> 1) Following line in debian/tests/unshare will break Debian (since
> the script runs with "set -e"):
>
> [ "$distro" = ubuntu ] && umask 022
>
> Either use || or an if-clause. Besides that, you can just source
> /etc/os-release and then use the ID variable.
It only breaks Debian if the distro=$(...) line (22) isn't
incorporated (which, were this change to be upstreamed, it should be).
As to sourcing /etc/os-release, that's effectively what it's doing in
that line (admittedly via lsb_release, but that seems to me a
reasonably standard means of querying os-release).
> 2) Running the unshare autopkgtest with a kinetic schroot fails:
>
> autopkgtest [12:48:47]: test unshare: [-----------------------
> + [ -z x ]
> + grep -q ^1$ /proc/sys/kernel/unprivileged_userns_clone
> + dpkg --print-architecture
> [...]
> + mmdebstrap --mode=unshare --variant=apt kinetic /tmp/autopkgtest.4hxHnh/autopkgtest_tmp/chroot.tar
> W: unshare syscall failed: Operation not permitted
>
> Does it need more checks or does it need to declare to be better
> isolated?
Good point, it needs more isolation. Knowing that the unshare-wrapper
test involved isolation-machine I'd only tested under qemu.
Incidentally, that one winds up skipped on Ubuntu because
linux-image-amd64 is not installable (and skip-not-installable is
set), which is presumably why we added the (unwrapped) unshare test in
the first place. Still, that test works happily with a Debian qemu
setup.
I've subsequently tested with LXD as well, and that works with the
(unwrapped) unshare test, but requires a privileged container with
nesting to execute successfully:
> 1) Following line in debian/ tests/unshare will break Debian (since
> the script runs with "set -e"):
>
> [ "$distro" = ubuntu ] && umask 022
>
> Either use || or an if-clause. Besides that, you can just source
> /etc/os-release and then use the ID variable.
It only breaks Debian if the distro=$(...) line (22) isn't
incorporated (which, were this change to be upstreamed, it should be).
As to sourcing /etc/os-release, that's effectively what it's doing in
that line (admittedly via lsb_release, but that seems to me a
reasonably standard means of querying os-release).
> 2) Running the unshare autopkgtest with a kinetic schroot fails: ------- ------- --- kernel/ unprivileged_ userns_ clone architecture t.4hxHnh/ autopkgtest_ tmp/chroot. tar
>
> autopkgtest [12:48:47]: test unshare: [------
> + [ -z x ]
> + grep -q ^1$ /proc/sys/
> + dpkg --print-
> [...]
> + mmdebstrap --mode=unshare --variant=apt kinetic /tmp/autopkgtes
> W: unshare syscall failed: Operation not permitted
>
> Does it need more checks or does it need to declare to be better
> isolated?
Good point, it needs more isolation. Knowing that the unshare-wrapper installable is
test involved isolation-machine I'd only tested under qemu.
Incidentally, that one winds up skipped on Ubuntu because
linux-image-amd64 is not installable (and skip-not-
set), which is presumably why we added the (unwrapped) unshare test in
the first place. Still, that test works happily with a Debian qemu
setup.
I've subsequently tested with LXD as well, and that works with the
(unwrapped) unshare test, but requires a privileged container with
nesting to execute successfully:
$ autopkgtest- build-lxd images: ubuntu/ kinetic/ amd64 ubuntu/ kinetic/ amd64 -c security. privileged= true -c security. nesting= true
$ autopkgtest . -- lxd autopkgtest/
So perhaps isolation-machine is more appropriate there anyway. I'll
amend d/t/control accordingly.