep "/tmp/snapd_from_snapcraft.snap"; then |
There was a problem hiding this comment.
it is not clear why:
! cp "${PROJECT_PATH}/built-snap"/snapd_1337.*.snap.keep "/tmp/snapd_from_snapcraft.snap"
There was a problem hiding this comment.
If running outside the github workflow, "${PROJECT_PATH}/built-snap" will not exist. cp will fail. And then we fallback to building the snap.
There was a problem hiding this comment.
I'd rather have an explicit environment variable controlling whether the build through snapcraft is (dis)allowed, otherwise there's a chance that everything will seem to be set up correctly, but the prepare will keep building snapd with snapcraft. , eg TESTS_USE_PREBUILT_SNAPD_SNAP: "$(HOST: echo PREBUILT_SNAPD)" in spread.yaml and then fail hard here?
There was a problem hiding this comment.
That makes total sense.
| @@ -21,9 +21,11 @@ prepare: | | |||
| exit | |||
| fi | |||
|
|
|||
| "$TESTSTOOLS"/snaps-state repack-snapd-deb-into-snap snapd | |||
| # shellcheck source=tests/lib/prepare.sh | |||
There was a problem hiding this comment.
I think in a following pr we should move out all the build/repack stuff from prepare.sh
I'll work on that once this is merged
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
from
bd87468
to
3349476
Compare
.github/workflows/test.yaml
Outdated
| echo "Checking ${snap}" | ||
| rm -rf squashfs-root | ||
| unsquashfs "${snap}" meta/snap.yaml usr/lib/snapd/ | ||
| if cat squashfs-root/meta/snap.yaml | grep -q "version:.*dirty.*"; then |
There was a problem hiding this comment.
it's probably ok to just grep both files
| if cat squashfs-root/meta/snap.yaml | grep -q "version:.*dirty.*"; then | |
| if grep -q "version:.*dirty.*" squashfs-root/meta/snap.yaml squashfs-root/usr/lib/snapd/info; then |
tests/lib/nested.sh
Outdated
| if [ "${NESTED_FORCE_SNAKEOIL_KEYS:-false}" = "true" ]; then | ||
| OVMF_VARS="snakeoil" | ||
| fi |
There was a problem hiding this comment.
That was probably not needed anymore.
tests/lib/prepare.sh
Outdated
| # file in place. Its called usr.lib.snapd.snap-confine on 14.04 but | ||
| # usr.lib.snapd.snap-confine.real everywhere else | ||
| rm -f "$UNPACK_DIR"/etc/apparmor.d/* | ||
| if ! os.query is-pc-amd64 || ! cp "${PROJECT_PATH}/built-snap"/snapd_1337.*.snap.keep "/tmp/snapd_from_snapcraft.snap"; then |
There was a problem hiding this comment.
I'd rather have an explicit environment variable controlling whether the build through snapcraft is (dis)allowed, otherwise there's a chance that everything will seem to be set up correctly, but the prepare will keep building snapd with snapcraft. , eg TESTS_USE_PREBUILT_SNAPD_SNAP: "$(HOST: echo PREBUILT_SNAPD)" in spread.yaml and then fail hard here?
tests/lib/prepare.sh
Outdated
| mkdir -p "${snapd_snap_cache}" | ||
| for snap in "${snapd_snap_cache}"/snapd_*.snap; do | ||
| if ! [ -f "${snap}" ]; then | ||
| if os.query is-pc-amd64 && cp "${PROJECT_PATH}/built-snap"/snapd_1337.*.snap.keep "${snapd_snap_cache}/snapd_from_ci.snap"; then |
There was a problem hiding this comment.
see my comment in build_snapd_snap_with_run_mode_firstboot_tweaks
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
from
3137b4c
to
c73512d
Compare
| @@ -592,7 +621,7 @@ jobs: | |||
| verbose: true | |||
|
|
|||
| spread: | |||
| needs: [unit-tests] | |||
| needs: [unit-tests, snap-builds] | |||
There was a problem hiding this comment.
we may want to revisit this later, there'd be 4 snap builds to complete now before spread tests even start
since I don't think github supports adding needs on matrix defined jobs, perhaps we can split the snap builds into separate jobs and share some code through composite action, such that we can then organize it all as:
- snap-build - regular snapd snap build for anyone to test locally
- snap-build-test - which spread jobs could wait on
- snap-build-fips - for local testing
- snap-build-test-fips - which eg. FIPS spread jobs could wait on
in such setup only snap-build*-test would be needed for blocking the spread test jobs
There was a problem hiding this comment.
just to be clear, this would be a followup once we see that the current setup is an issue and FIPS testing is added
| build_snapd_snap() { | ||
| local TARGET | ||
| local snapd_snap_cache | ||
| TARGET="${1}" |
There was a problem hiding this comment.
I'd keep the quotes just in case, in general almost everything should be quoted unless there's clear reason to not do it eg. when one wants splitting to take place.
tests/main/preseed-core20/task.yaml
Outdated
| @@ -18,8 +18,8 @@ environment: | |||
| prepare: | | |||
| #shellcheck source=tests/lib/prepare.sh | |||
| . "$TESTSLIB"/prepare.sh | |||
| snap download "--channel=${SNAPD_CHANNEL}" snapd | |||
| repack_snapd_snap_with_deb_content_and_run_mode_firstboot_tweaks /tmp | |||
| [ -d /tmp/teaked-snapd-snap ] || mkdir -p /tmp/teaked-snapd-snap | |||
tests/main/preseed-core20/task.yaml
Outdated
| @@ -18,8 +18,8 @@ environment: | |||
| prepare: | | |||
| #shellcheck source=tests/lib/prepare.sh | |||
| . "$TESTSLIB"/prepare.sh | |||
| snap download "--channel=${SNAPD_CHANNEL}" snapd | |||
| repack_snapd_snap_with_deb_content_and_run_mode_firstboot_tweaks /tmp | |||
| [ -d /tmp/teaked-snapd-snap ] || mkdir -p /tmp/teaked-snapd-snap | |||
There was a problem hiding this comment.
restore should probably rm -rf this directory
tests/main/preseed-core20/task.yaml
Outdated
| @@ -47,7 +47,13 @@ execute: | | |||
| export SNAPPY_FORCE_SAS_URL=http://$STORE_ADDR | |||
|
|
|||
| echo "Running pre-seeding" | |||
| SNAPD_SNAP=$(ls /tmp/snapd*.snap) | |||
| for f in /tmp/teaked-snapd-snap/snapd*.snap; do | |||
|
|
||
| - name: Uploading snapd snap artifact | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: snap-files-${{ matrix.toolchain }} | ||
| name: snap-files-${{ matrix.toolchain }}-${{ matrix.version }} |
There was a problem hiding this comment.
is it possible to add a comment somewhere to explain what are those snap artifacts used for?
There was a problem hiding this comment.
something like Maciej did below
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
from
ffb295e
to
bb418ff
Compare
Now we build also the test version of snapd snap in `snap-builds` workflow job. We copy this into the spread tests. And we use that snap, which we only instrument instead of copying the snapd deb build. If the snap is not available, then we build it in spread. On CI, this happens on arm since the workflow does not build it. It will also happen when triggering test manually.
valentindavid
force-pushed
the
valentindavid/with-patchelf-run-tests
branch
from
165be0f
to
9b95b5c
Compare
Now we build also the test version of snapd snap in
snap-buildsworkflow job. We copy this into the spread tests. And we use that snap, which we only instrument instead of copying the snapd deb build.If the snap is not available, then we build it in spread. On CI, this happens on arm since the workflow does not build it. It will also happen when triggering test manually.