tests: new approach to run tests in ubuntu and debian using snapd deb from the repo

[sergiocazzolato]

The idea of this pr is to change de default behavior for the deb
package used in our spread tests. To simulate a more realistic scenario, and
having snapd snap build from local, this change is adding as default a
new scenario to have the snapd deb installed from the deb repository.

Then the deb package is saved in the same place as we do when we build it
during the test, making easy to have different scenarios working together.

It is a requirement also so be able to run the tests using a built snapd
deb as we are currently doing.

to run the tests building snapd deb, do:
SPREAD_SNAPD_DEB_FROM_REPO=false spread google:ubuntu-22.04-64:tests/

[sergiocazzolato]

I see the deb from the repo is not built with testkeys, and this is making fail too many tests.

[bboozzoo]

the no-reexec tests will be broken as 2.63.1 (currently in the Ubuntu archive), does not have this fix 0165d14

[zyga]

I did a full pass and left some comments. Most of my comments are purely technical in nature. I think overall this looks excellent and we shoud discuss next steps as to how to complete this work in the next pulse.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.89%. Comparing base (ac897ee) to head (38959dc).
Report is 61 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #14496      +/-   ##
==========================================
+ Coverage   78.85%   78.89%   +0.04%     
==========================================
  Files        1079     1083       +4     
  Lines      145615   146377     +762     
==========================================
+ Hits       114828   115488     +660     
- Misses      23601    23688      +87     
- Partials     7186     7201      +15     

Flag	Coverage Δ
unittests	78.89% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zyga]

Thank you for good progress. I see some tests are failing because they meet unexpected conditions:

For instance google:ubuntu-24.04-64:tests/main/snapd-reexec:core

+ echo 'Ensure we re-exec by default'
Ensure we re-exec by default
+ MATCH 'DEBUG: restarting into "/snap/core/current/usr/bin/snap"'
+ /usr/bin/env SNAPD_DEBUG=1 snap list
grep error: pattern not found, got:
logger.go:93: DEBUG: snap (at "/snap/core/current") is older ("2.63+git5348.e45449bd5~ubuntu16.04.1") than distribution package ("2.63.1+24.04")
Name  Version                    Rev    Tracking     Publisher    Notes
core  16-2.63+git5348.e45449bd5  17195  latest/edge  canonical**  core

The test should accept this as valid outcome (core snap is indeed older than distro package).

Then google-distro-1:debian-11-64:tests/main/user-session-env fails on a missing environment value:

+ MATCH 'XDG_DATA_DIRS=.*[:]?/var/lib/snapd/desktop[:]?.*'
grep error: pattern not found, got:
HOME=/home/test-fish
LANG=C.UTF-8
LOGNAME=test-fish
MAIL=/var/mail/test-fish
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
***
SHELL=/usr/bin/fish
SHLVL=1
USER=test-fish

I don't know if this is supposed to pass. Debian 11 has pretty old snapd and perhaps this part relies on updated data files that do not participate in re-execution. Perhaps we should mark it as known failure.

Other than that I consider this a +0.98. Let get it green and land it.

[zyga]

Heh, and obviously my comment was not counted as the review. Please see my longer comment just above this one.

[bboozzoo]

Thanks for working on this and apologies for the delay in reviewing the code.

[bboozzoo]

does it need touch .skip somewhere?

[sergiocazzolato]

it is done in the spread.yaml. It is done in the prepare-each of the fips suite.

[zyga]

Hmmmmmm

I wonder if we can exit 0 from a prepare-each to effectively skip in prepare in the test? How does spread assemble sections of code together?

[sergiocazzolato]

it is not possible, prepare-each is executed before than the prepare section of the test, and if exit 0 then the prepare section of the test is executed (it is not skipped).

[bboozzoo]

should this be called is-snapd-deb-from-repo since it only works for debs? or is there a missing TODO to make this work on other systems as well?

[sergiocazzolato]

well, if at some point the re-execution is implemented for rpms, then we could make other systems download the rpm as we do with the deb.

