Merge branch 'master' into syscall-reboot

canonical · Aug 1, 2023 · 0506dc9 · 0506dc9
2 parents f99d1c7 + 37a6155
commit 0506dc9
Show file tree

Hide file tree

Showing 63 changed files with 1,840 additions and 1,195 deletions.
diff --git a/.github/.golangci.yml b/.github/.golangci.yml
@@ -0,0 +1,14 @@
+linters:
+  disable-all: true
+  enable:
+    - gci
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - Prefix(github.com/canonical/pebble)
+issues:
+  # these values ensure that all issues will be surfaced
+  max-issues-per-linter: 0
+  max-same-issues: 0
diff --git a/.github/.trivyignore b/.github/.trivyignore
@@ -0,0 +1,6 @@
+# ignore known CVEs that are not backported before Go 1.17
+
+CVE-2022-41721
+CVE-2022-41717
+CVE-2022-41723
+CVE-2022-32149
diff --git a/.github/trivy.yaml b/.github/trivy.yaml
@@ -0,0 +1,4 @@
+timeout: 20m
+scan:
+  offline-scan: true
+ignore-file: .github/.trivyignore
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,30 @@
+name: Lint
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-mod-file: 'go.mod'
+          cache: false
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        id: lint
+        with:
+          version: latest
+          args: '-c .github/.golangci.yml --out-format=colored-line-number'
+          skip-cache: true
+
+      - name: Print error message
+        if: always() && steps.lint.outcome == 'failure'
+        run: |
+          echo '
+          Linting failed. On your local machine, please run
+              golangci-lint run -c .github/.golangci.yml --fix
+          and check in the changes.'
+          exit 1
diff --git a/.github/workflows/scanning.yml b/.github/workflows/scanning.yml
@@ -0,0 +1,22 @@
+name: Vulnerability scanning
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  scan:
+    name: Scan for known vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Run Github Trivy FS Action
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: .github/trivy.yaml
diff --git a/.github/workflows/snap.yml b/.github/workflows/snap.yml
@@ -1,6 +1,13 @@
 name: Pebble snap
 
-on: [pull_request]
+on:
+  pull_request:
+    branches: [master]
+  release:
+    types: [published]
+
+env:
+  SNAP_NAME: pebble
 
 jobs:
   build:
@@ -27,19 +34,67 @@ jobs:
   test:
     runs-on: ubuntu-latest
     needs: [build]
+    outputs:
+      pebble-version: ${{ steps.install-pebble.outputs.version }}
 
     steps:
       - uses: actions/download-artifact@v3
         with:
           name: ${{ needs.build.outputs.pebble-snap }}
 
       - name: Install the Pebble snap
+        id: install-pebble
         run: |
+          set -ex
           # Install the Pebble snap from the artifact built in the previous job
           sudo snap install --dangerous --classic ${{ needs.build.outputs.pebble-snap }}
 
           # Make sure Pebble is installed
-          pebble version
+          echo "version=$(pebble version --client)" >> "$GITHUB_OUTPUT"
 
