Git log: commit a4a73de99007d85614303d8a9eb973835b4d9013
Merge: 89204da1ea db246d65b6
Author: Zygmunt Bazyli Krynicki <me@zygoon.pl>
Date: Mon Apr 6 07:06:03 2020 +0000
Merge branch 'debian' into 'debian'
update packaging to the snapd 2.44.2 release
See merge request debian/snapd!5
commit db246d65b6a72fa801e7a05b496a60e4bb944561
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Apr 6 08:28:44 2020 +0200
releasing package snapd version 2.44.1-2
commit 810701061e0debcb8ea2ee1dc950ed82cd0c0c0b
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Apr 6 08:28:35 2020 +0200
debian/not-installed:
* debian/not-installed:
- do not install usr/bin/snap-preseed on debian
commit 369475919c470ad0adb3a4ac54586bec1157b25c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 24 09:37:18 2020 +0100
releasing package snapd version 2.44.1-1
commit 675c4b9bbb51559bd02a2e5ad65b17ffd4864682
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 24 09:37:03 2020 +0100
debian: sync packaging changes from upstream
commit abd2159f8bb57c051675008a67301223ae462508
Merge: dd8b416cb2 46a653f101
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 24 09:36:14 2020 +0100
Merge tag '2.44.1' into debian
tagging package snapd version 2.44.1
commit 46a653f1017bdb27807455e8f7ed5e86f5d39a93
Author: Michael Vogt <mvo@ubuntu.com>
Date: Sat Mar 21 18:41:52 2020 +0100
releasing package snapd version 2.44.1
commit df7fb32e8c494c838d8607ed95e274ace279ef24
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Sat Mar 21 08:34:16 2020 +0100
randutil: improving comments
commit ecb0adfc37ce8788bafef3128cde129a9e050244
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Fri Mar 20 21:08:00 2020 +0100
avoid consuming kernel entropy, just mix hostname and interfaces info
commit cf006bd9fce0c1c1eeaa67b6571c365bb6083033
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Fri Mar 20 09:06:00 2020 +0100
randutil: try to re-improve the quality of RandomDuration
commit 1c08f48971d7fa54815c501b75edc2093e84604d
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Thu Mar 19 22:12:32 2020 +0100
randutil: switch back to setting up seed with lower entropy data
commit ed5ebb34cfcac19dc941cc477b9dde5a4b1cd3c8
Merge: 31092c0aa8 a53b1ea763
Author: Michael Vogt <mvo@ubuntu.com>
Date: Fri Mar 20 09:30:06 2020 +0100
Merge pull request #8303 from anonymouse64/feature/gg-1.9-update-take2-2.44
interfaces/greengrass-support: fix typo
commit a53b1ea7636378401eebfc606443eb11b95212e2
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Thu Mar 19 15:49:43 2020 -0500
interfaces/greengrass-support: fix typo
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit 31092c0aa89a760d3320108bbcd3764200a6d2d1
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 18 12:48:22 2020 +0100
packaging,tests: ensure debian-sid builds without vendor/
The debian-sid packaging does not currently build in a pristine
sbuild environment. The nightly suite did catch this but we did
not pay attention.
This commit fixes the first issue and removes the vendor/ content
when building the debian package in debian-sid. It also updates
the packaging to exclude the "snap-bootstrap" binary which contains
code that needs a vendored package. But snap-bootstrap is not used
in debian (and never will be) so that's fine.
commit f000444fa64997b0e6073fcef22955e2938632b3
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 19 09:28:01 2020 +0100
travis.yml: run unit tests with go/master as well
* travis.yml: run unit tests with go/master as well
The unit tests of snapd are broken currently for golang-1.14. This
was observed on debian-sid. We did not catch this. To ensure we
get an early warning about failures with the latest go this PR
adds "master" to the go versions to run the unit tests against.
This commit also fixes the broken tests with 1.14
commit c631b54598b2f1b74c2845e4339b5d7af4fe6c6d
Author: Zygmunt Krynicki <me@zygoon.pl>
Date: Tue Mar 17 21:36:33 2020 +0100
cmd/snap-update-ns: fix wording in debug message
commit b238846132d1a2165d22a15be58143f17c27f8a5
Author: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Tue Mar 17 14:17:00 2020 +0100
cmd/snap-update-ns: ignore EROFS from rmdir/unlink
Surprisingly, unlink/remove can return EROFS when the file being removed
is a bind mount from a writable filesystem onto a read-only filesystem.
