Skip to content

Draft: Debug build deb bwrap #1160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
adombeck wants to merge 41 commits into
base: main
Choose a base branch
from
Draft

Draft: Debug build deb bwrap #1160

adombeck wants to merge 41 commits into from

Conversation

@adombeck
Copy link
Contributor

@adombeck adombeck commented Dec 10, 2025

only for debugging

@adombeck adombeck force-pushed the debug-build-deb-bwrap branch from 2442f14 to 9272315 Compare December 10, 2025 16:39
@adombeck
refactor: Split cmd/authctl/user/user_test.go
1c3b018
@adombeck
Fix comment
18844de 
There's nothing encrypted in this string.
@adombeck
Add gRPC method SetUserID
2ed063c
@adombeck
Add authctl user set-uid command
c50b72c
@adombeck
Return a gRPC error with code PermissionDenied
4f94f43 
... instead of prefixing the error message with "permission denied"
@adombeck
debian/authd.service.in: Grant capability CAP_DAC_READ_SEARCH
f14ed3d 
Required to change the ownership of the user's home directory when
changing the user's UID.
@adombeck
fileutils: Add ChownRecursiveFrom
1a7fedd 
We use this to recursively change the owner and group of the user's home
directory when changing the user's UID.
@adombeck
testutils: Add RunTestAsRoot
d4a36a9 
Needed to test fileutils.ChownRecursiveFrom. We can't use bubblewrap for
that because bubblewrap only creates UID mapping for one user, using
chown with a different UID fails with:

    chown: changing ownership of 'file': Invalid argument
@adombeck
Add TestChownRecursiveFrom
41deb99
@adombeck
Automatically change owner of home directory when changing UID
01822a2 
Do the same usermod does when changing a UID of a user: If the home
directory is currently owned by the user, recursively change the owner
and group of the home directory and all files in the home directory from
the old UID and GID to the new UID and GID.
@adombeck
Add TestSetUIDCommand
349c0f3
@adombeck
Add db_test.TestSetUserID
dd18cd2
@adombeck
Support creating users/groups in bubblewrap
8014e2e 
We need that for the SetUserID tests
@adombeck
tests: Support chown in bubblewrap
dd66043
@adombeck
tests: Run TestChownRecursiveFrom in bubblewrap
ed8dea1 
We now support chown in bubblewrap, so we don't have to run the test as
root anymore.
@adombeck
refactor: Remove unused parameter from runInBubbleWrap
dedf440
@adombeck
testutils/bubblewrap: Support updating golden files
0ccc1bc
@adombeck
testutils: Skip cleanup when in bubblewrap
32c0326
@adombeck
bubblewrap: Mount a tmpfs to /tmp in the sandbox
5f18f6e 
We have a use case where we want to create a directory at a
deterministic path in /tmp. That fails if /tmp is shared with the host
and other bubblewrap sandboxes which use the same directory.
@adombeck
Add users_test.TestSetUserID
6178554
@adombeck
Add SetGroupID
887b9ca
@adombeck
Add db_test.TestSetGroupID
1e86c69
@adombeck
Add users_test.TestSetGroupID
9e889a1
@adombeck
Add authctl group command
f8791fa
@adombeck
Add authctl group set-gid command
55ad11d
@adombeck
Add TestSetGIDCommand
fdd1ff2
@adombeck
pam/integration-tests: Don't print authctl usage message in VHS tape
df81d8f 
It doesn't test anything that's not already covered by other tests and
it's annoying to have to manually update the golden files of the SSH
integration tests whenever the authctl usage message changes.
@adombeck
authctl: Add long description for set-uid command
e10f78b
@adombeck
authctl: Add long description for set-gid command
b4c1522
@adombeck
Take lock in SetUserID/SetGroupID
f29cac6 
userslocking.WriteLock() immediately returns ErrLock if the lock is
already taken *by the current process*. lckpwdf behaves similarly (even
though the man page doesn't mention it).

To avoid that issue, we now take another lock which blocks concurrent
goroutines.
@adombeck
tests: Don't skip bubblewrap tests in CI
bf8ebac 
We broke the bubblewrap tests in the CI without noticing it (at first)
because the tests were skipped. The only case where we really want to
skip the tests is on Launchpad builders. To detect that, we check if the
DEB_BUILD_ARCH environment variable is set and we're *not* in GitHub CI.
@adombeck
Try enabling unprivileged user namespaces in CI
169453e
@adombeck
tests: Avoid unshare hanging forever in some environments
be55c5e 
When executing `unshare --map-user` via exec.Command and connecting the
process's stdout or stderr, the command hangs forever if unprivileged
user namespaces are disabled.

We avoid that by checking via `unshare --user` if unprivileged user
namespaces are enabled.
@adombeck
tests: Make chown work with bubblewrap executed via sudo
3b4e593
@adombeck
tests: Skip bubblewrap tests in autopkgtest
50d6f17 
The "Run autopkgtests" CI job runs the tests in an LXD container which
doesn't allow using bubblewrap. It fails with:

    bwrap: Failed to make / slave: Permission denied

To avoid that these jobs fail, we allow them to skip the bubblewrap
tests. We still run the tests in the "Go Tests" CI jobs.
@adombeck
ci: Group log lines of llvm-symbolizer installation
66ba38e
@adombeck
debian: Run go tests with -v
612789e 
Running our tests with -v produces so much output that it makes it
harder to inspect test failures, for example when viewing the logs of
the "Build debian packages" CI job in GitHub.

Running the tests without -v still prints the logs of the failed tests
which should include all the information we need to debug test failures.
@adombeck
XXX: Remove other CI jobs
27c7714
@adombeck
WIP: Try with more restrictions
e10dc27 
Restrictions from
https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/tests/control
@adombeck
XXX: debug-build-deb-bwrap
160f47e
@adombeck
fixup: Require bwrap tests in autopkgtest
ee56fbf
@adombeck adombeck force-pushed the debug-build-deb-bwrap branch from 9272315 to ee56fbf Compare December 10, 2025 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@adombeck