From fbb8b327b493c90f940fd6edb25b8bf54f8c0bfb Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Fri, 28 Sep 2018 14:41:13 +0200
Subject: [PATCH 01/10] packaging/{centos-7,fedora}: update common Fedora
packaging to support CentOS 7
Add CentOS 7 to the shared Fedora RPM spec. Problems identified while building
rpm:
- outdated selinux-policy, this should be fixed in RHEL 7.6, see
https://bugzilla.redhat.com/show_bug.cgi?id=1574383
- hardened build with static linking fails, (snap-exec and snap-update-ns),
expecting RHEL 7.6 to be affected, reported to CentOS
https://bugs.centos.org/view.php?id=15333
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
packaging/centos-7 | 1 +
packaging/fedora/snapd.spec | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
create mode 120000 packaging/centos-7
diff --git a/packaging/centos-7 b/packaging/centos-7
new file mode 120000
index 0000000000..100fe0cd7b
--- /dev/null
+++ b/packaging/centos-7
@@ -0,0 +1 @@
+fedora
\ No newline at end of file
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index 7a5cdea645..6766a97df6 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -83,11 +83,16 @@
%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
-# SELinux policy does not build on Amazon Linux 2 at the moment, fails with
-# checkmodule complaining about missing 'map' permission for 'file' class
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
%if 0%{?amzn2} == 1
%global with_selinux 0
%endif
+%if 0%{?centos} == 7
+%global with_selinux 0
+%endif
Name: snapd
Version: 2.36.1
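Review bot: The added `%if 0%{?centos} == 7` block turns `with_selinux` off for every CentOS 7 minor release, so once the selinux-policy update the comment expects in RHEL 7.6 reaches CentOS, the package will presumably still ship without its SELinux policy module. On a distribution that normally runs SELinux in enforcing mode, that is a hardening gap worth tracking rather than leaving open-ended. I would add a removal marker to the comment, for example `# TODO: re-enable with_selinux on CentOS 7 once selinux-policy carries the 'map' permission`, and fold both conditions into one line, `%if 0%{?amzn2} == 1 || 0%{?centos} == 7`.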
From 3c61fbbd51478f2c3be8e6ea7b63cb5041e43afd Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Fri, 28 Sep 2018 14:44:54 +0200
Subject: [PATCH 02/10] tests: basic setup for CentOS 7
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
spread.yaml | 10 +++++++---
tests/lib/boot.sh | 2 +-
tests/lib/dirs.sh | 2 +-
tests/lib/pkgdb.sh | 22 +++++++++++-----------
tests/lib/prepare-restore.sh | 8 ++++----
tests/lib/reset.sh | 11 +++++++----
tests/lib/snaps.sh | 6 +++---
7 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/spread.yaml b/spread.yaml
index 8cbd83227e..106b69d35e 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -94,6 +94,10 @@ backends:
workers: 4
storage: preserve-size
+ - centos-7-64:
+ workers: 4
+ image: centos-7-64
+
google-sru:
type: google
key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
@@ -497,7 +501,7 @@ prepare: |
fedora-*)
dnf install --refresh -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
;;
- amazon-*)
+ amazon-*|centos-*)
yum install -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
;;
opensuse-*)
@@ -625,7 +629,7 @@ suites:
# Test cases are not yet ported to Fedora/openSUSE/Arch that is why
# we keep them disabled. A later PR will enable most tests and
# drop this blacklist.
- systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+ systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
# unittests are run as part of the autopkgtest build already
backends: [-autopkgtest]
environment:
@@ -670,7 +674,7 @@ suites:
# Test cases are not yet ported to Fedora/openSUSE/Arch/AMZN2 that is why
# we keep them disabled. A later PR will enable most tests and
# drop this blacklist.
- systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
+ systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
"$TESTSLIB"/prepare-restore.sh --prepare-suite
prepare-each: |
diff --git a/tests/lib/boot.sh b/tests/lib/boot.sh
index e6cd906dea..475ceccdf8 100644
--- a/tests/lib/boot.sh
+++ b/tests/lib/boot.sh
@@ -2,7 +2,7 @@
GRUB_EDITENV=grub-editenv
case "$SPREAD_SYSTEM" in
- fedora-*|opensuse-*|amazon-*)
+ fedora-*|opensuse-*|amazon-*|centos-*)
GRUB_EDITENV=grub2-editenv
;;
esac
diff --git a/tests/lib/dirs.sh b/tests/lib/dirs.sh
index e83c053109..7000bc25e5 100644
--- a/tests/lib/dirs.sh
+++ b/tests/lib/dirs.sh
@@ -5,7 +5,7 @@ export LIBEXECDIR=/usr/lib
export MEDIA_DIR=/media
case "$SPREAD_SYSTEM" in
- fedora-*|amazon-*)
+ fedora-*|amazon-*|centos-*)
export SNAP_MOUNT_DIR=/var/lib/snapd/snap
export LIBEXECDIR=/usr/libexec
export MEDIA_DIR=/run/media
diff --git a/tests/lib/pkgdb.sh b/tests/lib/pkgdb.sh
index bae7fbd4c8..434444af57 100755
--- a/tests/lib/pkgdb.sh
+++ b/tests/lib/pkgdb.sh
@@ -128,7 +128,7 @@ distro_name_package() {
fedora-*)
fedora_name_package "$@"
;;
- amazon-*)
+ amazon-*|centos-*)
amazon_name_package "$@"
;;
opensuse-*)
@@ -174,7 +174,7 @@ distro_install_local_package() {
fedora-*)
quiet dnf -y install "$@"
;;
- amazon-*)
+ amazon-*|centos-*)
quiet yum -y localinstall "$@"
;;
opensuse-*)
@@ -255,7 +255,7 @@ distro_install_package() {
# shellcheck disable=SC2086
quiet dnf -y --refresh install $DNF_FLAGS "${pkg_names[@]}"
;;
- amazon-*)
+ amazon-*|centos-*)
# shellcheck disable=SC2086
quiet yum -y install $YUM_FLAGS "${pkg_names[@]}"
;;
@@ -296,7 +296,7 @@ distro_purge_package() {
quiet dnf -y remove "$@"
quiet dnf clean all
;;
- amazon-*)
+ amazon-*|centos-*)
quiet yum -y remove "$@"
;;
opensuse-*)
@@ -321,7 +321,7 @@ distro_update_package_db() {
quiet dnf clean all
quiet dnf makecache
;;
- amazon-*)
+ amazon-*|centos-*)
quiet yum clean all
quiet yum makecache
;;
@@ -346,7 +346,7 @@ distro_clean_package_cache() {
fedora-*)
dnf clean all
;;
- amazon-*)
+ amazon-*|centos-*)
yum clean all
;;
opensuse-*)
@@ -370,7 +370,7 @@ distro_auto_remove_packages() {
fedora-*)
quiet dnf -y autoremove
;;
- amazon-*)
+ amazon-*|centos-*)
quiet yum -y autoremove
;;
opensuse-*)
@@ -392,7 +392,7 @@ distro_query_package_info() {
fedora-*)
dnf info "$1"
;;
- amazon-*)
+ amazon-*|centos-*)
yum info "$1"
;;
opensuse-*)
@@ -429,7 +429,7 @@ distro_install_build_snapd(){
# shellcheck disable=SC2125
packages="${GOHOME}"/snapd_*.deb
;;
- fedora-*|amazon-*)
+ fedora-*|amazon-*|centos-*)
# shellcheck disable=SC2125
packages="${GOHOME}"/snap-confine*.rpm\ "${GOPATH%%:*}"/snapd*.rpm
;;
@@ -476,7 +476,7 @@ distro_get_package_extension() {
ubuntu-*|debian-*)
echo "deb"
;;
- fedora-*|opensuse-*|amazon-*)
+ fedora-*|opensuse-*|amazon-*|centos-*)
echo "rpm"
;;
arch-*)
@@ -719,7 +719,7 @@ pkg_dependencies(){
fedora-*)
pkg_dependencies_fedora
;;
- amazon-*)
+ amazon-*|centos-*)
pkg_dependencies_amazon
;;
opensuse-*)
diff --git a/tests/lib/prepare-restore.sh b/tests/lib/prepare-restore.sh
index b5f8cd0b93..175a00623b 100755
--- a/tests/lib/prepare-restore.sh
+++ b/tests/lib/prepare-restore.sh
@@ -54,7 +54,7 @@ create_test_user(){
# unlikely to ever clash with anything, and easy to remember.
quiet adduser --uid 12345 --gid 12345 --disabled-password --gecos '' test
;;
- debian-*|fedora-*|opensuse-*|arch-*|amazon-*)
+ debian-*|fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
quiet useradd -m --uid 12345 --gid 12345 test
;;
*)
@@ -102,7 +102,7 @@ build_rpm() {
rpm_dir=$(rpm --eval "%_topdir")
case "$SPREAD_SYSTEM" in
- fedora-*|amazon-*)
+ fedora-*|amazon-*|centos-*)
extra_tar_args="$extra_tar_args --exclude=vendor/*"
;;
opensuse-*)
@@ -122,7 +122,7 @@ build_rpm() {
mkdir -p "$rpm_dir/SOURCES"
# shellcheck disable=SC2086
(cd /tmp/pkg && tar "-c${archive_compression}f" "$rpm_dir/SOURCES/$archive_name" $extra_tar_args "snapd-$version")
- if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* ]]; then
+ if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* || "$SPREAD_SYSTEM" == centos-* ]]; then
# need to build the vendor tree
(cd /tmp/pkg && tar "-cJf" "$rpm_dir/SOURCES/snapd_${version}.only-vendor.tar.xz" "snapd-$version/vendor")
fi
@@ -354,7 +354,7 @@ prepare_project() {
ubuntu-*|debian-*)
build_deb
;;
- fedora-*|opensuse-*|amazon-*)
+ fedora-*|opensuse-*|amazon-*|centos-*)
build_rpm
;;
arch-*)
diff --git a/tests/lib/reset.sh b/tests/lib/reset.sh
index fead9623f8..ac47b8fb5b 100755
--- a/tests/lib/reset.sh
+++ b/tests/lib/reset.sh
@@ -37,7 +37,7 @@ reset_classic() {
ubuntu-*|debian-*)
sh -x "${SPREAD_PATH}/debian/snapd.postrm" purge
;;
- fedora-*|opensuse-*|arch-*|amazon-*)
+ fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
# We don't know if snap-mgmt was built, so call the *.in file
# directly and pass arguments that will override the placeholders
sh -x "${SPREAD_PATH}/cmd/snap-mgmt/snap-mgmt.sh.in" \
@@ -48,6 +48,7 @@ reset_classic() {
rm -rf /var/lib/snapd
;;
*)
+ echo "don't know how to reset $SPREAD_SYSTEM"
exit 1
;;
esac
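Review bot: The new diagnostic in the `*)` branch is written to stdout, where it mixes with normal test output; send it to stderr instead, `echo "don't know how to reset $SPREAD_SYSTEM" >&2`. reset_classic starts and ends outside this hunk.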
@@ -87,9 +88,11 @@ reset_classic() {
# wait for snapd listening
EXTRA_NC_ARGS="-q 1"
- if [[ "$SPREAD_SYSTEM" = fedora-* || "$SPREAD_SYSTEM" = amazon-* ]]; then
- EXTRA_NC_ARGS=""
- fi
+ case "$SPREAD_SYSTEM" in
+ fedora-*|amazon-*|centos-*)
+ EXTRA_NC_ARGS=""
+ ;;
+ esac
while ! printf 'GET / HTTP/1.0\r\n\r\n' | nc -U $EXTRA_NC_ARGS /run/snapd.socket; do sleep 0.5; done
fi
}
diff --git a/tests/lib/snaps.sh b/tests/lib/snaps.sh
index 0cf0d1d908..bebf66f42f 100644
--- a/tests/lib/snaps.sh
+++ b/tests/lib/snaps.sh
@@ -52,8 +52,8 @@ mksnap_fast() {
snap="$2"
case "$SPREAD_SYSTEM" in
- ubuntu-14.04-*|amazon-*)
- # trusty and AMZN2 do not support -Xcompression-level 1
+ ubuntu-14.04-*|amazon-*|centos-*)
+ # trusty, AMZN2 and CentOS 7 do not support -Xcompression-level 1
mksquashfs "$dir" "$snap" -comp gzip -no-fragments -no-progress
;;
*)
@@ -79,7 +79,7 @@ is_classic_confinement_supported() {
ubuntu-*|debian-*)
return 0
;;
- fedora-*)
+ fedora-*|centos-*)
return 1
;;
opensuse-*)
From 90c7c9b434102a5d720a84e784af34567ea1ac05 Mon Sep 17 00:00:00 2001
From: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Mon, 12 Nov 2018 23:49:47 -0300
Subject: [PATCH 03/10] Skip opensuse from interfaces-openvswitch-support test
The next update for opensuse fails when the interfaces-openvswitch-support
test is executed. The cause is the same as for the arch system: the
interface allows access to /run/uuidd/request, but on these systems
the request is made to /run/run/uuidd/request, which makes snaps
that try to request a random id fail.
test error:
https://paste.ubuntu.com/p/bv9xZj36XR/
debug info:
https://paste.ubuntu.com/p/nMF4BR8ZF7/
---
tests/main/interfaces-openvswitch-support/task.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/main/interfaces-openvswitch-support/task.yaml b/tests/main/interfaces-openvswitch-support/task.yaml
index 9d174c0783..f937129810 100644
--- a/tests/main/interfaces-openvswitch-support/task.yaml
+++ b/tests/main/interfaces-openvswitch-support/task.yaml
@@ -5,8 +5,8 @@ details: |
# ubuntu-core, ubuntu-14, fedora, amazon are skipped as /run/uuidd/request file does not
# exist. On those systems different files are being used instead.
-# arch: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122
-systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*]
+# arch, opensuse: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122
+systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*]
prepare: |
snap install test-snapd-openvswitch-support
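Review bot: The updated comment attributes the `/run/run/uuidd/request` problem to both arch and opensuse but still links only the Arch Linux report, so the openSUSE exclusion has no tracker of its own and is likely to outlive the Arch fix. Add the openSUSE bug reference to the comment once one is filed, or state in the comment that none exists yet.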
From 3efcf8c8859d698dbd32264fa2d0728496786c87 Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Fri, 28 Sep 2018 18:19:58 +0200
Subject: [PATCH 04/10] tests: update tests for CentOS 7
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
tests/main/appstream-id/task.yaml | 4 ++--
tests/main/cgroup-freezer/task.yaml | 4 ++--
tests/main/classic-confinement/task.yaml | 22 ++++++++++--------
.../classic-ubuntu-core-transition/task.yaml | 10 ++++----
tests/main/confinement-classic/task.yaml | 23 +++++++++++--------
tests/main/create-key/task.yaml | 2 +-
tests/main/create-user/task.yaml | 2 +-
tests/main/debs-have-built-using/task.yaml | 2 +-
.../main/document-portal-activation/task.yaml | 2 +-
tests/main/interfaces-alsa/task.yaml | 2 +-
tests/main/interfaces-avahi-observe/task.yaml | 2 +-
.../interfaces-calendar-service/task.yaml | 2 +-
.../interfaces-contacts-service/task.yaml | 2 +-
tests/main/interfaces-cups-control/task.yaml | 2 +-
.../task.yaml | 2 +-
.../task.yaml | 2 +-
.../task.yaml | 2 +-
.../main/interfaces-locale-control/task.yaml | 2 +-
tests/main/interfaces-network/task.yaml | 2 +-
.../interfaces-openvswitch-support/task.yaml | 2 +-
.../main/interfaces-upower-observe/task.yaml | 2 +-
tests/main/manpages/task.yaml | 2 +-
tests/main/nfs-support/task.yaml | 2 +-
tests/main/prepare-image-grub/task.yaml | 2 +-
tests/main/refresh-hold/task.yaml | 2 +-
tests/main/refresh/task.yaml | 4 ++--
.../security-device-cgroups-classic/task.yaml | 2 +-
.../task.yaml | 2 +-
.../security-device-cgroups-strict/task.yaml | 2 +-
tests/main/security-setuid-root/task.yaml | 2 +-
tests/main/server-snap/task.yaml | 2 +-
tests/main/snap-confine-from-core/task.yaml | 2 +-
tests/main/snap-info/task.yaml | 2 +-
tests/main/snap-repair/task.yaml | 2 +-
tests/main/snap-sign/task.yaml | 2 +-
tests/main/snapd-reexec-snapd-snap/task.yaml | 2 +-
tests/main/snapd-reexec/task.yaml | 2 +-
tests/main/try/task.yaml | 2 +-
38 files changed, 70 insertions(+), 61 deletions(-)
diff --git a/tests/main/appstream-id/task.yaml b/tests/main/appstream-id/task.yaml
index f58fe3bd23..3bf7e46359 100644
--- a/tests/main/appstream-id/task.yaml
+++ b/tests/main/appstream-id/task.yaml
@@ -1,7 +1,7 @@
summary: Verify AppStream ID integration
-# fedora-*, amazon-*: uses nmap netcat by default (https://nmap.org/ncat/)
-systems: [-fedora-*, -amazon-*]
+# fedora-*, amazon-*, centos-*: use nmap netcat by default (https://nmap.org/ncat/)
+systems: [-fedora-*, -amazon-*, -centos-*]
prepare: |
snap install jq
diff --git a/tests/main/cgroup-freezer/task.yaml b/tests/main/cgroup-freezer/task.yaml
index 38ca0153f3..16cc9cb6ce 100644
--- a/tests/main/cgroup-freezer/task.yaml
+++ b/tests/main/cgroup-freezer/task.yaml
@@ -41,9 +41,9 @@ execute: |
# When the process terminates the control group is updated and the task no
# longer registers there.
kill "$pid1"
- wait -n || true # wait returns the exit code and we kill the process
+ wait "$pid1" || true # wait returns the exit code and we kill the process
MATCH -v "$pid1" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
kill "$pid2"
- wait -n || true # same as above
+ wait "$pid2" || true # same as above
MATCH -v "$pid2" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
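Review bot: `wait "$pid1" || true` and `wait "$pid2" || true` discard every non-zero status, including the 127 that bash returns when the pid is not a child of the current shell; in that case the wait returns immediately and the following `MATCH -v` check can race with the process exiting. The assignments of pid1 and pid2 are outside the hunk, so confirm both come from `$!` in this shell. It would also help to record why `wait -n` was dropped, e.g. `# wait -n needs bash 4.3+, which CentOS 7 presumably lacks`.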
diff --git a/tests/main/classic-confinement/task.yaml b/tests/main/classic-confinement/task.yaml
index 7392135f8a..46c42885ac 100644
--- a/tests/main/classic-confinement/task.yaml
+++ b/tests/main/classic-confinement/task.yaml
@@ -13,17 +13,21 @@ prepare: |
. "$TESTSLIB"/dirs.sh
snap pack "$TESTSLIB/snaps/$CLASSIC_SNAP/"
- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then
- # although classic snaps do not work out of the box on fedora,
- # we still want to verify if the basics do work if the user
- # symlinks /snap to $SNAP_MOUNT_DIR themselves
- ln -sf $SNAP_MOUNT_DIR /snap
- fi
+ case "$SPREAD_SYSTEM" in
+ fedora-*|arch-*|centos-*)
+ # although classic snaps do not work out of the box on fedora,
+ # we still want to verify if the basics do work if the user
+ # symlinks /snap to $SNAP_MOUNT_DIR themselves
+ ln -sf $SNAP_MOUNT_DIR /snap
+ ;;
+ esac
restore: |
- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then
- rm -f /snap
- fi
+ case "$SPREAD_SYSTEM" in
+ fedora-*|arch-*|centos-*)
+ rm -f /snap
+ ;;
+ esac
execute: |
echo "Check that classic snaps work only with --classic"
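Review bot: In the new `case` in `prepare`, `ln -sf $SNAP_MOUNT_DIR /snap` expands the variable unquoted, so if dirs.sh ever leaves SNAP_MOUNT_DIR empty for a matched system the command becomes `ln -sf /snap` and silently creates a stray link in the working directory instead of failing. Quote it, `ln -sf "$SNAP_MOUNT_DIR" /snap`; the same line appears in the tests/main/confinement-classic/task.yaml hunk. The comment above it still names only fedora, although the branch now also covers arch and centos.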
diff --git a/tests/main/classic-ubuntu-core-transition/task.yaml b/tests/main/classic-ubuntu-core-transition/task.yaml
index b7cbcc3eb6..fb796ed216 100644
--- a/tests/main/classic-ubuntu-core-transition/task.yaml
+++ b/tests/main/classic-ubuntu-core-transition/task.yaml
@@ -1,10 +1,10 @@
summary: Ensure that the ubuntu-core -> core transition works
-# we never test on core because the transition can only happen on "classic"
-# we disable on ppc64el because the downloads are very slow there
-# Fedora, openSUSE and Arch are disabled at the moment as there is something
-# fishy going on and the snapd service gets terminated during the process.
-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386, -arch-*, -amazon-*]
+# we never test on core because the transition can only happen on "classic" we
+# disable on ppc64el because the downloads are very slow there Fedora, openSUSE,
+# Arch, CentOS are disabled at the moment as there is something fishy going on
+# and the snapd service gets terminated during the process.
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386, -arch-*, -amazon-*, -centos-*]
# autopkgtest run only a subset of tests that deals with the integration
# with the distro
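Review bot: The re-wrapped comment above `systems:` runs three separate reasons together with no punctuation (`... on "classic" we disable on ppc64el ... very slow there Fedora, openSUSE, ...`), which makes it hard to tell which exclusion each reason explains. Keep one sentence per reason, each ending in a full stop or starting on its own comment line, as the removed version did. The list also excludes `-ubuntu-*-i386` and `-amazon-*`, which the comment does not explain.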
diff --git a/tests/main/confinement-classic/task.yaml b/tests/main/confinement-classic/task.yaml
index a5a1bf8abd..8f7395cce1 100644
--- a/tests/main/confinement-classic/task.yaml
+++ b/tests/main/confinement-classic/task.yaml
@@ -11,17 +11,22 @@ details: |
prepare: |
#shellcheck source=tests/lib/dirs.sh
. "$TESTSLIB"/dirs.sh
- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then
- # although classic snaps do not work out of the box on fedora,
- # we still want to verify if the basics do work if the user
- # symlinks /snap to $SNAP_MOUNT_DIR themselves
- ln -sf $SNAP_MOUNT_DIR /snap
- fi
+ case "$SPREAD_SYSTEM" in
+ fedora-*|arch-*|centos-*)
+ # although classic snaps do not work out of the box on fedora,
+ # we still want to verify if the basics do work if the user
+ # symlinks /snap to $SNAP_MOUNT_DIR themselves
+ ln -sf $SNAP_MOUNT_DIR /snap
+ ;;
+ esac
+
restore: |
- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then
- rm -f /snap
- fi
+ case "$SPREAD_SYSTEM" in
+ fedora-*|arch-*|centos-*)
+ rm -f /snap
+ ;;
+ esac
execute: |
#shellcheck source=tests/lib/dirs.sh
diff --git a/tests/main/create-key/task.yaml b/tests/main/create-key/task.yaml
index e344df0234..7426e6630c 100644
--- a/tests/main/create-key/task.yaml
+++ b/tests/main/create-key/task.yaml
@@ -2,7 +2,7 @@ summary: Checks for snap create-key
# ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
# amazon: requires extra gpg-agent setup
-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -amazon-*]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -amazon-*, -centos-*]
prepare: |
#shellcheck source=tests/lib/mkpinentry.sh
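Review bot: `-centos-*` is added to `systems:` while the comment above still gives a reason only for amazon (`# amazon: requires extra gpg-agent setup`), so a reader cannot tell whether CentOS was checked or excluded by analogy. Extend the comment, e.g. `# amazon, centos: requires extra gpg-agent setup`, if that is indeed the cause. The same stale-reason pattern is in the create-user, document-portal-activation, interfaces-alsa, interfaces-calendar-service, interfaces-contacts-service, interfaces-hardware-random-control, interfaces-hardware-random-observe, interfaces-network, interfaces-openvswitch-support and refresh-hold hunks of this patch.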
diff --git a/tests/main/create-user/task.yaml b/tests/main/create-user/task.yaml
index 3272673bf5..c8cae5f0bd 100644
--- a/tests/main/create-user/task.yaml
+++ b/tests/main/create-user/task.yaml
@@ -2,7 +2,7 @@ summary: Ensure create-user functionality
# Disabled for Fedora, openSUSE, Arch, AMZN2 as none have all options for add user
# the `snap create-user` command requires. Needs code rework.
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
environment:
USER_EMAIL: mvo@ubuntu.com
diff --git a/tests/main/debs-have-built-using/task.yaml b/tests/main/debs-have-built-using/task.yaml
index 09439bdb1e..0abcd1af16 100644
--- a/tests/main/debs-have-built-using/task.yaml
+++ b/tests/main/debs-have-built-using/task.yaml
@@ -1,6 +1,6 @@
summary: Ensure that our debs have the "built-using" header
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
execute: |
out=$(dpkg -I "$GOHOME"/snapd_*.deb)
diff --git a/tests/main/document-portal-activation/task.yaml b/tests/main/document-portal-activation/task.yaml
index 4e3ac51a72..0b6ef2f81f 100644
--- a/tests/main/document-portal-activation/task.yaml
+++ b/tests/main/document-portal-activation/task.yaml
@@ -17,7 +17,7 @@ description: |
# Disabled on Ubuntu Core because it doesn't provide the "desktop"
# slot, and Amazon Linux because it doesn't have the required Python 3
# packages to run the test.
-systems: [ "-ubuntu-core-*", "-amazon-linux-2-*" ]
+systems: [ -ubuntu-core-*, -amazon-linux-2-*, -centos-* ]
environment:
XDG_RUNTIME_DIR: /run/user/$(id -u)
diff --git a/tests/main/interfaces-alsa/task.yaml b/tests/main/interfaces-alsa/task.yaml
index 59bfa67c99..d13e1f3d4a 100644
--- a/tests/main/interfaces-alsa/task.yaml
+++ b/tests/main/interfaces-alsa/task.yaml
@@ -1,7 +1,7 @@
summary: Ensure that the alsa interface works.
# Spread system for Fedora, openSUSE and AMZN2 don't seem to provide any /dev/snd entries
-systems: [-fedora-*, -opensuse-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*]
details: |
The alsa interface allows connected plugs to access raw ALSA devices.
diff --git a/tests/main/interfaces-avahi-observe/task.yaml b/tests/main/interfaces-avahi-observe/task.yaml
index 3b48513879..39f20de67c 100644
--- a/tests/main/interfaces-avahi-observe/task.yaml
+++ b/tests/main/interfaces-avahi-observe/task.yaml
@@ -1,6 +1,6 @@
summary: check that avahi-observe interface works
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
echo "Given a snap with an avahi-observe interface plug is installed"
diff --git a/tests/main/interfaces-calendar-service/task.yaml b/tests/main/interfaces-calendar-service/task.yaml
index f8d2f49379..4b7172f08a 100644
--- a/tests/main/interfaces-calendar-service/task.yaml
+++ b/tests/main/interfaces-calendar-service/task.yaml
@@ -2,7 +2,7 @@ summary: Ensure that the calendar-service interface works
# Only test on classic systems. Don't test on Ubuntu 14.04, which
# does not ship a new enough evolution-data-server. Don't test on AMZN2.
-systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*]
+systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*]
# fails in the autopkgtest env with:
# [Wed Aug 15 16:34:12 2018] audit: type=1400
diff --git a/tests/main/interfaces-contacts-service/task.yaml b/tests/main/interfaces-contacts-service/task.yaml
index c5627a6be5..d42f535d71 100644
--- a/tests/main/interfaces-contacts-service/task.yaml
+++ b/tests/main/interfaces-contacts-service/task.yaml
@@ -3,7 +3,7 @@ summary: Ensure that the contacts-service interface works
# Only test on classic systems. Don't test on Ubuntu 14.04, which
# does not ship a new enough evolution-data-server.
# amazon: no need to run this on amazon
-systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*]
+systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*]
# fails in autopkgtest environment with:
# [Wed Aug 15 16:08:23 2018] audit: type=1400
diff --git a/tests/main/interfaces-cups-control/task.yaml b/tests/main/interfaces-cups-control/task.yaml
index d89387178c..b00be1654f 100644
--- a/tests/main/interfaces-cups-control/task.yaml
+++ b/tests/main/interfaces-cups-control/task.yaml
@@ -15,7 +15,7 @@ details: |
# Default cups/cups-pdf configuration on these distributions isn't
# working yet without further tweaks.
-systems: [-ubuntu-core-*, -opensuse-*, -fedora-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -opensuse-*, -fedora-*, -arch-*, -amazon-*, -centos-*]
environment:
TEST_FILE: /var/snap/test-snapd-cups-control-consumer/current/test_file.txt
diff --git a/tests/main/interfaces-hardware-random-control/task.yaml b/tests/main/interfaces-hardware-random-control/task.yaml
index eed5b46690..07fbd321cd 100644
--- a/tests/main/interfaces-hardware-random-control/task.yaml
+++ b/tests/main/interfaces-hardware-random-control/task.yaml
@@ -12,7 +12,7 @@ summary: |
# Execution skipped on debian, arch and amazon due to device /dev/hwrng not
# created by default
-systems: [-debian-*, -arch-*, -amazon-*]
+systems: [-debian-*, -arch-*, -amazon-*, -centos-*]
prepare: |
#shellcheck source=tests/lib/snaps.sh
diff --git a/tests/main/interfaces-hardware-random-observe/task.yaml b/tests/main/interfaces-hardware-random-observe/task.yaml
index 240f012f74..48e2b2a493 100644
--- a/tests/main/interfaces-hardware-random-observe/task.yaml
+++ b/tests/main/interfaces-hardware-random-observe/task.yaml
@@ -12,7 +12,7 @@ summary: |
# Execution skipped on debian, arch and amazon due to device /dev/hwrng not
# created by default
-systems: [-debian-*, -arch-*, -amazon-*]
+systems: [-debian-*, -arch-*, -amazon-*, -centos-*]
prepare: |
#shellcheck source=tests/lib/snaps.sh
diff --git a/tests/main/interfaces-kernel-module-control/task.yaml b/tests/main/interfaces-kernel-module-control/task.yaml
index d25bcbd89b..184ab516bd 100644
--- a/tests/main/interfaces-kernel-module-control/task.yaml
+++ b/tests/main/interfaces-kernel-module-control/task.yaml
@@ -1,7 +1,7 @@
summary: Ensure that the kernel-module-control interface works.
# the s390x kernel has no minix module
-systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x, -arch-*, -amazon-*, -centos-*]
environment:
MODULE: minix
diff --git a/tests/main/interfaces-locale-control/task.yaml b/tests/main/interfaces-locale-control/task.yaml
index b3b77281aa..36105d5052 100644
--- a/tests/main/interfaces-locale-control/task.yaml
+++ b/tests/main/interfaces-locale-control/task.yaml
@@ -1,6 +1,6 @@
summary: Ensure that the locale-control interface works.
-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
summary: |
The locale-control interface allows a snap to access the locale configuration.
diff --git a/tests/main/interfaces-network/task.yaml b/tests/main/interfaces-network/task.yaml
index 47d0d12f95..ddd8fae416 100644
--- a/tests/main/interfaces-network/task.yaml
+++ b/tests/main/interfaces-network/task.yaml
@@ -10,7 +10,7 @@ details: |
A snap declaring a plug on this interface must be able to access network services.
# amazon: uses nmap-netcat
-systems: [-fedora-*, -opensuse-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*]
environment:
SNAP_NAME: network-consumer
diff --git a/tests/main/interfaces-openvswitch-support/task.yaml b/tests/main/interfaces-openvswitch-support/task.yaml
index f937129810..7e834586de 100644
--- a/tests/main/interfaces-openvswitch-support/task.yaml
+++ b/tests/main/interfaces-openvswitch-support/task.yaml
@@ -6,7 +6,7 @@ details: |
# ubuntu-core, ubuntu-14, fedora, amazon are skipped as /run/uuidd/request file does not
# exist. On those systems different files are being used instead.
# arch, opensuse: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122
-systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*]
+systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*, -centos-*]
prepare: |
snap install test-snapd-openvswitch-support
diff --git a/tests/main/interfaces-upower-observe/task.yaml b/tests/main/interfaces-upower-observe/task.yaml
index ce314b6600..1f601302cd 100644
--- a/tests/main/interfaces-upower-observe/task.yaml
+++ b/tests/main/interfaces-upower-observe/task.yaml
@@ -11,7 +11,7 @@ details: |
it without error while the plug is connected.
# ppc64el disabled because of https://github.com/snapcore/snapd/issues/2504
-systems: [-ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
echo "Given a snap declaring a plug on the upower-observe interface is installed"
diff --git a/tests/main/manpages/task.yaml b/tests/main/manpages/task.yaml
index a5251def14..fba8acffac 100644
--- a/tests/main/manpages/task.yaml
+++ b/tests/main/manpages/task.yaml
@@ -12,7 +12,7 @@ execute: |
# This issue happens with any package, not just with snap related ones
# The command "man snap" works well in this case (man 2.6.6)
case "$SPREAD_SYSTEM" in
- opensuse-*|arch-*|amazon-*)
+ opensuse-*|arch-*|amazon-*|centos-*)
for manpage in snap snap-confine snap-discard-ns; do
if ! LC_ALL=C man -u --where $manpage; then
echo "Expected to see manual page path for $manpage"
diff --git a/tests/main/nfs-support/task.yaml b/tests/main/nfs-support/task.yaml
index a0935a5172..bd3a2bedcc 100644
--- a/tests/main/nfs-support/task.yaml
+++ b/tests/main/nfs-support/task.yaml
@@ -74,7 +74,7 @@ execute: |
systemctl enable nfsserver.service
systemctl start nfsserver.service
;;
- amazon-*)
+ amazon-*|centos-*)
systemctl enable nfs
systemctl restart nfs
;;
diff --git a/tests/main/prepare-image-grub/task.yaml b/tests/main/prepare-image-grub/task.yaml
index 88339ae46c..867fdc843a 100644
--- a/tests/main/prepare-image-grub/task.yaml
+++ b/tests/main/prepare-image-grub/task.yaml
@@ -1,6 +1,6 @@
summary: Check that prepare-image works for grub-systems
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
backends: [-autopkgtest]
diff --git a/tests/main/refresh-hold/task.yaml b/tests/main/refresh-hold/task.yaml
index 664573dd5a..15ea0b13fc 100644
--- a/tests/main/refresh-hold/task.yaml
+++ b/tests/main/refresh-hold/task.yaml
@@ -10,7 +10,7 @@ summary: Check that the refresh hold works
# - fixed version: 2018-07-27T08:05:00+00:00
# ubuntu-14.04 and amazon are shipped with buggy date
-systems: [-ubuntu-14.04-*, -amazon-*]
+systems: [-ubuntu-14.04-*, -amazon-*, -centos-*]
execute: |
echo "Ensure snap set core refresh.hold works"
diff --git a/tests/main/refresh/task.yaml b/tests/main/refresh/task.yaml
index 406b9475cc..df662dd843 100644
--- a/tests/main/refresh/task.yaml
+++ b/tests/main/refresh/task.yaml
@@ -34,7 +34,7 @@ prepare: |
flags=
if [[ "$SNAP_NAME" =~ classic ]]; then
case "$SPREAD_SYSTEM" in
- ubuntu-core-*|fedora-*|arch-*)
+ ubuntu-core-*|fedora-*|arch-*|centos-*)
exit
;;
esac
@@ -89,7 +89,7 @@ execute: |
if [[ "$SNAP_NAME" =~ classic ]]; then
case "$SPREAD_SYSTEM" in
- ubuntu-core-*|fedora-*|arch-*)
+ ubuntu-core-*|fedora-*|arch-*|centos-*)
exit
;;
esac
diff --git a/tests/main/security-device-cgroups-classic/task.yaml b/tests/main/security-device-cgroups-classic/task.yaml
index 872fafc781..5444117cc5 100644
--- a/tests/main/security-device-cgroups-classic/task.yaml
+++ b/tests/main/security-device-cgroups-classic/task.yaml
@@ -7,7 +7,7 @@ details: |
# Disabled on Fedora, Ubuntu Core and Arch because they don't support classic
# confinement.
-systems: [-fedora-*, -ubuntu-core-*, -arch-*]
+systems: [-fedora-*, -ubuntu-core-*, -arch-*, -amazon-*, -centos-*]
prepare: |
# Create framebuffer device node and give it some content we can verify
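Review bot: `-amazon-*` and `-centos-*` are added to `systems:` under a comment that justifies the exclusion only for Fedora, Ubuntu Core and Arch, and the patch subject mentions only CentOS 7, not Amazon. Because this is a security test, the reason for each skipped system should be explicit, e.g. `# Disabled on Fedora, Ubuntu Core, Arch, Amazon Linux 2 and CentOS because they don't support classic confinement.`, if that holds. The security-device-cgroups-jailmode, security-device-cgroups-strict and security-setuid-root hunks extend their lists the same way without updating or adding a reason, which leaves the device-cgroup and setuid-root checks with no coverage on CentOS and no recorded follow-up.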
diff --git a/tests/main/security-device-cgroups-jailmode/task.yaml b/tests/main/security-device-cgroups-jailmode/task.yaml
index 9604f46715..e4842ffd7c 100644
--- a/tests/main/security-device-cgroups-jailmode/task.yaml
+++ b/tests/main/security-device-cgroups-jailmode/task.yaml
@@ -6,7 +6,7 @@ details: |
still accessible (ie, the cgroup is not in effect).
# None of those systems support strict confinement which is required to formally enable jailmode.
-systems: [-fedora-*, -opensuse-*, -debian-*, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -debian-*, -arch-*, -amazon-*, -centos-*]
prepare: |
# Create framebuffer device node and give it some content we can verify
diff --git a/tests/main/security-device-cgroups-strict/task.yaml b/tests/main/security-device-cgroups-strict/task.yaml
index 912413ec0c..c891fe069d 100644
--- a/tests/main/security-device-cgroups-strict/task.yaml
+++ b/tests/main/security-device-cgroups-strict/task.yaml
@@ -5,7 +5,7 @@ details: |
sure that other devices not included in the snap's plugged interfaces are
still accessible (ie, the cgroup is not in effect).
-systems: [-fedora-*, -opensuse-*,-debian-*, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*,-debian-*, -arch-*, -amazon-*, -centos-*]
prepare: |
# Create framebuffer device node and give it some content we can verify
diff --git a/tests/main/security-setuid-root/task.yaml b/tests/main/security-setuid-root/task.yaml
index 8b747101bb..3ad4ec6ad4 100644
--- a/tests/main/security-setuid-root/task.yaml
+++ b/tests/main/security-setuid-root/task.yaml
@@ -7,7 +7,7 @@ details: |
it should detect and refuse to run if invoked from the core snap.
# No confinement (AppArmor, Seccomp) available on these systems
-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
#shellcheck source=tests/lib/snaps.sh
diff --git a/tests/main/server-snap/task.yaml b/tests/main/server-snap/task.yaml
index c85e58ac1c..03974042da 100644
--- a/tests/main/server-snap/task.yaml
+++ b/tests/main/server-snap/task.yaml
@@ -1,7 +1,7 @@
summary: Check snap web servers
# arch: there is no ip6-localhost
-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
environment:
SNAP_NAME/pythonServer: test-snapd-python-webserver
diff --git a/tests/main/snap-confine-from-core/task.yaml b/tests/main/snap-confine-from-core/task.yaml
index fc5de25a51..2b27ae2304 100644
--- a/tests/main/snap-confine-from-core/task.yaml
+++ b/tests/main/snap-confine-from-core/task.yaml
@@ -1,7 +1,7 @@
summary: Test that snap-confine is run from core on re-exec
# Disable for Fedora, openSUSE, Arch and Amazon Linux 2 as re-exec is not support there yet
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
echo "Installing test-snapd-tools"
diff --git a/tests/main/snap-info/task.yaml b/tests/main/snap-info/task.yaml
index 8b1062cdf2..3f3fdd0141 100644
--- a/tests/main/snap-info/task.yaml
+++ b/tests/main/snap-info/task.yaml
@@ -2,7 +2,7 @@ summary: Check that snap info works
# core18 has no python3-yaml
# amazon: no PyYAML is not packaged for python3
-systems: [-ubuntu-core-18-*, -amazon-*]
+systems: [-ubuntu-core-18-*, -amazon-*, -centos-*]
prepare: |
snap pack "$TESTSLIB"/snaps/basic
diff --git a/tests/main/snap-repair/task.yaml b/tests/main/snap-repair/task.yaml
index d5967318c1..cc090bb727 100644
--- a/tests/main/snap-repair/task.yaml
+++ b/tests/main/snap-repair/task.yaml
@@ -1,6 +1,6 @@
summary: Ensure that snap-repair is available
-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
execute: |
#shellcheck source=tests/lib/dirs.sh
diff --git a/tests/main/snap-sign/task.yaml b/tests/main/snap-sign/task.yaml
index 6939ebd49e..d2caaa94af 100644
--- a/tests/main/snap-sign/task.yaml
+++ b/tests/main/snap-sign/task.yaml
@@ -2,7 +2,7 @@ summary: Run snap sign to sign a model assertion
# ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
# amazon: requires extra gpg-agent setup
-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -amazon-*]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -amazon-*, -centos-*]
prepare: |
#shellcheck source=tests/lib/mkpinentry.sh
diff --git a/tests/main/snapd-reexec-snapd-snap/task.yaml b/tests/main/snapd-reexec-snapd-snap/task.yaml
index 3db1949255..19f956f07d 100644
--- a/tests/main/snapd-reexec-snapd-snap/task.yaml
+++ b/tests/main/snapd-reexec-snapd-snap/task.yaml
@@ -1,7 +1,7 @@
summary: Test that snapd reexecs itself into the snapd snap
# Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
restore: |
umount /snap/snapd/current/usr/lib/snapd/info || true
diff --git a/tests/main/snapd-reexec/task.yaml b/tests/main/snapd-reexec/task.yaml
index 1b67a672af..a7c5ce491f 100644
--- a/tests/main/snapd-reexec/task.yaml
+++ b/tests/main/snapd-reexec/task.yaml
@@ -1,7 +1,7 @@
summary: Test that snapd reexecs itself into core
# Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
restore: |
#shellcheck source=tests/lib/dirs.sh
diff --git a/tests/main/try/task.yaml b/tests/main/try/task.yaml
index 398e1e3594..265a86267c 100644
--- a/tests/main/try/task.yaml
+++ b/tests/main/try/task.yaml
@@ -1,7 +1,7 @@
summary: Check that try command works
# s390x does not have /dev/kmsg
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x, -centos-*]
environment:
PORT: 8081
From 5e4d96ef3ab1bdc2bd4e1b54014ffea092155ad6 Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon, 19 Nov 2018 11:29:24 +0100
Subject: [PATCH 05/10] data/sysctl: snap specific kernel tweaks, enable mount
detach for RHEL 7.4+
Enable lazily unmounting mounts in other namespaces that have not received the
propagated unmount when a mount point directory is removed.
See:
RHBZ#1247935
https://access.redhat.com/articles/3128691
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
data/sysctl/99-snap.conf | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 data/sysctl/99-snap.conf
diff --git a/data/sysctl/99-snap.conf b/data/sysctl/99-snap.conf
new file mode 100644
index 0000000000..588661621c
--- /dev/null
+++ b/data/sysctl/99-snap.conf
@@ -0,0 +1,4 @@
+# RHEL 7.4+ specific:
+# Unexpected "Device or resource busy" error when removing a directory
+# see https://access.redhat.com/articles/3128691 for details
+fs.may_detach_mounts=1
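Review bot: The header comment names the symptom but not what the knob changes, and the `99-snap.conf` name can read as if the effect were limited to snaps. Going by the commit message, I would add a line such as `# Lets a mount point directory be removed while still mounted in another namespace; that mount is lazily detached`. It is also worth stating in the file that the sysctl applies kernel-wide, so an administrator auditing `/etc/sysctl.d` knows what the package changed.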
From e25654f501d60a0c72d3d63a591ebd295348d391 Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon, 19 Nov 2018 11:38:04 +0100
Subject: [PATCH 06/10] packaging: install RHEL 7 specific kernel tweaks
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
packaging/fedora/snapd.spec | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index 6766a97df6..f5da422a0f 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -592,12 +592,18 @@ pushd ./data
SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/99-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
+%endif
# Remove snappy core specific units
rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
# Remove snappy core specific scripts
rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
@@ -727,6 +733,9 @@ popd
%if %{with snap_symlink}
/snap
%endif
+%if 0%{?rhel} == 7
+%{_sysconfdir}/sysctl.d/99-snap.conf
+%endif
%files -n snap-confine
%doc cmd/snap-confine/PORTING
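Review bot: `%{_sysconfdir}/sysctl.d/99-snap.conf` is listed as a plain file under /etc, so a local edit to it would be overwritten on package upgrade. Either mark it `%config(noreplace) %{_sysconfdir}/sysctl.d/99-snap.conf`, or ship the package default in the vendor sysctl.d directory under /usr/lib and leave /etc for administrator overrides. In the second case the `install` line in the first hunk of this file would change to match. The `%files` section starts outside this hunk.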
@@ -768,6 +777,9 @@ popd
%endif
%post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
%systemd_post %{snappy_svcs}
# If install, test if snapd socket and timer are enabled.
# If enabled, then attempt to start them. This will silently fail
From f587302efcf55ecda24fdf0b6c593a276737e9ca Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Tue, 20 Nov 2018 07:54:51 +0100
Subject: [PATCH 07/10] data/sysctl: use distro specific name for RHEL7 kernel
tweaks
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
data/sysctl/{99-snap.conf => rhel7-snap.conf} | 0
packaging/fedora/snapd.spec | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename data/sysctl/{99-snap.conf => rhel7-snap.conf} (100%)
diff --git a/data/sysctl/99-snap.conf b/data/sysctl/rhel7-snap.conf
similarity index 100%
rename from data/sysctl/99-snap.conf
rename to data/sysctl/rhel7-snap.conf
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index f5da422a0f..c556138b3c 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -597,7 +597,7 @@ popd
%if 0%{?rhel} == 7
# Install kernel tweaks
# See: https://access.redhat.com/articles/3128691
-install -m 644 -D data/sysctl/99-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
%endif
# Remove snappy core specific units
From 1fd66d77dda4041f21475a853b02821078dbfe84 Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Tue, 20 Nov 2018 08:44:41 +0100
Subject: [PATCH 08/10] tests: more test tweaks for CentOS
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
tests/regression/lp-1595444/task.yaml | 4 ++--
tests/regression/lp-1599891/task.yaml | 2 +-
tests/regression/lp-1618683/task.yaml | 14 ++++++++++++++
tests/regression/lp-1641885/task.yaml | 2 +-
tests/upgrade/basic/task.yaml | 4 ++--
5 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/tests/regression/lp-1595444/task.yaml b/tests/regression/lp-1595444/task.yaml
index 83330fbf74..004491f4a0 100644
--- a/tests/regression/lp-1595444/task.yaml
+++ b/tests/regression/lp-1595444/task.yaml
@@ -5,8 +5,8 @@ details: |
a directory that doesn't exist in the execution environment (chroot).
#ubuntu-core: this test only applies to classic systems
-#debian, fedora, opensuse, arch, amazon-linux-2: just available for systems with confinement (AppArmor, Seccomp)
-systems: [-ubuntu-core-*, -debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+#debian, fedora, opensuse, arch, amazon-linux-2, centos: just available for systems with confinement (AppArmor, Seccomp)
+systems: [-ubuntu-core-*, -debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
prepare: |
echo "Having installed the test snap"
diff --git a/tests/regression/lp-1599891/task.yaml b/tests/regression/lp-1599891/task.yaml
index d33545b1a9..3ab2f2264b 100644
--- a/tests/regression/lp-1599891/task.yaml
+++ b/tests/regression/lp-1599891/task.yaml
@@ -1,7 +1,7 @@
summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1599891
# No confinement (AppArmor, Seccomp) available on these systems
-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
execute: |
snap_confine=/usr/lib/snapd/snap-confine
diff --git a/tests/regression/lp-1618683/task.yaml b/tests/regression/lp-1618683/task.yaml
index e92d49eed3..63931b13a4 100644
--- a/tests/regression/lp-1618683/task.yaml
+++ b/tests/regression/lp-1618683/task.yaml
@@ -12,6 +12,20 @@ prepare: |
. "$TESTSLIB/snaps.sh"
install_local_devmode test-snapd-tools
+ if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
+ # RHEL/Centos 7.4+ set this to 0 by default
+ # see: https://access.redhat.com/solutions/3188102
+ cat /proc/sys/user/max_user_namespaces > old_max_user_ns
+ echo 1500 > /proc/sys/user/max_user_namespaces
+ fi
+
+restore: |
+ if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
+ # RHEL/Centos 7.4+ set this to 0 by default
+ cat old_max_user_ns > /proc/sys/user/max_user_namespaces
+ rm -f old_max_user_ns
+ fi
+
execute: |
echo "We can run unshare -U as a regular user and expect it to work"
test-snapd-tools.cmd unshare -U true
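Review bot: The `restore:` block reads `old_max_user_ns` unconditionally on CentOS, but `prepare:` creates that file only after `install_local_devmode test-snapd-tools`. If the install step fails, restore then fails on the missing file, assuming spread runs restore after a failed prepare. I would guard it with `if [[ "$SPREAD_SYSTEM" == centos-* ]] && [ -f old_max_user_ns ]; then`, or save the old value before installing the snap. The `prepare:` block starts outside the hunk.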
diff --git a/tests/regression/lp-1641885/task.yaml b/tests/regression/lp-1641885/task.yaml
index d8e38dff40..da6591b6e0 100644
--- a/tests/regression/lp-1641885/task.yaml
+++ b/tests/regression/lp-1641885/task.yaml
@@ -1,7 +1,7 @@
summary: snaps installed with --jailmode are not in devmode
# No confinement (AppArmor, Seccomp) available on these systems
-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
details: |
Users found that a snap that uses "confinement: devmode", even when
diff --git a/tests/upgrade/basic/task.yaml b/tests/upgrade/basic/task.yaml
index 959539a556..38c3fdd99c 100644
--- a/tests/upgrade/basic/task.yaml
+++ b/tests/upgrade/basic/task.yaml
@@ -1,8 +1,8 @@
summary: Check that upgrade works
# arch: there is no snapd in arch repos
-# amazon: same for amazon linux
-systems: [-debian-sid-*, -arch-*, -amazon-*]
+# amazon, centos: enable when snapd hits EPEL
+systems: [-debian-sid-*, -arch-*, -amazon-*, -centos-*]
restore: |
if [ "$REMOTE_STORE" = staging ]; then
From 54ffb070bf4809c4aa58515a39f4ca70578c13bb Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon, 19 Nov 2018 16:08:47 +0100
Subject: [PATCH 09/10] sanity: extend the kernel version check to cover
CentOS/RHEL kernels
Extend the check to cover kernel versions in CentOS/RHEL 7.x. Probe for a known
sysctl that needs to be enabled.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
sanity/version.go | 64 +++++++++++++++++++++---
sanity/version_test.go | 107 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 163 insertions(+), 8 deletions(-)
diff --git a/sanity/version.go b/sanity/version.go
index 35533dd044..b889d72e4b 100644
--- a/sanity/version.go
+++ b/sanity/version.go
@@ -20,9 +20,13 @@
package sanity
import (
+ "bytes"
"fmt"
+ "io/ioutil"
+ "path/filepath"
"strings"
+ "github.com/snapcore/snapd/dirs"
"github.com/snapcore/snapd/logger"
"github.com/snapcore/snapd/osutil"
"github.com/snapcore/snapd/release"
@@ -33,21 +37,65 @@ func init() {
checks = append(checks, checkKernelVersion)
}
+// supportsMayDetachMounts checks whether a RHEL 7.4+ specific kernel knob is present
+// and set to proper value
+func supportsMayDetachMounts(kver string) error {
+ p := filepath.Join(dirs.GlobalRootDir, "/proc/sys/fs/may_detach_mounts")
+ value, err := ioutil.ReadFile(p)
+ if err != nil {
+ return fmt.Errorf("cannot read fs.may_detach_mounts state: %v", err)
+ }
+ if !bytes.Equal(value, []byte("1\n")) {
+ return fmt.Errorf("fs.may_detach_mounts is present but disabled")
+ }
+ return nil
+}
+
// checkKernelVersion looks for some unsupported configurations that users may
// encounter and provides advice on how to resolve them.
func checkKernelVersion() error {
- if release.OnClassic && release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04" {
- kver := osutil.KernelVersion()
- // a kernel version looks like this: "4.4.0-112-generic" and
- // we are only interested in the bits before the "-"
- kver = strings.SplitN(kver, "-", 2)[0]
- cmp, err := strutil.VersionCompare(kver, "3.13.0")
+ if !release.OnClassic {
+ return nil
+ }
+
+ switch release.ReleaseInfo.ID {
+ case "ubuntu":
+ if release.ReleaseInfo.VersionID == "14.04" {
+ kver := osutil.KernelVersion()
+ // a kernel version looks like this: "4.4.0-112-generic" and
+ // we are only interested in the bits before the "-"
+ kver = strings.SplitN(kver, "-", 2)[0]
+ cmp, err := strutil.VersionCompare(kver, "3.13.0")
+ if err != nil {
+ logger.Noticef("cannot check kernel: %v", err)
+ return nil
+ }
+ if cmp <= 0 {
+ return fmt.Errorf("you need to reboot into a 4.4 kernel to start using snapd")
+ }
+ }
+ case "rhel", "centos":
+ // check for kernel tweaks on RHEL/CentOS 7.5+
+ // CentoS 7.5 has VERSION_ID="7", RHEL 7.6 has VERSION_ID="7.6"
+ if release.ReleaseInfo.VersionID == "" || release.ReleaseInfo.VersionID[0] != '7' {
+ return nil
+ }
+ fullKver := osutil.KernelVersion()
+ // kernel version looks like this: "3.10.0-957.el7.x86_64"
+ kver := strings.SplitN(fullKver, "-", 2)[0]
+ cmp, err := strutil.VersionCompare(kver, "3.18.0")
if err != nil {
logger.Noticef("cannot check kernel: %v", err)
return nil
}
- if cmp <= 0 {
- return fmt.Errorf("you need to reboot into a 4.4 kernel to start using snapd")
+ if cmp < 0 {
+ // pre 3.18 kernels here
+ if idx := strings.Index(fullKver, ".el7."); idx == -1 {
+ // non stock kernel, assume it's not supported
+ return fmt.Errorf("unsupported kernel version %q, you need to switch to the stock kernel", fullKver)
+ }
+ // stock kernel had bugfixes backported to it
+ return supportsMayDetachMounts(kver)
}
}
return nil
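Review bot: The `kver` parameter of `supportsMayDetachMounts` is never read, and the `idx` bound in `if idx := strings.Index(fullKver, ".el7."); idx == -1 {` is only compared with -1. I would declare it `func supportsMayDetachMounts() error`, call it as `return supportsMayDetachMounts()`, and write the stock-kernel test as `if !strings.Contains(fullKver, ".el7.") {`. The exact match against `"1\n"` also rejects a value that differs only in trailing whitespace; comparing `bytes.TrimSpace(value)` with `[]byte("1")` would be more tolerant. The `rhel`/`centos` comment says 7.5+ while the commit series elsewhere says RHEL 7.4+, so one of the two should be corrected. The closing brace of `checkKernelVersion` lies outside the hunk.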
diff --git a/sanity/version_test.go b/sanity/version_test.go
index 3fc172dd58..8e3b50f5ef 100644
--- a/sanity/version_test.go
+++ b/sanity/version_test.go
@@ -20,8 +20,13 @@
package sanity_test
import (
+ "io/ioutil"
+ "os"
+ "path/filepath"
+
. "gopkg.in/check.v1"
+ "github.com/snapcore/snapd/dirs"
"github.com/snapcore/snapd/osutil"
"github.com/snapcore/snapd/release"
"github.com/snapcore/snapd/sanity"
@@ -58,3 +63,105 @@ func (s *sanitySuite) TestRebootedOnTrusty(c *C) {
err := sanity.CheckKernelVersion()
c.Assert(err, IsNil)
}
+
+func (s *sanitySuite) TestRHEL80OK(c *C) {
+ // Mock an Ubuntu 14.04 system running a 4.4.0 kernel
+ restore := release.MockOnClassic(true)
+ defer restore()
+ restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "8.0"})
+ defer restore()
+ // RHEL 8 beta
+ restore = osutil.MockKernelVersion("4.18.0-32.el8.x86_64")
+ defer restore()
+
+ // Check for the given advice.
+ err := sanity.CheckKernelVersion()
+ c.Assert(err, IsNil)
+}
+
+func (s *sanitySuite) TestRHEL7x(c *C) {
+ dir := c.MkDir()
+ dirs.SetRootDir(dir)
+ defer dirs.SetRootDir("/")
+ // mock RHEL 7.6
+ restore := release.MockOnClassic(true)
+ defer restore()
+ // VERSION="7.6 (Maipo)"
+ // ID="rhel"
+ // ID_LIKE="fedora"
+ // VERSION_ID="7.6"
+ restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "7.6"})
+ defer restore()
+ restore = osutil.MockKernelVersion("3.10.0-957.el7.x86_64")
+ defer restore()
+
+ // pretend the kernel knob is not there
+ err := sanity.CheckKernelVersion()
+ c.Assert(err, ErrorMatches, "cannot read fs.may_detach_mounts state: .*")
+
+ p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
+ err = os.MkdirAll(filepath.Dir(p), 0755)
+ c.Assert(err, IsNil)
+
+ // the knob is there, but disabled
+ err = ioutil.WriteFile(p, []byte("0\n"), 0644)
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
+
+ // actually enabled
+ err = ioutil.WriteFile(p, []byte("1\n"), 0644)
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, IsNil)
+
+ // custom kernel version, which is old and we have no knowledge about
+ restore = osutil.MockKernelVersion("3.10.0-1024.foo.x86_64")
+ defer restore()
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, ErrorMatches, `unsupported kernel version "3.10.0-1024.foo.x86_64", you need to switch to the stock kernel`)
+
+ // custom kernel version, but new enough
+ restore = osutil.MockKernelVersion("4.18.0-32.foo.x86_64")
+ defer restore()
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, IsNil)
+}
+
+func (s *sanitySuite) TestCentOS7x(c *C) {
+ dir := c.MkDir()
+ dirs.SetRootDir(dir)
+ defer dirs.SetRootDir("/")
+ // mock CentOS 7.5
+ restore := release.MockOnClassic(true)
+ defer restore()
+ // NAME="CentOS Linux"
+ // VERSION="7 (Core)"
+ // ID="centos"
+ // ID_LIKE="rhel fedora"
+ // VERSION_ID="7"
+ restore = release.MockReleaseInfo(&release.OS{ID: "centos", VersionID: "7"})
+ defer restore()
+ restore = osutil.MockKernelVersion("3.10.0-862.14.4.el7.x86_64")
+ defer restore()
+
+ p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
+ err := os.MkdirAll(filepath.Dir(p), 0755)
+ c.Assert(err, IsNil)
+
+ // the knob there, but disabled
+ err = ioutil.WriteFile(p, []byte("0\n"), 0644)
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
+
+ // actually enabled
+ err = ioutil.WriteFile(p, []byte("1\n"), 0644)
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+ c.Assert(err, IsNil)
+}
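Review bot: The first comment in `TestRHEL80OK` is copied from the Ubuntu tests and says `// Mock an Ubuntu 14.04 system running a 4.4.0 kernel`, while the body mocks `ID: "rhel", VersionID: "8.0"` with a 4.18.0 kernel. I would change it to `// Mock a RHEL 8.0 system running a 4.18.0 kernel` and replace `// Check for the given advice.` with `// No advice expected for a new enough kernel.`, since the assertion is `IsNil`. In `TestRHEL7x` a short comment on why `restore` is reassigned and deferred several times would help, because the deferred calls unwind in reverse order at function exit.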
From 88fdf6cca3cbe80a26cfa0a278935df5d3512b5e Mon Sep 17 00:00:00 2001
From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Tue, 20 Nov 2018 07:42:35 +0100
Subject: [PATCH 10/10] sanity: tweak error messages for fs.may_detach_mounts
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
---
sanity/version.go | 4 ++--
sanity/version_test.go | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sanity/version.go b/sanity/version.go
index b889d72e4b..76fd7e9e5b 100644
--- a/sanity/version.go
+++ b/sanity/version.go
@@ -43,10 +43,10 @@ func supportsMayDetachMounts(kver string) error {
p := filepath.Join(dirs.GlobalRootDir, "/proc/sys/fs/may_detach_mounts")
value, err := ioutil.ReadFile(p)
if err != nil {
- return fmt.Errorf("cannot read fs.may_detach_mounts state: %v", err)
+ return fmt.Errorf("cannot read the value of fs.may_detach_mounts kernel parameter: %v", err)
}
if !bytes.Equal(value, []byte("1\n")) {
- return fmt.Errorf("fs.may_detach_mounts is present but disabled")
+ return fmt.Errorf("fs.may_detach_mounts kernel parameter is supported but disabled")
}
return nil
}
diff --git a/sanity/version_test.go b/sanity/version_test.go
index 8e3b50f5ef..16a278ee5f 100644
--- a/sanity/version_test.go
+++ b/sanity/version_test.go
@@ -97,7 +97,7 @@ func (s *sanitySuite) TestRHEL7x(c *C) {
// pretend the kernel knob is not there
err := sanity.CheckKernelVersion()
- c.Assert(err, ErrorMatches, "cannot read fs.may_detach_mounts state: .*")
+ c.Assert(err, ErrorMatches, "cannot read the value of fs.may_detach_mounts kernel parameter: .*")
p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
err = os.MkdirAll(filepath.Dir(p), 0755)
@@ -108,7 +108,7 @@ func (s *sanitySuite) TestRHEL7x(c *C) {
c.Assert(err, IsNil)
err = sanity.CheckKernelVersion()
- c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
+ c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled")
// actually enabled
err = ioutil.WriteFile(p, []byte("1\n"), 0644)
@@ -156,7 +156,7 @@ func (s *sanitySuite) TestCentOS7x(c *C) {
c.Assert(err, IsNil)
err = sanity.CheckKernelVersion()
- c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
+ c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled")
// actually enabled
err = ioutil.WriteFile(p, []byte("1\n"), 0644)