This was not handled by snap-update-ns logic before.
The case was reported by the MAAS team, many thanks for their reliable
reproduction instructions.
Fixes: https://bugs.launchpad.net/snapd/+bug/1867752
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
commit dd8b416cb2361e957b8500ff4a04881a7976f6b8
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 18 11:32:10 2020 +0100
debian: sync packaging changes from upstream
commit 995acf3b9975e74b2b679f853aa6eea10e8d31de
Merge: 034f60cad1 16631e228c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 18 11:31:57 2020 +0100
Merge tag '2.44' into debian
tagging package snapd version 2.44
commit 16631e228c07c969cc64737a2879cbe4ee71f01f
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 17 21:08:33 2020 +0100
releasing package snapd version 2.44
commit 7f5ce9640bd601c8cc0bc5f6cc8db4eaad31faee
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Tue Mar 17 11:22:38 2020 +0100
daemon: tweak log message and comments
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit d386de8f0b3e96e32002a017e3c399e358a0c294
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon Mar 16 18:22:29 2020 +0100
daemon: do a forceful server shutdown if we hit a deadline
When the daemon is shutting down, and a slow client is keeping the socket
connection alive, we can hit a timeout. In such case, try to swallow up the
error and force-close the server.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit 9a76ee0a89e95a3484becdd2c1c3f8baeff737f0
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 18:39:24 2020 +0100
snap: whitelist lzo as supported compression for snap pack
This will allow using `snap pack --compression=lzo`.
commit 74bcf457351f268308535d53e167086adf4e3307
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon Mar 16 16:08:16 2020 +0100
tests/main/selinux-clean: cover more 'desktop' cases
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit 47bf262bc56770f8df44e52ca73c71d21e8234a1
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon Mar 16 16:03:34 2020 +0100
data/selinux: update policy to allow more ops
- allow snap-update-ns to operate more widely on tmpfs that's used for
constructing layouts
- allow snapd to clean up files in /run/user/<uid>/snap.<snap> (labeled as
user_tmp_t)
- same but for files with config_home_t (eg. user-dirs.locale cp -a'ed by
desktop-helpers to ~/snap/<snap>/.. on startup)
- allow snap-update-ns to list dirs /var/lib/snapd
- allow snap-update-ns to work with symlinks in mounted snaps
- allow snap-update-ns to remount snaps when recreating layouts
- allow snap-update-ns to remount xattr capable fs when recreating
layouts (needed when we pull in directories from the host, eg. fonts, cache)
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit e7e8afc967039fce3e3e2622dd385ad9f0465b39
Merge: a7a17f516e fd73a490e7
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 17 09:29:28 2020 +0100
Merge pull request #8274 from anonymouse64/feature/gg-support-1.9-update-2.44
interfaces/greengrass-support: add new 1.9 access (2.44)
commit a7a17f516ec26ad554a4e83ccf62c4c90df876f8
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 20:55:53 2020 +0100
snap: do not hardlink on overlayfs
We currently try to hardlink a snap on install first. However this
will cause a lot of memory usage on an overlayfs based system like
the ubuntu live-cd.
To avoid this extra memory, this commit detects an overlayfs and
uses a symlink in this case instead of a hardlink. This saves
~400Mb on the 20.04 livecd.
We could potentially just reverse the order of the hardlink/symlink
but that is a more risky change.
This should fix LP:1867415
commit 4472eba665ec4b55ffe613e4e288cbaa90f0e39f
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 11 18:02:07 2020 +0100
interfaces: make gpio robust against not-existing gpios in /sys
Right now the gpio interface fails with an error if a gpio device
node is missing in /sys. This leads to a not upgradable snapd.
This commit changes the code to warn only instead of failing. In
the longer run we probably want to do something smarter here but
this will unblock LP: 1866424
commit f56b5606afc3982c4b2ca9239d30ea59a74e40a7
Author: Pawel Stolowski <stolowski@gmail.com>
Date: Mon Mar 16 18:12:31 2020 +0100
cmd/snap-preseed: handle --reset flag (#8235)
Clean up any artifacts in the preseeded chroot dir if --reset flag is passed. Error out if trying to preseed over a system where state is already present.
