diff --git a/PR6183-Add-CentOS-7-support.patch b/PR6183-Add-CentOS-7-support.patch
new file mode 100644
index 0000000..11a56f7
--- /dev/null
+++ b/PR6183-Add-CentOS-7-support.patch
@@ -0,0 +1,1484 @@
+From fbb8b327b493c90f940fd6edb25b8bf54f8c0bfb Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Fri, 28 Sep 2018 14:41:13 +0200
+Subject: [PATCH 01/10] packaging/{centos-7,fedora}: update common Fedora
+ packaging to support CentOS 7
+
+Add CentOS 7 to the shared Fedora RPM spec. Problems identified while building
+rpm:
+
+- outdated selinux-policy, this should be fixed in RHEL 7.6, see
+ https://bugzilla.redhat.com/show_bug.cgi?id=1574383
+
+- hardened build with static linking fails, (snap-exec and snap-update-ns),
+ expecting RHEL 7.6 to be affected, reported to CentOS
+ https://bugs.centos.org/view.php?id=15333
+
+Signed-off-by: Maciej Borzecki
+---
+ packaging/centos-7 | 1 +
+ packaging/fedora/snapd.spec | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 120000 packaging/centos-7
+
+diff --git a/packaging/centos-7 b/packaging/centos-7
+new file mode 120000
+index 0000000000..100fe0cd7b
+--- /dev/null
++++ b/packaging/centos-7
+@@ -0,0 +1 @@
++fedora
+\ No newline at end of file
+diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
+index 7a5cdea645..6766a97df6 100644
+--- a/packaging/fedora/snapd.spec
++++ b/packaging/fedora/snapd.spec
+@@ -83,11 +83,16 @@
+ %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+ %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+-# SELinux policy does not build on Amazon Linux 2 at the moment, fails with
+-# checkmodule complaining about missing 'map' permission for 'file' class
++# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
++# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
++# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
++# necessary updates. For now disable SELinux on the affected distros.
+ %if 0%{?amzn2} == 1
+ %global with_selinux 0
+ %endif
++%if 0%{?centos} == 7
++%global with_selinux 0
++%endif
+
+ Name: snapd
+ Version: 2.36.1
+
+From 3c61fbbd51478f2c3be8e6ea7b63cb5041e43afd Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Fri, 28 Sep 2018 14:44:54 +0200
+Subject: [PATCH 02/10] tests: basic setup for CentOS 7
+
+Signed-off-by: Maciej Borzecki
+---
+ spread.yaml | 10 +++++++---
+ tests/lib/boot.sh | 2 +-
+ tests/lib/dirs.sh | 2 +-
+ tests/lib/pkgdb.sh | 22 +++++++++++-----------
+ tests/lib/prepare-restore.sh | 8 ++++----
+ tests/lib/reset.sh | 11 +++++++----
+ tests/lib/snaps.sh | 6 +++---
+ 7 files changed, 34 insertions(+), 27 deletions(-)
+
+diff --git a/spread.yaml b/spread.yaml
+index 8cbd83227e..106b69d35e 100644
+--- a/spread.yaml
++++ b/spread.yaml
+@@ -94,6 +94,10 @@ backends:
+ workers: 4
+ storage: preserve-size
+
++ - centos-7-64:
++ workers: 4
++ image: centos-7-64
++
+ google-sru:
+ type: google
+ key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
+@@ -497,7 +501,7 @@ prepare: |
+ fedora-*)
+ dnf install --refresh -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
+ ;;
+- amazon-*)
++ amazon-*|centos-*)
+ yum install -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
+ ;;
+ opensuse-*)
+@@ -625,7 +629,7 @@ suites:
+ # Test cases are not yet ported to Fedora/openSUSE/Arch that is why
+ # we keep them disabled. A later PR will enable most tests and
+ # drop this blacklist.
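Review bot: The new `%if 0%{?centos} == 7` block in packaging/fedora/snapd.spec sets `with_selinux 0` for every CentOS 7 build and leaves nothing that would turn it back on, so the package is presumably built without snapd's own SELinux policy on a distribution where SELinux is normally enforcing. The comment above already says RHEL 7.6 should carry the needed 'map' permission, so I would put a marker on the block itself, e.g. `# TODO: remove once CentOS 7 selinux-policy has the 'map' permission (bugzilla 1574383)`, so the exception is revisited rather than kept indefinitely. The guard is also keyed on `%{centos}` only; if RHEL 7 itself is a build target it may need the same condition, which is worth confirming.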
+- systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*] ++ systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*] + prepare: | + "$TESTSLIB"/prepare-restore.sh --prepare-suite + prepare-each: | +diff --git a/tests/lib/boot.sh b/tests/lib/boot.sh +index e6cd906dea..475ceccdf8 100644 +--- a/tests/lib/boot.sh ++++ b/tests/lib/boot.sh +@@ -2,7 +2,7 @@ + + GRUB_EDITENV=grub-editenv + case "$SPREAD_SYSTEM" in +- fedora-*|opensuse-*|amazon-*) ++ fedora-*|opensuse-*|amazon-*|centos-*) + GRUB_EDITENV=grub2-editenv + ;; + esac +diff --git a/tests/lib/dirs.sh b/tests/lib/dirs.sh +index e83c053109..7000bc25e5 100644 +--- a/tests/lib/dirs.sh ++++ b/tests/lib/dirs.sh +@@ -5,7 +5,7 @@ export LIBEXECDIR=/usr/lib + export MEDIA_DIR=/media + + case "$SPREAD_SYSTEM" in +- fedora-*|amazon-*) ++ fedora-*|amazon-*|centos-*) + export SNAP_MOUNT_DIR=/var/lib/snapd/snap + export LIBEXECDIR=/usr/libexec + export MEDIA_DIR=/run/media +diff --git a/tests/lib/pkgdb.sh b/tests/lib/pkgdb.sh +index bae7fbd4c8..434444af57 100755 +--- a/tests/lib/pkgdb.sh ++++ b/tests/lib/pkgdb.sh +@@ -128,7 +128,7 @@ distro_name_package() { + fedora-*) + fedora_name_package "$@" + ;; +- amazon-*) ++ amazon-*|centos-*) + amazon_name_package "$@" + ;; + opensuse-*) +@@ -174,7 +174,7 @@ distro_install_local_package() { + fedora-*) + quiet dnf -y install "$@" + ;; +- amazon-*) ++ amazon-*|centos-*) + quiet yum -y localinstall "$@" + ;; + opensuse-*) +@@ -255,7 +255,7 @@ distro_install_package() { + # shellcheck disable=SC2086 + quiet dnf -y --refresh install $DNF_FLAGS "${pkg_names[@]}" + ;; +- amazon-*) ++ amazon-*|centos-*) + # shellcheck disable=SC2086 + quiet yum -y install $YUM_FLAGS "${pkg_names[@]}" + ;; +@@ -296,7 +296,7 @@ distro_purge_package() { + quiet dnf -y remove "$@" + quiet dnf clean all + ;; +- amazon-*) ++ amazon-*|centos-*) + quiet yum -y remove "$@" + ;; + opensuse-*) +@@ -321,7 +321,7 @@ distro_update_package_db() { + quiet dnf clean all + quiet dnf makecache + ;; +- amazon-*) ++ 
amazon-*|centos-*) + quiet yum clean all + quiet yum makecache + ;; +@@ -346,7 +346,7 @@ distro_clean_package_cache() { + fedora-*) + dnf clean all + ;; +- amazon-*) ++ amazon-*|centos-*) + yum clean all + ;; + opensuse-*) +@@ -370,7 +370,7 @@ distro_auto_remove_packages() { + fedora-*) + quiet dnf -y autoremove + ;; +- amazon-*) ++ amazon-*|centos-*) + quiet yum -y autoremove + ;; + opensuse-*) +@@ -392,7 +392,7 @@ distro_query_package_info() { + fedora-*) + dnf info "$1" + ;; +- amazon-*) ++ amazon-*|centos-*) + yum info "$1" + ;; + opensuse-*) +@@ -429,7 +429,7 @@ distro_install_build_snapd(){ + # shellcheck disable=SC2125 + packages="${GOHOME}"/snapd_*.deb + ;; +- fedora-*|amazon-*) ++ fedora-*|amazon-*|centos-*) + # shellcheck disable=SC2125 + packages="${GOHOME}"/snap-confine*.rpm\ "${GOPATH%%:*}"/snapd*.rpm + ;; +@@ -476,7 +476,7 @@ distro_get_package_extension() { + ubuntu-*|debian-*) + echo "deb" + ;; +- fedora-*|opensuse-*|amazon-*) ++ fedora-*|opensuse-*|amazon-*|centos-*) + echo "rpm" + ;; + arch-*) +@@ -719,7 +719,7 @@ pkg_dependencies(){ + fedora-*) + pkg_dependencies_fedora + ;; +- amazon-*) ++ amazon-*|centos-*) + pkg_dependencies_amazon + ;; + opensuse-*) +diff --git a/tests/lib/prepare-restore.sh b/tests/lib/prepare-restore.sh +index b5f8cd0b93..175a00623b 100755 +--- a/tests/lib/prepare-restore.sh ++++ b/tests/lib/prepare-restore.sh +@@ -54,7 +54,7 @@ create_test_user(){ + # unlikely to ever clash with anything, and easy to remember. 
+ quiet adduser --uid 12345 --gid 12345 --disabled-password --gecos '' test
+ ;;
+- debian-*|fedora-*|opensuse-*|arch-*|amazon-*)
++ debian-*|fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
+ quiet useradd -m --uid 12345 --gid 12345 test
+ ;;
+ *)
+@@ -102,7 +102,7 @@ build_rpm() {
+ rpm_dir=$(rpm --eval "%_topdir")
+
+ case "$SPREAD_SYSTEM" in
+- fedora-*|amazon-*)
++ fedora-*|amazon-*|centos-*)
+ extra_tar_args="$extra_tar_args --exclude=vendor/*"
+ ;;
+ opensuse-*)
+@@ -122,7 +122,7 @@ build_rpm() {
+ mkdir -p "$rpm_dir/SOURCES"
+ # shellcheck disable=SC2086
+ (cd /tmp/pkg && tar "-c${archive_compression}f" "$rpm_dir/SOURCES/$archive_name" $extra_tar_args "snapd-$version")
+- if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* ]]; then
++ if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* || "$SPREAD_SYSTEM" == centos-* ]]; then
+ # need to build the vendor tree
+ (cd /tmp/pkg && tar "-cJf" "$rpm_dir/SOURCES/snapd_${version}.only-vendor.tar.xz" "snapd-$version/vendor")
+ fi
+@@ -354,7 +354,7 @@ prepare_project() {
+ ubuntu-*|debian-*)
+ build_deb
+ ;;
+- fedora-*|opensuse-*|amazon-*)
++ fedora-*|opensuse-*|amazon-*|centos-*)
+ build_rpm
+ ;;
+ arch-*)
+diff --git a/tests/lib/reset.sh b/tests/lib/reset.sh
+index fead9623f8..ac47b8fb5b 100755
+--- a/tests/lib/reset.sh
++++ b/tests/lib/reset.sh
+@@ -37,7 +37,7 @@ reset_classic() {
+ ubuntu-*|debian-*)
+ sh -x "${SPREAD_PATH}/debian/snapd.postrm" purge
+ ;;
+- fedora-*|opensuse-*|arch-*|amazon-*)
++ fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
+ # We don't know if snap-mgmt was built, so call the *.in file
+ # directly and pass arguments that will override the placeholders
+ sh -x "${SPREAD_PATH}/cmd/snap-mgmt/snap-mgmt.sh.in" \
+@@ -48,6 +48,7 @@ reset_classic() {
+ rm -rf /var/lib/snapd
+ ;;
+ *)
++ echo "don't know how to reset $SPREAD_SYSTEM"
+ exit 1
+ ;;
+ esac
+@@ -87,9 +88,11 @@ reset_classic() {
+
+ # wait for snapd listening
+ EXTRA_NC_ARGS="-q 1"
+- if [[ "$SPREAD_SYSTEM" = fedora-* || "$SPREAD_SYSTEM" = amazon-* ]]; then
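Review bot: The vendor-tarball check in build_rpm (tests/lib/prepare-restore.sh, hunk at -122) is extended with a second `[[ … ]]` clause, `|| "$SPREAD_SYSTEM" == centos-*`, while the reset.sh hunk in this same patch replaces an equivalent two-clause test with a `case` on `$SPREAD_SYSTEM`. For consistency with the other distro switches in this file I would write it as `case "$SPREAD_SYSTEM" in amazon-linux-2-*|centos-*) … ;; esac`, which also keeps the next distro addition to a one-token change. build_rpm starts and ends outside the hunk.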
+- EXTRA_NC_ARGS=""
+- fi
++ case "$SPREAD_SYSTEM" in
++ fedora-*|amazon-*|centos-*)
++ EXTRA_NC_ARGS=""
++ ;;
++ esac
+ while ! printf 'GET / HTTP/1.0\r\n\r\n' | nc -U $EXTRA_NC_ARGS /run/snapd.socket; do sleep 0.5; done
+ fi
+ }
+diff --git a/tests/lib/snaps.sh b/tests/lib/snaps.sh
+index 0cf0d1d908..bebf66f42f 100644
+--- a/tests/lib/snaps.sh
++++ b/tests/lib/snaps.sh
+@@ -52,8 +52,8 @@ mksnap_fast() {
+ snap="$2"
+
+ case "$SPREAD_SYSTEM" in
+- ubuntu-14.04-*|amazon-*)
+- # trusty and AMZN2 do not support -Xcompression-level 1
++ ubuntu-14.04-*|amazon-*|centos-*)
++ # trusty, AMZN2 and CentOS 7 do not support -Xcompression-level 1
+ mksquashfs "$dir" "$snap" -comp gzip -no-fragments -no-progress
+ ;;
+ *)
+@@ -79,7 +79,7 @@ is_classic_confinement_supported() {
+ ubuntu-*|debian-*)
+ return 0
+ ;;
+- fedora-*)
++ fedora-*|centos-*)
+ return 1
+ ;;
+ opensuse-*)
+
+From 90c7c9b434102a5d720a84e784af34567ea1ac05 Mon Sep 17 00:00:00 2001
+From: Sergio Cazzolato
+Date: Mon, 12 Nov 2018 23:49:47 -0300
+Subject: [PATCH 03/10] Skip opensuse from interfaces-openvswitch-support test
+
+Next update for opensuse is failing when interfaces-openvswitch-support
+test is executed. The cause is the same than for arch system, where the
+interface is allowing access to /run/uuidd/request and in these systems
+the request is done in /run/run/uuidd/request, making fail the snaps
+which try to request a random id.
+ +test error: +https://paste.ubuntu.com/p/bv9xZj36XR/ + +debug info: +https://paste.ubuntu.com/p/nMF4BR8ZF7/ +--- + tests/main/interfaces-openvswitch-support/task.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/main/interfaces-openvswitch-support/task.yaml b/tests/main/interfaces-openvswitch-support/task.yaml +index 9d174c0783..f937129810 100644 +--- a/tests/main/interfaces-openvswitch-support/task.yaml ++++ b/tests/main/interfaces-openvswitch-support/task.yaml +@@ -5,8 +5,8 @@ details: | + + # ubuntu-core, ubuntu-14, fedora, amazon are skipped as /run/uuidd/request file does not + # exist. On those systems different files are being used instead. +-# arch: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122 +-systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*] ++# arch, opensuse: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122 ++systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*] + + prepare: | + snap install test-snapd-openvswitch-support + +From 3efcf8c8859d698dbd32264fa2d0728496786c87 Mon Sep 17 00:00:00 2001 +From: Maciej Borzecki +Date: Fri, 28 Sep 2018 18:19:58 +0200 +Subject: [PATCH 04/10] tests: update tests for CentOS 7 + +Signed-off-by: Maciej Borzecki +--- + tests/main/appstream-id/task.yaml | 4 ++-- + tests/main/cgroup-freezer/task.yaml | 4 ++-- + tests/main/classic-confinement/task.yaml | 22 ++++++++++-------- + .../classic-ubuntu-core-transition/task.yaml | 10 ++++---- + tests/main/confinement-classic/task.yaml | 23 +++++++++++-------- + tests/main/create-key/task.yaml | 2 +- + tests/main/create-user/task.yaml | 2 +- + tests/main/debs-have-built-using/task.yaml | 2 +- + .../main/document-portal-activation/task.yaml | 2 +- + tests/main/interfaces-alsa/task.yaml | 2 +- + tests/main/interfaces-avahi-observe/task.yaml | 2 +- + .../interfaces-calendar-service/task.yaml | 2 +- + 
.../interfaces-contacts-service/task.yaml | 2 +- + tests/main/interfaces-cups-control/task.yaml | 2 +- + .../task.yaml | 2 +- + .../task.yaml | 2 +- + .../task.yaml | 2 +- + .../main/interfaces-locale-control/task.yaml | 2 +- + tests/main/interfaces-network/task.yaml | 2 +- + .../interfaces-openvswitch-support/task.yaml | 2 +- + .../main/interfaces-upower-observe/task.yaml | 2 +- + tests/main/manpages/task.yaml | 2 +- + tests/main/nfs-support/task.yaml | 2 +- + tests/main/prepare-image-grub/task.yaml | 2 +- + tests/main/refresh-hold/task.yaml | 2 +- + tests/main/refresh/task.yaml | 4 ++-- + .../security-device-cgroups-classic/task.yaml | 2 +- + .../task.yaml | 2 +- + .../security-device-cgroups-strict/task.yaml | 2 +- + tests/main/security-setuid-root/task.yaml | 2 +- + tests/main/server-snap/task.yaml | 2 +- + tests/main/snap-confine-from-core/task.yaml | 2 +- + tests/main/snap-info/task.yaml | 2 +- + tests/main/snap-repair/task.yaml | 2 +- + tests/main/snap-sign/task.yaml | 2 +- + tests/main/snapd-reexec-snapd-snap/task.yaml | 2 +- + tests/main/snapd-reexec/task.yaml | 2 +- + tests/main/try/task.yaml | 2 +- + 38 files changed, 70 insertions(+), 61 deletions(-) + +diff --git a/tests/main/appstream-id/task.yaml b/tests/main/appstream-id/task.yaml +index f58fe3bd23..3bf7e46359 100644 +--- a/tests/main/appstream-id/task.yaml ++++ b/tests/main/appstream-id/task.yaml +@@ -1,7 +1,7 @@ + summary: Verify AppStream ID integration + +-# fedora-*, amazon-*: uses nmap netcat by default (https://nmap.org/ncat/) +-systems: [-fedora-*, -amazon-*] ++# fedora-*, amazon-*, centos-*: use nmap netcat by default (https://nmap.org/ncat/) ++systems: [-fedora-*, -amazon-*, -centos-*] + + prepare: | + snap install jq +diff --git a/tests/main/cgroup-freezer/task.yaml b/tests/main/cgroup-freezer/task.yaml +index 38ca0153f3..16cc9cb6ce 100644 +--- a/tests/main/cgroup-freezer/task.yaml ++++ b/tests/main/cgroup-freezer/task.yaml +@@ -41,9 +41,9 @@ execute: | + # When the process terminates the 
control group is updated and the task no + # longer registers there. + kill "$pid1" +- wait -n || true # wait returns the exit code and we kill the process ++ wait "$pid1" || true # wait returns the exit code and we kill the process + MATCH -v "$pid1" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks + + kill "$pid2" +- wait -n || true # same as above ++ wait "$pid2" || true # same as above + MATCH -v "$pid2" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks +diff --git a/tests/main/classic-confinement/task.yaml b/tests/main/classic-confinement/task.yaml +index 7392135f8a..46c42885ac 100644 +--- a/tests/main/classic-confinement/task.yaml ++++ b/tests/main/classic-confinement/task.yaml +@@ -13,17 +13,21 @@ prepare: | + . "$TESTSLIB"/dirs.sh + snap pack "$TESTSLIB/snaps/$CLASSIC_SNAP/" + +- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then +- # although classic snaps do not work out of the box on fedora, +- # we still want to verify if the basics do work if the user +- # symlinks /snap to $SNAP_MOUNT_DIR themselves +- ln -sf $SNAP_MOUNT_DIR /snap +- fi ++ case "$SPREAD_SYSTEM" in ++ fedora-*|arch-*|centos-*) ++ # although classic snaps do not work out of the box on fedora, ++ # we still want to verify if the basics do work if the user ++ # symlinks /snap to $SNAP_MOUNT_DIR themselves ++ ln -sf $SNAP_MOUNT_DIR /snap ++ ;; ++ esac + + restore: | +- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then +- rm -f /snap +- fi ++ case "$SPREAD_SYSTEM" in ++ fedora-*|arch-*|centos-*) ++ rm -f /snap ++ ;; ++ esac + + execute: | + echo "Check that classic snaps work only with --classic" +diff --git a/tests/main/classic-ubuntu-core-transition/task.yaml b/tests/main/classic-ubuntu-core-transition/task.yaml +index b7cbcc3eb6..fb796ed216 100644 +--- a/tests/main/classic-ubuntu-core-transition/task.yaml ++++ b/tests/main/classic-ubuntu-core-transition/task.yaml +@@ -1,10 +1,10 @@ + summary: Ensure that the ubuntu-core -> core transition 
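Review bot: In tests/main/classic-confinement/task.yaml the rewritten `case` arm matches fedora, arch and centos, but the comment inside it still says classic snaps do not work out of the box "on fedora", and `ln -sf $SNAP_MOUNT_DIR /snap` expands the variable unquoted. I would write `ln -sf "$SNAP_MOUNT_DIR" /snap` and reword the comment to name the systems the arm covers. Note also that `restore` runs `rm -f /snap` whether or not `prepare` got as far as creating the link. The same block is repeated in the tests/main/confinement-classic/task.yaml hunk later in this patch.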
works + +-# we never test on core because the transition can only happen on "classic" +-# we disable on ppc64el because the downloads are very slow there +-# Fedora, openSUSE and Arch are disabled at the moment as there is something +-# fishy going on and the snapd service gets terminated during the process. +-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386, -arch-*, -amazon-*] ++# we never test on core because the transition can only happen on "classic" we ++# disable on ppc64el because the downloads are very slow there Fedora, openSUSE, ++# Arch, CentOS are disabled at the moment as there is something fishy going on ++# and the snapd service gets terminated during the process. ++systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386, -arch-*, -amazon-*, -centos-*] + + # autopkgtest run only a subset of tests that deals with the integration + # with the distro +diff --git a/tests/main/confinement-classic/task.yaml b/tests/main/confinement-classic/task.yaml +index a5a1bf8abd..8f7395cce1 100644 +--- a/tests/main/confinement-classic/task.yaml ++++ b/tests/main/confinement-classic/task.yaml +@@ -11,17 +11,22 @@ details: | + prepare: | + #shellcheck source=tests/lib/dirs.sh + . 
"$TESTSLIB"/dirs.sh +- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then +- # although classic snaps do not work out of the box on fedora, +- # we still want to verify if the basics do work if the user +- # symlinks /snap to $SNAP_MOUNT_DIR themselves +- ln -sf $SNAP_MOUNT_DIR /snap +- fi ++ case "$SPREAD_SYSTEM" in ++ fedora-*|arch-*|centos-*) ++ # although classic snaps do not work out of the box on fedora, ++ # we still want to verify if the basics do work if the user ++ # symlinks /snap to $SNAP_MOUNT_DIR themselves ++ ln -sf $SNAP_MOUNT_DIR /snap ++ ;; ++ esac ++ + + restore: | +- if [[ "$SPREAD_SYSTEM" == fedora-* || "$SPREAD_SYSTEM" == arch-* ]]; then +- rm -f /snap +- fi ++ case "$SPREAD_SYSTEM" in ++ fedora-*|arch-*|centos-*) ++ rm -f /snap ++ ;; ++ esac + + execute: | + #shellcheck source=tests/lib/dirs.sh +diff --git a/tests/main/create-key/task.yaml b/tests/main/create-key/task.yaml +index e344df0234..7426e6630c 100644 +--- a/tests/main/create-key/task.yaml ++++ b/tests/main/create-key/task.yaml +@@ -2,7 +2,7 @@ summary: Checks for snap create-key + + # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594 + # amazon: requires extra gpg-agent setup +-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -amazon-*] ++systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -amazon-*, -centos-*] + + prepare: | + #shellcheck source=tests/lib/mkpinentry.sh +diff --git a/tests/main/create-user/task.yaml b/tests/main/create-user/task.yaml +index 3272673bf5..c8cae5f0bd 100644 +--- a/tests/main/create-user/task.yaml ++++ b/tests/main/create-user/task.yaml +@@ -2,7 +2,7 @@ summary: Ensure create-user functionality + + # Disabled for Fedora, openSUSE, Arch, AMZN2 as none have all options for add user + # the `snap create-user` command requires. Needs code rework. 
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ environment:
+ USER_EMAIL: mvo@ubuntu.com
+diff --git a/tests/main/debs-have-built-using/task.yaml b/tests/main/debs-have-built-using/task.yaml
+index 09439bdb1e..0abcd1af16 100644
+--- a/tests/main/debs-have-built-using/task.yaml
++++ b/tests/main/debs-have-built-using/task.yaml
+@@ -1,6 +1,6 @@
+ summary: Ensure that our debs have the "built-using" header
+
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ execute: |
+ out=$(dpkg -I "$GOHOME"/snapd_*.deb)
+diff --git a/tests/main/document-portal-activation/task.yaml b/tests/main/document-portal-activation/task.yaml
+index 4e3ac51a72..0b6ef2f81f 100644
+--- a/tests/main/document-portal-activation/task.yaml
++++ b/tests/main/document-portal-activation/task.yaml
+@@ -17,7 +17,7 @@ description: |
+ # Disabled on Ubuntu Core because it doesn't provide the "desktop"
+ # slot, and Amazon Linux because it doesn't have the required Python 3
+ # packages to run the test.
+-systems: [ "-ubuntu-core-*", "-amazon-linux-2-*" ]
++systems: [ -ubuntu-core-*, -amazon-linux-2-*, -centos-* ]
+
+ environment:
+ XDG_RUNTIME_DIR: /run/user/$(id -u)
+diff --git a/tests/main/interfaces-alsa/task.yaml b/tests/main/interfaces-alsa/task.yaml
+index 59bfa67c99..d13e1f3d4a 100644
+--- a/tests/main/interfaces-alsa/task.yaml
++++ b/tests/main/interfaces-alsa/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Ensure that the alsa interface works.
+
+ # Spread system for Fedora, openSUSE and AMZN2 don't seem to provide any /dev/snd entries
+-systems: [-fedora-*, -opensuse-*, -amazon-*]
++systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*]
+
+ details: |
+ The alsa interface allows connected plugs to access raw ALSA devices.
+diff --git a/tests/main/interfaces-avahi-observe/task.yaml b/tests/main/interfaces-avahi-observe/task.yaml
+index 3b48513879..39f20de67c 100644
+--- a/tests/main/interfaces-avahi-observe/task.yaml
++++ b/tests/main/interfaces-avahi-observe/task.yaml
+@@ -1,6 +1,6 @@
+ summary: check that avahi-observe interface works
+
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ echo "Given a snap with an avahi-observe interface plug is installed"
+diff --git a/tests/main/interfaces-calendar-service/task.yaml b/tests/main/interfaces-calendar-service/task.yaml
+index f8d2f49379..4b7172f08a 100644
+--- a/tests/main/interfaces-calendar-service/task.yaml
++++ b/tests/main/interfaces-calendar-service/task.yaml
+@@ -2,7 +2,7 @@ summary: Ensure that the calendar-service interface works
+
+ # Only test on classic systems. Don't test on Ubuntu 14.04, which
+ # does not ship a new enough evolution-data-server. Don't test on AMZN2.
+-systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*]
++systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*]
+
+ # fails in the autopkgtest env with:
+ # [Wed Aug 15 16:34:12 2018] audit: type=1400
+diff --git a/tests/main/interfaces-contacts-service/task.yaml b/tests/main/interfaces-contacts-service/task.yaml
+index c5627a6be5..d42f535d71 100644
+--- a/tests/main/interfaces-contacts-service/task.yaml
++++ b/tests/main/interfaces-contacts-service/task.yaml
+@@ -3,7 +3,7 @@ summary: Ensure that the contacts-service interface works
+ # Only test on classic systems. Don't test on Ubuntu 14.04, which
+ # does not ship a new enough evolution-data-server.
+ # amazon: no need to run this on amazon +-systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*] ++systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*] + + # fails in autopkgtest environment with: + # [Wed Aug 15 16:08:23 2018] audit: type=1400 +diff --git a/tests/main/interfaces-cups-control/task.yaml b/tests/main/interfaces-cups-control/task.yaml +index d89387178c..b00be1654f 100644 +--- a/tests/main/interfaces-cups-control/task.yaml ++++ b/tests/main/interfaces-cups-control/task.yaml +@@ -15,7 +15,7 @@ details: | + + # Default cups/cups-pdf configuration on these distributions isn't + # working yet without further tweaks. +-systems: [-ubuntu-core-*, -opensuse-*, -fedora-*, -arch-*, -amazon-*] ++systems: [-ubuntu-core-*, -opensuse-*, -fedora-*, -arch-*, -amazon-*, -centos-*] + + environment: + TEST_FILE: /var/snap/test-snapd-cups-control-consumer/current/test_file.txt +diff --git a/tests/main/interfaces-hardware-random-control/task.yaml b/tests/main/interfaces-hardware-random-control/task.yaml +index eed5b46690..07fbd321cd 100644 +--- a/tests/main/interfaces-hardware-random-control/task.yaml ++++ b/tests/main/interfaces-hardware-random-control/task.yaml +@@ -12,7 +12,7 @@ summary: | + + # Execution skipped on debian, arch and amazon due to device /dev/hwrng not + # created by default +-systems: [-debian-*, -arch-*, -amazon-*] ++systems: [-debian-*, -arch-*, -amazon-*, -centos-*] + + prepare: | + #shellcheck source=tests/lib/snaps.sh +diff --git a/tests/main/interfaces-hardware-random-observe/task.yaml b/tests/main/interfaces-hardware-random-observe/task.yaml +index 240f012f74..48e2b2a493 100644 +--- a/tests/main/interfaces-hardware-random-observe/task.yaml ++++ b/tests/main/interfaces-hardware-random-observe/task.yaml +@@ -12,7 +12,7 @@ summary: | + + # Execution skipped on debian, arch and amazon due to device /dev/hwrng not + # created by default +-systems: [-debian-*, -arch-*, -amazon-*] ++systems: [-debian-*, -arch-*, -amazon-*, -centos-*] + + 
prepare: | + #shellcheck source=tests/lib/snaps.sh +diff --git a/tests/main/interfaces-kernel-module-control/task.yaml b/tests/main/interfaces-kernel-module-control/task.yaml +index d25bcbd89b..184ab516bd 100644 +--- a/tests/main/interfaces-kernel-module-control/task.yaml ++++ b/tests/main/interfaces-kernel-module-control/task.yaml +@@ -1,7 +1,7 @@ + summary: Ensure that the kernel-module-control interface works. + + # the s390x kernel has no minix module +-systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x, -arch-*, -amazon-*] ++systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x, -arch-*, -amazon-*, -centos-*] + + environment: + MODULE: minix +diff --git a/tests/main/interfaces-locale-control/task.yaml b/tests/main/interfaces-locale-control/task.yaml +index b3b77281aa..36105d5052 100644 +--- a/tests/main/interfaces-locale-control/task.yaml ++++ b/tests/main/interfaces-locale-control/task.yaml +@@ -1,6 +1,6 @@ + summary: Ensure that the locale-control interface works. + +-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*] ++systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*] + + summary: | + The locale-control interface allows a snap to access the locale configuration. +diff --git a/tests/main/interfaces-network/task.yaml b/tests/main/interfaces-network/task.yaml +index 47d0d12f95..ddd8fae416 100644 +--- a/tests/main/interfaces-network/task.yaml ++++ b/tests/main/interfaces-network/task.yaml +@@ -10,7 +10,7 @@ details: | + A snap declaring a plug on this interface must be able to access network services. 
+ + # amazon: uses nmap-netcat +-systems: [-fedora-*, -opensuse-*, -amazon-*] ++systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*] + + environment: + SNAP_NAME: network-consumer +diff --git a/tests/main/interfaces-openvswitch-support/task.yaml b/tests/main/interfaces-openvswitch-support/task.yaml +index f937129810..7e834586de 100644 +--- a/tests/main/interfaces-openvswitch-support/task.yaml ++++ b/tests/main/interfaces-openvswitch-support/task.yaml +@@ -6,7 +6,7 @@ details: | + # ubuntu-core, ubuntu-14, fedora, amazon are skipped as /run/uuidd/request file does not + # exist. On those systems different files are being used instead. + # arch, opensuse: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122 +-systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*] ++systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*, -centos-*] + + prepare: | + snap install test-snapd-openvswitch-support +diff --git a/tests/main/interfaces-upower-observe/task.yaml b/tests/main/interfaces-upower-observe/task.yaml +index ce314b6600..1f601302cd 100644 +--- a/tests/main/interfaces-upower-observe/task.yaml ++++ b/tests/main/interfaces-upower-observe/task.yaml +@@ -11,7 +11,7 @@ details: | + it without error while the plug is connected. 
+ + # ppc64el disabled because of https://github.com/snapcore/snapd/issues/2504 +-systems: [-ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*, -amazon-*] ++systems: [-ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*] + + prepare: | + echo "Given a snap declaring a plug on the upower-observe interface is installed" +diff --git a/tests/main/manpages/task.yaml b/tests/main/manpages/task.yaml +index a5251def14..fba8acffac 100644 +--- a/tests/main/manpages/task.yaml ++++ b/tests/main/manpages/task.yaml +@@ -12,7 +12,7 @@ execute: | + # This issue happens with any package, not just with snap related ones + # The command "man snap" works well in this case (man 2.6.6) + case "$SPREAD_SYSTEM" in +- opensuse-*|arch-*|amazon-*) ++ opensuse-*|arch-*|amazon-*|centos-*) + for manpage in snap snap-confine snap-discard-ns; do + if ! LC_ALL=C man -u --where $manpage; then + echo "Expected to see manual page path for $manpage" +diff --git a/tests/main/nfs-support/task.yaml b/tests/main/nfs-support/task.yaml +index a0935a5172..bd3a2bedcc 100644 +--- a/tests/main/nfs-support/task.yaml ++++ b/tests/main/nfs-support/task.yaml +@@ -74,7 +74,7 @@ execute: | + systemctl enable nfsserver.service + systemctl start nfsserver.service + ;; +- amazon-*) ++ amazon-*|centos-*) + systemctl enable nfs + systemctl restart nfs + ;; +diff --git a/tests/main/prepare-image-grub/task.yaml b/tests/main/prepare-image-grub/task.yaml +index 88339ae46c..867fdc843a 100644 +--- a/tests/main/prepare-image-grub/task.yaml ++++ b/tests/main/prepare-image-grub/task.yaml +@@ -1,6 +1,6 @@ + summary: Check that prepare-image works for grub-systems + +-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*] ++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*] + + backends: [-autopkgtest] + +diff --git a/tests/main/refresh-hold/task.yaml b/tests/main/refresh-hold/task.yaml +index 664573dd5a..15ea0b13fc 100644 +--- a/tests/main/refresh-hold/task.yaml ++++ 
b/tests/main/refresh-hold/task.yaml +@@ -10,7 +10,7 @@ summary: Check that the refresh hold works + # - fixed version: 2018-07-27T08:05:00+00:00 + + # ubuntu-14.04 and amazon are shipped with buggy date +-systems: [-ubuntu-14.04-*, -amazon-*] ++systems: [-ubuntu-14.04-*, -amazon-*, -centos-*] + + execute: | + echo "Ensure snap set core refresh.hold works" +diff --git a/tests/main/refresh/task.yaml b/tests/main/refresh/task.yaml +index 406b9475cc..df662dd843 100644 +--- a/tests/main/refresh/task.yaml ++++ b/tests/main/refresh/task.yaml +@@ -34,7 +34,7 @@ prepare: | + flags= + if [[ "$SNAP_NAME" =~ classic ]]; then + case "$SPREAD_SYSTEM" in +- ubuntu-core-*|fedora-*|arch-*) ++ ubuntu-core-*|fedora-*|arch-*|centos-*) + exit + ;; + esac +@@ -89,7 +89,7 @@ execute: | + + if [[ "$SNAP_NAME" =~ classic ]]; then + case "$SPREAD_SYSTEM" in +- ubuntu-core-*|fedora-*|arch-*) ++ ubuntu-core-*|fedora-*|arch-*|centos-*) + exit + ;; + esac +diff --git a/tests/main/security-device-cgroups-classic/task.yaml b/tests/main/security-device-cgroups-classic/task.yaml +index 872fafc781..5444117cc5 100644 +--- a/tests/main/security-device-cgroups-classic/task.yaml ++++ b/tests/main/security-device-cgroups-classic/task.yaml +@@ -7,7 +7,7 @@ details: | + + # Disabled on Fedora, Ubuntu Core and Arch because they don't support classic + # confinement. +-systems: [-fedora-*, -ubuntu-core-*, -arch-*] ++systems: [-fedora-*, -ubuntu-core-*, -arch-*, -amazon-*, -centos-*] + + prepare: | + # Create framebuffer device node and give it some content we can verify +diff --git a/tests/main/security-device-cgroups-jailmode/task.yaml b/tests/main/security-device-cgroups-jailmode/task.yaml +index 9604f46715..e4842ffd7c 100644 +--- a/tests/main/security-device-cgroups-jailmode/task.yaml ++++ b/tests/main/security-device-cgroups-jailmode/task.yaml +@@ -6,7 +6,7 @@ details: | + still accessible (ie, the cgroup is not in effect). 
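Review bot: The `systems:` line in tests/main/security-device-cgroups-classic/task.yaml now also excludes `-amazon-*` and `-centos-*`, but the comment directly above it still reads "Disabled on Fedora, Ubuntu Core and Arch because they don't support classic confinement", so the reason for the two new exclusions is not recorded. If the reason is the same, I would extend it to `# Disabled on Fedora, Ubuntu Core, Arch, Amazon Linux 2 and CentOS because they don't support classic confinement.` The security-device-cgroups-jailmode, security-device-cgroups-strict and security-setuid-root hunks that follow drop CentOS as well, and the strict one shows no reason comment in its context. Together with `with_selinux 0` in the spec, that leaves no confinement check running on CentOS 7 in the hunks visible here, which deserves an explicit statement in the patch description.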
+
+ # None of those systems support strict confinement which is required to formally enable jailmode.
+-systems: [-fedora-*, -opensuse-*, -debian-*, -arch-*, -amazon-*]
++systems: [-fedora-*, -opensuse-*, -debian-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ # Create framebuffer device node and give it some content we can verify
+diff --git a/tests/main/security-device-cgroups-strict/task.yaml b/tests/main/security-device-cgroups-strict/task.yaml
+index 912413ec0c..c891fe069d 100644
+--- a/tests/main/security-device-cgroups-strict/task.yaml
++++ b/tests/main/security-device-cgroups-strict/task.yaml
+@@ -5,7 +5,7 @@ details: |
+ sure that other devices not included in the snap's plugged interfaces are
+ still accessible (ie, the cgroup is not in effect).
+
+-systems: [-fedora-*, -opensuse-*,-debian-*, -arch-*, -amazon-*]
++systems: [-fedora-*, -opensuse-*,-debian-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ # Create framebuffer device node and give it some content we can verify
+diff --git a/tests/main/security-setuid-root/task.yaml b/tests/main/security-setuid-root/task.yaml
+index 8b747101bb..3ad4ec6ad4 100644
+--- a/tests/main/security-setuid-root/task.yaml
++++ b/tests/main/security-setuid-root/task.yaml
+@@ -7,7 +7,7 @@ details: |
+ it should detect and refuse to run if invoked from the core snap.
+
+ # No confinement (AppArmor, Seccomp) available on these systems
+-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ #shellcheck source=tests/lib/snaps.sh
+diff --git a/tests/main/server-snap/task.yaml b/tests/main/server-snap/task.yaml
+index c85e58ac1c..03974042da 100644
+--- a/tests/main/server-snap/task.yaml
++++ b/tests/main/server-snap/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Check snap web servers
+
+ # arch: there is no ip6-localhost
+-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ environment:
+ SNAP_NAME/pythonServer: test-snapd-python-webserver
+diff --git a/tests/main/snap-confine-from-core/task.yaml b/tests/main/snap-confine-from-core/task.yaml
+index fc5de25a51..2b27ae2304 100644
+--- a/tests/main/snap-confine-from-core/task.yaml
++++ b/tests/main/snap-confine-from-core/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Test that snap-confine is run from core on re-exec
+
+ # Disable for Fedora, openSUSE, Arch and Amazon Linux 2 as re-exec is not support there yet
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ echo "Installing test-snapd-tools"
+diff --git a/tests/main/snap-info/task.yaml b/tests/main/snap-info/task.yaml
+index 8b1062cdf2..3f3fdd0141 100644
+--- a/tests/main/snap-info/task.yaml
++++ b/tests/main/snap-info/task.yaml
+@@ -2,7 +2,7 @@ summary: Check that snap info works
+
+ # core18 has no python3-yaml
+ # amazon: no PyYAML is not packaged for python3
+-systems: [-ubuntu-core-18-*, -amazon-*]
++systems: [-ubuntu-core-18-*, -amazon-*, -centos-*]
+
+ prepare: |
+ snap pack "$TESTSLIB"/snaps/basic
+diff --git a/tests/main/snap-repair/task.yaml b/tests/main/snap-repair/task.yaml
+index d5967318c1..cc090bb727 100644
+--- a/tests/main/snap-repair/task.yaml
++++ b/tests/main/snap-repair/task.yaml
+@@ -1,6 +1,6 @@
+ summary: Ensure that snap-repair is available
+
+-systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ execute: |
+ #shellcheck source=tests/lib/dirs.sh
+diff --git a/tests/main/snap-sign/task.yaml b/tests/main/snap-sign/task.yaml
+index 6939ebd49e..d2caaa94af 100644
+--- a/tests/main/snap-sign/task.yaml
++++ b/tests/main/snap-sign/task.yaml
+@@ -2,7 +2,7 @@ summary: Run snap sign to sign a model assertion
+
+ # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
+ # amazon: requires extra gpg-agent setup
+-systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -amazon-*]
++systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -amazon-*, -centos-*]
+
+ prepare: |
+ #shellcheck source=tests/lib/mkpinentry.sh
+diff --git a/tests/main/snapd-reexec-snapd-snap/task.yaml b/tests/main/snapd-reexec-snapd-snap/task.yaml
+index 3db1949255..19f956f07d 100644
+--- a/tests/main/snapd-reexec-snapd-snap/task.yaml
++++ b/tests/main/snapd-reexec-snapd-snap/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Test that snapd reexecs itself into the snapd snap
+
+ # Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ restore: |
+ umount /snap/snapd/current/usr/lib/snapd/info || true
+diff --git a/tests/main/snapd-reexec/task.yaml b/tests/main/snapd-reexec/task.yaml
+index 1b67a672af..a7c5ce491f 100644
+--- a/tests/main/snapd-reexec/task.yaml
++++ b/tests/main/snapd-reexec/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Test that snapd reexecs itself into core
+
+ # Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ restore: |
+ #shellcheck source=tests/lib/dirs.sh
+diff --git a/tests/main/try/task.yaml b/tests/main/try/task.yaml
+index 398e1e3594..265a86267c 100644
+--- a/tests/main/try/task.yaml
++++ b/tests/main/try/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Check that try command works
+
+ # s390x does not have /dev/kmsg
+-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x]
++systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x, -centos-*]
+
+ environment:
+ PORT: 8081
+
+From 5e4d96ef3ab1bdc2bd4e1b54014ffea092155ad6 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Mon, 19 Nov 2018 11:29:24 +0100
+Subject: [PATCH 05/10] data/sysctl: snap specific kernel tweaks, enable mount
+ detach for RHEL 7.4+
+
+Enable lazily unmounting mounts in other namespaces that have not received the
+propagated unmount when a mount point directory is removed.
+
+See:
+ RHBZ#1247935
+ https://access.redhat.com/articles/3128691
+
+Signed-off-by: Maciej Borzecki
+---
+ data/sysctl/99-snap.conf | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 data/sysctl/99-snap.conf
+
+diff --git a/data/sysctl/99-snap.conf b/data/sysctl/99-snap.conf
+new file mode 100644
+index 0000000000..588661621c
+--- /dev/null
++++ b/data/sysctl/99-snap.conf
+@@ -0,0 +1,4 @@
++# RHEL 7.4+ specific:
++# Unexpected "Device or resource busy" error when removing a directory
++# see https://access.redhat.com/articles/3128691 for details
++fs.may_detach_mounts=1
+
+From e25654f501d60a0c72d3d63a591ebd295348d391 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Mon, 19 Nov 2018 11:38:04 +0100
+Subject: [PATCH 06/10] packaging: install RHEL 7 specific kernel tweaks
+
+Signed-off-by: Maciej Borzecki
+---
+ packaging/fedora/snapd.spec | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
+index 6766a97df6..f5da422a0f 100644
+--- a/packaging/fedora/snapd.spec
++++ b/packaging/fedora/snapd.spec
+@@ -592,12 +592,18 @@ pushd ./data
+ SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+ SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+ SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
++popd
++
++%if 0%{?rhel} == 7
++# Install kernel tweaks
++# See: https://access.redhat.com/articles/3128691
++install -m 644 -D data/sysctl/99-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
++%endif
+
+ # Remove snappy core specific units
+ rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
+ rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
+ rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
+-popd
+
+ # Remove snappy core specific scripts
+ rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+@@ -727,6 +733,9 @@ popd
+ %if %{with snap_symlink}
+ /snap
+ %endif
++%if 0%{?rhel} == 7
++%{_sysconfdir}/sysctl.d/99-snap.conf
++%endif
+
+ %files -n snap-confine
+ %doc cmd/snap-confine/PORTING
+@@ -768,6 +777,9 @@ popd
+ %endif
+
+ %post
++%if 0%{?rhel} == 7
++%sysctl_apply 99-snap.conf
++%endif
+ %systemd_post %{snappy_svcs}
+ # If install, test if snapd socket and timer are enabled.
+ # If enabled, then attempt to start them.
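Review bot: The new `%files` entry `%{_sysconfdir}/sysctl.d/99-snap.conf` ships a file under /etc without a `%config` marking, so a local edit by the administrator would be replaced on package upgrade. The `99-` prefix also sorts late in sysctl.d, which lets the packaged `fs.may_detach_mounts=1` take precedence over lower-numbered local settings. Vendor defaults normally go to `%{_sysctldir}` (/usr/lib/sysctl.d), leaving /etc/sysctl.d for local overrides. If that macro is available on EL7 (not visible here), the install line in the first hunk could target `%{buildroot}%{_sysctldir}/99-snap.conf` with a matching `%files` line; otherwise the entry should at least be `%config(noreplace) %{_sysconfdir}/sysctl.d/99-snap.conf`.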
This will silently fail
+
+From f587302efcf55ecda24fdf0b6c593a276737e9ca Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Tue, 20 Nov 2018 07:54:51 +0100
+Subject: [PATCH 07/10] data/sysctl: use distro specific name for RHEL7 kernel
+ tweaks
+
+Signed-off-by: Maciej Borzecki
+---
+ data/sysctl/{99-snap.conf => rhel7-snap.conf} | 0
+ packaging/fedora/snapd.spec | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename data/sysctl/{99-snap.conf => rhel7-snap.conf} (100%)
+
+diff --git a/data/sysctl/99-snap.conf b/data/sysctl/rhel7-snap.conf
+similarity index 100%
+rename from data/sysctl/99-snap.conf
+rename to data/sysctl/rhel7-snap.conf
+diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
+index f5da422a0f..c556138b3c 100644
+--- a/packaging/fedora/snapd.spec
++++ b/packaging/fedora/snapd.spec
+@@ -597,7 +597,7 @@ popd
+ %if 0%{?rhel} == 7
+ # Install kernel tweaks
+ # See: https://access.redhat.com/articles/3128691
+-install -m 644 -D data/sysctl/99-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
++install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysconfdir}/sysctl.d/99-snap.conf
+ %endif
+
+ # Remove snappy core specific units
+
+From 1fd66d77dda4041f21475a853b02821078dbfe84 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Tue, 20 Nov 2018 08:44:41 +0100
+Subject: [PATCH 08/10] tests: more test tweaks for CentOS
+
+Signed-off-by: Maciej Borzecki
+---
+ tests/regression/lp-1595444/task.yaml | 4 ++--
+ tests/regression/lp-1599891/task.yaml | 2 +-
+ tests/regression/lp-1618683/task.yaml | 14 ++++++++++++++
+ tests/regression/lp-1641885/task.yaml | 2 +-
+ tests/upgrade/basic/task.yaml | 4 ++--
+ 5 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/tests/regression/lp-1595444/task.yaml b/tests/regression/lp-1595444/task.yaml
+index 83330fbf74..004491f4a0 100644
+--- a/tests/regression/lp-1595444/task.yaml
++++ b/tests/regression/lp-1595444/task.yaml
+@@ -5,8 +5,8 @@ details: |
+ a directory that doesn't exist in the execution environment (chroot).
+
+ #ubuntu-core: this test only applies to classic systems
+-#debian, fedora, opensuse, arch, amazon-linux-2: just available for systems with confinement (AppArmor, Seccomp)
+-systems: [-ubuntu-core-*, -debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++#debian, fedora, opensuse, arch, amazon-linux-2, centos: just available for systems with confinement (AppArmor, Seccomp)
++systems: [-ubuntu-core-*, -debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ prepare: |
+ echo "Having installed the test snap"
+diff --git a/tests/regression/lp-1599891/task.yaml b/tests/regression/lp-1599891/task.yaml
+index d33545b1a9..3ab2f2264b 100644
+--- a/tests/regression/lp-1599891/task.yaml
++++ b/tests/regression/lp-1599891/task.yaml
+@@ -1,7 +1,7 @@
+ summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1599891
+
+ # No confinement (AppArmor, Seccomp) available on these systems
+-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ execute: |
+ snap_confine=/usr/lib/snapd/snap-confine
+diff --git a/tests/regression/lp-1618683/task.yaml b/tests/regression/lp-1618683/task.yaml
+index e92d49eed3..63931b13a4 100644
+--- a/tests/regression/lp-1618683/task.yaml
++++ b/tests/regression/lp-1618683/task.yaml
+@@ -12,6 +12,20 @@ prepare: |
+ . "$TESTSLIB/snaps.sh"
+ install_local_devmode test-snapd-tools
+
++ if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
++ # RHEL/Centos 7.4+ set this to 0 by default
++ # see: https://access.redhat.com/solutions/3188102
++ cat /proc/sys/user/max_user_namespaces > old_max_user_ns
++ echo 1500 > /proc/sys/user/max_user_namespaces
++ fi
++
++restore: |
++ if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
++ # RHEL/Centos 7.4+ set this to 0 by default
++ cat old_max_user_ns > /proc/sys/user/max_user_namespaces
++ rm -f old_max_user_ns
++ fi
++
+ execute: |
+ echo "We can run unshare -U as a regular user and expect it to work"
+ test-snapd-tools.cmd unshare -U true
+diff --git a/tests/regression/lp-1641885/task.yaml b/tests/regression/lp-1641885/task.yaml
+index d8e38dff40..da6591b6e0 100644
+--- a/tests/regression/lp-1641885/task.yaml
++++ b/tests/regression/lp-1641885/task.yaml
+@@ -1,7 +1,7 @@
+ summary: snaps installed with --jailmode are not in devmode
+
+ # No confinement (AppArmor, Seccomp) available on these systems
+-systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*]
++systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+ details: |
+ Users found that a snap that uses "confinement: devmode", even when
+diff --git a/tests/upgrade/basic/task.yaml b/tests/upgrade/basic/task.yaml
+index 959539a556..38c3fdd99c 100644
+--- a/tests/upgrade/basic/task.yaml
++++ b/tests/upgrade/basic/task.yaml
+@@ -1,8 +1,8 @@
+ summary: Check that upgrade works
+
+ # arch: there is no snapd in arch repos
+-# amazon: same for amazon linux
+-systems: [-debian-sid-*, -arch-*, -amazon-*]
++# amazon, centos: enable when snapd hits EPEL
++systems: [-debian-sid-*, -arch-*, -amazon-*, -centos-*]
+
+ restore: |
+ if [ "$REMOTE_STORE" = staging ]; then
+
+From 54ffb070bf4809c4aa58515a39f4ca70578c13bb Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Mon, 19 Nov 2018 16:08:47 +0100
+Subject: [PATCH 09/10] sanity: extend the kernel version check to cover
+
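Review bot: The added `restore:` section in tests/regression/lp-1618683/task.yaml runs `cat old_max_user_ns > /proc/sys/user/max_user_namespaces` without checking that prepare got as far as saving the file. If `install_local_devmode` fails first and restore still runs, `old_max_user_ns` does not exist and restore fails as well. The test raises a limit that, per the comment, RHEL/CentOS 7.4+ ships as 0, so the host should always be returned to the saved value and never left in doubt. I would guard the write, e.g. `if [ -f old_max_user_ns ]; then cat old_max_user_ns > /proc/sys/user/max_user_namespaces; rm -f old_max_user_ns; fi`.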
CentOS/RHEL kernels
+
+Extend the check to cover kernel versions in CentOS/RHEL 7.x. Probe for a known
+sysctl that needs to be enabled.
+
+Signed-off-by: Maciej Borzecki
+---
+ sanity/version.go | 64 +++++++++++++++++++++---
+ sanity/version_test.go | 107 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 163 insertions(+), 8 deletions(-)
+
+diff --git a/sanity/version.go b/sanity/version.go
+index 35533dd044..b889d72e4b 100644
+--- a/sanity/version.go
++++ b/sanity/version.go
+@@ -20,9 +20,13 @@
+ package sanity
+
+ import (
++ "bytes"
+ "fmt"
++ "io/ioutil"
++ "path/filepath"
+ "strings"
+
++ "github.com/snapcore/snapd/dirs"
+ "github.com/snapcore/snapd/logger"
+ "github.com/snapcore/snapd/osutil"
+ "github.com/snapcore/snapd/release"
+@@ -33,21 +37,65 @@ func init() {
+ checks = append(checks, checkKernelVersion)
+ }
+
++// supportsMayDetachMounts checks whether a RHEL 7.4+ specific kernel knob is present
++// and set to proper value
++func supportsMayDetachMounts(kver string) error {
++ p := filepath.Join(dirs.GlobalRootDir, "/proc/sys/fs/may_detach_mounts")
++ value, err := ioutil.ReadFile(p)
++ if err != nil {
++ return fmt.Errorf("cannot read fs.may_detach_mounts state: %v", err)
++ }
++ if !bytes.Equal(value, []byte("1\n")) {
++ return fmt.Errorf("fs.may_detach_mounts is present but disabled")
++ }
++ return nil
++}
++
+ // checkKernelVersion looks for some unsupported configurations that users may
+ // encounter and provides advice on how to resolve them.
+ func checkKernelVersion() error {
+- if release.OnClassic && release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04" {
+- kver := osutil.KernelVersion()
+- // a kernel version looks like this: "4.4.0-112-generic" and
+- // we are only interested in the bits before the "-"
+- kver = strings.SplitN(kver, "-", 2)[0]
+- cmp, err := strutil.VersionCompare(kver, "3.13.0")
++ if !release.OnClassic {
++ return nil
++ }
++
++ switch release.ReleaseInfo.ID {
++ case "ubuntu":
++ if release.ReleaseInfo.VersionID == "14.04" {
++ kver := osutil.KernelVersion()
++ // a kernel version looks like this: "4.4.0-112-generic" and
++ // we are only interested in the bits before the "-"
++ kver = strings.SplitN(kver, "-", 2)[0]
++ cmp, err := strutil.VersionCompare(kver, "3.13.0")
++ if err != nil {
++ logger.Noticef("cannot check kernel: %v", err)
++ return nil
++ }
++ if cmp <= 0 {
++ return fmt.Errorf("you need to reboot into a 4.4 kernel to start using snapd")
++ }
++ }
++ case "rhel", "centos":
++ // check for kernel tweaks on RHEL/CentOS 7.5+
++ // CentoS 7.5 has VERSION_ID="7", RHEL 7.6 has VERSION_ID="7.6"
++ if release.ReleaseInfo.VersionID == "" || release.ReleaseInfo.VersionID[0] != '7' {
++ return nil
++ }
++ fullKver := osutil.KernelVersion()
++ // kernel version looks like this: "3.10.0-957.el7.x86_64"
++ kver := strings.SplitN(fullKver, "-", 2)[0]
++ cmp, err := strutil.VersionCompare(kver, "3.18.0")
+ if err != nil {
+ logger.Noticef("cannot check kernel: %v", err)
+ return nil
+ }
+- if cmp <= 0 {
+- return fmt.Errorf("you need to reboot into a 4.4 kernel to start using snapd")
++ if cmp < 0 {
++ // pre 3.18 kernels here
++ if idx := strings.Index(fullKver, ".el7."); idx == -1 {
++ // non stock kernel, assume it's not supported
++ return fmt.Errorf("unsupported kernel version %q, you need to switch to the stock kernel", fullKver)
++ }
++ // stock kernel had bugfixes backported to it
++ return supportsMayDetachMounts(kver)
+ }
+ }
+ return nil
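Review bot: `supportsMayDetachMounts(kver string)` never uses `kver`; the function only reads `/proc/sys/fs/may_detach_mounts` under `dirs.GlobalRootDir`, so the parameter can be dropped: `func supportsMayDetachMounts() error {` with the call site `return supportsMayDetachMounts()`. The test `!bytes.Equal(value, []byte("1\n"))` also depends on the exact bytes of the file; `strings.TrimSpace(string(value)) != "1"` states the intent without relying on the trailing newline. The helper's doc comment says RHEL 7.4+ while the comment in the `rhel`/`centos` case says 7.5+, and the two should agree. The closing brace of `checkKernelVersion` lies outside this hunk, and the follow-up patch 10/10 only rewords the error strings, so these points remain there.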
+diff --git a/sanity/version_test.go b/sanity/version_test.go
+index 3fc172dd58..8e3b50f5ef 100644
+--- a/sanity/version_test.go
++++ b/sanity/version_test.go
+@@ -20,8 +20,13 @@
+ package sanity_test
+
+ import (
++ "io/ioutil"
++ "os"
++ "path/filepath"
++
+ . "gopkg.in/check.v1"
+
++ "github.com/snapcore/snapd/dirs"
+ "github.com/snapcore/snapd/osutil"
+ "github.com/snapcore/snapd/release"
+ "github.com/snapcore/snapd/sanity"
+@@ -58,3 +63,105 @@ func (s *sanitySuite) TestRebootedOnTrusty(c *C) {
+ err := sanity.CheckKernelVersion()
+ c.Assert(err, IsNil)
+ }
++
++func (s *sanitySuite) TestRHEL80OK(c *C) {
++ // Mock an Ubuntu 14.04 system running a 4.4.0 kernel
++ restore := release.MockOnClassic(true)
++ defer restore()
++ restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "8.0"})
++ defer restore()
++ // RHEL 8 beta
++ restore = osutil.MockKernelVersion("4.18.0-32.el8.x86_64")
++ defer restore()
++
++ // Check for the given advice.
++ err := sanity.CheckKernelVersion()
++ c.Assert(err, IsNil)
++}
++
++func (s *sanitySuite) TestRHEL7x(c *C) {
++ dir := c.MkDir()
++ dirs.SetRootDir(dir)
++ defer dirs.SetRootDir("/")
++ // mock RHEL 7.6
++ restore := release.MockOnClassic(true)
++ defer restore()
++ // VERSION="7.6 (Maipo)"
++ // ID="rhel"
++ // ID_LIKE="fedora"
++ // VERSION_ID="7.6"
++ restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "7.6"})
++ defer restore()
++ restore = osutil.MockKernelVersion("3.10.0-957.el7.x86_64")
++ defer restore()
++
++ // pretend the kernel knob is not there
++ err := sanity.CheckKernelVersion()
++ c.Assert(err, ErrorMatches, "cannot read fs.may_detach_mounts state: .*")
++
++ p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
++ err = os.MkdirAll(filepath.Dir(p), 0755)
++ c.Assert(err, IsNil)
++
++ // the knob is there, but disabled
++ err = ioutil.WriteFile(p, []byte("0\n"), 0644)
++ c.Assert(err, IsNil)
++
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
++
++ // actually enabled
++ err = ioutil.WriteFile(p, []byte("1\n"), 0644)
++ c.Assert(err, IsNil)
++
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, IsNil)
++
++ // custom kernel version, which is old and we have no knowledge about
++ restore = osutil.MockKernelVersion("3.10.0-1024.foo.x86_64")
++ defer restore()
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, ErrorMatches, `unsupported kernel version "3.10.0-1024.foo.x86_64", you need to switch to the stock kernel`)
++
++ // custom kernel version, but new enough
++ restore = osutil.MockKernelVersion("4.18.0-32.foo.x86_64")
++ defer restore()
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, IsNil)
++}
++
++func (s *sanitySuite) TestCentOS7x(c *C) {
++ dir := c.MkDir()
++ dirs.SetRootDir(dir)
++ defer dirs.SetRootDir("/")
++ // mock CentOS 7.5
++ restore := release.MockOnClassic(true)
++ defer restore()
++ // NAME="CentOS Linux"
++ // VERSION="7 (Core)"
++ // ID="centos"
++ // ID_LIKE="rhel fedora"
++ // VERSION_ID="7"
++ restore = release.MockReleaseInfo(&release.OS{ID: "centos", VersionID: "7"})
++ defer restore()
++ restore = osutil.MockKernelVersion("3.10.0-862.14.4.el7.x86_64")
++ defer restore()
++
++ p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
++ err := os.MkdirAll(filepath.Dir(p), 0755)
++ c.Assert(err, IsNil)
++
++ // the knob there, but disabled
++ err = ioutil.WriteFile(p, []byte("0\n"), 0644)
++ c.Assert(err, IsNil)
++
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
++
++ // actually enabled
++ err = ioutil.WriteFile(p, []byte("1\n"), 0644)
++ c.Assert(err, IsNil)
++
++ err = sanity.CheckKernelVersion()
++ c.Assert(err, IsNil)
++}
+
+From 88fdf6cca3cbe80a26cfa0a278935df5d3512b5e Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Tue, 20 Nov 2018 07:42:35 +0100
+Subject: [PATCH 10/10] sanity: tweak error messages for fs.may_detach_mounts
+
+Signed-off-by: Maciej Borzecki
+---
+ sanity/version.go | 4 ++--
+ sanity/version_test.go | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sanity/version.go b/sanity/version.go
+index b889d72e4b..76fd7e9e5b 100644
+--- a/sanity/version.go
++++ b/sanity/version.go
+@@ -43,10 +43,10 @@ func supportsMayDetachMounts(kver string) error {
+ p := filepath.Join(dirs.GlobalRootDir, "/proc/sys/fs/may_detach_mounts")
+ value, err := ioutil.ReadFile(p)
+ if err != nil {
+- return fmt.Errorf("cannot read fs.may_detach_mounts state: %v", err)
++ return fmt.Errorf("cannot read the value of fs.may_detach_mounts kernel parameter: %v", err)
+ }
+ if !bytes.Equal(value, []byte("1\n")) {
+- return fmt.Errorf("fs.may_detach_mounts is present but disabled")
++ return fmt.Errorf("fs.may_detach_mounts kernel parameter is supported but disabled")
+ }
+ return nil
+ }
+diff --git a/sanity/version_test.go b/sanity/version_test.go
+index 8e3b50f5ef..16a278ee5f 100644
+--- a/sanity/version_test.go
++++ b/sanity/version_test.go
+@@ -97,7 +97,7 @@ func (s *sanitySuite) TestRHEL7x(c *C) {
+
+ // pretend the kernel knob is not there
+ err := sanity.CheckKernelVersion()
+- c.Assert(err, ErrorMatches, "cannot read fs.may_detach_mounts state: .*")
++ c.Assert(err, ErrorMatches, "cannot read the value of fs.may_detach_mounts kernel parameter: .*")
+
+ p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
+ err = os.MkdirAll(filepath.Dir(p), 0755)
+@@ -108,7 +108,7 @@ func (s *sanitySuite) TestRHEL7x(c *C) {
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+- c.Assert(err, ErrorMatches, "fs.may_detach_mounts is present but disabled")
++ c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled")
+
+ // actually enabled
+ err = ioutil.WriteFile(p, []byte("1\n"), 0644)
+@@ -156,7 +156,7 @@ func (s *sanitySuite) TestCentOS7x(c *C) {
+ c.Assert(err, IsNil)
+
+ err = sanity.CheckKernelVersion()
+- c.Assert(err, ErrorMatches,
"fs.may_detach_mounts is present but disabled") ++ c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled") + + // actually enabled + err = ioutil.WriteFile(p, []byte("1\n"), 0644) diff --git a/snapd.spec b/snapd.spec index f856ce2..4071628 100644 --- a/snapd.spec +++ b/snapd.spec @@ -76,7 +76,7 @@ Name: snapd Version: 2.36 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A transactional software package manager Group: System Environment/Base License: GPLv3 @@ -87,6 +87,10 @@ Source1: https://%{provider_prefix}/releases/download/%{version}/%{name}_ # Upstream proposed PR: https://github.com/snapcore/snapd/pull/3162 Patch0001: 0001-cmd-use-libtool-for-the-internal-library.patch +# Upstream proposed PR: https://github.com/snapcore/snapd/pull/6183 +# Merged upstream, remove when rebasing to 2.37 +Patch0101: PR6183-Add-CentOS-7-support.patch + %if 0%{?with_goarches} # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}} @@ -767,6 +771,9 @@ fi %changelog +* Wed Nov 21 2018 Neal Gompa - 2.36-3 +- Backport fixes for EL7 support + * Wed Nov 14 2018 Neal Gompa - 2.36-2 - Fix runtime dependency for selinux subpackage for EL7