From b6a68ac7f9c80b6551e2c98a0d488108c3ee3e88 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 25 Apr 2024 12:04:35 -0400 Subject: [PATCH 01/31] daemon.start: improve grep inspecting LXD environment Signed-off-by: Simon Deziel (cherry picked from commit e19e947002235016c3136657d04660edb0cf0a90) --- snapcraft/commands/daemon.start | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 8f1cc2b28..7915f937a 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -620,7 +620,8 @@ fi # LXD ## Check for existing LXDs for pid in $(pgrep -f "lxd --logfile" ; pgrep -f "lxd.debug --logfile"); do - grep -qF "SNAP_NAME=lxd" "/proc/${pid}/environ" || continue + # Cheap confirmation that we likely have a LXD PID + grep -q --line-regexp --fixed-strings --max-count=1 "SNAP_NAME=lxd" "/proc/${pid}/environ" || continue rm -f "/var/snap/lxd/common/lxd/.validate" touch "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true From 9953d7a80e05ef8647333a82bad5b4300aa03d79 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 25 Apr 2024 13:01:53 -0400 Subject: [PATCH 02/31] daemon.start: only call pgrep once Signed-off-by: Simon Deziel (cherry picked from commit 10e9dee0e4abafdbb33160d2a7fc9a3c48dbf782) --- snapcraft/commands/daemon.start | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 7915f937a..84770d46b 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -619,7 +619,7 @@ fi # LXD ## Check for existing LXDs -for pid in $(pgrep -f "lxd --logfile" ; pgrep -f "lxd.debug --logfile"); do +for pid in $(pgrep -f "lxd(\.debug)? --logfile"); do # Cheap confirmation that we likely have a LXD PID grep -q --line-regexp --fixed-strings --max-count=1 "SNAP_NAME=lxd" "/proc/${pid}/environ" || continue From da90c42910af409fb5ff662b806e3e6057fef024 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 25 Apr 2024 13:27:19 -0400 Subject: [PATCH 03/31] daemon.start: explain how existing PIDs are validated Signed-off-by: Simon Deziel (cherry picked from commit 4c0adaa0b3f59f568a0de3e24f4d15c5c3c14f85) --- snapcraft/commands/daemon.start | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 84770d46b..e0cd68586 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -623,6 +623,11 @@ for pid in $(pgrep -f "lxd(\.debug)? --logfile"); do # Cheap confirmation that we likely have a LXD PID grep -q --line-regexp --fixed-strings --max-count=1 "SNAP_NAME=lxd" "/proc/${pid}/environ" || continue + # Confirm the PID found by pgrep is indeed ours and not one from + # a nested instance also running LXD or a recycled PID. By writing + # to a file using the `/proc` path and comparing the content seen from + # the `/var` path, we can conclude if the LXD daemon is executing + # in the same mount namespace as ours (safe to kill) or not (ignore). rm -f "/var/snap/lxd/common/lxd/.validate" touch "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true if [ -e "/var/snap/lxd/common/lxd/.validate" ]; then From 68da1b37dfb8ce5d5b99e5f85569870af967332c Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 25 Apr 2024 13:36:04 -0400 Subject: [PATCH 04/31] daemon.start: enhance how existing LXD PIDs are validated By using some cheap random data to write and compare, we reduce the risk of a nested LXD running the same code at the same time to also do this same validation. It is no longer needed to remove the .validate file first as we rely on its content more than its presence. Suggested-by: Alexander Mikhalitsyn Signed-off-by: Simon Deziel (cherry picked from commit c332f450d8234673310c0b5fde66709c1686d204) --- snapcraft/commands/daemon.start | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index e0cd68586..b6f82df91 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -628,9 +628,8 @@ for pid in $(pgrep -f "lxd(\.debug)? --logfile"); do # to a file using the `/proc` path and comparing the content seen from # the `/var` path, we can conclude if the LXD daemon is executing # in the same mount namespace as ours (safe to kill) or not (ignore). - rm -f "/var/snap/lxd/common/lxd/.validate" - touch "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true - if [ -e "/var/snap/lxd/common/lxd/.validate" ]; then + echo "$$" > "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true + if [ "$(cat /var/snap/lxd/common/lxd/.validate 2>/dev/null)" = "$$" ]; then echo "=> Killing conflicting LXD (pid=${pid})" kill -9 "${pid}" || true rm -f "/var/snap/lxd/common/lxd/.validate" From 81d77cd23627d43172dabfb72f16201bf34fb6c3 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 25 Apr 2024 13:49:19 -0400 Subject: [PATCH 05/31] daemon.start: limit pgrep to match on root-owned LXD PIDs This is a safeguard to ignore (unprivileged) nested LXD. Here is a comparison of the old way: ``` server_pid: 1293 5923 /var/snap/lxd/common/lxd.debug --logfile /var/snap/lxd/common/lxd/logs/lxd.log --group lxd 8424 lxd --logfile /var/snap/lxd/common/lxd/logs/lxd.log --group lxd ``` In the above, the PID `8424` is the LXD inside the `c1` instance. Now with the new way: ``` 5923 /var/snap/lxd/common/lxd.debug --logfile /var/snap/lxd/common/lxd/logs/lxd.log --group lxd ``` Note: privileged nested LXD would also be running as EUID 0 but would be in a different mount namespace which is what the `.validate` file comparison guards against. Signed-off-by: Simon Deziel (cherry picked from commit 5d7092d2fe8637a4c8ceab6fd691c0220c8b2f25) --- snapcraft/commands/daemon.start | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index b6f82df91..aa670788e 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -619,7 +619,7 @@ fi # LXD ## Check for existing LXDs -for pid in $(pgrep -f "lxd(\.debug)? --logfile"); do +for pid in $(pgrep --euid 0 --full "lxd(\.debug)? --logfile"); do # Cheap confirmation that we likely have a LXD PID grep -q --line-regexp --fixed-strings --max-count=1 "SNAP_NAME=lxd" "/proc/${pid}/environ" || continue @@ -628,6 +628,8 @@ for pid in $(pgrep -f "lxd(\.debug)? --logfile"); do # to a file using the `/proc` path and comparing the content seen from # the `/var` path, we can conclude if the LXD daemon is executing # in the same mount namespace as ours (safe to kill) or not (ignore). + # A priv nested LXD would pass the EUID=0 and SNAP_NAME=lxd tests but would + # fail the `.validate` test as it wouldn't be in the same mount namespace. echo "$$" > "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true if [ "$(cat /var/snap/lxd/common/lxd/.validate 2>/dev/null)" = "$$" ]; then echo "=> Killing conflicting LXD (pid=${pid})" From de203ad45bc605f6ea0f25b308250526a46951b1 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 1 May 2024 13:01:37 -0400 Subject: [PATCH 06/31] daemon.start: always remove the .validate file Doing the removal only on confirmed to be conflicting LXD meant that potentially multiple files could be left behind, one per invalid PID. Signed-off-by: Simon Deziel (cherry picked from commit 5eba0dd15948a26d3adaccfd49d6501b51df7c9e) --- snapcraft/commands/daemon.start | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index aa670788e..5a46b3990 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -634,8 +634,8 @@ for pid in $(pgrep --euid 0 --full "lxd(\.debug)? --logfile"); do if [ "$(cat /var/snap/lxd/common/lxd/.validate 2>/dev/null)" = "$$" ]; then echo "=> Killing conflicting LXD (pid=${pid})" kill -9 "${pid}" || true - rm -f "/var/snap/lxd/common/lxd/.validate" fi + rm -f "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" done ## Move the database out of the versioned path if present From e9faecedaf9cad3c5c7f7879372d174299f72d7b Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 1 May 2024 13:47:22 -0400 Subject: [PATCH 07/31] github: use non-shallow clones for differential shellcheck Signed-off-by: Simon Deziel (cherry picked from commit 2d3d84e591760e861bd9e63c20534b5ddbaeb8b8) --- .github/workflows/tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b2a8b32bd..3a82673f1 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -23,6 +23,9 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + # A non-shallow clone is needed for the Differential ShellCheck + fetch-depth: 0 - id: ShellCheck name: Differential ShellCheck From fc37a357a0a81da93ee5a8f955bfdfe259b8f781 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 15:18:42 -0400 Subject: [PATCH 08/31] snapcraft: disable QEMU XKB common Same as done in Ubuntu deb package: > # this disables building of qemu-keymap tool (!) > # qemu-keymap might be helpful for qemu-system -k > # but is -k flag useful these days? > common_configure_opts += --disable-xkbcommon Signed-off-by: Simon Deziel (cherry picked from commit 7396e317351e4e5c06363873768930376db9f90a) --- snapcraft.