commit fd73a490e7954e8639cfad3177a1bb801bf26586
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Mon Mar 16 11:53:32 2020 -0500
interfaces/greengrass-support: add new 1.9 access
This is needed for newer versions of AWS IoT Greengrass 1.9+.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit c56d3fad8246c2fa16d670dcfebe1baeef3a8821
Merge: a0b43cce56 197571669e
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 14:39:14 2020 +0100
Merge pull request #8259 from jdstrand/k8s-lp1867216-2.44
interfaces/kubernetes-support: allow autobind to journald socket - 2.44
commit a0b43cce561d5cfcd3e6b9ddcd4fbbee8201783c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 10:17:32 2020 +0100
snap-seccomp: allow mprotect() to unblock the tests
This will unblock the tests but there is more to come to fully
understand the issue.
commit f32ad59f1b3eaf5b98a2c0d197e2e84be4b60817
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Mon Mar 16 10:40:59 2020 +0100
tests/lib/reset: workaround unicode dot in systemctl output
The newer versions of systemd seem to insist on printing out a huge colorful dot
in the output of `systemctl --failed` command:
●snap.test-snapd-service-stop-timeout.svc.service not-found failed failed snap.test-snapd-service-stop-timeout.svc.service
The dot is printed even when the output is piped to another program. Make sure
we pass --plain to avoid this. The dot is then replaced by whitespace. Adjust
the pattern to handle that.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit a6c48657bc702c91892508b54a47ab0ec8f114ae
Merge: c4671fdc5e 0238e68a48
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 08:44:24 2020 +0100
Merge pull request #8261 from pedronis/fix/lp-1866349-2.44
interfaces: work around apparmor_parser slowness affecting uio (2.44)
commit c4671fdc5e37a35f024d90e4ac2cb685692bd951
Merge: f4ad3c7618 7072370a9c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 16 08:43:22 2020 +0100
Merge pull request #8263 from jdstrand/udisks-plugs-accesses-2.44
interfaces/udisks2: also allow Introspection on /org/freedesktop/UDisks2/** - 2.44
commit 7072370a9cdd3c18db0c2cbd6b19f3a61e12b025
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Fri Mar 13 16:02:59 2020 +0000
interfaces/udisks2: also allow Introspection on /org/freedesktop/UDisks2/**
References:
https://forum.snapcraft.io/t/interfaces-for-raspberry-pi-imager/15822/13
commit 197571669e4c6deb9f1d9a911e5564497373fe12
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Thu Mar 12 22:55:28 2020 +0000
interfaces/kubernetes-support: allow autobind to journald socket
k8s.io/apiserver/pkg/storage/etcd3/logger.go pulls in go-systemd via
go.etcd.io/etcd/clientv3 and several k8s services use
apiserver/pkg/storage. go-systemd connects to the journald socket using
the 'autobind' feature of bind(). While an argument could be made to add
this support to the default policy since we generally want all snaps to
be able to log to journald, due to LP: 1867216, we cannot use the
specific 'unix (bind) type=dgram addr=none' rule and must instead use a
less specific rule that allows bind() to arbitrary SOCK_DGRAM abstract
socket names (separate send and receive rules are still required for
communicating over the socket). For now, since the rule would allow
snaps to DoS each other and the system by allowing them to bind to
well-known socket names, omit this from default (and other interface)
policy and add a new kubernetes-support flavor (autobind-unix). In this
manner, any k8s service can utilize this logging API without granting
the more privileged rules for kubelet and kubeproxy. The journald rules
are included in all the flavors (and default), while the autobind-unix
flavor only has the journald rules.
References:
https://github.com/coreos/go-systemd/blob/master/journal/journal.go#L211
https://bugs.launchpad.net/apparmor/+bug/1867216
commit 0238e68a48df5ed3158e7c43611f9148c329a6f1
Author: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Fri Mar 13 09:49:58 2020 +0100
interfaces: work around apparmor_parser slowness affecting uio (#8241)
This branch contains two new patches: a way to add apparmor snippets that are
de-duplicated by snapd and a modification of uio interface to avoid a
performance regression when using multiple uio interfaces.
