packaging/ubuntu-16.04/rules: turn modules off explicitly
We already set GO111MODULE=off in spread.yaml, but for some reason that's not
sufficient when building the deb in hirsute, which now has Go 1.16 and defaults
to using modules. So explicitly disable it for all the manual go commands we run
here.
To access the TEE (Trusted Execution Environment) subsystem in Linux, client applications need access to /dev/tee0 and /dev/teepriv0. This PR adds a new "tee" interface that grants access to these devices to client applications that have the interface connected. This is, for example, required for ARM devices using ARM Trusted Firmware with a secure watchdog timer: if the timer does not get triggered on a regular schedule from a secure-wdt user space daemon, the system will hard-reboot after a certain time defined in the bootloader code at build time.
The "socket" syscall on ppc64el needs to be de-multiplexed with
recent versions of libseccomp. This is similar to what we need
to do on i386 and s390x.
overlord/snapstate, wrappers: add dependency on usr-lib-snapd.mount for services on core with snapd snap
* snapdtool: add helper for checking whether the current process runs from the snapd snap
Add a helper that checks whether the current process binary is running from
the snapd snap.
Signed-off-by: Maciej Borzecki <email address hidden>
* wrappers: add dependency on usr-lib-snapd.mount for services on core with snapd snap
In a core system with the snapd snap, the contents of <snapd-snap>/usr/lib/snapd are
exported to the host via a bind mount done by the usr-lib-snapd.mount unit. The
mount unit implicitly depends on the snap mount being present. By adding that
tooling mount as a dependency for all services on core where snapd is present, we
gain some confidence that by the time the unit is started:
- /usr/lib/snapd contains the right tooling
- /snap/snapd/<rev> is mounted
Signed-off-by: Maciej Borzecki <email address hidden>
* Revert "snapdtool: add helper for checking whether the current process runs from the snapd snap"
This reverts commit 93fa5a3f0c91860cd5e0a54f0d364c7a3d73e0a0.
* wrappers: add flag for expressing a dependency on the snapd tooling
Add a flag to the add services helper that indicates the services require an
additional dependency on the snapd tooling provided by the snapd snap.
Signed-off-by: Maciej Borzecki <email address hidden>
* overlord/snapstate: pass flags to require snapd tooling when linking a snap on UC with base
When linking a snap on an Ubuntu Core system which uses one of the core* bases, set
the additional flags that require a dependency on the snapd tooling mount.
Signed-off-by: Maciej Borzecki <email address hidden>
* overlord/snapstate, wrappers: tweak naming
Signed-off-by: Maciej Borzecki <email address hidden>
* overlord/snapstate: comments and test tweaks
Signed-off-by: Maciej Borzecki <email address hidden>
o/configstate: deal with no longer valid refresh.timer=managed
* Deal with a no longer valid refresh.timer=managed / refresh.schedule=managed in
the state when validating the refresh config option of core. This option may
become invalid if the snap managing refreshes is not signed anymore
(i.e. devicestate.CanManageRefreshes returns false).
Fixes LP #1899992.
* Unset refresh.schedule and refresh.timer before testing reject behavior.
overlord/snapstate: make sure that snapd current symlink is not removed during refresh
When a snap is refreshed, the current symlink would briefly go away between the
unlink-current-snap and link-snap tasks. If the system gets rebooted at this
time, during startup all services from snaps will fail to start. This is caused
by the fact that /usr/bin/snap, which on Core is linked to
/snap/snapd/current/usr/bin/snap, will be dangling, as /snap/snapd/current was
removed.
Address the problem by not removing the current symlink of the snapd snap, unless
unlinking is called during removal for the first install of the snapd snap on core
or a general snapd snap removal. In the snapd on core scenario, /usr/bin/snap
will be invoked from the core snap anyway.
Signed-off-by: Maciej Borzecki <email address hidden>
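The dangling /usr/bin/snap chain described in the commit above, reproduced under a temporary directory as an added Go example (this is not snapd's own code; the directory layout, the revision name x1 and the function names are constructed for illustration). It builds the Core-style symlink chain, then checks whether /usr/bin/snap still resolves when the snapd snap's current symlink is removed during the unlink/link window versus when it is kept, as the fix does.

```go
package main

import (
	"os"
	"path/filepath"
)

// layoutCoreRoot builds, under a throwaway root, a constructed stand-in for the
// Core layout from the commit message: <root>/snap/snapd/<rev>/usr/bin/snap,
// <root>/snap/snapd/current -> <rev>, <root>/usr/bin/snap -> .../current/usr/bin/snap.
func layoutCoreRoot(root, rev string) error {
	bin := filepath.Join(root, "snap", "snapd", rev, "usr", "bin")
	for _, d := range []string{bin, filepath.Join(root, "usr", "bin")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return err
		}
	}
	// Stand-in for the snap binary shipped inside the snapd snap.
	if err := os.WriteFile(filepath.Join(bin, "snap"), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return err
	}
	// current is a relative symlink to the revision directory, as on a real system.
	if err := os.Symlink(rev, filepath.Join(root, "snap", "snapd", "current")); err != nil {
		return err
	}
	return os.Symlink(filepath.Join(root, "snap", "snapd", "current", "usr", "bin", "snap"),
		filepath.Join(root, "usr", "bin", "snap"))
}

// SnapResolvesAfterUnlink simulates the window between unlink-current-snap and
// link-snap: the snapd snap's current symlink is either removed (old behaviour)
// or kept (fixed behaviour). It reports whether /usr/bin/snap still resolves,
// i.e. whether services could find the snap binary after a reboot in that window.
func SnapResolvesAfterUnlink(removeCurrent bool) (bool, error) {
	root, err := os.MkdirTemp("", "core-root-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(root)
	if err := layoutCoreRoot(root, "x1"); err != nil {
		return false, err
	}
	if removeCurrent {
		if err := os.Remove(filepath.Join(root, "snap", "snapd", "current")); err != nil {
			return false, err
		}
	}
	// os.Stat follows the whole symlink chain; a dangling link yields an error.
	_, err = os.Stat(filepath.Join(root, "usr", "bin", "snap"))
	return err == nil, nil
}
```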