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/snapcraft.yaml b/snapcraft.yaml index 2824d9ab4..a1aaa311f 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -819,6 +819,7 @@ parts: - --disable-vdi - --disable-vnc - --disable-xen + - --disable-xkbcommon - --enable-attr - --enable-cap-ng - --enable-kvm From ba0d2a2fd292e2d18f2f87f20fcab5cdbdd4f4bc Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 15:20:32 -0400 Subject: [PATCH 09/31] snapcraft: disable QEMU pvrdma optimisation for vmxnet3 Same as done in Ubuntu deb package: > # pvrdma is an extension/optimisation for vmxnet3 vmware virtual network > # adapter. This piece of code seems to be buggy and poorly maintained, > # resulting in numerous security issues which comes unfixed for long time. > # This device isn't native for qemu. # Just disable it for now. > common_configure_opts += --disable-pvrdma Signed-off-by: Simon Deziel (cherry picked from commit 53d58e1f82c85ddf9ad5438f418524dd4ecaa8cd) --- snapcraft.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/snapcraft.yaml b/snapcraft.yaml index a1aaa311f..f03df768e 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -813,6 +813,7 @@ parts: - --disable-docs - --disable-guest-agent - --disable-parallels + - --disable-pvrdma - --disable-qed - --disable-slirp - --disable-user From 365d14de9ada2451a3f9583b970dcaca5966157f Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:10:30 -0400 Subject: [PATCH 10/31] daemon.reload: use shell builtin to read PID Signed-off-by: Simon Deziel (cherry picked from commit 2db6437d91ab3b1e2ea43484269df2c27eba4634) --- snapcraft/commands/daemon.reload | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.reload b/snapcraft/commands/daemon.reload index c06ac4cc5..8c85b777c 100755 --- a/snapcraft/commands/daemon.reload +++ b/snapcraft/commands/daemon.reload @@ -10,5 +10,5 @@ if [ -d /sys/kernel/security/apparmor ]; then fi echo reload > "${SNAP_COMMON}/state" -PID=$(cat "${SNAP_COMMON}/lxd.pid") +read -r PID < "${SNAP_COMMON}/lxd.pid" /bin/kill "$PID" From 451fccb32cffd5b27490637a32b2aa155488e2df Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:11:02 -0400 Subject: [PATCH 11/31] daemon.reload: don't use fully qualified path to kill This is for consistency. Signed-off-by: Simon Deziel (cherry picked from commit 65c7b4c7d0fe5af69176944482bec97f5cf74113) --- snapcraft/commands/daemon.reload | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.reload b/snapcraft/commands/daemon.reload index 8c85b777c..f8e7562a2 100755 --- a/snapcraft/commands/daemon.reload +++ b/snapcraft/commands/daemon.reload @@ -11,4 +11,4 @@ fi echo reload > "${SNAP_COMMON}/state" read -r PID < "${SNAP_COMMON}/lxd.pid" -/bin/kill "$PID" +kill "$PID" From ec72e37712bd171d44338a08c50894b953aeaf01 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:16:44 -0400 Subject: [PATCH 12/31] daemon.stop: use shell builtin to read state Signed-off-by: Simon Deziel (cherry picked from commit ec45102960f476563c58a056f8c3ce49dc418349) --- snapcraft/commands/daemon.stop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index 1016dcfc9..a8ad52d30 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -18,7 +18,7 @@ STATUS=$(snap-query 2>/dev/null || true) reason="host shutdown" if [ -s "${SNAP_COMMON}/state" ]; then - reason="$(cat "${SNAP_COMMON}/state")" + read -r reason < "${SNAP_COMMON}/state" elif [ "${STATUS}" = "auto-refresh" ]; then reason="snap refresh" elif [ "${STATUS}" = "refresh-snap" ]; then From c492f053791ff34f46cff7599d0c7b2254acb42c Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:19:02 -0400 Subject: [PATCH 13/31] daemon.stop: call snap-query only if needed Signed-off-by: Simon Deziel (cherry picked from commit 6c0711811b84d1f1cffbb10db4569fb52ae01198) --- snapcraft/commands/daemon.stop | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index a8ad52d30..a94cf0796 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -12,21 +12,23 @@ fi export LXD_DIR="${SNAP_COMMON}/lxd/" PID=$(cat "${SNAP_COMMON}/lxd.pid" || true) -# FIXME: Detect stop reason -# This should be exposed by snapd directly -STATUS=$(snap-query 2>/dev/null || true) - reason="host shutdown" if [ -s "${SNAP_COMMON}/state" ]; then read -r reason < "${SNAP_COMMON}/state" -elif [ "${STATUS}" = "auto-refresh" ]; then - reason="snap refresh" -elif [ "${STATUS}" = "refresh-snap" ]; then - reason="snap refresh" -elif [ "${STATUS}" = "install-snap" ]; then - reason="snap refresh" -elif [ "${STATUS}" = "remove-snap" ]; then - reason="snap removal" +else + # FIXME: Detect stop reason + # This should be exposed by snapd directly + STATUS=$(snap-query 2>/dev/null || true) + + if [ "${STATUS}" = "auto-refresh" ]; then + reason="snap refresh" + elif [ "${STATUS}" = "refresh-snap" ]; then + reason="snap refresh" + elif [ "${STATUS}" = "install-snap" ]; then + reason="snap refresh" + elif [ "${STATUS}" = "remove-snap" ]; then + reason="snap removal" + fi fi echo "=> Stop reason is: ${reason}" From 8c186f6da3e3726c75c5da2a2350d46711682524 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:26:11 -0400 Subject: [PATCH 14/31] daemon.stop: use shell builtin to read PIDs Also ignore errors when reading OVS/LXCFS PIDs as the code already handles those being empty. Rename the OVS and LXCFS PID variabes to avoid confusion: ``` $ PID=1234 $ read -r PID < /does/not/exist.pid sh: 10: cannot open /does/not/exist.pid: No such file $ echo "${PID}" 1234 ``` Signed-off-by: Simon Deziel (cherry picked from commit 9b3ddfe8ccdce48d7b2db9a70ca8e96efca6e6a1) --- snapcraft/commands/daemon.stop | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index a94cf0796..1bf6534ae 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -10,7 +10,7 @@ if [ -d /sys/kernel/security/apparmor ]; then fi export LXD_DIR="${SNAP_COMMON}/lxd/" -PID=$(cat "${SNAP_COMMON}/lxd.pid" || true) +read -r PID < "${SNAP_COMMON}/lxd.pid" || true reason="host shutdown" if [ -s "${SNAP_COMMON}/state" ]; then @@ -106,8 +106,8 @@ fi ## OpenVswitch if [ -e "${SNAP_COMMON}/openvswitch/run/ovs-vswitchd.pid" ]; then - PID=$(cat "${SNAP_COMMON}/openvswitch/run/ovs-vswitchd.pid") - if [ -n "${PID}" ] && kill -0 "${PID}" 2>/dev/null; then + read -r OVS_PID < "${SNAP_COMMON}/openvswitch/run/ovs-vswitchd.pid" || true + if [ -n "${OVS_PID}" ] && kill -0 "${OVS_PID}" 2>/dev/null; then ( echo "=> Stopping Open vSwitch" @@ -133,15 +133,16 @@ fi if [ -e "${SNAP_COMMON}/lxcfs.pid" ]; then echo "=> Stopping LXCFS" - PID=$(cat "${SNAP_COMMON}/lxcfs.pid") - if [ -n "${PID}" ] && kill -0 "${PID}" 2>/dev/null; then - if ! kill "$PID"; then + read -r LXCFS_PID < "${SNAP_COMMON}/lxcfs.pid" || true + if [ -n "${LXCFS_PID}" ] && kill -0 "${LXCFS_PID}" 2>/dev/null; then + + if ! kill "${LXCFS_PID}"; then echo "==> Failed to signal LXCFS to stop" fi DEAD=0 for _ in $(seq 30); do - if ! kill -0 "${PID}" 2>/dev/null; then + if ! kill -0 "${LXCFS_PID}" 2>/dev/null; then DEAD=1 echo "==> Stopped LXCFS" break @@ -151,7 +152,7 @@ if [ -e "${SNAP_COMMON}/lxcfs.pid" ]; then if [ "${DEAD}" = "0" ]; then echo "==> Forcefully stopping LXCFS after 30 seconds wait" - if kill -9 "${PID}" 2>/dev/null; then + if kill -9 "${LXCFS_PID}" 2>/dev/null; then echo "==> Stopped LXCFS" else echo "==> Failed to stop LXCFS" From aa2ccc821c347f2c09ff93d4303beb2154579738 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:28:55 -0400 Subject: [PATCH 15/31] daemon.stop: announce LXCFS stopping when we actually do so Signed-off-by: Simon Deziel (cherry picked from commit 7281ba5503a4ade54f14920aba6ce9c918933dbf) --- snapcraft/commands/daemon.stop | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index 1bf6534ae..e64c6b289 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -131,10 +131,9 @@ fi ## LXCFS if [ -e "${SNAP_COMMON}/lxcfs.pid" ]; then - echo "=> Stopping LXCFS" - read -r LXCFS_PID < "${SNAP_COMMON}/lxcfs.pid" || true if [ -n "${LXCFS_PID}" ] && kill -0 "${LXCFS_PID}" 2>/dev/null; then + echo "=> Stopping LXCFS" if ! kill "${LXCFS_PID}"; then echo "==> Failed to signal LXCFS to stop" From d8a648ef6751ef07c8619a6ca0d7cd84fbae1073 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 