Fixes: https://launchpad.net/bugs/1866349
commit f4ad3c7618b6aa007e06c17ccfa8cfffe589df40
Merge: c6995651db 3504c9711e
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Fri Mar 13 09:46:24 2020 +0100
tests: backport master test fixes
#8256 for 2.44
commit 3504c9711e2c32f90e0aebd907e41421794fffa3
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 19:54:53 2020 +0100
tests: add sleep for potentially racy postrm-purge test
commit a4aa2d5e4cdad9ff09405fa41f7a71c83269c084
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 18:05:59 2020 +0100
tests: disable snap-session-agent-socket-activation on UC16
commit 557907b05df71c35358158be2245c4528e76052c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 15:57:28 2020 +0100
spread.yaml: move centos-8 to unstable
Centos 8 fails currently with: "Failed to download metadata for
repo 'google-compute-engine'"
commit db7daf130500da5de27f2c5956bc2bacf61b9274
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 15:57:00 2020 +0100
tests: retry journal match, on debian-sid there seems to be a delay here
commit d07938158d4d6f98c5394e98290389bbb859deb5
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 15:05:16 2020 +0100
tests: improve output of postrm-purge on failure
commit bb43f1c44cce204cca1e7f69b29c32f33966e140
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Mar 12 13:02:55 2020 +0100
tests: disable ubuntu-16.04-32:tests/main/lxd
This test constantly fails right now so disable it. It seems like
the 32 bit image is having network problems right now.
commit c6995651db6223693d57bc0a1fa6d8735acbe4c6
Merge: 143e3e2ce7 367acc9e12
Author: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Thu Mar 12 10:58:19 2020 +0100
Merge pull request #8250 from mvo5/overlord-tests-robust-2.44
tests: mock prune ticker in overlord tests to reduce wait times (2.44)
commit 367acc9e124fb38e506eae71a4a1bc09bc2268ef
Author: Pawel Stolowski <stolowski@gmail.com>
Date: Wed Mar 11 17:15:12 2020 +0100
tests: mock prune ticker in overlord tests to reduce wait times (#8201)
Mock prune ticker in overlord tests to reduce wait times.
commit 143e3e2ce751de6b9cf4d994e16718d0516a9c86
Merge: effd1e4f89 5bf7613382
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 11 08:52:29 2020 +0100
Merge pull request #8237 from jdstrand/k8s-updates-2.44
interfaces/{docker,kubernetes}-support: updates for latest k8s - 2.44
commit effd1e4f8961be9589fedbd1b3b3f4df6ec909c1
Author: Pawel Stolowski <stolowski@gmail.com>
Date: Tue Mar 10 17:42:40 2020 +0100
Set base in SnapSetup on snap revert as otherwise "prerequisites" handler assumes "core". Fixes LP #1864944.
commit 5a2965425ca356651e718b858fec01300beba488
Merge: 41ab75fb05 0ce6575bc8
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Mar 11 07:20:17 2020 +0100
Merge pull request #8240 from mvo5/tests-fix-create-user-2.44
tests: just remove user when the system is not managed on create-user-2 test (2.44)
commit 0ce6575bc831a65708fa9acd95f3a3b15a1b99db
Author: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Fri Feb 28 14:18:46 2020 -0300
Fix expected name used when user is created
commit d7b6d67e6f2b20c7c4898762a672c97209c09890
Author: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Fri Feb 28 08:32:44 2020 -0300
Fix create-user test
commit cf413bf1592e6632a8f32021132545598e973885
Author: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Thu Feb 27 15:58:20 2020 -0300
Fix tests create/remove user to work on managed devices
The idea of this change is to make tests work properly on devices which
are managed by default.
A following change should make those tests work independently of whether they are
initially managed or not.
commit b2a537de84084c24a840ed4c21954abd4f4e38b3
Author: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Wed Feb 26 11:35:02 2020 -0300
Just remove user when the system is not managed on create-user-2 test
This is failing on boards where the system is managed and it is making
the whole execution fail
commit 41ab75fb051b4eb2dc8a4bbf32655130abfeb0ec
Merge: 07eb8f1780 7abf01b075
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 10 14:58:58 2020 +0100
Merge pull request #8236 from jdstrand/policy-updates-xliii-2.44
interfaces: miscellaneous policy updates - 2.44
commit 07eb8f1780b28a15c9c00f7a5bd7141772535fa9
Merge: 818b535464 5054dd0d4c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Mar 10 14:57:32 2020 +0100
Merge pull request #8239 from Erick555/244
interfaces/audio_playback: Fix pulseaudio config access [2.44]
commit 5054dd0d4ce49b9dd2ed180fc97df96da84e4d10
Author: Erick555 <37542552+Erick555@users.noreply.github.com>
Date: Sat Mar 7 12:28:10 2020 +0000
interfaces/audio_playback: Fix pulseaudio config access
The audio_playback interface permission for /etc/pulse was incomplete in comparison with the old pulseaudio interface and causes regressions when it tries to read config from subdirs like /etc/pulse/client.conf.d, which is denied.
