Merge ~morphis/snappy-hwe-snaps/+git/network-manager:f/add-firewall-control-iface into ~snappy-hwe-team/snappy-hwe-snaps/+git/network-manager:master

Proposed by Simon Fels
Status: Merged
Approved by: Alfonso Sanchez-Beato
Approved revision: 1b168b391c2b34cc67c7dd66772736107f4bbce4
Merged at revision: 7b1a6ace4f57913689b21832919bbea75bb34bf5
Proposed branch: ~morphis/snappy-hwe-snaps/+git/network-manager:f/add-firewall-control-iface
Merge into: ~snappy-hwe-team/snappy-hwe-snaps/+git/network-manager:master
Diff against target: 65 lines (+17/-2)
5 files modified
snapcraft.yaml (+1/-1)
tests/lib/prepare.sh (+3/-0)
tests/lib/utilities.sh (+1/-1)
tests/main/can-exec-iptables/task.yaml (+10/-0)
tests/main/installation/task.yaml (+2/-0)
Reviewer | Review Type | Date Requested | Status
System Enablement Bot | continuous-integration | | Approve
Alfonso Sanchez-Beato | | | Approve
Review via email: mp+320021@code.launchpad.net

Description of the change

Add firewall-control interface to allow NetworkManager to access the iptables binary from the core snap to modify the system iptables configuration.

System Enablement Bot (system-enablement-ci-bot) wrote :
review: Approve (continuous-integration)
System Enablement Bot (system-enablement-ci-bot) wrote :
review: Needs Fixing (continuous-integration)
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

LGTM

review: Approve
System Enablement Bot (system-enablement-ci-bot) wrote :
review: Approve (continuous-integration)

Preview Diff

1diff --git a/snapcraft.yaml b/snapcraft.yaml
2index fc22731..9e0dcc3 100644
3--- a/snapcraft.yaml
4+++ b/snapcraft.yaml
5@@ -31,7 +31,7 @@ apps:
6 command: bin/networkmanager
7 daemon: simple
8 slots: [service]
9- plugs: [modem-manager, ppp, network-setup-observe, wpa]
10+ plugs: [modem-manager, ppp, network-setup-observe, wpa, firewall-control]
11 # FIXME: This will create currently a symlink inside /snap/bin
12 # which points nowhere as the service isn't exposed as application
13 # for the user. Instead snapd needs to gain support to handle
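Review bot: The plugs line of the networkmanager app gains firewall-control without a comment saying which NetworkManager feature needs it. Per the description this lets the confined daemon run iptables from the core snap and change the system firewall configuration, so a short comment above the plugs list naming that feature would let a later audit decide whether the plug is still required.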
14diff --git a/tests/lib/prepare.sh b/tests/lib/prepare.sh
15index 57d24b5..12a76da 100644
16--- a/tests/lib/prepare.sh
17+++ b/tests/lib/prepare.sh
18@@ -27,6 +27,9 @@ rm -f /home/network-manager/snapd-state.tar.gz
19 rm -f /home/network-manager/nm-state.tar.gz
20
21 snap_install network-manager
22+# FIXME: Until the store snap-declaration is updated we need to connect
23+# this plug manually.
24+snap connect network-manager:firewall-control
25
26 # Snapshot of the current snapd state for a later restore
27 systemctl stop snapd.service snapd.socket
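Review bot: The FIXME above snap connect network-manager:firewall-control carries no bug or store-request reference, so nothing signals when the manual connect can be removed. While it stays, the firewall-control check added in tests/main/installation/task.yaml passes because of this line and not because the plug auto-connects; link the tracking item in the comment and drop the manual connect once the snap-declaration is updated.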
28diff --git a/tests/lib/utilities.sh b/tests/lib/utilities.sh
29index 8ca1418..14dbebb 100644
30--- a/tests/lib/utilities.sh
31+++ b/tests/lib/utilities.sh
32@@ -59,4 +59,4 @@ mac_to_ipv6() {
33 mac=${mac#*:*:}
34 ipv6_address=$ipv6_address${mac%:*}${mac##*:}
35 echo $ipv6_address
36-}
37\ No newline at end of file
38+}
39diff --git a/tests/main/can-exec-iptables/task.yaml b/tests/main/can-exec-iptables/task.yaml
40new file mode 100644
41index 0000000..878df5d
42--- /dev/null
43+++ b/tests/main/can-exec-iptables/task.yaml
44@@ -0,0 +1,10 @@
45+summary: Verify the NetworkManager snap is allowed to modify the iptables firewall configuration
46+
47+execute: |
48+ # Running a simple command in the runtime environment of our service
49+ # binary will tell us if we're allowed to execute the iptables binary
50+ # from the core snap or not.
51+ snap run --shell network-manager.networkmanager <<EOF
52+ set -ex
53+ /sbin/iptables -L
54+ EOF
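Review bot: The summary says the test verifies that the snap may modify the firewall configuration, but the only command run is /sbin/iptables -L, which lists rules and changes nothing. Either reword the summary to say the test checks that the iptables binary can be executed under the service's confinement, or extend the heredoc to create and delete a scratch chain (iptables -N, then iptables -X) so a write path is exercised. Adding -n to the listing would also keep the test from depending on reverse DNS lookups.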
55diff --git a/tests/main/installation/task.yaml b/tests/main/installation/task.yaml
56index 2f1fe97..0dc8cf8 100644
57--- a/tests/main/installation/task.yaml
58+++ b/tests/main/installation/task.yaml
59@@ -12,4 +12,6 @@ execute: |
60 # Ensure all necessary plugs/slots are connected
61 snap interfaces | grep -Pzq ":network-setup-observe +network-manager"
62 snap interfaces | grep -Pzq ":ppp +network-manager"
63+ snap interfaces | grep -Pzq ":firewall-control +network-manager"
64+ snap interfaces | grep -Pzq ":network-setup-observe +network-manager"
65 snap interfaces | grep -Pzq "network-manager:service +network-manager:nmcli"
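Review bot: The second added line, the grep for ":network-setup-observe +network-manager", repeats the check already present two lines above the added firewall-control grep, so it verifies nothing new; drop it. If a different interface was meant here (the plugs list in snapcraft.yaml also carries modem-manager and wpa), replace it with that check.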
