canonical · yhaliaw · Jan 5, 2024 · Dec 14, 2023 · Dec 18, 2023 · Dec 18, 2023
@@ -13,6 +13,7 @@ parts:
       - rust-all  # for cryptography
     prime:
       - scripts/build-image.sh
+      - scripts/repo_policy_compliance_service.py
 bases:
   - build-on:
     - name: "ubuntu"

@@ -50,7 +50,15 @@ cleanup() {
 
 HTTP_PROXY="$1"
 HTTPS_PROXY="$2"
-MODE="$3"
+NO_PROXY="$3"
+MODE="$4"
+
+if [[ -n "$HTTP_PROXY" ]]; then
+    /snap/bin/lxc config set core.proxy_http "$HTTP_PROXY"
+fi
+if [[ -n "$HTTPS_PROXY" ]]; then
+    /snap/bin/lxc config set core.proxy_https "$HTTPS_PROXY"
+fi
 
 cleanup '/snap/bin/lxc info builder &> /dev/null' '/snap/bin/lxc delete builder --force' 'Cleanup LXD VM of previous run' 10
 
@@ -60,6 +68,20 @@ else
     retry '/snap/bin/lxc launch ubuntu-daily:jammy builder --vm --device root,size=8GiB' 'Starting LXD VM'
 fi
 retry '/snap/bin/lxc exec builder -- /usr/bin/who' 'Wait for lxd agent to be ready' 30
+if [[ -n "$HTTP_PROXY" ]]; then
+    /snap/bin/lxc exec builder -- echo "HTTP_PROXY=$HTTP_PROXY" >> /etc/environment
+    /snap/bin/lxc exec builder -- echo "http_proxy=$HTTP_PROXY" >> /etc/environment
+    /snap/bin/lxc exec builder -- echo "Acquire::http::Proxy \"$HTTP_PROXY\";" >> /etc/apt/apt.conf
+fi
+if [[ -n "$HTTPS_PROXY" ]]; then
+    /snap/bin/lxc exec builder -- echo "HTTPS_PROXY=$HTTPS_PROXY" >> /etc/environment
+    /snap/bin/lxc exec builder -- echo "https_proxy=$HTTPS_PROXY" >> /etc/environment
+    /snap/bin/lxc exec builder -- echo "Acquire::https::Proxy \"$HTTPS_PROXY\";" >> /etc/apt/apt.conf
+fi
+if [[ -n "$NO_PROXY" ]]; then
+    /snap/bin/lxc exec builder -- echo "NO_PROXY=$NO_PROXY" >> /etc/environment
+    /snap/bin/lxc exec builder -- echo "no_proxy=$NO_PROXY" >> /etc/environment
+fi
 retry '/snap/bin/lxc exec builder -- /usr/bin/nslookup github.com' 'Wait for network to be ready' 30
 
 /snap/bin/lxc exec builder -- /usr/bin/apt-get update

@@ -46,7 +46,7 @@ Construct RunnerManager object for creating and managing runners.
 
 ---
 
-<a href="../src/runner_manager.py#L641"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/runner_manager.py#L643"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `build_runner_image`
 
@@ -172,7 +172,7 @@ Bring runners in line with target.
 
 ---
 
-<a href="../src/runner_manager.py#L651"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/runner_manager.py#L653"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `schedule_build_runner_image`
 

@@ -130,7 +130,7 @@ class GithubRunnerCharm(CharmBase):
 
     service_token_path = Path("service_token")
     repo_check_web_service_path = Path("/home/ubuntu/repo_policy_compliance_service")
-    repo_check_web_service_script = Path("templates/repo_policy_compliance_service.py")
+    repo_check_web_service_script = Path("scripts/repo_policy_compliance_service.py")
     repo_check_systemd_service = Path("/etc/systemd/system/repo-policy-compliance.service")
     ram_pool_path = Path("/storage/ram")
 
@@ -324,8 +324,6 @@ def _on_install(self, _event: InstallEvent) -> None:
         """
         self.unit.status = MaintenanceStatus("Installing packages")
 
