many: add _daemon_ as valid system username

[mvo5]

With the recent adoption of the _daemon_ user in the spec RK011 by the rocks team we should follow suite and also support the new _daemon_ user for snaps.

This commit implements this support.

We also need to update the documentation once this is in stable and deprecate snap_daemon in favor of _daemon_

[codecov-commenter]

Codecov Report

Merging #13052 (4e0207a) into master (22e1eb3) will increase coverage by 0.00%.
Report is 9 commits behind head on master.
The diff coverage is 100.00%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

@@           Coverage Diff            @@
##           master   #13052    +/-   ##
========================================
  Coverage   78.69%   78.70%            
========================================
  Files        1001     1002     +1     
  Lines      124324   124426   +102     
========================================
+ Hits        97839    97925    +86     
- Misses      20331    20343    +12     
- Partials     6154     6158     +4     

Flag	Coverage Δ
unittests	78.70% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
cmd/snap-seccomp/main.go	63.38% <100.00%> (ø)
osutil/user.go	84.61% <100.00%> (ø)
snap/validate.go	95.24% <100.00%> (ø)

... and 8 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[pedronis]

looking good, some comments

[pedronis]

do we still have use cases for this? do we need to expand its comment?

[mvo5]

Right now the thinking is that:
a) IsValidUsername is used to validate the name from osutil.AddUser() which is called by devicestate when adding users from the system-user assertion. Making this slightly more restrictive seems to be good to avoid that those names clash with the "system-usernames" from snap.yaml
b) IsValidSystemUsername is used to validate users from the "system-usernames" snap.yaml via "EnsureUserGroup". It needs to be always a superset of IsValudUsername because e.g. snap-seccomp will use it right now to validate users.

This all points to a problem with terminology though, we have a "system-user" assertion and a "system-usernames" piece in the snap.yaml. I was thinking to rename them to "IsValidAssertionUsername" and "IsValidSystemUsername" maybe? Or "IsValidAddUsername" and "IsValidEnsureUsername" (but the later feels weird).

[pedronis]

May leave the first alone and rename IsValidSystemUsername ro IsValidSnapSystemUsername. I think the doc comments of AddUser and EnsureUserGroup should also be updated to clarify their validation rules.

[mvo5]

Thanks for the great suggestion, I did this now.

[pedronis]

thanks, question about the preexisting spread tests

[pedronis]

should we change /tests/main/system-usernames to also test extensively daemon as snap_daemon is deprecated ?

[mvo5]

Yes, I think this would be a good idea. I will think a bit, either it needs to be a new snap or it needs to be a followup once the _daemon_ user is fully accepted (if we jsut add it as a second username to the existing snap).

[mvo5]

Actually I have an idea and prepared https://github.com/snapcore/snapd/compare/master...mvo5:new-daemon-user-rocks-more-tests?expand=1 to allow to test within this PR, I may still do it in a followup for easier reviewing.

[mvo5]

And indeed #13060 will be used to update system-usernames but as a separate PR as it adds quite a bit of churn (but could of course merge into this one if desired :)

[mvo5]

@degville we will need to update our docs once this is available in stable that this is the preferred way over snap_daemon.