libvirt: Support Ubuntu 23.04+

[stevenhorsman]

In newer versions of Ubuntu running pip3 install kcli results in the following error:

error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
    python3-xyz, where xyz is the package you are trying to
    install.
...

Solutions seem to be either use a virtual environment, install the package with apt (which isn't available for us as we need), or use pipx if installing an application, which we are.

This attempts to use the logic to install with pipx, including a shell reload at the end of the script to force the PATH to be updated

[stevenhorsman]

I've manually tested this on 22.04 and 24.04 and it all (non-kbs) test passed for me

[stevenhorsman]

It looks like in the CI the shell reload to pick up the new path isn't working, which might be to do with GHA isolating PATH between steps, so we might need some PATH update in the workflow, so putting this in draft for now.

[stevenhorsman]

It looks like in the CI the shell reload to pick up the new path isn't working, which might be to do with GHA isolating PATH between steps, so we might need some PATH update in the workflow, so putting this in draft for now.

I hope my workflow commit will do the trick. I'm not sure we can test it though, so maybe the best plan is to split out the workflow change and deliver it separately?

[stevenhorsman]

Now we can run the libvirt x86 tests on a github hosted runner. I'm able to test this in my fork and it passes: https://github.com/stevenhorsman/cloud-api-adaptor/actions/runs/12047365356/job/33590586948, so this is ready to review and merge directly.

[stevenhorsman]

I rebased this and tested it on a ubuntu 24.04 VM:

root@sh-2404-test:~/go/src/github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
root@sh-2404-test:~/go/src/github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor# ./libvirt/config_libvirt.sh
SECURE_COMMS is none.
Installing Go...
Installing latest yq
...
info: Adding user `root' to group `libvirt' ...
Installing kcli...
Installing kcli
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-argcomplete python3-packaging python3-pip-whl python3-pkg-resources python3-platformdirs python3-psutil python3-setuptools python3-setuptools-whl
  python3-userpath python3-venv python3.12-venv
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  pipx python3-argcomplete python3-packaging python3-pip-whl python3-platformdirs python3-psutil python3-setuptools-whl python3-userpath python3-venv python3.12-venv
The following packages will be upgraded:
  python3-pkg-resources python3-setuptools
2 upgraded, 10 newly installed, 0 to remove and 54 not upgraded.
Need to get 4072 kB of archives.
After this operation, 7835 kB of additional disk space will be used.
Get:1 http://mirrors.adn.networklayer.com/ubuntu noble-updates/main amd64 python3-setuptools all 68.1.2-2ubuntu1.1 [396 kB]
Get:2 http://mirrors.adn.networklayer.com/ubuntu noble-updates/main amd64 python3-pkg-resources all 68.1.2-2ubuntu1.1 [168 kB]
Get:3 http://mirrors.adn.networklayer.com/ubuntu noble-updates/universe amd64 python3-pip-whl all 24.0+dfsg-1ubuntu1.1 [1703 kB]
Get:4 http://mirrors.adn.networklayer.com/ubuntu noble-updates/universe amd64 python3-setuptools-whl all 68.1.2-2ubuntu1.1 [716 kB]
Get:5 http://mirrors.adn.networklayer.com/ubuntu noble-updates/universe amd64 python3.12-venv amd64 3.12.3-1ubuntu0.3 [5678 B]
Get:6 http://mirrors.adn.networklayer.com/ubuntu noble-updates/universe amd64 python3-venv amd64 3.12.3-0ubuntu2 [1034 B]