-        self._update_kernel()
-
         try:
             # The `_start_services`, `_install_deps` includes retry.
             self._install_deps()
@@ -370,6 +368,8 @@ def _on_start(self, _event: StartEvent) -> None:
         Args:
             event: Event of starting the charm.
         """
+        self._check_and_update_dependencies()
+
         runner_manager = self._get_runner_manager()
 
         self.unit.status = MaintenanceStatus("Starting runners")
@@ -672,6 +672,9 @@ def _reconcile_runners(self, runner_manager: RunnerManager) -> Dict[str, Any]:
         delta_virtual_machines = runner_manager.reconcile(
             virtual_machines, virtual_machines_resources
         )
+
+        self.unit.status = ActiveStatus()
+
         return {"delta": {"virtual-machines": delta_virtual_machines}}
 
     def _install_repo_policy_compliance(self) -> bool:

@@ -796,4 +796,9 @@ def _snap_install(self, snaps: Iterable[Snap]) -> None:
             cmd = ["snap", "install", snap.name, f"--channel={snap.channel}"]
             if snap.revision is not None:
                 cmd.append(f"--revision={snap.revision}")
-            self.instance.execute(cmd)
+            exit_code, stdout, stderr = self.instance.execute(cmd)
+
+            if exit_code != 0:
+                err_msg = stderr.read().decode("utf-8")
+                logger.error("Unable to install %s due to %s", snap.name, err_msg)
+                raise RunnerCreateError(f"Unable to install {snap.name}")
@@ -627,12 +627,14 @@ def _build_image_command(self) -> list[str]:
         """
         http_proxy = self.proxies.get("http", "")
         https_proxy = self.proxies.get("https", "")
+        no_proxy = self.proxies.get("no_proxy", "")
 
         cmd = [
             "/usr/bin/bash",
             BUILD_IMAGE_SCRIPT_FILENAME,
             http_proxy,
             https_proxy,
+            no_proxy,
         ]
         if LXD_PROFILE_YAML.exists():
             cmd += ["test"]
@@ -650,13 +652,16 @@ def build_runner_image(self) -> None:
 
     def schedule_build_runner_image(self) -> None:
         """Install cron job for building runner image."""
+        # Replace empty string in the build image command list and form a string.
+        build_image_command = " ".join(
+            [part if part else "''" for part in self._build_image_command()]
+        )
+
         cron_file = self.cron_path / "build-runner-image"
         # Randomized the time executing the building of image to prevent all instances of the charm
         # building images at the same time, using up the disk, and network IO of the server.
         # The random number are not used for security purposes.
         minute = random.randint(0, 59)  # nosec B311
         base_hour = random.randint(0, 5)  # nosec B311
         hours = ",".join([str(base_hour + offset) for offset in (0, 6, 12, 18)])
-        cron_file.write_text(
-            f"{minute} {hours} * * * ubuntu {' '.join(self._build_image_command())}"
-        )
+        cron_file.write_text(f"{minute} {hours} * * * ubuntu {build_image_command}")
@@ -197,21 +197,30 @@ async def run_in_unit(unit: Unit, command: str, timeout=None) -> tuple[int, str
 
 
 async def run_in_lxd_instance(
-    unit: Unit, name: str, command: str, cwd=None, timeout=None
+    unit: Unit,
+    name: str,
+    command: str,
+    env: dict[str, str] | None = None,
+    cwd: str | None = None,
+    timeout: int | None = None,
 ) -> tuple[int, str | None]:
     """Run command in LXD instance of a juju unit.
 
     Args:
         unit: Juju unit to execute the command in.
         name: Name of LXD instance.
         command: Command to execute.
+        env: Mapping of environment variable name to value.
         cwd: Work directory of the command.
         timeout: Amount of time to wait for the execution.
 