8 May 2024 10:31:05 -0400 Subject: [PATCH 16/31] daemon.stop: read LXD PID only if we are going to use it Signed-off-by: Simon Deziel (cherry picked from commit 5c5632cfcd093387043dc663c2893e2a83d64f86) --- snapcraft/commands/daemon.stop | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index e64c6b289..88b766bb9 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -9,9 +9,6 @@ if [ -d /sys/kernel/security/apparmor ]; then fi fi -export LXD_DIR="${SNAP_COMMON}/lxd/" -read -r PID < "${SNAP_COMMON}/lxd.pid" || true - reason="host shutdown" if [ -s "${SNAP_COMMON}/state" ]; then read -r reason < "${SNAP_COMMON}/state" @@ -43,6 +40,9 @@ if [ "${reason}" = "reload" ] || [ "${reason}" = "crashed" ]; then exit 0 fi +export LXD_DIR="${SNAP_COMMON}/lxd/" +read -r PID < "${SNAP_COMMON}/lxd.pid" || true + # Handle refreshes if [ "${reason}" = "snap refresh" ]; then echo "=> Stopping LXD" From 44c3f90c527a5ec6e6ad7b2990c8d5f65e1c0c87 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 11:17:21 -0400 Subject: [PATCH 17/31] daemon.start: group first run detection Signed-off-by: Simon Deziel (cherry picked from commit 14cf45b4f08086be8b288a0f4f80999bd9bd10b0) --- snapcraft/commands/daemon.start | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 5a46b3990..4c3a46ab9 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -690,12 +690,6 @@ if [ "${daemon_verbose:-"false"}" = "true" ]; then CMD="${CMD} --verbose" fi -# Check if this is the first time LXD is started. -FIRSTRUN="false" -if [ ! -d "${SNAP_COMMON}/lxd/database" ]; then - FIRSTRUN="true" -fi - # We deal with errors ourselves from this point on set +e @@ -741,11 +735,12 @@ if [ "${RET}" -gt "0" ]; then exit 1 fi -## Process preseed if present -if [ "${FIRSTRUN}" = "true" ]; then +## Check if this is the first time LXD is started +if [ ! -d "${SNAP_COMMON}/lxd/database" ]; then set -e echo "=> First LXD execution on this system" + ## Process preseed if present if [ -e "${SNAP_COMMON}/init.yaml" ]; then echo "==> Running LXD preseed file" ${LXD} init --preseed < "${SNAP_COMMON}/init.yaml" From ebe8640c7f5c2d718045856a68e587823c9e461d Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 11:28:20 -0400 Subject: [PATCH 18/31] daemon.activate: test for lxd/database dir for first run detection Signed-off-by: Simon Deziel (cherry picked from commit 40aba7231d848eb79de5f809afbd8e0f7ebe4ca9) --- snapcraft/commands/daemon.activate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate index 2ea5bcb86..11e442fb6 100755 --- a/snapcraft/commands/daemon.activate +++ b/snapcraft/commands/daemon.activate @@ -95,7 +95,7 @@ if getent group "${daemon_user_group}" >/dev/null 2>&1; then fi # Check if LXD ever started -if [ ! -e "${SNAP_COMMON}/lxd/database" ]; then +if [ ! -d "${SNAP_COMMON}/lxd/database" ]; then echo "==> LXD never started on this system, no need to start it now" exit 0 fi From 49ba466a9ca1823d3f204f5226b4b65001f93ad7 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 11:34:18 -0400 Subject: [PATCH 19/31] daemon.start: consistently use SNAP_COMMON var Signed-off-by: Simon Deziel (cherry picked from commit 309f29431969f8409576dc7c65594b278944009e) --- snapcraft/commands/daemon.start | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 4c3a46ab9..9f790650d 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -630,12 +630,12 @@ for pid in $(pgrep --euid 0 --full "lxd(\.debug)? --logfile"); do # in the same mount namespace as ours (safe to kill) or not (ignore). # A priv nested LXD would pass the EUID=0 and SNAP_NAME=lxd tests but would # fail the `.validate` test as it wouldn't be in the same mount namespace. - echo "$$" > "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" 2>/dev/null || true - if [ "$(cat /var/snap/lxd/common/lxd/.validate 2>/dev/null)" = "$$" ]; then + echo "$$" > "/proc/${pid}/root${SNAP_COMMON}/lxd/.validate" 2>/dev/null || true + if [ "$(cat "${SNAP_COMMON}/lxd/.validate" 2>/dev/null)" = "$$" ]; then echo "=> Killing conflicting LXD (pid=${pid})" kill -9 "${pid}" || true fi - rm -f "/proc/${pid}/root/var/snap/lxd/common/lxd/.validate" + rm -f "/proc/${pid}/root${SNAP_COMMON}/lxd/.validate" done ## Move the