See https://bugs.launchpad.net/snapd/+bug/1865282
commit 5bf76133829e03b67e137c06fe11901da98cea95
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Wed Mar 4 20:45:05 2020 +0000
docker-support: future proof socket with @/containerd-shim/**/shim.sock\x00
commit 127d1fd23c67eb81ed8381481a2bf46625a79e95
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Wed Mar 4 20:35:23 2020 +0000
kubernetes-support: allow mounts of certain block devices for kubelet
commit b9a0d97b669f43f0ab44266c191506185ee33ce5
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Wed Mar 4 20:32:11 2020 +0000
kubernetes-support: update for /run/systemd/private read by kubelet
commit 7abf01b075a20f4ece93124def4641ba5e784b8d
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 21:39:58 2020 +0000
apparmor: allow introspection of dbus-daemon (with accompanying connections)
Allow apps to perform DBus introspection on org.freedesktop.DBus for
both the system and session buses. Note: this does not grant access to
the DBus sockets of these buses, but we grant it here to ease our
maintenance burden since it is missing from the dbus abstractions.
References:
https://bugs.launchpad.net/snapd/+bug/1866168
commit f1177f2ae77e55f0b84b9ee07f82d10f34e25670
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 21:32:15 2020 +0000
interfaces/mpris: allow provider to send PropertiesChanged to the consumer
References:
https://forum.snapcraft.io/t/error-trying-to-comunicate-with-spotify-via-dbus/15501/7
commit d1bad1b53cb72de6ce66313867ab069910d7c6a3
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 21:25:54 2020 +0000
interfaces/system-observe: allow reading CFS items from cpu,cpuacct
Allow read-only access to some system-wide cpu,cpuacct cgroups files
related to CFS Bandwidth Control. This is needed by some Java and Qt5
applications.
References:
https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html
https://forum.snapcraft.io/t/ubuntu-core-16-04-on-dell-edge-gw-apparmor-denial-of-read-of-files-is-sys-fs-cgroup/10652
https://forum.snapcraft.io/t/pulseaudio-on-core18-and-desktop-qt5/11140/6
commit 1434e698745a79e9448cc31b180ba613f9008710
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 21:13:39 2020 +0000
apparmor: also /run/uuidd/request in default template
References:
https://github.com/snapcore/snapd/commit/8537ba5b2816ac1a2f77dc03ba709947b11a2531
commit 60df34c04db747598dcc29c4038113f91ecda94f
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 21:06:14 2020 +0000
interfaces/browser-support: allow RealtimeKit APIs with allow-sandbox: true
Allow setting realtime priorities. Clients require RLIMIT_RTTIME in the
first place and client authorization is done via PolicyKit. Note that
setrlimit() (used to set RLIMIT_RTTIME) is allowed by default seccomp
policy but requires 'capability sys_resource', which we deny by default.
The added rules both silence denials and allow firefox to successfully
request MakeThreadRealtime() and MakeThreadHighPriority() *if* it was
somehow (eg, when plugging 'process-control').
References:
http://git.0pointer.net/rtkit.git/tree/README
commit 76fa416777c11df4fa3b4be9a2569efae17a8139
Author: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon Mar 9 20:27:39 2020 +0000
interfaces/seccomp: cleanup comment surrounding setpriority rule
commit 818b535464207de0755fd08fc57731314b2ad316
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 9 15:40:25 2020 +0100
debian: release 2.44~pre2
commit aadb92199363b2b81c89ca16dfe2f0b1b0c5edcb
Merge: a42072a13a 6bce5ae65f
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 9 15:36:45 2020 +0100
Merge pull request #8229 from mvo5/disable-TestEnsureLoopPruneAbortsOld-2.44
overlord: disable Test..AbortShortlyAfterStartOfOperation for 2.44
commit 6bce5ae65f337450238e9d189c4fae1c9362d36c
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Mar 9 08:11:05 2020 +0100
overlord: disable selected PruneAbort unit tests for 2.44
This test fails due to races in the test mocks. There are two
PRs for master (#8198 and #8201) that will fix the test. Both
are not quite fully reviewed/discussed so this is a temporary
measure to unblock 2.44.
commit a42072a13a5710e5da0a28a6a8ae2757e89ab46b
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Thu Mar 5 09:19:42 2020 +0100
overlord/snapstate: update only system wide fonts cache
Snapd is running as root, make sure that the fontconfig cache is rebuilt only for
system wide locations, omitting the user's home (/root in this case).
