authorSergio Cazzolato <sergio.cazzolato@canonical.com>2022-04-21 09:35:16 -0300
committerGitHub <noreply@github.com>2022-04-21 14:35:16 +0200
commitf6f7badcde85c53d57883a1121089be1a444a89c (patch)
treec9b95b82716de0196690abd953d5eaca62d04d0b
parent809eded7fd68265f150b837b27222f050a0dfa5d (diff)
tests: Initial changes to run nested tests on uc22
* Initial changes to run nested tests on uc22 New nested tests configuration for uc22 and libraries updated. New basic nested test for uc22 on * Updated the build_initramfs_kernel_snap also other minor changes included * Minor fixes for build_initramfs_kernel_snap * Using OVMF_CODE and OVMF_VARS from focal ovmf package As in Jammy there is just the _4M got the snakeoil vars, the idea is to reuse the ones available in focal. * Adding uc22 to nested tests execution * Fix preseed nested test to make it work for jammy * Update how kernel is re-packed * Fix the prepare.sh script * send the parameters to the new modify-the-tool function * Fix how modify_the_tool is called * Use uc20_build_initramfs_kernel_snap from master
-rw-r--r--.github/workflows/test.yaml1
-rw-r--r--spread.yaml6
-rw-r--r--tests/lib/assertions/nested-22-amd64.model42
-rw-r--r--tests/lib/nested.sh57
-rwxr-xr-xtests/lib/prepare.sh7
-rw-r--r--tests/nested/core/core22-basic/task.yaml38
-rw-r--r--tests/nested/manual/preseed/task.yaml2
7 files changed, 128 insertions, 25 deletions
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 44a48c37c3..996f8f2d22 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -373,6 +373,7 @@ jobs:
- ubuntu-16.04-64
- ubuntu-18.04-64
- ubuntu-20.04-64
+ - ubuntu-22.04-64
steps:
- name: Cleanup job workspace
id: cleanup-job-workspace
diff --git a/spread.yaml b/spread.yaml
index 5f43f1ad9d..11f7d0579c 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -212,6 +212,10 @@ backends:
image: ubuntu-2110-64-virt-enabled
storage: 20G
workers: 3
+ - ubuntu-22.04-64:
+ image: ubuntu-2204-64-virt-enabled
+ storage: 20G
+ workers: 3
qemu-nested:
memory: 4G
@@ -1048,7 +1052,7 @@ suites:
tests/nested/core/:
summary: Tests for nested images
backends: [google-nested, qemu-nested]
- systems: [ubuntu-16.04-64, ubuntu-18.04-64, ubuntu-20.04-64]
+ systems: [ubuntu-16.04-64, ubuntu-18.04-64, ubuntu-20.04-64, ubuntu-22.04-64]
environment:
NESTED_TYPE: "core"
# Enable kvm in the qemu command line
diff --git a/tests/lib/assertions/nested-22-amd64.model b/tests/lib/assertions/nested-22-amd64.model
new file mode 100644
index 0000000000..908d01b36c
--- /dev/null
+++ b/tests/lib/assertions/nested-22-amd64.model
@@ -0,0 +1,42 @@
+type: model
+authority-id: canonical
+series: 16
+brand-id: canonical
+model: ubuntu-core-22-amd64-dangerous
+architecture: amd64
+base: core22
+grade: dangerous
+snaps:
+ -
+ default-channel: 22/edge
+ id: UqFziVZDHLSyO3TqSWgNBoAdHbLI4dAH
+ name: pc
+ type: gadget
+ -
+ default-channel: 22/edge
+ id: pYVQrBcKmBa0mZ4CCN7ExT6jH8rY1hza
+ name: pc-kernel
+ type: kernel
+ -
+ default-channel: latest/edge
+ id: amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
+ name: core22
+ type: base
+ -
+ default-channel: latest/edge
+ id: PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
+ name: snapd
+ type: snapd
+timestamp: 2020-10-06T11:18:00.0Z
+sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
+
+AcLBXAQAAQoABgUCX6ArRQAKCRDgT5vottzAEgMcD/sEHSh9hRbJ1dbrk6+Ey5imVRPUuP0QV5fp
+HyNGmqwOJ10mEHMUqMTGvriwSO+JpOWtoUxX+sHLVeVDr40qey2cmjtz0pHcaqfO/VD4GXUU53ef
+sudVwmqY4SoW60Q0xHItNVB2wlxOCXHNfm9HBTpG3orXGhHqZEHTnC6BnDCoD+kDyrNd9iHFtcej
+lw0qtYd4O9qhxWI6w59h7egcljB2Gc1SFvCyVE13JUMghMLpZeqK0EtrKuXashLLXwF4Kkb85OqJ
+mv1rS1BwyjV2n++zjE8BXzUz6vSbQwEydXPj8cPZNF/1SG01HROu90nrjIeSn6xBipNVeDcuwErm
+6tHhC+TYxiTG3YPZGwqO1xIYfTJfGLZ2EFpb0oW7DZ0JxNtuDg7Cqaa1Kr4YUulcSbOpgCUmHTVI
+/1z/grnoDVU++WFuNOWXSQdiKBy1DyLAfXYWCI8UvNiqEQi7+GyVKiyUSivyFzCXXj2hdKVt5rCo
+YIu/9nXlHtJLtEFWyXEtYtNCbrMs2YgR8BxNEGaisFE3HLFS/2EVtG+s9deYEEo62B0qaZj+nJ35
+BxJyUe2el12B1VIEWy3npJ7KGwvbFz0iTh4W0+jio9QSJ7KyXZTLKGx4en37ZCYuPnjI6Il1KUjH
+VRhqFX10Uts0unZphiNZxuSGNIUf7Gn0Vl5z+3iKsg== \ No newline at end of file
diff --git a/tests/lib/nested.sh b/tests/lib/nested.sh
index 2920d73452..65d77a524a 100644
--- a/tests/lib/nested.sh
+++ b/tests/lib/nested.sh
@@ -143,8 +143,8 @@ nested_uc20_transition_to_system_mode() {
local recovery_system="$1"
local mode="$2"
- if ! nested_is_core_20_system; then
- echo "Transition can be done just on uc20 system, exiting..."
+ if ! nested_is_core_20_system && ! nested_is_core_22_system; then
+ echo "Transition can be done just on uc20 and uc22 systems, exiting..."
exit 1
fi
@@ -389,6 +389,10 @@ nested_is_classic_system() {
test "$NESTED_TYPE" = "classic"
}
+nested_is_core_22_system() {
+ os.query is-jammy
+}
+
nested_is_core_20_system() {
os.query is-focal
}
@@ -414,7 +418,7 @@ nested_refresh_to_new_core() {
nested_exec "snap info core" | grep -E "^tracking: +latest/${NEW_CHANNEL}"
fi
- if nested_is_core_18_system || nested_is_core_20_system; then
+ if nested_is_core_18_system || nested_is_core_20_system || nested_is_core_22_system; then
nested_exec "sudo snap refresh snapd --${NEW_CHANNEL}"
nested_exec "snap info snapd" | grep -E "^tracking: +latest/${NEW_CHANNEL}"
else
@@ -474,7 +478,10 @@ nested_get_image_name() {
local NAME="${NESTED_IMAGE_ID:-generic}"
local VERSION="16"
- if nested_is_core_20_system; then
+
+ if nested_is_core_22_system; then
+ VERSION="22"
+ elif nested_is_core_20_system; then
VERSION="20"
elif nested_is_core_18_system; then
VERSION="18"
@@ -550,6 +557,9 @@ nested_get_model() {
ubuntu-20.04-64)
echo "$TESTSLIB/assertions/nested-20-amd64.model"
;;
+ ubuntu-22.04-64)
+ echo "$TESTSLIB/assertions/nested-22-amd64.model"
+ ;;
*)
echo "unsupported system"
exit 1
@@ -638,10 +648,14 @@ nested_create_core_vm() {
make_snap_installable_with_id --noack "$NESTED_FAKESTORE_BLOB_DIR" "$PWD/new-core18.snap" "CSO04Jhav2yK0uz97cr0ipQRyqg0qQL6"
fi
- elif nested_is_core_20_system; then
+ elif nested_is_core_20_system || nested_is_core_22_system; then
+ VERSION=20
+ if nested_is_core_22_system; then
+ VERSION=22
+ fi
if [ "$NESTED_REPACK_KERNEL_SNAP" = "true" ]; then
echo "Repacking kernel snap"
- snap download --basename=pc-kernel --channel="20/edge" pc-kernel
+ snap download --basename=pc-kernel --channel="$VERSION/edge" pc-kernel
# set the unix bump time if the NESTED_* var is set,
# otherwise leave it empty
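Review bot: `VERSION` is assigned in this branch with no `local` declaration in the visible lines, so unless nested_create_core_vm declares it elsewhere it leaks into the caller's scope; nested_get_image_name, by contrast, uses `local VERSION="16"`. Declaring it at the assignment, `local VERSION=20`, keeps the channel selection for the `pc-kernel` and `pc` downloads from being affected by, or affecting, other library functions. The function body starts and ends outside the hunk.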
@@ -650,6 +664,7 @@ nested_create_core_vm() {
if [ -n "$epochBumpTime" ]; then
epochBumpTime="--epoch-bump-time=$epochBumpTime"
fi
+
uc20_build_initramfs_kernel_snap "$PWD/pc-kernel.snap" "$NESTED_ASSETS_DIR" "$epochBumpTime"
rm -f "$PWD/pc-kernel.snap"
@@ -680,7 +695,7 @@ nested_create_core_vm() {
SNAKEOIL_KEY="$PWD/$KEY_NAME.key"
SNAKEOIL_CERT="$PWD/$KEY_NAME.pem"
- snap download --basename=pc --channel="20/edge" pc
+ snap download --basename=pc --channel="$VERSION/edge" pc
unsquashfs -d pc-gadget pc.snap
nested_secboot_sign_gadget pc-gadget "$SNAKEOIL_KEY" "$SNAKEOIL_CERT"
case "${NESTED_UBUNTU_SAVE:-}" in
@@ -739,7 +754,11 @@ EOF
# sign the snapd snap with fakestore if requested
if [ "$NESTED_SIGN_SNAPS_FAKESTORE" = "true" ]; then
- make_snap_installable_with_id --noack "$NESTED_FAKESTORE_BLOB_DIR" "$PWD/new-core20.snap" "DLqre5XGLbDqg9jPtiAhRRjDuPVa5X1q"
+ CORE_SNAP_IP=DLqre5XGLbDqg9jPtiAhRRjDuPVa5X1q
+ if nested_is_core_22_system; then
+ CORE_SNAP_IP=amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
+ fi
+ make_snap_installable_with_id --noack "$NESTED_FAKESTORE_BLOB_DIR" "$PWD/new-core${VERSION}.snap" "$CORE_SNAP_IP"
fi
else
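Review bot: `CORE_SNAP_IP` holds a snap ID rather than an IP address, so the name looks like a typo for `CORE_SNAP_ID`, and it is not declared `local` in the visible lines. The jammy value repeats the core22 `id` from tests/lib/assertions/nested-22-amd64.model, so a comment such as `# snap-id of core22; must match nested-22-amd64.model` would make that coupling visible when either side changes. The `new-core${VERSION}.snap` path also relies on `VERSION` having been set earlier in the same branch, which this hunk does not show.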
@@ -789,7 +808,7 @@ EOF
# Configure the user for the vm
if [ "$NESTED_USE_CLOUD_INIT" = "true" ]; then
- if nested_is_core_20_system; then
+ if nested_is_core_20_system || nested_is_core_22_system; then
nested_configure_cloud_init_on_core20_vm "$NESTED_IMAGES_DIR/$IMAGE_NAME"
else
nested_configure_cloud_init_on_core_vm "$NESTED_IMAGES_DIR/$IMAGE_NAME"
@@ -983,7 +1002,7 @@ nested_start_core_vm_unit() {
local PARAM_DISPLAY PARAM_NETWORK PARAM_MONITOR PARAM_USB PARAM_CD PARAM_RANDOM PARAM_CPU PARAM_TRACE PARAM_LOG PARAM_SERIAL PARAM_RTC
PARAM_DISPLAY="-nographic"
PARAM_NETWORK="-net nic,model=virtio -net user,hostfwd=tcp::$NESTED_SSH_PORT-:22"
- PARAM_MONITOR="-monitor tcp:127.0.0.1:$NESTED_MON_PORT,server,nowait"
+ PARAM_MONITOR="-monitor tcp:127.0.0.1:$NESTED_MON_PORT,server=on,wait=off"
PARAM_USB="-usb"
PARAM_CD="${NESTED_PARAM_CD:-}"
PARAM_RANDOM="-object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0"
@@ -1002,7 +1021,7 @@ nested_start_core_vm_unit() {
# XXX: remove once we no longer support xenial hosts
PARAM_SERIAL="-serial file:${NESTED_LOGS_DIR}/serial.log"
else
- PARAM_SERIAL="-chardev socket,telnet,host=localhost,server,port=7777,nowait,id=char0,logfile=${NESTED_LOGS_DIR}/serial.log,logappend=on -serial chardev:char0"
+ PARAM_SERIAL="-chardev socket,telnet=on,host=localhost,server=on,port=7777,wait=off,id=char0,logfile=${NESTED_LOGS_DIR}/serial.log,logappend=on -serial chardev:char0"
fi
# save logs from previous runs
@@ -1050,12 +1069,19 @@ nested_start_core_vm_unit() {
# storage to
PARAM_ASSERTIONS="-drive if=none,id=stick,format=raw,file=$NESTED_ASSETS_DIR/assertions.disk,cache=none,format=raw -device nec-usb-xhci,id=xhci -device usb-storage,bus=xhci.0,removable=true,drive=stick"
fi
- if nested_is_core_20_system; then
+ if nested_is_core_20_system || nested_is_core_22_system; then
# use a bundle EFI bios by default
PARAM_BIOS="-bios /usr/share/ovmf/OVMF.fd"
local OVMF_CODE OVMF_VARS
OVMF_CODE="secboot"
OVMF_VARS="ms"
+
+ if nested_is_core_22_system; then
+ wget https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_CODE.secboot.fd
+ mv OVMF_CODE.secboot.fd /usr/share/OVMF/OVMF_CODE.secboot.fd
+ wget https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_VARS.snakeoil.fd
+ mv OVMF_VARS.snakeoil.fd /usr/share/OVMF/OVMF_VARS.snakeoil.fd
+ fi
# In this case the kernel.efi is unsigned and signed with snaleoil certs
if [ "$NESTED_BUILD_SNAPD_FROM_CURRENT" = "true" ]; then
OVMF_VARS="snakeoil"
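Review bot: The two `wget` calls added for jammy fetch the secure-boot firmware images `OVMF_CODE.secboot.fd` and `OVMF_VARS.snakeoil.fd` from a storage bucket and move them into `/usr/share/OVMF/` with no integrity check and no check that the download succeeded. These files determine which keys the nested VM's secure boot trusts, so a replaced or truncated object would silently change what the uc22 secure-boot tests verify. Pin each image to a known SHA-256 and fail on mismatch, download into a temporary directory rather than the current one, and skip the fetch when the file is already installed, since nested_start_core_vm_unit appears to run on every VM start. The function body starts and ends outside the hunk, so whether it runs under `set -e` is not visible here.

```shell
if nested_is_core_22_system; then
    # Placeholder digests: replace with the real SHA-256 of each published image.
    local OVMF_CODE_SHA256="<sha256-of-OVMF_CODE.secboot.fd>"
    local OVMF_VARS_SHA256="<sha256-of-OVMF_VARS.snakeoil.fd>"
    local OVMF_URL="https://storage.googleapis.com/snapd-spread-tests/dependencies"
    if [ ! -f /usr/share/OVMF/OVMF_CODE.secboot.fd ] || [ ! -f /usr/share/OVMF/OVMF_VARS.snakeoil.fd ]; then
        local ovmf_tmp
        ovmf_tmp="$(mktemp -d)"
        wget -P "$ovmf_tmp" "$OVMF_URL/OVMF_CODE.secboot.fd" "$OVMF_URL/OVMF_VARS.snakeoil.fd"
        # Refuse to install firmware that does not match the pinned digests.
        if ! printf '%s  %s\n' \
            "$OVMF_CODE_SHA256" "$ovmf_tmp/OVMF_CODE.secboot.fd" \
            "$OVMF_VARS_SHA256" "$ovmf_tmp/OVMF_VARS.snakeoil.fd" | sha256sum -c -; then
            echo "OVMF image checksum mismatch, exiting..."
            rm -rf "$ovmf_tmp"
            exit 1
        fi
        mv "$ovmf_tmp/OVMF_CODE.secboot.fd" /usr/share/OVMF/OVMF_CODE.secboot.fd
        mv "$ovmf_tmp/OVMF_VARS.snakeoil.fd" /usr/share/OVMF/OVMF_VARS.snakeoil.fd
        rm -rf "$ovmf_tmp"
    fi
fi
# … unchanged: snakeoil selection when NESTED_BUILD_SNAPD_FROM_CURRENT is true …
```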
@@ -1064,10 +1090,9 @@ nested_start_core_vm_unit() {
if [ "${NESTED_ENABLE_OVMF:-}" = "true" ]; then
PARAM_BIOS="-bios /usr/share/OVMF/OVMF_CODE.fd"
fi
-
if nested_is_secure_boot_enabled; then
cp -f "/usr/share/OVMF/OVMF_VARS.$OVMF_VARS.fd" "$NESTED_ASSETS_DIR/OVMF_VARS.$OVMF_VARS.fd"
- PARAM_BIOS="-drive file=/usr/share/OVMF/OVMF_CODE.$OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly -drive file=$NESTED_ASSETS_DIR/OVMF_VARS.$OVMF_VARS.fd,if=pflash,format=raw"
+ PARAM_BIOS="-drive file=/usr/share/OVMF/OVMF_CODE.$OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=$NESTED_ASSETS_DIR/OVMF_VARS.$OVMF_VARS.fd,if=pflash,format=raw"
PARAM_MACHINE="-machine q35${ATTR_KVM} -global ICH9-LPC.disable_s3=1"
fi
@@ -1279,7 +1304,7 @@ nested_start_classic_vm() {
local PARAM_DISPLAY PARAM_NETWORK PARAM_MONITOR PARAM_USB PARAM_CPU PARAM_CD PARAM_RANDOM PARAM_SNAPSHOT
PARAM_DISPLAY="-nographic"
PARAM_NETWORK="-net nic,model=virtio -net user,hostfwd=tcp::$NESTED_SSH_PORT-:22"
- PARAM_MONITOR="-monitor tcp:127.0.0.1:$NESTED_MON_PORT,server,nowait"
+ PARAM_MONITOR="-monitor tcp:127.0.0.1:$NESTED_MON_PORT,server=on,wait=off"
PARAM_USB="-usb"
PARAM_CPU=""
PARAM_CD="${NESTED_PARAM_CD:-}"
@@ -1317,7 +1342,7 @@ nested_start_classic_vm() {
# XXX: remove once we no longer support xenial hosts
PARAM_SERIAL="-serial file:${NESTED_LOGS_DIR}/serial.log"
else
- PARAM_SERIAL="-chardev socket,telnet,host=localhost,server,port=7777,nowait,id=char0,logfile=${NESTED_LOGS_DIR}/serial.log,logappend=on -serial chardev:char0"
+ PARAM_SERIAL="-chardev socket,telnet=on,host=localhost,server=on,port=7777,wait=off,id=char0,logfile=${NESTED_LOGS_DIR}/serial.log,logappend=on -serial chardev:char0"
fi
PARAM_BIOS=""
PARAM_TPM=""
diff --git a/tests/lib/prepare.sh b/tests/lib/prepare.sh
index e6cbeeb17f..4285d752d2 100755
--- a/tests/lib/prepare.sh
+++ b/tests/lib/prepare.sh
@@ -524,7 +524,6 @@ EOF
rm -rf "$UNPACK_DIR"
}
-
uc20_build_initramfs_kernel_snap() {
# carries ubuntu-core-initframfs
add-apt-repository ppa:snappy-dev/image -y
@@ -583,21 +582,15 @@ uc20_build_initramfs_kernel_snap() {
cp -a /usr/lib/snapd/snap-bootstrap "$skeletondir/main/usr/lib/snapd/snap-bootstrap.real"
cat <<'EOF' | sed -E "s/^ {8}//" >"$skeletondir/main/usr/lib/snapd/snap-bootstrap"
#!/bin/sh
-
set -eux
-
if [ "$1" != initramfs-mounts ]; then
exec /usr/lib/snapd/snap-bootstrap.real "$@"
fi
-
beforeDate="$(date --utc '+%s')"
-
/usr/lib/snapd/snap-bootstrap.real "$@"
-
if [ -d /run/mnt/data/system-data ]; then
touch /run/mnt/data/system-data/the-tool-ran
fi
-
# also copy the time for the clock-epoch to system-data, this is
# used by a specific test but doesn't hurt anything to do this for
# all tests
diff --git a/tests/nested/core/core22-basic/task.yaml b/tests/nested/core/core22-basic/task.yaml
new file mode 100644
index 0000000000..d807345a9a
--- /dev/null
+++ b/tests/nested/core/core22-basic/task.yaml
@@ -0,0 +1,38 @@
+summary: Run a smoke test on UC22 with encryption enabled
+
+details: |
+ This test checks basic snapd commands on UC22 with secure boot and encryption enabled
+
+systems: [ubuntu-22.04-64]
+
+execute: |
+ echo "Wait for the system to be seeded first"
+ tests.nested exec "sudo snap wait system seed.loaded"
+
+ echo "Ensure 'snap install' works"
+ tests.nested exec "sudo snap install test-snapd-sh"
+
+ echo "Ensure 'snap list' works and test-snapd-sh snap is installed"
+ tests.nested exec "snap list" | MATCH test-snapd-sh
+
+ echo "Ensure 'snap find' works"
+ tests.nested exec "snap find test-snapd-sh" | MATCH ^test-snapd-sh
+
+ echo "Ensure 'snap info' works"
+ tests.nested exec "snap info test-snapd-sh" | MATCH '^name:\ +test-snapd-sh'
+
+ echo "Ensure 'snap remove' works"
+ tests.nested exec "sudo snap remove test-snapd-sh"
+
+ echo "Ensure 'snap list' works and test-snapd-sh snap is removed"
+ tests.nested exec "! snap list test-snapd-sh"
+
+ echo "Ensure 'snap debug show-keys' works as root"
+ tests.nested exec "sudo snap recovery --show-keys" | MATCH 'recovery:\s+[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}'
+ tests.nested exec "sudo snap recovery --show-keys" | MATCH 'reinstall:\s+[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}'
+
+ echo "But not as user (normal file permissions prevent this)"
+ if tests.nested exec "snap recovery --show-key"; then
+ echo "snap recovery --show-key should not work as a user"
+ exit 1
+ fi
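Review bot: The non-root check at the end runs `snap recovery --show-key` (singular) while the root checks above use `--show-keys`, so the command may be rejected as an unknown option and the test would then pass without exercising the file-permission protection on the recovery keys. Use the same flag in the negative case, `if tests.nested exec "snap recovery --show-keys"; then`, and consider matching the error output so the test confirms the failure is a permission denial. The echo before the root checks also says `snap debug show-keys` although the command executed is `snap recovery --show-keys`.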
diff --git a/tests/nested/manual/preseed/task.yaml b/tests/nested/manual/preseed/task.yaml
index 297bf3f6ef..153466010a 100644
--- a/tests/nested/manual/preseed/task.yaml
+++ b/tests/nested/manual/preseed/task.yaml
@@ -92,7 +92,7 @@ execute: |
# the host VM as the nested VM, currently we are not, and as such there is a
# diff between the preseed apparmor-features and the nested VM actual
# system-key
- if [ "$SPREAD_SYSTEM" != "ubuntu-20.04-64" ]; then
+ if not os.query is-focal && not os.query is-jammy; then
# note, this doesn't actually test the functionality, but acts as a canary:
# the test is run against a vm image with ubuntu release matching that from spread host;
# system-key check can fail if the nested vm image differs too much from the spread host system,