database out of the versioned path if present @@ -671,8 +671,8 @@ CMD="${LXD} --logfile ${SNAP_COMMON}/lxd/logs/lxd.log" if getent group "${daemon_group}" >/dev/null 2>&1; then CMD="${CMD} --group ${daemon_group}" - if [ -e "/var/snap/lxd/common/lxd/unix.socket" ]; then - chgrp "${daemon_group}" /var/snap/lxd/common/lxd/unix.socket + if [ -e "${SNAP_COMMON}/lxd/unix.socket" ]; then + chgrp "${daemon_group}" "${SNAP_COMMON}/lxd/unix.socket" fi else echo "==> No \"${daemon_group}\" group found, only root will be able to use LXD." From 52f163e406a41185664a3f91831ac09875d3373a Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 6 May 2024 11:34:20 -0400 Subject: [PATCH 20/31] daemon.stop: consistently use SNAP_COMMON var Signed-off-by: Simon Deziel (cherry picked from commit de08b119b70886f228fec426891bdd7f708ffbf6) --- snapcraft/commands/daemon.stop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/commands/daemon.stop b/snapcraft/commands/daemon.stop index 88b766bb9..1f84e953e 100755 --- a/snapcraft/commands/daemon.stop +++ b/snapcraft/commands/daemon.stop @@ -168,7 +168,7 @@ rm -f "${SNAP_COMMON}/lxcfs.pid" "${SNAP_COMMON}/lxd.pid" ## Flush our shared namespace from the host echo "=> Cleaning up namespaces" -nsenter -t 1 -m umount -l /var/snap/lxd/common/ns 2>/dev/null || true +nsenter -t 1 -m umount -l "${SNAP_COMMON}/ns" 2>/dev/null || true echo "=> All done" exit 0 From d252f0027b1262169a71ac8f4fd5277afa173bb6 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 May 2024 09:12:38 -0400 Subject: [PATCH 21/31] daemon.activate: simplify LXD appliance detection Replaces 2 `grep` and 1 `cut` by a single `grep`. Signed-off-by: Simon Deziel (cherry picked from commit 879920427571da596061613584df8c59ec47ed54) --- snapcraft/commands/daemon.activate | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate index 11e442fb6..f2410c41d 100755 --- a/snapcraft/commands/daemon.activate +++ b/snapcraft/commands/daemon.activate @@ -52,8 +52,7 @@ if ! nsenter -t 1 -m systemctl is-active -q snap."${SNAP_INSTANCE_NAME}".daemon. fi # Start LXD if running as an appliance -SNAP_MODEL="$(nsenter -t 1 -m snap model --assertion | grep "^model: " | cut -d' ' -f2)" -if echo "${SNAP_MODEL}" | grep -q "^lxd-core"; then +if nsenter -t 1 -m snap model --assertion | grep -q "^model: lxd-core"; then echo "==> LXD appliance detected, starting LXD" nsenter -t 1 -m systemctl start snap."${SNAP_INSTANCE_NAME}".daemon --no-block exit 0 From 2a7afa38a77ceb6e47dbcb6897ab1f5d7d0c9b51 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Wed, 22 May 2024 09:15:34 -0400 Subject: [PATCH 22/31] daemon.start: simplify LXD appliance detection Replaces `sed` and 2 `grep` by a single `grep`. Signed-off-by: Simon Deziel (cherry picked from commit ecc6b2b80be79a770800b0becadc8016e531156f) --- snapcraft/commands/daemon.start | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 9f790650d..30ec03ed1 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -28,14 +28,17 @@ export LXD_CLUSTER_UPDATE="${SNAP_CURRENT}/commands/refresh" export LXD_QEMU_FW_PATH="${SNAP_CURRENT}/share/qemu" export PYTHONPATH=/snap/lxd/current/lib/python3/dist-packages/ -# Detect model -SNAP_MODEL="$(nsenter -t 1 -m snap model --assertion | sed -n 's/^model: \(.\+\)/\1/p')" +# Detect LXD appliance +LXD_APPLIANCE="false" +if nsenter -t 1 -m snap model --assertion | grep -q "^model: lxd-core"; then + LXD_APPLIANCE="true" +fi # Detect base name SNAP_BASE="$(sed -n '/^name:/ s/^name:\s*\(core[0-9]\{2\}\)/\1/p' /meta/snap.yaml)" # Wait for appliance configuration -if echo "${SNAP_MODEL}" | grep -q "^lxd-core"; then +if [ "${LXD_APPLIANCE}" = "true" ]; then while :; do [ "$(nsenter -t 1 -m snap managed)" = "true" ] && break sleep 5 @@ -745,7 +748,7 @@ if [ ! -d "${SNAP_COMMON}/lxd/database" ]; then echo "==> Running LXD preseed file" ${LXD} init --preseed < "${SNAP_COMMON}/init.yaml" mv "${SNAP_COMMON}/init.yaml" "${SNAP_COMMON}/init.yaml.applied" - elif echo "${SNAP_MODEL}" | grep -q "^lxd-core"; then + elif [ "${LXD_APPLIANCE}" = "true" ]; then echo "==> Initializing LXD appliance" # Network (NIC with the default gateway) From b66c1c74fcf98a52abb6772c55df82e79d195460 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 13:59:50 -0400 Subject: [PATCH 23/31] daemon.start: replace `basename` by var substitution This avoids forking to `basename`. Signed-off-by: Simon Deziel (cherry picked from commit d9747f627726812761bfde07e220a3c1bdd1d685) --- snapcraft/commands/daemon.start | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start index 30ec03ed1..536b8209c 100755 --- a/snapcraft/commands/daemon.start +++ b/snapcraft/commands/daemon.start @@ -14,8 +14,10 @@ echo "=> Preparing the system (${SNAP_REVISION})" # shellcheck disable=SC2155 export SNAP_CURRENT="$(realpath "${SNAP}/..")