[zyga]

I think the name is fine and should not include the word "deb" -- we will soon enable this for RPMs in tests. My only personal preference would be to call it "is-snapd-from-archive" as it reads better than abbreviated repository IMO. No need to change this though :)

[zyga]

Three short comments but please see my last comment (topmost in the diff). I'll repeat the essence here:

• Can we skip from prepare-each by abusing the way exit is interpreted when suite-level prepare-each is combined with prepare in the individual tasks?

[bboozzoo]

LGTM

[bboozzoo]

maybe needs a TODO or a comment, that the is-snapd-pkg-repo only works for deb at the moment, hence the distro where this scenario is executed all use /snap. But yeah, it should use mount dir if we want to avoid coming back to the test later

[sergiocazzolato]

@bboozzoo @zyga Please, could do make a last pass here? I updated the failing tests.

[bboozzoo]

LGTM

[bboozzoo]

this would work too, wouldn't it?

Suggested change

	/usr/bin/env SNAPD_DEBUG=1 snap list 2>&1 | MATCH "DEBUG: restarting into \"$SNAPD_MOUNT_DIR/current/usr/bin/snap\""
	SNAPD_DEBUG=1 snap list 2>&1 | MATCH "DEBUG: restarting into \"$SNAPD_MOUNT_DIR/current/usr/bin/snap\""

[bboozzoo]

this makes sense now. the binaries request an interpreter at /snap/snapd/current/. When preseed is invoked through snap prepare-image, it will set up a temporary bind mount so that the interpreter can be found.

[zyga]

I left a mini-review on internal chat but to recap. Remaining test failures indicate that the test runs a somehow skewed copy where new snapd emits securirty profiles but old snap-confile fails to find them (snap-seccomp transition from .bin to .bin2). We should see if those tests need adjusting or if they are no longer sensible.

I had a look at failures of:

• google:ubuntu-16.04-64:tests/main/auto-refresh-pre-download:close_mid_restart
• google:ubuntu-16.04-64:tests/main/snap-run-devmode-classic:core_first
• google:ubuntu-16.04-64:tests/main/snap-run-devmode-classic:snapd_first
• google:ubuntu-16.04-64:tests/main/snapd-update-services

Some of those had insufficient information on failure, but I suspect the reason is common across them.

[zyga]

I wanted to approve this but there are three issues and one potential bug.

To unblock this we musts fix the logic that finds the core snap by revision. I left a partial suggestion that should be useful as a starting point.

We must also do something else for the udev and systemd generator tests - those are not measuring what will really happen on a normal system with snapd snap installed. Neither of the two programs participates in re-execution and the test is only measuring what happens when a classic package is updated.

Lastly the case about test keys is really bugging me as I think it's either indicative of a bug or the test is failing for another reason (I didn't check yet, sorry). If classic snapd is build with normal production keys but snapd snap is built with test keys, when we re-execute we should honor test keys without issues. If we are not doing that then something is fishy/wrong and warrants investigation.

CC @bboozzoo as you've approved this and I think you want to re-read.

[zyga]

CC @bboozzoo do you have any idea why this would be the case? I think this is a bug somewhere.

[zyga]

I think this is similar to the udev test that is just not measuring anything real. The test should be skipped on distributions where the systemd generators are too old or they give false sense of security where the reality is that it just doesn't work this way. Those helpers do not re-execute.

[zyga]

Let's keep this as-is and add this disclaimer next to this if statement:

# NOTE: This test doesn't measure what happens with a system using old classic
# package and a new snapd snap. Instead it measures what happens when the classic
# package is updated to contain the code in the tested branch. The test is valid
# but does not give confidence of the behavior during re-execution, as systemd
# generators do not participate in re-execution.

[zyga]

LGTM with the new comment I've suggested inline for the test working with systemd generators.

Once this lands we need to look at the test keys and re-execution, as that IMO is still wrong. I would like to try to re-enable that logic and see what really happens.

Since there will be other follow-ups, I think this is in a state good for landing and further iteration.

EDIT: For clarity, @bboozzoo figured out why it fails and it seems we fail before we re-execute due to global initialization happening before main.