Strict confinement

.github/workflows/build-installer.yml

@@ -16,9 +16,9 @@ jobs:
         working-directory: ${{ github.workspace }}/installer/windows
     steps:
       - name: Checkout
-        uses: actions/checkout@v2.3.5
+        uses: actions/checkout@v2.4.0
       - name: Set up Python 3.8
-        uses: actions/setup-python@v2.2.2
+        uses: actions/setup-python@v2.3.2
         with:
           python-version: 3.8
       - name: Install Python requirements
@@ -30,21 +30,21 @@ jobs:
         working-directory: ${{ github.workspace }}/installer
         run: move microk8s.exe ./windows/microk8s.exe
       - name: Download EnVar plugin for NSIS
-        uses: carlosperate/download-file-action@v1.0.3
+        uses: carlosperate/download-file-action@v1.1.0
         with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
+          file-url: https://github.com/GsNSIS/EnVar/releases/download/v0.3.1/EnVar-Plugin.zip
           file-name: envar_plugin.zip
           location: ${{ github.workspace }}
       - name: Extract EnVar plugin
         run: 7z x -o"C:/Program Files (x86)/NSIS" "${{ github.workspace }}/envar_plugin.zip"
       - name: Download Multipass installer
-        uses: carlosperate/download-file-action@v1.0.3
+        uses: carlosperate/download-file-action@v1.1.0
         with:
-          file-url: https://github.com/canonical/multipass/releases/download/v1.7.2/multipass-1.7.2+win-win64.exe
+          file-url: https://github.com/canonical/multipass/releases/download/v1.8.0/multipass-1.8.0+win-win64.exe
           file-name: multipass.exe
           location: ${{ github.workspace }}/installer/windows
       - name: Download kubectl
-        uses: carlosperate/download-file-action@v1.0.3
+        uses: carlosperate/download-file-action@v1.1.0
         with:
           file-url: https://storage.googleapis.com/kubernetes-release/release/v1.20.0/bin/windows/amd64/kubectl.exe
           file-name: kubectl.exe

.github/workflows/build-snap.yml

@@ -1,12 +1,17 @@
 name: Build MicroK8s snap on PR and push to master
 
 on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+  - push
+  - pull_request
+
+### While we work on the strict feature we want the tests to run even if we do put PRs against the master.
+### When this work get merged into master the following should be commented in.
+#  push:
+#    branches:
+#      - master
+#  pull_request:
+#    branches:
+#      - master
 
 jobs:
   build:
@@ -15,7 +20,7 @@ jobs:
 