/current" -# shellcheck disable=SC2155 -export ARCH="$(basename "$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)")" +# Turn `/snap/lxd/28637/lib/x86_64-linux-gnu` into `x86_64-linux-gnu` +# Similar to `basename` but using variable substitution instead of external executable +LIB_ARCH="$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)" +export ARCH="${LIB_ARCH##*/}" export HOME="/tmp/" export LXD_DIR="${SNAP_COMMON}/lxd/" From cbe819cd226150cf5e9695085b85c8a1aa13b10c Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:01:04 -0400 Subject: [PATCH 24/31] daemon.activate: replace `basename` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit bbd0e0abee8fce22007a08a24f4e9a9624d3130e) --- snapcraft/commands/daemon.activate | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate index f2410c41d..a979e7742 100755 --- a/snapcraft/commands/daemon.activate +++ b/snapcraft/commands/daemon.activate @@ -18,8 +18,10 @@ fi # shellcheck disable=SC2155 export SNAP_CURRENT="$(realpath "${SNAP}/..")/current" -# shellcheck disable=SC2155 -export ARCH="$(basename "$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)")" +# Turn `/snap/lxd/28637/lib/x86_64-linux-gnu` into `x86_64-linux-gnu` +# Similar to `basename` but using variable substitution instead of external executable +LIB_ARCH="$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)" +export ARCH="${LIB_ARCH##*/}" export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${SNAP_CURRENT}/lib:${SNAP_CURRENT}/lib/${ARCH}:${SNAP_CURRENT}/lib/${ARCH}/ceph" export PATH="${PATH}:${SNAP_CURRENT}/bin" From 6c332a5ea3aeeab69ea468739485fe0d89bcedf4 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:01:13 -0400 Subject: [PATCH 25/31] lxd: replace `basename` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit d3fe73f82b498e593f658a059a9c1946f26784a5) --- snapcraft/commands/lxd | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/snapcraft/commands/lxd b/snapcraft/commands/lxd index 7b8d9d756..dc9fc6f1e 100755 --- a/snapcraft/commands/lxd +++ b/snapcraft/commands/lxd @@ -12,8 +12,10 @@ fi # shellcheck disable=SC2155 export SNAP_CURRENT="$(realpath "${SNAP}/..")/current" -# shellcheck disable=SC2155 -export ARCH="$(basename "$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)")" +# Turn `/snap/lxd/28637/lib/x86_64-linux-gnu` into `x86_64-linux-gnu` +# Similar to `basename` but using variable substitution instead of external executable +LIB_ARCH="$(readlink -f "${SNAP_CURRENT}"/lib/*-linux-gnu*/)" +export ARCH="${LIB_ARCH##*/}" export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${SNAP_CURRENT}/lib:${SNAP_CURRENT}/lib/${ARCH}:${SNAP_CURRENT}/lib/${ARCH}/ceph" export PATH="${PATH}:${SNAP_CURRENT}/bin" From b881f7c9542be499f67bbfcb948e7afb9b343c9b Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:01:23 -0400 Subject: [PATCH 26/31] kmod: replace `basename` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit 3a7d072cb52fdc2d1faa061a776532bd5896dabd) --- snapcraft/wrappers/kmod | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/snapcraft/wrappers/kmod b/snapcraft/wrappers/kmod index 565e03a06..0cff21e3e 100755 --- a/snapcraft/wrappers/kmod +++ b/snapcraft/wrappers/kmod @@ -1,5 +1,7 @@ #!