Add support for reboot parameter

[alfonsosanchezbeato]

Add support for reboot parameter in system-shutdown program, and use it for the android bootloader.

[zyga]

I looked at the C parts mostly. CC @chipaca

[zyga]

Ugh

This doesn't look at max_size. Perhaps I'm skewed towards security sensitive code (from snap-confine) but I prefer defensive coding.

[zyga]

Where is this file name coming from? Is this our invention? If so, can we call it something like snapd.reboot-mode

[alfonsosanchezbeato]

Nope, it is the same way used by systemd:

https://github.com/systemd/systemd/blob/master/src/systemctl/systemctl.c#L8262

[morphis]

Can we get this properly documented with a link to the systemd source (a tagged version)? Also needs to be added in the go portion of this PR.

[zyga]

Please prefix this with sc_, the second argument should really be size_t

[chipaca]

why the prefix? it's got nothing to do with snap-confine (and nothing else in system-shutdown-utils.h has that prefix)

[alfonsosanchezbeato]

Agreed, don't really see the need for the prefix...

[alfonsosanchezbeato]

Re: size_t I always have mixed feelings wrt using natural integer size vs array sizes, it is a C language issue in the end. In fact, fgets uses "int", but in this case the advantage of using size_t is that you make sure that max_size is non-negative, so I will change the type.

[zyga]

The prefix is used on all non-private functions simply because you can just move code around from place to place without thinking about it too hard. It is also free to do it now.

[zyga]

I think we can reasonably say the size is something smaller, you don't need all of that space.

[zyga]

Can you please remove this?

[chipaca]

by "this" you mean the "hi there!", yes? :-)

[alfonsosanchezbeato]

Lol, some debugging leftover

[zyga]

Yes, I meant this change. :-)

[zyga]

Can you just always read this and not change the flow of the code?

[alfonsosanchezbeato]

Ok, in fact I oscillated between the two options...

[zyga]

Can you add error handling to both cases please. It doesn't have to be very sophisticated but I'd like to see it.

[pedronis]

if this is not systemd predefined shouldn't it go to /run/snapd/ instead?

[alfonsosanchezbeato]

It is defined by systemd:

https://github.com/systemd/systemd/blob/master/src/systemctl/systemctl.c#L8262

[pedronis]

should this use osutil.AtomicWrite ? are we writing over a systemd undocumented file, that sounds odd? can't we use our own file ? given that we are consuming it from our own code?

[alfonsosanchezbeato]

I prefer to use the same file because this way system-shutdown works properly not only for snapd, but also for the "reboot" command (there are those two ways to generate the file, so better to use the same interface, otherwise we would need to support two different ways of receiving the information in system-shutdown). Note also that we would not need the file if "shutdown +x -r" worked the same way as "reboot", which is a systemd inconsistency.

[alfonsosanchezbeato]

Re: using AtomicWrite this is an ephemeral archive, so no, it does not make much sense imo.

[pedronis]

given we are doing this, can we instead of hard coding +10 here, pass in a afterMins params to Reboot(afterMins int)

[morphis]

Shouldn't we have a proper fallback here when no bootloader is found and still call "shutdown"? Not sure if we can otherwise supports environments like docker or LXD.

[pedronis]

that's a much bigger issue than this place in the code (there various places assuming that if we are core system we will get a reboot in some situations), if we have such issues we need to think through them, this is probably not the right PR for that

[morphis]

Should have a unit test.

[alfonsosanchezbeato]

This one is tricky as it is writing in a global folder (/run/systemd) for which root permissions are needed, and I do not see an equivalent of MockCommand for this.

[pedronis]

don't hardcode the folder here but in dirs/dirs.go and follow the patterns there, then you can use dirs.SetRootDir in tests to have an alternate root dir

[alfonsosanchezbeato]

Not sure if we should do that, as this is not a snapd folder, but a systemd one.

