Merge pull request #33359 from bluca/test_apparmor_unpriv

mkosi: enable unprivileged user ns for integration tests
2024-07-01 07:34:28 +00:00 · 2024-06-18 00:13:15 +01:00 · 2024-06-18 00:13:15 +01:00 · 3f4f065bab
commit 3f4f065bab
parent fcbe3e3b2e 3001339dc5
13 changed files with 56 additions and 18 deletions
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -92,7 +92,7 @@ jobs:

    steps:
    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-    - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+    - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e

    # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
    # immediately, we remove the files in the background. However, we first move them to a different location
@ -117,6 +117,8 @@ jobs:

    - name: Configure
      run: |
+        # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
+        sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
        tee mkosi.local.conf <<EOF
        [Distribution]
        Distribution=${{ matrix.distro }}
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@ -20,8 +20,6 @@ VolatilePackages=
        libsystemd-dev
        libudev-dev
        systemd
-        systemd-boot
-        systemd-boot-efi
        systemd-container
        systemd-coredump
        systemd-dev
@ -74,7 +72,6 @@ Packages=
        python3-pexpect
        python3-psutil
        quota
-        sbsigntool
        softhsm2
        squashfs-tools
        stress
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# sbsigntool exists only on UEFI architectures
+
+[Match]
+Architecture=|x86
+Architecture=|x86-64
+Architecture=|arm
+Architecture=|arm64
+Architecture=|riscv32
+Architecture=|riscv64
+
+[Content]
+Packages=
+        sbsigntool
+        systemd-boot
+        systemd-boot-efi
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@ -3,9 +3,6 @@
 [Match]
 Distribution=ubuntu

-[Distribution]
-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
-
 [Content]
 Packages=
        linux-image-generic
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The ports Ubuntu archive is for non i386/amd64 repositories
+
+[Match]
+Architecture=!x86-64
+Architecture=!x86
+
+[Distribution]
+PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The main Ubuntu archive is only for i386/amd64 repositories
+
+[Match]
+Architecture=|x86-64
+Architecture=|x86
+
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://ports.ubuntu.com
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
--- a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
@ -0,0 +1,4 @@
+# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
+# for integration tests
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@ -5,7 +5,8 @@ integration_tests += [
                'name' : fs.name(meson.current_source_dir()),
                'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
+                # Use 'auto' to automatically fallback on non-uefi architectures.
+                'firmware' : 'auto',
                'vm' : true,
        },
 ]
--- a/test/TEST-09-REBOOT/meson.build
+++ b/test/TEST-09-REBOOT/meson.build
@ -4,7 +4,5 @@ integration_tests += [
        integration_test_template + {
                'name' : fs.name(meson.current_source_dir()),
                'storage' : 'persistent',
-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
        },
 ]
--- a/test/TEST-18-FAILUREACTION/meson.build
+++ b/test/TEST-18-FAILUREACTION/meson.build
@ -3,7 +3,5 @@
 integration_tests += [
        integration_test_template + {
                'name' : fs.name(meson.current_source_dir()),
-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
        },
 ]
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@ -2,10 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

 '''Test wrapper command for driving integration tests.
-
-Note: This is deliberately rough and only intended to drive existing tests
-with the expectation that as part of formally defining the API it will be tidy.
-
 '''

 import argparse
@ -61,6 +57,10 @@ def main():
        print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
        exit(77)

+    if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+        print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+        exit(77)
+
    name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")

    dropin = textwrap.dedent(
@ -128,6 +128,7 @@ def main():
        *args.mkosi_args,
        '--append',
        '--qemu-firmware', args.firmware,
+        '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
        '--kernel-command-line-extra',
        ' '.join([
            'systemd.hostname=H',
--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
@ -6,13 +6,13 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh

-install_extension_images
-
 if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
    echo "Cannot create unprivileged user namespaces" >/skipped
    exit 77
 fi

+install_extension_images
+
 systemd-analyze log-level debug

 runas testuser systemd-run --wait --user --unit=test-private-users \