/bin/sh -NAME="$(basename "${0}")" +# Turn `/usr/sbin/foo` into `foo` +# Similar to `basename` but using variable substitution instead of external executable +NAME="${0##/*}" # Detect base name SNAP_BASE="$(sed -n '/^name:/ s/^name:\s*\(core[0-9]\{2\}\)/\1/p' /meta/snap.yaml)" From 88e33335bddc2a7cea2864d1b9a34c4de5b5dd01 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:01:29 -0400 Subject: [PATCH 27/31] run-host: replace `basename` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit f543706462979b92ba061f1bf68581c86172c27e) --- snapcraft/wrappers/run-host | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/snapcraft/wrappers/run-host b/snapcraft/wrappers/run-host index 69dd011d9..26309e370 100755 --- a/snapcraft/wrappers/run-host +++ b/snapcraft/wrappers/run-host @@ -1,5 +1,7 @@ #!/bin/sh -CMD="$(basename "${0}")" +# Turn `/usr/sbin/foo` into `foo` +# Similar to `basename` but using variable substitution instead of external executable +CMD="${0##*/}" unset LD_LIBRARY_PATH unset PYTHONPATH From 46555c3cf2d9dff4b5b0be18182084bbdbebd3dc Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:01:34 -0400 Subject: [PATCH 28/31] sshfs: replace `basename` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit c3eecf6eff3f2eed382a30054b397dbc62318e77) --- snapcraft/wrappers/sshfs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/snapcraft/wrappers/sshfs b/snapcraft/wrappers/sshfs index f7d8b45a2..0d232c630 100755 --- a/snapcraft/wrappers/sshfs +++ b/snapcraft/wrappers/sshfs @@ -7,7 +7,10 @@ if [ "$(id -u)" != "0" ]; then exit 1 fi -CMD="$(basename "${0}")" +# Turn `/usr/sbin/foo` into `foo` +# Similar to `basename` but using variable substitution instead of external executable +CMD="${0##*/}" + unset LD_LIBRARY_PATH export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" From bb2f15b52404090c1040c02904f9f9e022fe3cd5 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Sat, 11 May 2024 14:06:19 -0400 Subject: [PATCH 29/31] editor: replace `echo | cut` by var substitution Signed-off-by: Simon Deziel (cherry picked from commit d666ce14b590df25000d9ef4ca3e02328bdd4ff4) --- snapcraft/wrappers/editor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/wrappers/editor b/snapcraft/wrappers/editor index c431f513c..b66064549 100755 --- a/snapcraft/wrappers/editor +++ b/snapcraft/wrappers/editor @@ -52,7 +52,7 @@ fi if [ -n "${EDIT_CMD}" ] && [ "${USERNS}" = 1 ]; then exec 9< /tmp/ # Replace "/tmp/" prefix by exec'ed FD 9. - EDIT_PATH_HOST="/proc/self/fd/9/$(echo "${EDIT_PATH}" | cut -d/ -f3)" + EDIT_PATH_HOST="/proc/self/fd/9/${EDIT_PATH##*/}" find_and_spawn "${EDIT_CMD}" "${EDIT_PATH_HOST}" fi From 471cdee3efe99c463ca2d2eef3dc173cffb36c90 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Thu, 23 May 2024 13:48:50 -0400 Subject: [PATCH 30/31] snapcraft/wrappers/kmod: fix typo in `basename` emulation Signed-off-by: Simon Deziel (cherry picked from commit cda21842c7079a05a2a34fb3ec267fdfb1c800d1) --- snapcraft/wrappers/kmod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snapcraft/wrappers/kmod b/snapcraft/wrappers/kmod index 0cff21e3e..5823b66e6 100755 --- a/snapcraft/wrappers/kmod +++ b/snapcraft/wrappers/kmod @@ -1,7 +1,7 @@ #!/bin/sh # Turn `/usr/sbin/foo` into `foo` # Similar to `basename` but using variable substitution instead of external executable -NAME="${0##/*}" +NAME="${0##*/}" # Detect base name SNAP_BASE="$(sed -n '/^name:/ s/^name:\s*\(core[0-9]\{2\}\)/\1/p' /meta/snap.yaml)" From 256a067c7ab5abf2d35d125adb1d745dc7ec5a1c Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Tue, 4 Jun 2024 15:18:11 -0400 Subject: [PATCH 31/31] snapcraft: lxd docs are now under doc/_build/ Since https://github.com/canonical/lxd/pull/13537 Signed-off-by: Simon Deziel (cherry picked from commit 0dd5da4e0b603c26482dfda88e4adfab9fc615a6) --- snapcraft.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/snapcraft.yaml b/snapcraft.yaml index f03df768e..ce6d3bcb5 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -1411,14 +1411,14 @@ parts: make doc # Remove unneeded bits - rm doc/html/objects.inv # only objects.inv.txt is used + rm doc/_build/objects.inv # only objects.inv.txt is used # not needed once built - rm doc/html/.buildinfo - rm -rf doc/html/_sphinx_design_static/ + rm doc/_build/.buildinfo + rm -rf doc/_build/_sphinx_design_static/ # Stage the static website mkdir -p "${CRAFT_STAGE}/share/lxd-documentation" - cp -a doc/html/. "${CRAFT_STAGE}/share/lxd-documentation/" + cp -a doc/_build/. "${CRAFT_STAGE}/share/lxd-documentation/" fi # Setup bash completion