     steps:
       - name: Checking out repo
-        uses: actions/checkout@v2.3.5
+        uses: actions/checkout@v2.4.0
       - name: Install lxd
         run: |
           sudo lxd init --auto
@@ -32,33 +37,111 @@ jobs:
         with:
           name: microk8s.snap
           path: microk8s.snap
+      - name: Fetch addon tests
+        run: |
+          set -x
+          sudo apt-get install python3-click
+          source ./build-scripts/set-env-variables.sh
+          python3 build-scripts/fetch-addons.py
+          cp -r core/tests ./tests/addon-tests
       # TEMPORARY WHILE GITHUB FIXES THIS https://github.com/actions/virtual-environments/issues/3185
       - name: Add the current IP address, long hostname and short hostname record to /etc/hosts file
         run: |
           echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
       # DO NOT FORGET TO REMOVE CODE ABOVE WHEN ISSUE IS ADDRESSED!
-      - name: Running upgrade path test
+      - name: Install dependencies
         run: |
           set -x
           sudo apt-get install python3-setuptools
           sudo pip3 install --upgrade pip
           sudo pip3 install -U pytest sh
-          sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=`pwd`/`ls microk8s*.snap` pytest -s ./tests/test-upgrade-path.py
-          sudo snap remove microk8s --purge
-      - name: Running addons tests
-        run: |
-          set -x
           sudo apt-get -y install open-iscsi
           sudo systemctl enable iscsid
-          sudo snap install *.snap --classic --dangerous
+          # Remove the snapd refresh as soon as v2.52 lands
+          sudo snap refresh snapd --channel=latest/edge
+      - name: Check branches
+        run: |
+          set -x
+          (cd tests; pytest -s verify-branches.py)
+      - name: Running addons tests in strict mode
+        run: |
+          set -x
+          sudo snap install microk8s.snap --dangerous
+          for i in docker-privileged docker-support kubernetes-support k8s-journald k8s-kubelet \
+                   k8s-kubeproxy dot-kube network network-bind network-control network-observe \
+                   firewall-control process-control kernel-module-observe mount-observe \
+                   hardware-observe system-observe home opengl home-read-all \
+                   login-session-observe log-observe dot-config-helm
+          do
+            sudo snap connect microk8s:$i
+          done
           ./tests/smoke-test.sh
           export UNDER_TIME_PRESSURE="True"
+          export SKIP_OPENEBS="True"
           export SKIP_PROMETHEUS="False"
           (cd tests; pytest -s verify-branches.py)
-          (cd tests; sudo -E pytest -s -ra test-addons.py)
+          (cd tests; sudo -E pytest -s -ra addon-tests/test-addons.py)
+          sudo microk8s inspect |
+          grep -Po "Report tarball is at \K.+" |
+          sudo xargs -I {} mv {} inspection-report-strict-${{ strategy.job-index }}.tar.gz
           sudo snap remove microk8s --purge
-      - name: Running upgrade tests
+          sudo rm -rf $HOME/.kube
+          sudo rm -rf $HOME/.config/helm
+          sudo dmesg | grep 'apparmor="DENIED"' > ./denials-${{ strategy.job-index }}.log
+      - name: Upload strict inspect tarball
+        uses: actions/upload-artifact@v2
+        with:
+          name: inspection-report-strict-actions
+          path: ./inspection-report-strict-${{ strategy.job-index }}.tar.gz
+      - name: Upload AppArmor denials
+        uses: actions/upload-artifact@v2
+        with:
+          name: apparmor-denials
+          path: ./denials-${{ strategy.job-index }}.log
+      - name: Running addons tests in devmode
         run: |
           set -x
+          sudo snap install microk8s.snap --devmode --dangerous
+          for i in docker-privileged docker-support kubernetes-support k8s-journald k8s-kubelet \
+                   k8s-kubeproxy dot-kube network network-bind network-control network-observe \
+                   firewall-control process-control kernel-module-observe mount-observe \
+                   hardware-observe system-observe home opengl home-read-all \
+                   login-session-observe log-observe dot-config-helm
+          do
+            sudo snap connect microk8s:$i
+          done
+          ./tests/smoke-test.sh
           export UNDER_TIME_PRESSURE="True"
-          sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=`pwd`/`ls microk8s*.snap` pytest -s ./tests/test-upgrade.py
+          export SKIP_OPENEBS="False"
+          export SKIP_PROMETHEUS="False"
+          (cd tests; sudo -E pytest -s -ra test-addons.py)
+          sudo microk8s inspect |
+          grep -Po "Report tarball is at \K.+" |
+          sudo xargs -I {} mv {} inspection-report-devmode-${{ strategy.job-index }}.tar.gz
+          sudo snap remove microk8s --purge
+      - name: Upload devmode inspect tarball
+        uses: actions/upload-artifact@v2
+        with:
+          name: inspection-report-devmode-actions
+          path: ./inspection-report-devmode-${{ strategy.job-index }}.tar.gz
+      - name: Generate AppArmor on failure
+        run: sudo dmesg | grep 'apparmor="DENIED"' > ./denials-${{ strategy.job-index }}.log
+        if: failure()
+      - name: Upload AppArmor denials failure
+        uses: actions/upload-artifact@v2
+        with:
+          name: apparmor-denials
+          path: ./denials-${{ strategy.job-index }}.log
+        if: failure()
+      - name: Generate inspect tarball
+        run: >
+          sudo microk8s inspect |
+          grep -Po "Report tarball is at \K.+" |
+          sudo xargs -I {} mv {} inspection-report-fail-${{ strategy.job-index }}.tar.gz
+        if: failure()
+      - name: Upload inspect tarball
+        uses: actions/upload-artifact@v2
+        with:
+          name: inspection-report-actions
+          path: ./inspection-report-fail-${{ strategy.job-index }}.tar.gz
+        if: failure()

.github/workflows/check-formatting.yml

@@ -5,13 +5,13 @@ on:
   - pull_request
 
 jobs:
-  build:
+  check-formatting:
     name: Check Formatting
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.5
+        uses: actions/checkout@v2.4.0
 
       - name: Install dependencies
         run: |

.github/workflows/strict-common.yml

@@ -0,0 +1,24 @@
+name: Check common strict merge issues
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  strict-common:
+    name: Check common strict merge issues
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checking out repo
+        uses: actions/[email protected]
+
+      - name: Checking run_with_sudo
+        run: |
+          if grep -lr --exclude-dir="workflow" "run_with_sudo" *
+          then
+            echo "run_with_sudo found, failing."
+            exit 1
+          else
+            echo "run_with_sudo not found, passing."
+          fi