canonical-ubuntu-qa team mailing list archive
Message #04395
[Merge] ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master
Tim Andersson has proposed merging ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master.
Commit message:
fix: lxd-worker: add security.nesting=true to lxd config
There's a version of systemd in oracular-proposed which is purported to
break armhf tests (for oracular) once it migrates to the release pocket.
TLDR; Any systemd units with credentials on unprivileged containers will
fail on oracular tests with the new version of systemd in proposed.
This would cause systemd-tmpfiles-setup.service to be broken on the lxd
containers, which is a service which creates /var/run/utmp, which is how
runlevel is stored. runlevel is checked in lib/VirtSubProc.py [1] in the
wait_booted function. So, subsequently, wait_booted would eventually
time out, as systemd-tmpfiles-setup.service would never store runlevel
appropriately on the testbed.
The workaround was discussed [2] between the systemd maintainer (enr0n)
and the lxd team, and the solution was to enable security.nesting for
the lxd containers running our armhf tests.
security.nesting simply allows for nested containerisation. [3]
To summarise, we would be hitting [4] because of [5].
[1] https://salsa.debian.org/ubuntu-ci-team/autopkgtest/-/blob/master/lib/VirtSubproc.py?ref_type=heads#L454
[2] https://github.com/canonical/lxd/issues/13631
[3] https://discuss.linuxcontainers.org/t/what-does-security-nesting-true/7156/4
[4] https://bugs.launchpad.net/ubuntu/+source/autopkgtest/+bug/1998943
[5] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486
Requested reviews:
Canonical's Ubuntu QA (canonical-ubuntu-qa)
For more details, see:
https://code.launchpad.net/~andersson123/autopkgtest-cloud/+git/autopkgtest-cloud/+merge/467776
--
Your team Canonical's Ubuntu QA is requested to review the proposed merge of ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master.
diff --git a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/tools/armhf-lxd.userdata b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/tools/armhf-lxd.userdata
index 9141db5..e413ac7 100644
--- a/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/tools/armhf-lxd.userdata
+++ b/charms/focal/autopkgtest-cloud-worker/autopkgtest-cloud/tools/armhf-lxd.userdata
@@ -58,6 +58,7 @@ write_files:
config:
core.https_address: '[::]:8443'
core.trust_password: autopkgtest
+ security.nesting: "true"
networks:
- config:
bridge.mtu: "1458"
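Review bot: security.nesting is an instance-level key, but in this hunk it is added directly beneath core.https_address and core.trust_password, which are server-level keys, so as far as the visible context shows it sits in the daemon config section rather than in a profile. Set there, it would not reach the armhf test containers; consider moving it into the config of the profile those containers use, or setting it when the container is launched. A short comment beside the key pointing at the systemd bug cited in the commit message would also help, since the option loosens container confinement and should be easy to find and drop once the workaround is no longer needed.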