feat: mknod intercepts now configurable from LXDProvider (#717)

* feat: mknod intercepts now configurable from LXDProvider

* fix: unit test

* fix: lint

* docs: update changelog (also includes item from #710)

Author: mattculler

craft_providers/lxd/lxd_instance.py

@@ -24,6 +24,7 @@
 import shutil
 import subprocess
 import tempfile
+import warnings
 from typing import Any, Dict, List, Optional
 
 from craft_providers.const import TIMEOUT_SIMPLE
@@ -54,6 +55,7 @@ def __init__(
         project: str = "default",
         remote: str = "local",
         lxc: Optional[LXC] = None,
+        intercept_mknod: bool = True,
     ) -> None:
         """Create an LXD executor.
 
@@ -65,6 +67,7 @@ def __init__(
         :param project: The name of the LXD project.
         :param remote: The name of the LXD remote.
         :param lxc: The LXC wrapper to use.
+        :param intercept_mknod: If the host can, tell LXD instance to intercept mknod
 
         :raises LXDError: If the name is invalid.
         """
@@ -79,6 +82,7 @@ def __init__(
         self.instance_name = get_instance_name(name, LXDError)
         self.project = project
         self.remote = remote
+        self._intercept_mknod = intercept_mknod
 
         if lxc is None:
             self.lxc = LXC()
@@ -363,8 +367,14 @@ def launch(
                 uid = os.getuid()
             config_keys["raw.idmap"] = f"both {uid!s} 0"
 
-        if self._host_supports_mknod():
-            config_keys["security.syscalls.intercept.mknod"] = "true"
+        if self._intercept_mknod:
+            if not self._host_supports_mknod():
+                warnings.warn(
+                    "Application configured to intercept guest mknod calls, "
+                    "but the host OS does not support intercepting mknod."
+                )
+            else:
+                config_keys["security.syscalls.intercept.mknod"] = "true"
 
         self.lxc.launch(
             config_keys=config_keys,

craft_providers/lxd/lxd_provider.py

@@ -45,6 +45,7 @@ class LXDProvider(Provider):
     :param lxc: Optional lxc client to use.
     :param lxd_project: LXD project to use (default is default).
     :param lxd_remote: LXD remote to use (default is local).
+    :param intercept_mknod: If the host can, tell LXD instance to intercept mknod
     """
 
     def __init__(
@@ -53,10 +54,12 @@ def __init__(
         lxc: LXC = LXC(),
         lxd_project: str = "default",
         lxd_remote: str = "local",
+        intercept_mknod: bool = True,
     ) -> None:
         self.lxc = lxc
         self.lxd_project = lxd_project
         self.lxd_remote = lxd_remote
+        self._intercept_mknod = intercept_mknod
 
     @property
     def name(self) -> str:
@@ -98,6 +101,7 @@ def create_environment(self, *, instance_name: str) -> Executor:
             name=instance_name,
             project=self.lxd_project,
             remote=self.lxd_remote,
+            intercept_mknod=self._intercept_mknod,
         )
 
     @contextlib.contextmanager

docs/reference/changelog.rst

@@ -4,6 +4,13 @@ Changelog
 See the `Releases page`_ on GitHub for a complete list of commits that are
 included in each version.
 
+2.2.0 (2025-Jan-16)
+-------------------
+- ``hookutil.py`` now available for dependent projects to clean up lxd
+  instances.
+- Dependent projects can now disable lxd ``mknod`` interception via
+  ``LXDProvider``'s ``__init__``.
+
 2.1.0 (2025-Jan-10)
 -------------------
 - Require Multipass>=1.14.1

tests/unit/lxd/test_lxd_provider.py

@@ -121,7 +121,7 @@ def test_create_environment(mocker):
     provider.create_environment(instance_name="test-name")
 
     mock_lxd_instance.assert_called_once_with(
-        name="test-name", project="default", remote="local"
+        name="test-name", project="default", remote="local", intercept_mknod=True
     )