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit 66b788a7b9db025cd06d1b98668264c4187b90c3
Author: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Thu Mar 5 11:39:57 2020 +0100
wrappers: import /etc/environment in all services
We were alerted that setting a http proxy in the system is not actually
allowing snap services to see the appropriate value. On core systems
proxy settings are written to /etc/environment but systemd service units
that start all snap-installed services do not load that file. This patch
fixes that.
Fixes: https://bugs.launchpad.net/snapd/+bug/1866095
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
commit 0018bb3cdabb9a90f9ecbbf9a18f0ea6b0f10eed
Author: Stéphane Graber <stgraber@ubuntu.com>
Date: Thu Mar 5 17:18:25 2020 +0100
interfaces/u2f: Add Titan USB-C key
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
commit 6af1b9e8f36f8296f2d254b9061b072a7c77a94e
Author: Pawel Stolowski <stolowski@gmail.com>
Date: Fri Mar 6 11:10:51 2020 +0100
overlord, taskrunner: exit on task/ensure error when preseeding (#8190)
Support an optional task error callback in taskrunner. Exit with an error from overlord if a task or ensure execution fail in preseeding mode.
commit 224f960b5ec3cc5686ea1320f89f7e8b7bba9305
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Thu Feb 27 10:53:35 2020 +0100
overlord/snapstate/backend: update snapd services contents in unit tests
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit 3f98a6416282c77324ab55085f78e2aad573f305
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Wed Feb 26 16:53:31 2020 +0100
wrappers: add mount unit dependency for snapd services on core devices
Snapd services on core devices are executed directly from the mounted snapd
snap. For this reason we need to ensure that the snap is mounted. This is done by
adding a RequiresMountsFor=<snap-mount-path> when updating the service's
ExecStart line.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
commit e08f25b758a80b237fab6df7ede6d957360a6d3d
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Feb 24 10:58:41 2020 +0100
Revert "tests: remove /tmp/snap.* left over by other tests"
This reverts commit 19720c10b56ba9eb6795629a32eacd4951944f14.
commit 2f79ed2262fbef49a7d12424379231333dd37197
Author: Michael Vogt <mvo@ubuntu.com>
Date: Mon Feb 24 10:58:35 2020 +0100
Revert "packaging: work around review-tools and snap-confine"
This reverts commit cb9db884a12f3cdd73d0a69a641762165b5f4267.
commit 77555cd01ee2dc9c05b52e35fe0bb44285204da8
Author: Michael Vogt <mvo@ubuntu.com>
Date: Fri Feb 28 13:09:56 2020 +0100
netlink: fix panic on arm64 with the new rawsockstop code
This is a workaround for a bug in go1.10 where syscall.Select()
with a nil Timeval panics. See the upstream bug about this at:
https://github.com/golang/go/issues/24189
Once we move off from go-1.10 we can revert this change again.
Co-Authored-By: Ian Johnson <person.uwsome@gmail.com>
Co-authored-by: Samuele Pedroni <pedronis@lucediurna.net>
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
commit a03e217be36e91cca67acacd81d95f0ce9159c89
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Fri Feb 28 11:38:42 2020 +0100
spread, data/selinux: add CentOS 8, update policy (#8083)
* data/selinux, spread: tweak policy, add CentOS to spread
SELinux policy tweak is needed to allow ld.so to read/mmap ld.so.cache which is on
tmpfs. This happens when snap-update-ns is run within the mount namespace of a
snap.
commit 1f07d5f27dad75b76c56727da44a5eaded1fcb0f
Author: Sergio Cazzolato <sergio.cazzolato@canonical.com>
Date: Thu Feb 27 11:58:15 2020 -0300
Updating checks to new test account for snapd-test snaps
commit f5c8843bf4b55c5145c1de4c9b82e01167f1427c
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Thu Feb 27 14:02:23 2020 -0600
spread.yaml: mv opensuse tumbleweed to unstable too
The repos for tumbleweed are also failing like this:
+ zypper ref
Problem retrieving files from 'Cloud:Tools (openSUSE_Tumbleweed)'.