     Returns:
         Tuple of return code and stdout.
     """
     lxc_cmd = f"/snap/bin/lxc exec {name}"
+    if env:
+        for key, value in env.items():
+            lxc_cmd += f"--env {key}={value}"
     if cwd:
         lxc_cmd += f" --cwd {cwd}"
     lxc_cmd += f" -- {command}"

@@ -3,7 +3,9 @@
 
 """Test the usage of a proxy server."""
 import subprocess
+from asyncio import sleep
 from typing import AsyncIterator
+from urllib.parse import urlparse
 
 import pytest
 import pytest_asyncio
@@ -15,6 +17,7 @@
     get_runner_names,
     run_in_lxd_instance,
 )
+from tests.status_name import ACTIVE_STATUS_NAME
 from utilities import execute_command
 
 PROXY_PORT = 8899
@@ -44,22 +47,81 @@ async def proxy_fixture() -> AsyncIterator[str]:
 
 @pytest_asyncio.fixture(scope="module", name="app_with_aproxy")
 async def app_with_aproxy_fixture(
-    model: Model, app_no_runner: Application, proxy: str
+    model: Model,
+    charm_file: str,
+    app_name: str,
+    path: str,
+    token: str,
+    proxy: str,
 ) -> Application:
-    """Application configured to use aproxy"""
-
+    """Application with aproxy setup and firewall to block all other network access."""
     await model.set_config(
         {
+            "apt-http-proxy": proxy,
+            "apt-https-proxy": proxy,
+            "apt-no-proxy": "127.0.0.1,localhost,::1",
             "juju-http-proxy": proxy,
             "juju-https-proxy": proxy,
-            "juju-no-proxy": "",
+            "juju-no-proxy": "127.0.0.1,localhost,::1",
+            "snap-http-proxy": proxy,
+            "snap-https-proxy": proxy,
+            "snap-no-proxy": "127.0.0.1,localhost,::1",
             "logging-config": "<root>=INFO;unit=DEBUG",
         }
     )
 
-    await app_no_runner.set_config({"experimental-use-aproxy": "true"})
+    machine = await model.add_machine(constraints={"root-disk": 15}, series="jammy")
+    # Wait until juju agent has the hostname of the machine.
+    for _ in range(120):
+        if machine.hostname is not None:
+            break
+        await sleep(10)
+    else:
+        assert False, "Timeout waiting for machine to start"
+
+    # Disable external network access for the juju machine.
+    proxy_url = urlparse(proxy)
+    await machine.ssh(f"sudo iptables -I OUTPUT -d {proxy_url.hostname} -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 0.0.0.0/8 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 10.0.0.0/8 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 100.64.0.0/10 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 127.0.0.0/8 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 169.254.0.0/16 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 172.16.0.0/12 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 192.0.0.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 192.0.2.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 192.88.99.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 192.168.0.0/16 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 198.18.0.0/15 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 198.51.100.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 203.0.113.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 224.0.0.0/4 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 233.252.0.0/24 -j ACCEPT")
+    await machine.ssh("sudo iptables -I OUTPUT -d 240.0.0.0/4 -j ACCEPT")
+    await machine.ssh("sudo iptables -P OUTPUT DROP")
+    # Test the external network access is disabled.
+    await machine.ssh("ping -c1 canonical.com 2>&1 | grep '100% packet loss'")
+
+    # Deploy the charm in the juju machine with external network access disabled.
+    application = await model.deploy(
+        charm_file,
+        application_name=app_name,
+        series="jammy",
+        config={
+            "path": path,
+            "token": token,
+            "virtual-machines": 1,
+            "denylist": "10.10.0.0/16",
+            "test-mode": "insecure",
+            "reconcile-interval": 60,
+            "experimental-use-aproxy": "true",
+        },
+        constraints={"root-disk": 15},
+        to=machine.id,
+    )
+    await model.wait_for_idle(status=ACTIVE_STATUS_NAME, timeout=60 * 60)
 
-    return app_no_runner
+    return application
 
 
 @pytest.mark.asyncio
@@ -76,7 +138,12 @@ async def test_usage_of_aproxy(model: Model, app_with_aproxy: Application) -> No
     assert names
     runner_name = names[0]
 
-    return_code, stdout = await run_in_lxd_instance(unit, runner_name, "curl http://canonical.com")
+    return_code, stdout = await run_in_lxd_instance(
+        unit,
+        runner_name,
+        "curl http://canonical.com",
+    )
+
     assert return_code == 0
 
     return_code, stdout = await run_in_lxd_instance(