Message #32395
[Merge] ~tushar5526/lpci:set-security-nesting into lpci:main
Tushar Gupta has proposed merging ~tushar5526/lpci:set-security-nesting into lpci:main.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~tushar5526/lpci/+git/lpcraft/+merge/484592
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~tushar5526/lpci:set-security-nesting into lpci:main.
diff --git a/lpci/commands/run.py b/lpci/commands/run.py
index 2ae335b..e42a8a9 100644
--- a/lpci/commands/run.py
+++ b/lpci/commands/run.py
@@ -551,10 +551,6 @@ def _run_job(
gpu_nvidia=gpu_nvidia,
root=root,
) as instance:
- # XXX tushar5526 2025-04-11: relax apparmor permissions to allow
- # noble builds on focal host. This workaround can be removed once
- # we have migrated our builders to Noble
- instance.config_set("raw.apparmor", "mount,")
snaps = list(itertools.chain(*pm.hook.lpci_install_snaps()))
for snap in snaps:
emit.progress(
diff --git a/lpci/commands/tests/test_run.py b/lpci/commands/tests/test_run.py
index e7fc821..efd180c 100644
--- a/lpci/commands/tests/test_run.py
+++ b/lpci/commands/tests/test_run.py
@@ -3545,7 +3545,7 @@ class TestRun(RunBaseTestCase):
lxc.profile_edit.assert_called_once_with(
profile="default",
config={
- "config": {"nvidia.runtime": "true"},
+ "config": {"nvidia.runtime": "true", "security.nesting": "true"},
"devices": {"gpu": {"type": "gpu"}},
},
project="test-project",
@@ -4816,7 +4816,7 @@ class TestRunOne(RunBaseTestCase):
lxc.profile_edit.assert_called_once_with(
profile="default",
config={
- "config": {"nvidia.runtime": "true"},
+ "config": {"nvidia.runtime": "true", "security.nesting": "true"},
"devices": {"gpu": {"type": "gpu"}},
},
project="test-project",
diff --git a/lpci/providers/_lxd.py b/lpci/providers/_lxd.py
index 218a8c0..ad6270e 100644
--- a/lpci/providers/_lxd.py
+++ b/lpci/providers/_lxd.py
@@ -321,6 +321,10 @@ class LXDProvider(Provider):
if gpu_nvidia:
profile["config"]["nvidia.runtime"] = "true"
profile["devices"]["gpu"] = {"type": "gpu"}
+ # XXX tushar5526 2025-04-11: relax apparmor permissions to allow
+ # noble builds on focal host. This workaround can be removed once
+ # we have migrated our builders to Noble
+ profile["config"]["security.nesting"] = "true"
else:
profile["config"].pop("nvidia.runtime", None)
profile["devices"].pop("gpu", None)
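Review bot: The added `profile["config"]["security.nesting"] = "true"` sits inside the `if gpu_nvidia:` branch, whereas the `raw.apparmor` workaround removed from `_run_job` had no visible condition, so non-GPU noble builds on focal hosts appear to lose the workaround. The `else:` branch still pops only `nvidia.runtime` and the `gpu` device, so once a GPU run has edited the default profile, nesting stays enabled for later non-GPU runs in the same project. I would either set the key before the `if`, or add `profile["config"].pop("security.nesting", None)` to the `else:` branch. The copied XXX comment should also say that `security.nesting` permits nested containers inside the job's instance, a broader relaxation than the single `mount,` AppArmor rule, which matters because jobs run repository-supplied code. The enclosing method starts and ends outside the hunk.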
@@ -340,7 +344,7 @@ class LXDProvider(Provider):
auto_clean=True,
auto_create_project=True,
map_user_uid=True,
- use_base_instance=False,
+ use_base_instance=True,
project=self.lxd_project,
remote=self.lxd_remote,
lxc=self.lxc,
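Review bot: Flipping `use_base_instance` to `True` carries no comment and is not mentioned in the merge proposal, whose title covers only the nesting change. With a base instance, later launches presumably start from a cached copy of an already set-up instance rather than a fresh image, so whatever that base contains (packages, configuration, the profile state at creation time) is shared by every job that follows. For a runner that executes repository code, that deserves a stated rationale, e.g. `# Reuse the cached base instance to speed up launches; it is created before any job code runs.`, if that is in fact the guarantee. The call's opening line is outside the hunk.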
diff --git a/lpci/providers/tests/test_lxd.py b/lpci/providers/tests/test_lxd.py
index 8e9f9ff..8bf3940 100644
--- a/lpci/providers/tests/test_lxd.py
+++ b/lpci/providers/tests/test_lxd.py
@@ -460,7 +460,7 @@ class TestLXDProvider(TestCase):
auto_clean=True,
auto_create_project=True,
map_user_uid=True,
- use_base_instance=False,
+ use_base_instance=True,
project="test-project",
remote="test-remote",
lxc=mock_lxc,
@@ -579,7 +579,7 @@ class TestLXDProvider(TestCase):
auto_clean=True,
auto_create_project=True,
map_user_uid=True,
- use_base_instance=False,
+ use_base_instance=True,
project="test-project",
remote="test-remote",
lxc=mock_lxc,
@@ -933,7 +933,7 @@ class TestLXDProvider(TestCase):
mock_lxc.profile_edit.assert_called_once_with(
profile="default",
config={
- "config": {"nvidia.runtime": "true"},
+ "config": {"nvidia.runtime": "true", "security.nesting": "true"},
"devices": {"gpu": {"type": "gpu"}},
},
project="test-project",