Investigate and fix CI create DB error (#511)

* println debug * lint * More lines * Debug and try a hypothesis * Fix error parsing * Fix nsjail error, surface non-AybErrors more effectively * lint * Remove prints * Remove unnecessary checkout
marcua · Jan 20, 2025 · 86d990e · 86d990e
1 parent 55ebcd7
commit 86d990e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/src/error.rs b/src/error.rs
@@ -21,11 +21,12 @@ pub enum AybError {
     CantSetOwnerPermissions { message: String },
     DurationParseError { message: String },
     NoWriteAccessError { message: String },
+    QueryError { message: String },
+    RecordNotFound { id: String, record_type: String },
     S3ExecutionError { message: String },
     S3ConnectionError { message: String },
     SnapshotError { message: String },
     SnapshotDoesNotExistError,
-    RecordNotFound { id: String, record_type: String },
     Other { message: String },
 }
 

diff --git a/src/hosted_db/sqlite.rs b/src/hosted_db/sqlite.rs
@@ -89,12 +89,22 @@ pub async fn potentially_isolated_sqlite_query(
     if let Some(isolation) = isolation {
         let result =
             run_in_sandbox(Path::new(&isolation.nsjail_path), path, query, query_mode).await?;
-
         if !result.stderr.is_empty() {
-            let error: AybError = serde_json::from_str(&result.stderr)?;
-            return Err(error);
+            let error: Result<AybError, _> = serde_json::from_str(&result.stderr);
+            // If the error could be deserialized into an AybError,
+            // return that. Otherwise, create a more generic AybError
+            // to at least surface an issue.
+            return match error {
+                Ok(error) => Err(error),
+                Err(_error) => Err(AybError::QueryError {
+                    message: format!(
+                        "Error message from sandboxed query runner: {}",
+                        result.stderr
+                    ),
+                }),
+            };
         } else if result.status != 0 {
-            return Err(AybError::Other {
+            return Err(AybError::QueryError {
                 message: format!(
                     "Error status from sandboxed query runner: {}",
                     result.status
@@ -104,7 +114,7 @@ pub async fn potentially_isolated_sqlite_query(
             let query_result: QueryResult = serde_json::from_str(&result.stdout)?;
             return Ok(query_result);
         } else {
-            return Err(AybError::Other {
+            return Err(AybError::QueryError {
                 message: "No results from sandboxed query runner".to_string(),
             });
         }

diff --git a/tests/set_up_e2e_env.sh b/tests/set_up_e2e_env.sh
@@ -18,3 +18,8 @@ DOCKER_FLAGS="-v ${SCRIPT_PATH}:/etc/localstack/init/ready.d/init-aws.sh" locals
 # On Ubuntu, assumes these requirements: sudo apt-get install -y libprotobuf-dev protobuf-compiler libnl-route-3-dev
 scripts/build_nsjail.sh
 mv nsjail tests/
+
+# Starting with Ubuntu 24.x, nsjail won't run with default permissions
+# (https://github.com/google/nsjail/issues/236).
+sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
+sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0