Get:7 http://mirrors.adn.networklayer.com/ubuntu noble-updates/universe amd64 python3-argcomplete all 3.1.4-1ubuntu0.1 [33.8 kB]
Get:8 http://mirrors.adn.networklayer.com/ubuntu noble/main amd64 python3-packaging all 24.0-1 [41.1 kB]
Get:9 http://mirrors.adn.networklayer.com/ubuntu noble/main amd64 python3-platformdirs all 4.2.0-1 [16.1 kB]
Get:10 http://mirrors.adn.networklayer.com/ubuntu noble/universe amd64 python3-userpath all 1.9.1-1 [9416 B]
Get:11 http://mirrors.adn.networklayer.com/ubuntu noble/universe amd64 pipx all 1.4.3-1 [787 kB]
Get:12 http://mirrors.adn.networklayer.com/ubuntu noble/main amd64 python3-psutil amd64 5.9.8-2build2 [195 kB]
Fetched 4072 kB in 6s (710 kB/s)
(Reading database ... 97425 files and directories currently installed.)
Preparing to unpack .../00-python3-setuptools_68.1.2-2ubuntu1.1_all.deb ...
Unpacking python3-setuptools (68.1.2-2ubuntu1.1) over (68.1.2-2ubuntu1) ...
Preparing to unpack .../01-python3-pkg-resources_68.1.2-2ubuntu1.1_all.deb ...
Unpacking python3-pkg-resources (68.1.2-2ubuntu1.1) over (68.1.2-2ubuntu1) ...
Selecting previously unselected package python3-pip-whl.
Preparing to unpack .../02-python3-pip-whl_24.0+dfsg-1ubuntu1.1_all.deb ...
Unpacking python3-pip-whl (24.0+dfsg-1ubuntu1.1) ...
Selecting previously unselected package python3-setuptools-whl.
Preparing to unpack .../03-python3-setuptools-whl_68.1.2-2ubuntu1.1_all.deb ...
Unpacking python3-setuptools-whl (68.1.2-2ubuntu1.1) ...
Selecting previously unselected package python3.12-venv.
Preparing to unpack .../04-python3.12-venv_3.12.3-1ubuntu0.3_amd64.deb ...
Unpacking python3.12-venv (3.12.3-1ubuntu0.3) ...
Selecting previously unselected package python3-venv.
Preparing to unpack .../05-python3-venv_3.12.3-0ubuntu2_amd64.deb ...
Unpacking python3-venv (3.12.3-0ubuntu2) ...
Selecting previously unselected package python3-argcomplete.
Preparing to unpack .../06-python3-argcomplete_3.1.4-1ubuntu0.1_all.deb ...
Unpacking python3-argcomplete (3.1.4-1ubuntu0.1) ...
Selecting previously unselected package python3-packaging.
Preparing to unpack .../07-python3-packaging_24.0-1_all.deb ...
Unpacking python3-packaging (24.0-1) ...
Selecting previously unselected package python3-platformdirs.
Preparing to unpack .../08-python3-platformdirs_4.2.0-1_all.deb ...
Unpacking python3-platformdirs (4.2.0-1) ...
Selecting previously unselected package python3-userpath.
Preparing to unpack .../09-python3-userpath_1.9.1-1_all.deb ...
Unpacking python3-userpath (1.9.1-1) ...
Selecting previously unselected package pipx.
Preparing to unpack .../10-pipx_1.4.3-1_all.deb ...
Unpacking pipx (1.4.3-1) ...
Selecting previously unselected package python3-psutil.
Preparing to unpack .../11-python3-psutil_5.9.8-2build2_amd64.deb ...
Unpacking python3-psutil (5.9.8-2build2) ...
Setting up python3-pkg-resources (68.1.2-2ubuntu1.1) ...
Setting up python3-setuptools-whl (68.1.2-2ubuntu1.1) ...
Setting up python3-setuptools (68.1.2-2ubuntu1.1) ...
Setting up python3-pip-whl (24.0+dfsg-1ubuntu1.1) ...
Setting up python3-platformdirs (4.2.0-1) ...
Setting up python3-psutil (5.9.8-2build2) ...
Setting up python3-packaging (24.0-1) ...
Setting up python3-argcomplete (3.1.4-1ubuntu0.1) ...
Setting up python3-userpath (1.9.1-1) ...
Setting up python3.12-venv (3.12.3-1ubuntu0.3) ...
Setting up python3-venv (3.12.3-0ubuntu2) ...
Setting up pipx (1.4.3-1) ...
Processing triggers for man-db (2.12.0-4build2) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...

