
asserts,confdb: have operators as a list in confdb-control assertion

Open st3v3nmw opened this issue 1 year ago • 3 comments

This is a follow-up on last week's design sessions.

Internal Format

I've simplified the internal model to this:

operator:
    id: operator
    views:
        path/to/view: OperatorKey|Store
        some/other/view: Store
        aa/bb/cc: OperatorKey|Store
operator2:
    id: operator2
    views:
        path/to/view: OperatorKey|Store
        path/to/another: OperatorKey
        aa/bb/cc: OperatorKey|Store
operator3:
    id: operator3
    views:
        path/to/view: Store

This format works best with the Delegate(operator, views, auth) and Undelegate(operator, views, auth) API as operations are done one operator at a time.

The view's authentication is represented as a bitmask which allows us to easily update it with bitwise operations.

This simple representation allows us to avoid writing complex code that re-compacts the groups every time an update is made.

External Format

Once we're ready to output the assertion, it's serialized in the compact format prescribed by SD172:

groups:
    - operators: [ operator2 ]
      authentications: [ operator-key ]
      views: [ path/to/another ]
    - operators: [ operator3 ]
      authentications: [ store ]
      views: [ path/to/view ]
    - operators: [ operator ]
      authentications: [ store ]
      views: [ some/other/view ]
    - operators: [ operator, operator2 ]
      authentications: [ operator-key, store ]
      views: [ aa/bb/cc, path/to/view ]

Groups are loosely sorted by authentications: groups with ["operator-key"] appear first, then groups with ["store"] only, and finally, groups with ["operator-key", "store"]. The fields group.operators, group.authentications, and group.views are always sorted alphabetically.

st3v3nmw avatar Feb 03 '25 10:02 st3v3nmw
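
The conversion from the internal per-operator model to the compact external groups described in the post above, as an added Go sketch that is not snapd's code. The names `Auth`, `Group`, `Compact` and `Sample`, the bit values, and the ordering by views within one authentication mask are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Auth is a bitmask. Names follow the PR text; the bit values are assumed.
type Auth uint8
const OperatorKey, Store, Both Auth = 1, 2, 1 | 2
var authNames = map[Auth][]string{OperatorKey: {"operator-key"}, Store: {"store"}, Both: {"operator-key", "store"}}
type Group struct{ Operators, Authentications, Views []string } // one external group

var Sample = map[string]map[string]Auth{ // constructed from the PR's example
	"operator":  {"path/to/view": Both, "some/other/view": Store, "aa/bb/cc": Both},
	"operator2": {"path/to/view": Both, "path/to/another": OperatorKey, "aa/bb/cc": Both},
	"operator3": {"path/to/view": Store},
}

// Compact merges operators that share the same (mask, view set) into one group.
func Compact(ops map[string]map[string]Auth) []Group {
	merged := map[string]*Group{}
	for op, views := range ops {
		byAuth := map[Auth][]string{} // this operator's views, bucketed by mask
		for v, a := range views {
			byAuth[a] = append(byAuth[a], v)
		}
		for a, vs := range byAuth {
			sort.Strings(vs)
			key := fmt.Sprint(a, vs) // e.g. "3 [aa/bb/cc path/to/view]"
			if merged[key] == nil {
				merged[key] = &Group{Authentications: authNames[a], Views: vs}
			}
			merged[key].Operators = append(merged[key].Operators, op)
		}
	}
	// Sorted keys order groups by mask (1, 2, 3), then by views (tie-break assumed).
	keys, out := []string{}, []Group{}
	for k := range merged {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		sort.Strings(merged[k].Operators)
		out = append(out, *merged[k])
	}
	return out
}

func main() { fmt.Println(Compact(Sample)) }
```

Because each operator's views are bucketed by mask before merging, an update through a per-operator API only touches one inner map and the groups are recomputed at serialization time.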

Tue Feb 18 12:09:34 UTC 2025 The following results are from: https://github.com/canonical/snapd/actions/runs/13385313111

Failures:

Preparing:

  • openstack:debian-sid-64:tests/main/
  • google:ubuntu-22.04-64:tests/main/interfaces-mount-control-cifs
  • google:ubuntu-18.04-64:tests/regression/lp-1871652

Executing:

  • openstack:centos-9-64:tests/main/degraded
  • google-arm:ubuntu-20.04-arm-64:tests/main/progress
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage
  • google:ubuntu-25.04-64:tests/main/cgroup-devices-v2
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
  • google:ubuntu-22.04-64:tests/main/snapd-state

Restoring:

  • openstack:debian-12-64:tests/unit/c-unit-tests-gcc
  • openstack:debian-12-64:tests/unit/
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
  • google:ubuntu-18.04-64:tests/regression/lp-1871652

github-actions[bot] avatar Feb 03 '25 10:02 github-actions[bot]

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 78.09%. Comparing base (a272aac) to head (254af50). Report is 314 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #15013      +/-   ##
==========================================
+ Coverage   78.07%   78.09%   +0.02%     
==========================================
  Files        1182     1180       -2     
  Lines      157743   157853     +110     
==========================================
+ Hits       123154   123280     +126     
+ Misses      26943    26922      -21     
- Partials     7646     7651       +5     
Flag Coverage Δ
unittests 78.09% <100.00%> (+0.02%)


codecov[bot] avatar Feb 03 '25 11:02 codecov[bot]

Thanks for the review! I've made the changes

st3v3nmw avatar Feb 12 '25 07:02 st3v3nmw

Looking at the failing tests:

spread debian-not-req / run-spread
    E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 28224 (unattended-upgr)
    E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?

spread ubuntu-arm64 / run-spread
    snap "test-snapd-tools-core24" is not installed

spread ubuntu-jammy / run-spread
// 1
    Time 2025-02-18T10:28:40+00:00 too far from current time (2025-02-18T12:01:17+00:00)

// 2: Error connecting to Samba
    systemctl restart smbd.service
    smbclient --no-pass -L //localhost MATCH 'var-cifs-share .* test CIFS share'
    do_connect: Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
    grep error: pattern not found, got:

spread ubuntu-xenial-bionic / run-spread
    lxc exec bionic -- chmod -x /usr/local/bin/systemctl
    chmod: cannot access '/usr/local/bin/systemctl': No such file or directory

spread centos / run-spread
    systemctl reports the system is in degraded mode
    systemctl --failed
    UNIT LOAD ACTIVE SUB DESCRIPTION
    ● dnf-makecache.service loaded failed failed dnf makecache

spread ubuntu-daily / run-spread
// 1
    bpftool map dump pinned /sys/fs/bpf/snap/snap_test-snapd-service_sh
    WARNING: bpftool not found for kernel 6.12.0-1001

You may need to install the following packages for this specific kernel: linux-tools-6.12.0-1001-gcp linux-cloud-tools-6.12.0-1001-gcp

You may also want to install one of the following packages to keep up to date: linux-tools-gcp linux-cloud-tools-gcp

// 2 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-strict-cgroup-helper_sh', '-j']' returned non-zero exit status 2. grep error: pattern not found, got:

// 3 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-snapd-sh-core24_sh', '-j']' returned non-zero exit status 2. grep error: pattern not found, got:

// 4 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_container-mgr-snap_docker-support', '-j']' returned non-zero exit status 2. grep error: pattern not found, got:

// 5 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-snapd-sh_sh', '-j']' returned non-zero exit status 2. grep error: pattern not found, got:

// 6 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-strict-cgroup_sh', '-j']' returned non-zero exit status 2. grep error: pattern not found, got:

// 7 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-snapd-sh_sh', '-j']' returned non-zero exit status 2.

// 8 subprocess.CalledProcessError: Command '['bpftool', 'map', 'dump', 'pinned', '/sys/fs/bpf/snap/snap_test-snapd-sh_sh', '-j']' returned non-zero exit status 2.

st3v3nmw avatar Feb 19 '25 08:02 st3v3nmw