Download (curl) error for 'http://download.opensuse.org/repositories/Cloud:/Tools/openSUSE_Tumbleweed/repodata/repomd.xml':
Error code: Connection failed
Error message:
Please see the above error message for a hint.
Skipping repository 'Cloud:Tools (openSUSE_Tumbleweed)' because of the above error.
Problem retrieving files from 'repo-debug'.
Download (curl) error for 'http://download.opensuse.org/tumbleweed/repo/debug/repodata/repomd.xml':
Error code: Connection failed
Error message:
Please see the above error message for a hint.
Skipping repository 'repo-debug' because of the above error.
Problem retrieving files from 'repo-non-oss'.
We will re-enable when they are working again.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit b712e7de43456091ba33f108dae59b4311f48f7c
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Thu Feb 27 13:40:42 2020 -0600
spread.yaml: mv opensuse 15.1 to unstable
The repos are currently failing to fetch like this:
+ zypper ref
Repository 'openSUSE-Leap-15.1-Non-Oss' is up to date.
Repository 'openSUSE-Leap-15.1-Oss' is up to date.
Problem retrieving files from 'openSUSE-Leap-15.1-Update'.
Download (curl) error for 'http://download.opensuse.org/update/leap/15.1/oss/repodata/repomd.xml':
Error code: Connection failed
Error message: Could not resolve host: download.opensuse.org
Please see the above error message for a hint.
Skipping repository 'openSUSE-Leap-15.1-Update' because of the above error.
Retrieving repository 'openSUSE-Leap-Cloud-Tools' metadata [.......done]
Building repository 'openSUSE-Leap-Cloud-Tools' cache [....done]
Problem retrieving files from 'openSUSE-Leap-15.1-Update'.
We will move back when the repos are stable again.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit 155b0d93e2a687cccd7db14f7e4f2dfdcb1750e5
Author: Michael Vogt <mvo@ubuntu.com>
Date: Thu Feb 27 10:03:08 2020 +0100
tests: use ipv4 in retry-network to unblock failing master
This commit unblocks master. Most recently "getenv hosts" returns
ipv6 addresses. But when those are passed to the script they are
not put inside [] so the "http://2001::01:123" style confuses
go and things fail. I'm also working on a followup that will
use ipv6. Unfortunately this is more work as right now we get
a very different error in the network namespace and it's not
quite clear yet if the network namespace is just not configured
right or if it's a real error we should handle.
commit 9328c1b069446241cd9281f1443af7d65e0e6357
Author: Sergio Schvezov <sergio.schvezov@canonical.com>
Date: Wed Feb 26 08:51:51 2020 -0300
data/systemd: improve the description
While the code may have references to "snappy" we have long ago
not exposed that name. Fix the service description so that the
"Snappy" reference is not seen on system startup nor shutdown.
Signed-off-by: Sergio Schvezov <sergio.schvezov@canonical.com>
commit c9529d25e9789aa7ecd137c514506296dcc66090
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 11:50:27 2020 +0100
debian: release 2.44~pre1
commit 4bef06d63287e578e12cd63db46aee0843762498
Merge: e0d102928e b25175efb7
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Wed Feb 26 07:45:28 2020 +0100
Merge pull request #8195 from anonymouse64/tweak/prepare-simplifications
tests/lib/prepare.sh: simplify, combine code paths
This does some changes that I thought had already been merged to master, but apparently never made it, probably because one of those branches was closed before merging.
This may speed up uc20 spread prepare times a smidgen because we don't hit the archive again to install debootstrap.
commit e0d102928e448fd3564a27bfed6bc9b9574f13fc
Merge: 67c29d7f6f dfe86d02bd
Author: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
Date: Wed Feb 26 07:34:48 2020 +0100
Merge pull request #8081 from bboozzoo/bboozzoo/user-env-generator
tests/main/user-session-env: add test verifying environment variables inside the user session
There were numerous bug reports and forum posts about either $SNAP_MOUNT_DIR/bin
not being added to the $PATH, or application icons not appearing inside the
desktop environment (i.e. /var/lib/snapd/desktop missing from XDG_DATA_DIRS).
