Snapd spread tests should be able to run with kernel rate limiting disabled

jdstrand · April 27, 2017, 6:45pm

The seccomp arg filting PR for mknod introduced a change to disable kernel rate limiting in an effort to make debugging output more robust (since the kernel will sometimes throwaway valuable information). Unfortunately, this results in output that is too large and the CI tests fail. Eg: https://travis-ci.org/snapcore/snapd/builds/223540921. Here is a snippet of the output:

2017-04-19 13:36:01 Error executing linode:ubuntu-14.04-64:tests/main/snapd-reexec : 
-----
+ '[' '' = 0 ']'
+ echo 'Ensure we re-exec by default'
Ensure we re-exec by default
+ snap list
2017/04/19 13:35:59.295076 main.go:237: WARNING: cannot create syslog logger
2017/04/19 13:35:59.431711 main.go:237: WARNING: cannot create syslog logger
Name  Version  Rev   Developer  Notes
core  16-2     1736  canonical  -
+ MATCH 'DEBUG: restarting into'
+ journalctl
error: pattern not found, got:
-- Logs begin at Wed 2017-04-19 13:31:24 UTC, end at Wed 2017-04-19 13:31:25 UTC. --
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6094): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6095): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
... <thousands of DENIED messages>

It isn’t clear to me, but it looks like this is either highlighting a legitimate problem in the test, network-bind-consumer doesn’t have the correct interfaces or network-bind-consumer is programmed to just slam the network and retry a gagillion times instead of failing gracefully.

I’m bringing up this topic here because I will be reverting the disabling kernel rate limiting in the PR that was triggering this and will reference this topic in the code as a TODO to address in the future.

mvo · April 28, 2017, 7:16am

I suspect this is a test issue, an strace of the running python3 /snap/network-bind-consumer/x1/bin/consumer without the interface shows it constantly loops like this:

poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
accept4(3, 0x7ffcde8ea590, 0x7ffcde8ea56c, SOCK_CLOEXEC) = -1 EACCES (Permission denied)
...

The test takes away the interface and then runs nc on the port which the snap sees but can not act on creating the loop. Not sure what the best action is here, maybe just disable logging in this particular test or changing the python code to die if it can not accept connections.

jdstrand · April 28, 2017, 1:06pm

Or re-enable kernel rate limiting for this test.