
launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/launchpad-buildd/lxd-powerpc into lp:launchpad-buildd

 

Colin Watson has proposed merging lp:~cjwatson/launchpad-buildd/lxd-powerpc into lp:launchpad-buildd.

Commit message:
Tell LXD to disable seccomp on powerpc, since it doesn't work there on Linux 4.4.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad-buildd/lxd-powerpc/+merge/330208
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad-buildd/lxd-powerpc into lp:launchpad-buildd.
=== modified file 'debian/changelog'
--- debian/changelog	2017-09-01 12:52:20 +0000
+++ debian/changelog	2017-09-05 09:46:49 +0000
@@ -1,3 +1,10 @@
+launchpad-buildd (150) UNRELEASED; urgency=medium
+
+  * Tell LXD to disable seccomp on powerpc, since it doesn't work there on
+    Linux 4.4.
+
+ -- Colin Watson <cjwatson@xxxxxxxxxx>  Tue, 05 Sep 2017 10:41:55 +0100
+
 launchpad-buildd (149) xenial; urgency=medium
 
   * Clamp the TCP MSS on the LXD bridge interface to the path MTU, to avoid

=== modified file 'lpbuildd/target/lxd.py'
--- lpbuildd/target/lxd.py	2017-09-01 12:47:09 +0000
+++ lpbuildd/target/lxd.py	2017-09-05 09:46:49 +0000
@@ -245,10 +245,7 @@
             os.unlink(self.dnsmasq_pid_file)
         subprocess.call(["sudo", "ip", "link", "delete", self.bridge_name])
 
-    def start(self):
-        """See `Backend`."""
-        self.stop()
-
+    def create_profile(self):
         for addr in self.ipv4_network:
             if addr not in (
                     self.ipv4_network.network, self.ipv4_network.ip,
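Review bot: The new `create_profile` method at the top of this hunk has no docstring, although it is now a separately callable entry point and the tests call it directly. A one-line docstring would do, for example `"""Create the LXD profile used for build containers."""`. Judging by the `old_profile.delete()` line in the next hunk, it could also say that an existing profile is deleted first. The method's body continues outside this hunk.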
@@ -267,20 +264,23 @@
         else:
             old_profile.delete()
 
+        raw_lxc_config = [
+            ("lxc.aa_profile", "unconfined"),
+            ("lxc.cgroup.devices.deny", ""),
+            ("lxc.cgroup.devices.allow", ""),
+            ("lxc.mount.auto", ""),
+            ("lxc.mount.auto", "proc:rw sys:rw"),
+            ("lxc.network.0.ipv4", ipv4_address),
+            ("lxc.network.0.ipv4.gateway", self.ipv4_network.ip),
+            ]
+        if self.arch == "powerpc":
+            raw_lxc_config.append(("lxc.seccomp", ""))
         config = {
             "security.privileged": "true",
             "security.nesting": "true",
-            "raw.lxc": dedent("""\
-                lxc.aa_profile=unconfined
-                lxc.cgroup.devices.deny=
-                lxc.cgroup.devices.allow=
-                lxc.mount.auto=
-                lxc.mount.auto=proc:rw sys:rw
-                lxc.network.0.ipv4={ipv4_address}
-                lxc.network.0.ipv4.gateway={ipv4_gateway}
-                """.format(
-                    ipv4_address=ipv4_address,
-                    ipv4_gateway=self.ipv4_network.ip)),
+            "raw.lxc": "".join(
+                "{key}={value}\n".format(key=key, value=value)
+                for key, value in raw_lxc_config),
             }
         devices = {
             "eth0": {
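Review bot: The `if self.arch == "powerpc":` branch appends an empty `lxc.seccomp` entry with no comment explaining why. The same profile already sets `security.privileged` to true and `lxc.aa_profile` to unconfined, so on that architecture the container presumably runs with no syscall filter at all. The commit message ties the problem to Linux 4.4, but the check is keyed on the architecture alone, so the relaxation would stay in force after a kernel upgrade unless someone remembers to remove it. I would add a comment above the branch, for example `# seccomp does not work on powerpc with Linux 4.4; drop this once the builders run a kernel where it does.` The body of create_profile starts outside this hunk.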
@@ -292,6 +292,11 @@
             }
         self.client.profiles.create(self.profile_name, config, devices)
 
+    def start(self):
+        """See `Backend`."""
+        self.stop()
+
+        self.create_profile()
         self.start_bridge()
 
         container = self.client.containers.create({

=== modified file 'lpbuildd/target/tests/test_lxd.py'
--- lpbuildd/target/tests/test_lxd.py	2017-09-01 12:47:09 +0000
+++ lpbuildd/target/tests/test_lxd.py	2017-09-05 09:46:49 +0000
@@ -122,32 +122,8 @@
         image.add_alias.assert_called_once_with(
             "lp-xenial-amd64", "lp-xenial-amd64")
 
-    def test_start(self):
-        fs_fixture = self.useFixture(FakeFilesystem())
-        fs_fixture.add("/sys")
-        fs_fixture.add("/run")
-        os.makedirs("/run/launchpad-buildd")
-        fs_fixture.add("/etc")
-        os.mkdir("/etc")
-        with open("/etc/resolv.conf", "w") as f:
-            print("host resolv.conf", file=f)
-        os.chmod("/etc/resolv.conf", 0o644)
-        self.useFixture(MockPatch("pylxd.Client"))
+    def assert_correct_profile(self, extra_raw_lxc_config=""):
         client = pylxd.Client()
-        client.profiles.get.side_effect = FakeLXDAPIException
-        container = client.containers.create.return_value
-        client.containers.get.return_value = container
-        container.start.side_effect = (
-            lambda wait=False: setattr(container, "status_code", LXD_RUNNING))
-        files_api = container.api.files
-        files_api._api_endpoint = "/1.0/containers/lp-xenial-amd64/files"
-        files_api.session.get.return_value.status_code = 200
-        files_api.session.get.return_value.iter_content.return_value = (
-            iter([b"127.0.0.1\tlocalhost\n"]))
-        processes_fixture = self.useFixture(FakeProcesses())
-        processes_fixture.add(lambda _: {}, name="sudo")
-        LXD("1", "xenial", "amd64").start()
-
         client.profiles.get.assert_called_once_with("lpbuildd")
         expected_config = {
             "security.privileged": "true",
@@ -160,7 +136,7 @@
                 lxc.mount.auto=proc:rw sys:rw
                 lxc.network.0.ipv4=10.10.10.2/24
                 lxc.network.0.ipv4.gateway=10.10.10.1
-                """),
+                """) + extra_raw_lxc_config,
             }
         expected_devices = {
             "eth0": {
@@ -173,6 +149,48 @@
         client.profiles.create.assert_called_once_with(
             "lpbuildd", expected_config, expected_devices)
 
+    def test_create_profile_amd64(self):
+        self.useFixture(MockPatch("pylxd.Client"))
+        client = pylxd.Client()
+        client.profiles.get.side_effect = FakeLXDAPIException
+        LXD("1", "xenial", "amd64").create_profile()
+        self.assert_correct_profile()
+
+    def test_create_profile_powerpc(self):
+        self.useFixture(MockPatch("pylxd.Client"))
+        client = pylxd.Client()
+        client.profiles.get.side_effect = FakeLXDAPIException
+        LXD("1", "xenial", "powerpc").create_profile()
+        self.assert_correct_profile("lxc.seccomp=\n")
+
+    def test_start(self):
+        fs_fixture = self.useFixture(FakeFilesystem())
+        fs_fixture.add("/sys")
+        fs_fixture.add("/run")
+        os.makedirs("/run/launchpad-buildd")
+        fs_fixture.add("/etc")
+        os.mkdir("/etc")
+        with open("/etc/resolv.conf", "w") as f:
+            print("host resolv.conf", file=f)
+        os.chmod("/etc/resolv.conf", 0o644)
+        self.useFixture(MockPatch("pylxd.Client"))
+        client = pylxd.Client()
+        client.profiles.get.side_effect = FakeLXDAPIException
+        container = client.containers.create.return_value
+        client.containers.get.return_value = container
+        container.start.side_effect = (
+            lambda wait=False: setattr(container, "status_code", LXD_RUNNING))
+        files_api = container.api.files
+        files_api._api_endpoint = "/1.0/containers/lp-xenial-amd64/files"
+        files_api.session.get.return_value.status_code = 200
+        files_api.session.get.return_value.iter_content.return_value = (
+            iter([b"127.0.0.1\tlocalhost\n"]))
+        processes_fixture = self.useFixture(FakeProcesses())
+        processes_fixture.add(lambda _: {}, name="sudo")
+        LXD("1", "xenial", "amd64").start()
+
+        self.assert_correct_profile()
+
         ip = ["sudo", "ip"]
         iptables = ["sudo", "iptables", "-w"]
         iptables_comment = [
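Review bot: Both new profile tests set `client.profiles.get.side_effect = FakeLXDAPIException`, so they only cover the case where no profile exists yet. Nothing visible in this diff exercises the `old_profile.delete()` branch of `create_profile`. A third test that lets `profiles.get` return the mock and checks `client.profiles.get.return_value.delete.assert_called_once_with()` would confirm that a stale profile is replaced and does not keep its old seccomp setting. `assert_correct_profile` also depends on the caller having applied `MockPatch("pylxd.Client")`, which a one-line docstring on the helper should state. test_start continues outside this hunk.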