Add a test that verifies both PATH and XDG_DATA_DIRS are augmented with proper
snap related entries for users of bash and zsh.
commit 67c29d7f6f5d8ebce7893b05cb21dd40f410dd71
Merge: fef0245833 717a083a06
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 07:32:42 2020 +0100
Merge pull request #8188 from mvo5/uc20-spread-ubuntu-20.04
spread.yaml: make qemu ubuntu-core-20-64 use ubuntu-20.04-64
commit fef024583360373fda5703939782786b22fd1755
Merge: 9b91e7548e e9ba5013a6
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 07:18:48 2020 +0100
Merge pull request #8186 from zyga/tweak/confusing-gofmt
run-checks: SKIP_GMFMT really skips formatting checks
commit 9b91e7548ed7f737ba71d64dd3986cd782c11fb2
Merge: 8e4fe73f93 9dbc68c117
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 07:17:21 2020 +0100
Merge pull request #8140 from anonymouse64/feature/uc20-moar-tests
tests: enable more tests for UC20/UC18
commit 8e4fe73f937dce2a7841fa476f1c1079b1bdd61a
Merge: f4fe164601 3a4407c0f0
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 07:04:35 2020 +0100
Merge pull request #8183 from sergiocazzolato/tests-fix-security-private-tmp
tests: remove tmp dir for snap not-test-snapd-sh on security-private-tmp test
commit f4fe16460113387983088ecb7865851a3e3082ab
Merge: 508565c266 e51985ce7a
Author: Michael Vogt <mvo@ubuntu.com>
Date: Wed Feb 26 07:04:08 2020 +0100
Merge pull request #8189 from pedronis/seed-essential-types
seed,cmd/snap-bootstrap: introduce seed.Snap.EssentialType, simplify bootstrap code
commit 9dbc68c117131dee1fe48aa2784414172fd395cf
Merge: 15501294c9 508565c266
Author: Ian Johnson <person.uwsome@gmail.com>
Date: Tue Feb 25 19:40:58 2020 -0600
Merge branch 'master' into feature/uc20-moar-tests
Signed-off-by: Ian Johnson <person.uwsome@gmail.com>
commit b25175efb7cd408c19f4700225e7c66e6b59f865
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Tue Feb 25 14:48:02 2020 -0600
tests/lib/prepare.sh: simplify downloading snapd snap, extracting core snap
For setting up UC systems, this is a simpler way to do it that shares more code.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit 07eb7aef1b9aaa10115de375b71939fcbd297d52
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Tue Feb 25 14:47:10 2020 -0600
tests/lib/prepare.sh: combine uc systems partition mount logic
The uc18 and uc16 cases have the same partition mounted, it's just uc20 that is
different so use that as the condition in the if/fi.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit 4d2e97692dafc1c112fa80dda559e9a4d0ecbe4c
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Tue Feb 25 14:46:19 2020 -0600
tests/lib/prepare.sh: don't install debootstrap on uc20
This isn't necessary anymore and should have been deleted.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
commit e51985ce7a29dda411c6b022d3f8f669558fde71
Merge: 9ad1d6b6de 508565c266
Author: Samuele Pedroni <pedronis@lucediurna.net>
Date: Tue Feb 25 22:55:43 2020 +0100
Merge remote-tracking branch 'upstream/master' into seed-essential-types
commit 508565c2664b53741627745cb6c9579d76558c0e
Merge: facabf58f8 8386116faa
Author: Ian Johnson <ian.johnson@canonical.com>
Date: Tue Feb 25 14:27:15 2020 -0600
Merge pull request #8193 from mvo5/snapd-failover-failsover
snapstate: do not restart in undoLinkSnap unless on first install
This commit does not restart snapd when undoing a snapd snap
that is not a first-install. Undoing at this point for regular
snapd failures causes the failover handling to break. The reason
is that the snapd snap is restarted before the fixed snapd.service
unit is written.
commit 8386116faaddfd15ff574b1d23cbf33630f75c07
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Feb 25 17:29:01 2020 +0100
snapstate: do not restart in undoLinkSnap unless on first install
This commit does not restart snapd when undoing a snapd snap
that is not a first-install. Undoing at this point for regular
snapd failures causes the failover handling to break. The reason
is that the snapd snap is restarted before the fixed snapd.service
unit is written.
commit 793d43294f397d2557ab8a7100fdad6128dd357b
Author: Michael Vogt <mvo@ubuntu.com>
Date: Tue Feb 25 14:47:54 2020 +0100
tests: add more debug output to the snapd-failure handling
The snapd-failure test is currently failing for unknown reasons
since the systemd version got bumped to 237-3ubuntu10.39. In
order to get more info this PR adds some more debug output.