Service restarts being deferred:
 /etc/needrestart/restart.d/dbus.service
 systemctl restart systemd-logind.service
 systemctl restart unattended-upgrades.service

No containers need to be restarted.

User sessions running outdated binaries:
 root @ user manager service: systemd[1111]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
  installed package kcli 99.0.202407031308, installed using Python 3.12.3
  These apps are now globally available
    - ekstoken
    - gketoken
    - ignitionmerger
    - kcli
    - klist.py
    - ksushy
    - kweb
⚠️  Note: '/root/.local/bin' is not on your PATH environment variable. These apps will not be globally accessible until your PATH is updated. Run `pipx ensurepath` to
    automatically add it, or manually modify your PATH in your shell's config file (i.e. ~/.bashrc).
done! ✨ 🌟 ✨
Success! Added /root/.local/bin to the PATH environment variable.

Consider adding shell completions for pipx. Run 'pipx completions' for instructions.

You will need to open a new terminal or re-login for the PATH changes to take effect.

Otherwise pipx is ready to go! ✨ 🌟 ✨
Installing kubectl...
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:iQCIyFSyrg1/Dbj4ekQhxDs94/fCXBuVZw5xeftR3W0 root@sh-2404-test
The key's randomart image is:
+---[RSA 3072]----+
|B=o.        .   +|
|=o+.     . o .  E|
| oo..     + . ...|
|.o.= . . = o . . |
|.o+ + . S =   . .|
|.=.o + o   .   . |
|o.+ = + o        |
| ... + o         |
|.o.   .          |
+----[SHA256]-----+
~/go/src/github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/install/overlays/libvirt ~/go/src/github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor
Verifing libvirt connection...
CPU model:           x86_64
CPU(s):              2
CPU frequency:       2494 MHz
CPU socket(s):       1
Core(s) per socket:  1
Thread(s) per core:  2
NUMA cell(s):        1
Memory size:         8133204 KiB

~/go/src/github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor
processing none

[wainersm]

Hi @stevenhorsman ! Sorry for taking longer to review it. LGTM. Thanks!

[mkulke]

i'm curious. why don't we need this at line 87? and if we do, why don't we source the env directly after installation of pipx?

[stevenhorsman]

Good question - I wrote this code in August, so can't complete remember the reason. I think it was because pipx ensurepath meant the path was only updated in the script's shell, which works for inside this script, but meant that the follow steps didn't have an updated path with the exec bash. Let me play with this again and try and refresh my memory to confirm.

I can just put this exec into line 87 instead of the ensurepath and see is that works as well?

[mkulke]

maybe I'm missing something, but the code looks like a noop. it re-sources .profile or something and then it's just discarded because the script (and the sh process, I assume).

[stevenhorsman]

So I think I'm remembering the issues I saw that lead me to this:
When we run pipx ensurepath the output is:

/root/.local/bin has been been added to PATH, but you need to open a new terminal or re-login for this PATH change
    to take effect.

You will need to open a new terminal or re-login for the PATH changes to take effect.

Otherwise pipx is ready to go! ✨ 🌟 ✨

If we check our PATH then:

# echo $PATH
/usr/local/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

It isn't added, but if we reload the shell and re-do it then it works:

# exec $SHELL
# echo $PATH
/usr/local/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.local/bin

However re-loading the shell within the script means that all further output doesn't show up, so that's why I added the reload to the end of the script to avoid that loss of output.

I could remove it entirely and we'd then need to ask the user to reload their shell, so I chose to do it for them to remove a step.

[stevenhorsman]

I don't fully understand this, so I've tried to give a cut down version of the script to demo:

# cat test.sh
pipx ensurepath
echo "PATH before reload: $PATH"
exec $SHELL
echo "We don't see this"

# ./test.sh
/root/.local/bin has been been added to PATH, but you need to open a new terminal or re-login for this PATH change
    to take effect.

You will need to open a new terminal or re-login for the PATH changes to take effect.

Otherwise pipx is ready to go! ✨ 🌟 ✨
PATH before reload: /usr/local/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

# echo $PATH
/usr/local/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.local/bin

[stevenhorsman]

Sorry, I still don't follow - when I leave the scope of the script why would it (without running exec $SHELL in that script) have a reload as I'm just returning to the shell scope I was already in before calling it?

[mkulke]

my point would be:

you can run exec $SHELL in the script, but that will only be valid in the child process that evaluates the script, not the script-invoking shell.

[stevenhorsman]

So my point is that (as I've explained and showed example commands above), I would expect that behaviour, but it's not the case, hence the exec $SHELL is not a no-op

[mkulke]

we will probably not get to the bottom off this mystery in this PR 😅 but what I suspect happens in your example above:

in the script you open a new shell (and by that you replace your current process with it). this new shell has the PATH set. if you ctrl-d out of that shell, however, the PATH will be lost again because you're back at the shell that called the script initially. Now, that' s admittedly not a full noop, at least not in a TTY, because it opens a new shell, but if we emulate a github action step calling your script by shortfusing stdin the new shell will immediately exit:

$ bash test.sh < /dev/null
~/.local/bin has been been added to PATH, but you need to open a new terminal or re-login for this
    PATH change to take effect.

You will need to open a new terminal or re-login for the PATH changes to take effect.

Otherwise pipx is ready to go! ✨ 🌟 ✨
$ echo $PATH | grep "local/bin$"
$ # ☁️
$ bash # new shell
magnuskulke@DESKTOP-2KAPMGM:~$ echo $PATH | grep -oh "local/bin$"
local/bin
$ # 🌞 

[stevenhorsman]

Yeah this behaviour is for the local install, not the GHA, which is more straightforward as there is clear shell separation!

[huoqifeng]

LGTM
I guess other distro like centos/rhel can also use pipx, maybe we can change it later. Thanks! @stevenhorsman

[stevenhorsman]

LGTM I guess other distro like centos/rhel can also use pipx, maybe we can change it later. Thanks! @stevenhorsman

Yeah, I was just trying to unblock David's development with this fix, so targeted ubuntu as the distro he had issues with, but it might also be useful for newer versions of fedora and similar. Maybe someone like @wainersm who I think uses it might be able to comment?