       - name: Run smoke test
-        run: pebble enter exec echo Hello | grep Hello
+        run: pebble enter --create-dirs exec echo Hello | grep Hello
+
+  promote:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    needs: [test]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [amd64, arm64, ppc64el, armhf, s390x]
+    env:
+      TRACK: latest
+      DEFAULT_RISK: edge
+      TO_RISK: candidate
+    steps:
+      - name: Install Snapcraft
+        run: sudo snap install snapcraft --classic
+
+      - name: Wait for ${{ needs.test.outputs.pebble-version }} to be released
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: |
+          while ! `snapcraft status ${{ env.SNAP_NAME }} --track ${{ env.TRACK }} --arch ${{ matrix.arch }} \
+              | grep "${{ env.DEFAULT_RISK }}" \
+              | awk -F' ' '{print $2}' \
+              | grep -Fxq "${{ needs.test.outputs.pebble-version }}"`; do
+            echo "[${{ matrix.arch }}] Waiting for ${{ needs.test.outputs.pebble-version }} \
+          to be released to ${{ env.TRACK }}/${{ env.DEFAULT_RISK }}..."
+            sleep 10
+          done
+
+      # It would be easier to use `snapcraft promote`, but there's an error when trying
+      # to avoid the prompt with the "--yes" option: 
+      # > 'latest/edge' is not a valid set value for --from-channel when using --yes.
+      - name: Promote ${{ needs.test.outputs.pebble-version }} (${{ matrix.arch }}) to ${{ env.TO_RISK }}
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+        run: |
+          revision="$(snapcraft status ${{ env.SNAP_NAME }} \
+            --track ${{ env.TRACK }} --arch ${{ matrix.arch }} \
+            | grep "${{ env.DEFAULT_RISK }}" | awk -F' ' '{print $3}')"
+
+          snapcraft release ${{ env.SNAP_NAME }} \
+            $revision \
+            ${{ env.TRACK }}/${{ env.TO_RISK }}
diff --git a/HACKING.md b/HACKING.md
@@ -83,6 +83,39 @@ $ curl --unix-socket ~/pebble/.pebble.socket 'http://localhost/v1/services?names
 ```
 
 
+## Code style
+
+Pebble imports should be arranged in three groups:
+- standard library imports
+- third-party / non-Pebble imports
+- Pebble imports (i.e. those prefixed with `github.com/canonical/pebble`)
+
+Imports should be sorted alphabetically within each group.
+
+We use the [`gopkg.in/check.v1`](https://pkg.go.dev/gopkg.in/check.v1) package for testing. Inside a test file, import this as follows:
+```go
+. "gopkg.in/check.v1"
+```
+so that identifiers from that package will be added to the local namespace.
+
+
+Here is an example of correctly arranged imports:
+
+```go
+import (
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/gorilla/mux"
+	. "gopkg.in/check.v1"
+
+	"github.com/canonical/pebble/internals/systemd"
+	"github.com/canonical/pebble/internals/testutil"
+)
+```
+
+
 ## Running the tests
 
 Pebble has a suite of Go unit tests, which you can run using the regular `go test` command. To test all packages in the Pebble repository:

diff --git a/README.md b/README.md
@@ -688,6 +688,13 @@ checks:
             # directly, not interpreted by a shell.
             command: <commmand>
 
+            # (Optional) Run the command in the context of this service.
+            # Specifically, inherit its environment variables, user/group
+            # settings, and working directory. The check's context (the
+            # settings below) will override the service's; the check's
+            # environment map will be merged on top of the service's.
+            service-context: <service-name>
+
             # (Optional) A list of key/value pairs defining environment
             # variables that should be set when running the command.
             environment:

diff --git a/client/exec.go b/client/exec.go
@@ -30,22 +30,28 @@ type ExecOptions struct {
 	// Required: command and arguments (first element is the executable).
 	Command []string
 
+	// Optional: run the command in the context of this service. Specifically,
+	// inherit its environment variables, user/group settings, and working
+	// and working directory. The other options in this struct will override
+	// the service context; Environment will be merged on top of the service's.
+	ServiceContext string
+
 	// Optional environment variables.
 	Environment map[string]string
 
 	// Optional working directory (default is $HOME or "/" if $HOME not set).
 	WorkingDir string
 
-	// Optional timeout for the command execution, after which the process
-	// will be terminated. If zero, no timeout applies.
-	Timeout time.Duration
-
 	// Optional user ID and group ID for the process to run as.
 	UserID  *int
 	User    string
 	GroupID *int
 	Group   string
 
+	// Optional timeout for the command execution, after which the process
+	// will be terminated. If zero, no timeout applies.
+	Timeout time.Duration
+
 	// True to ask the server to set up a pseudo-terminal (PTY) for stdout
 	// (this also allows window resizing). The default is no PTY, and just
 	// to use pipes for stdout/stderr.
@@ -74,19 +80,20 @@ type ExecOptions struct {
 }
 
 type execPayload struct {
-	Command     []string          `json:"command"`
-	Environment map[string]string `json:"environment,omitempty"`
-	WorkingDir  string            `json:"working-dir,omitempty"`
-	Timeout     string            `json:"timeout,omitempty"`
-	UserID      *int              `json:"user-id,omitempty"`
-	User        string            `json:"user,omitempty"`
-	GroupID     *int              `json:"group-id,omitempty"`
-	Group       string            `json:"group,omitempty"`
-	Terminal    bool              `json:"terminal,omitempty"`
-	Interactive bool              `json:"interactive,omitempty"`
-	SplitStderr bool              `json:"split-stderr,omitempty"`
-	Width       int               `json:"width,omitempty"`
-	Height      int               `json:"height,omitempty"`
+	Command        []string          `json:"command"`
+	ServiceContext string            `json:"service-context,omitempty"`
+	Environment    map[string]string `json:"environment,omitempty"`
+	WorkingDir     string            `json:"working-dir,omitempty"`
+	Timeout        string            `json:"timeout,omitempty"`
+	UserID         *int              `json:"user-id,omitempty"`
+	User           string            `json:"user,omitempty"`
+	GroupID        *int              `json:"group-id,omitempty"`
+	Group          string            `json:"group,omitempty"`
+	Terminal       bool              `json:"terminal,omitempty"`
+	Interactive    bool              `json:"interactive,omitempty"`
+	SplitStderr    bool              `json:"split-stderr,omitempty"`
+	Width          int               `json:"width,omitempty"`
+	Height         int               `json:"height,omitempty"`
 }
 
 type execResult struct {
@@ -122,19 +129,20 @@ func (client *Client) Exec(opts *ExecOptions) (*ExecProcess, error) {
 		timeoutStr = opts.Timeout.String()
 	}
 	payload := execPayload{
-		Command:     opts.Command,
-		Environment: opts.Environment,
-		WorkingDir:  opts.WorkingDir,
-		Timeout:     timeoutStr,
-		UserID:      opts.UserID,
-		User:        opts.User,
-		GroupID:     opts.GroupID,
-		Group:       opts.Group,
-		Terminal:    opts.Terminal,
-		Interactive: opts.Interactive,
-		SplitStderr: opts.Stderr != nil,
-		Width:       opts.Width,
-		Height:      opts.Height,
+		Command:        opts.Command,
+		ServiceContext: opts.ServiceContext,
+		Environment:    opts.Environment,
+		WorkingDir:     opts.WorkingDir,
+		Timeout:        timeoutStr,
+		UserID:         opts.UserID,
+		User:           opts.User,
+		GroupID:        opts.GroupID,
+		Group:          opts.Group,
+		Terminal:       opts.Terminal,
+		Interactive:    opts.Interactive,
+		SplitStderr:    opts.Stderr != nil,
+		Width:          opts.Width,
+		Height:         opts.Height,
 	}
 	var body bytes.Buffer
 	err := json.NewEncoder(&body).Encode(&payload)