[pedronis]

I'm telling you to do that! there's a lot of system directories already listed there because of similar reasons, for example

LocaleDir = filepath.Join(rootdir, "/usr/share/locale")

otoh see my comment about being a bit strange to write over a systemd file

[morphis]

Needs a unit test

[morphis]

Also I think we should give this a better name. like regularSystemReboot() so it name expresses a bit more that this is the std. way of doing a reboot.

[alfonsosanchezbeato]

I thought about that, but how do you unit-test something that reboots the system (or fails if not root)?...

[morphis]

By mocking the actual exec call :-)

We do this elsewhere in the snapd code base already. https://github.com/snapcore/snapd/blob/master/systemd/systemd_test.go is a good reference.

[pedronis]

testutil.MockCommand there

[ogra1]

as i mentioned on IRC, i'd prefer to do all this on a lower level simply through systemd configuration so that every reboot gets us into recovery regardless ...

that said, i dont mind if you add a super complex function to snapd like above instead, if it fulfills the same purpose as hardcoding "reboot recovery" on a systemd level for all reboot calls, i just think it is overkill.

[alfonsosanchezbeato]

PR refreshed, thanks for all the comments from the different reviewers!

[pedronis]

this should return osutil.OutputErr directly and the logging moved back to daemon.go I think

[pedronis]

can we test the argument to shutdown as well here ? we should have examples how to do that

[mvo5]

Thanks for doing this work! It looks good, I have some comments inline

[mvo5]

Curious why strcspn oder a simple strchr()?

[alfonsosanchezbeato]

strchr() would need a check for NULL pointer on failure to find '\n', which is not needed by strcspn()

[mvo5]

I would prefer it bootloader.RebootForUpdate() takes a time.Time - this way it is more clear what the parameter means and the code is easier to read (even without a comment).

[mvo5]

I think we also want to c.Check(systemdCmd.Calls(), DeepEquals, [][]string{ {"shutdown", "+10"} }) (or similar) here just to ensure that a) shutdown got really called b) it was called with the right parameters.

[mvo5]

If we could use c.Assert(err, ErrorMatches, "the actual error") that would be great.

[mvo5]

This (and the one for uboot) are untested currently and this will reduce the test-coverage. Not a big deal, we can do a followup branch but if we can get a test for this cheaply that would be great.

[alfonsosanchezbeato]

Please consider this branch on hold, as I have added a comment in the android support thread in the forum and the way to do this might change: https://forum.snapcraft.io/t/android-support-in-snapd/327/34

[alfonsosanchezbeato]

After some discussion in the forum thread, we are probably not going to use the snapd parts of this PR. I have repushed just the changes to system-shutdown, which are good to have anyway so we fulfill systemd interface for the reboot argument.

@pedronis please consider the PR unblocked and ready for review again.

[codecov-io]

Codecov Report

Merging #3353 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3353      +/-   ##
==========================================
- Coverage   77.56%   77.56%   -0.01%     
==========================================
  Files         371      371              
  Lines       25519    25519              
==========================================
- Hits        19794    19793       -1     
- Misses       3975     3976       +1     
  Partials     1750     1750

Impacted Files	Coverage Δ
interfaces/sorting.go	93.33% <0%> (-3.34%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d65d03...fbb8107. Read the comment docs.

[zyga]

This is ignoring the error code.

[alfonsosanchezbeato]

Yes, because no action would be taken if there is a failure to read the file, we will simply have reboot_arg untouched, which is checked later when choosing how to reboot. If you want we can print something here, but just an info log, as the file not being present would be actually quite frequent.

[zyga]

Nitpick, can you please reword this: kmsg(cannot reboot the system: %s", strerror(errno));

[chipaca]

you could also use reboot(2) from linux/reboot.h instead of sys/reboot.h, but not both of these at the same time.

[alfonsosanchezbeato]

Not sure what you mean, /usr/include/linux/reboot.h only shows some macros, and does not have any include directive.

[chipaca]

ah, I misread reboot(2), then.

[alfonsosanchezbeato]

MP refreshed after addressing comments.

[mvo5]

Looks good to me now, thanks for your work on this PR!