Re: workaround for connect no autoconnect interfaces without login on system
Hi Jamie

On 03/10/2017 07:20 AM, Jamie Strandboge wrote:
> Gadget developers are supposed to have a voice in what is autoconnected on
> their devices and it seems that Nicolino is asking for advice on how to make
> that happen. This comes up from time to time so once there is a definitive
> answer, this sounds like a great opportunity for some documentation. :)

Do you, or does anyone, know how to auto connect from a gadget snap?

Cheers,
Kyle

--
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: workaround for connect no autoconnect interfaces without login on system
On Tue, 2017-03-07 at 13:41 -0600, Jamie Strandboge wrote:
> On Tue, 2017-03-07 at 15:05 +, Nicolino Curalli wrote:
> > Hi kyleN
> > thanks so much for the answer.
> >
> > A question for go ahead from my side:
> > how can I request the store to add an auto connection statement to the
> > snap declaration assertion ?
> Just ask on this list. :)
>
> Looking at your previous email, it seems you would like to have the nmap snap
> auto-connected. The nmap snap is requesting a lot of privilege by plugging the
> 'network-control' interface and the snap is not coming from a trusted upstream
> or publisher. I therefore think that it correctly requires the user to
> explicitly connect the interface by default.
>
> Based on your previous email (and my previous response) it sounds like you are
> developing a gadget snap for a particular device though. The gadget
> auto-connect mechanism is therefore what you want to use since gadget snaps
> have a voice in auto-connection. I expect someone to respond to my previous
> email on how you can do this.

The above email mistakenly was discarded by the mailing list server. Hopefully
resending this now will allow the conversation to pick up again.

> > On 07/03/2017 15:20, knitzsche wrote:
> > > I don't think the prepare-device script can be used to auto connect,
> > > probably because it runs confined.
> > >
> > > You can request the store to add an auto connection statement to the
> > > snap declaration assertion.
> > >
> > > Cheers
> > > kyleN
> > >
> > > On 03/07/2017 05:19 AM, Nicolino Curalli wrote:
> > > > Hi all,
> > > > I implemented hints from James but it doesn't work.
> > > >
> > > > I create a new gadget snap based on pc gadget for amd64, adding a hook
> > > > directory with a prepare-device hook script.
> > > > I make this script executable.
> > > > I build an image containing my gadget (domotz-pc), pc-kernel and nmap
> > > > snap from store.
Re: workaround for connect no autoconnect interfaces without login on system
Resending since this (and a few other emails) got caught up in a filter that
was recently activated for this list.

On Tue, 2017-03-07 at 08:36 -0600, Jamie Strandboge wrote:
> On Tue, 2017-03-07 at 09:19 -0500, knitzsche wrote:
> > I don't think the prepare-device script can be used to auto connect,
> > probably because it runs confined.
> >
> > You can request the store to add an auto connection statement to the
> > snap declaration assertion.
> Well, that is a technical solution but this is a big hammer since it means all
> users of the snap don't have a say in the connection of the interface[1]
> (things are set to manually connect for a reason :).
>
> Gadget developers are supposed to have a voice in what is autoconnected on
> their devices and it seems that Nicolino is asking for advice on how to make
> that happen. This comes up from time to time so once there is a definitive
> answer, this sounds like a great opportunity for some documentation. :)
>
> [1] of course they can manually disconnect after the fact, but users need to
> know to do this
>
> > On 03/07/2017 05:19 AM, Nicolino Curalli wrote:
> > > Hi all,
> > > I implemented hints from James but it doesn't work.
> > >
> > > I create a new gadget snap based on pc gadget for amd64, adding a hook
> > > directory with a prepare-device hook script.
> > > I make this script executable.
> > > I build an image containing my gadget (domotz-pc), pc-kernel and nmap snap
> > > from store.
Re: workaround for connect no autoconnect interfaces without login on system
On 07/03/17 07:05, Nicolino Curalli wrote:
> A question for go ahead from my side:
> how can I request the store to add an auto connection statement to the
> snap declaration assertion ?

On this list, just outline:

* the top-level binary name you think should be claimed
* why that is unlikely to conflict with other potential snaps

As an example, something like 'etcdctl' is very unlikely to conflict with
anything other than a snap of etcd. And something like 'vi' is very likely to
have a LOT of people thinking hard about how to manage conflicts.

If in doubt, snap.command is still the best way to avoid conflicts altogether.

Mark
Re: workaround for connect no autoconnect interfaces without login on system
Hi all,
I implemented hints from James but it doesn't work.

I create a new gadget snap based on pc gadget for amd64, adding a hook directory with a prepare-device hook script.
I make this script executable.
I build an image containing my gadget (domotz-pc), pc-kernel and nmap snap from store.

The layout of my new gadget snap (named domotz-pc) just installed is:

./

-rwxr-xr-x 1 root root 753 Mar 7 00:04 meta/gadget.yaml
-rw-r--r-- 1 root root 230 Mar 7 09:11 meta/snap.yaml

meta/gui:

-rwxr-xr-x 1 root root 39908 Nov 30 08:18 icon.png

meta/hooks:

-rwxr-xr-x 1 root root 134 Mar 7 09:09 prepare-device

The prepare-device script content is:

--
#!/bin/sh

# enabling network-control interface slot for nmap network-control plug
snap connect nmap:network-control :network-control
--

After the registration of the board by console-conf I find the following situation on the interface side:

:network nmap
:network-bind nmap
- nmap:network-control

instead of

:network nmap
:network-bind nmap
:network-control nmap

as I wish.

I also have the following error from AppArmor:

Mar 7 02:23:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353: DEBUG: Running task 77 on Do: Run prepare-device hook
Mar 7 02:23:10 localhost kernel: [11351843419.508357] audit: type=1400 audit(1488853390.962:25): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1428 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 7 02:23:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG: 2017-03-07T02:23:10Z ERROR run hook "prepare-device": /snap/domotz-pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-pc/x1/meta/hooks/prepare-device: snap: Permission denied
Mar 7 02:28:08 localhost systemd[1]: Starting Update resolvconf for networkd DNS...
Mar 7 02:28:08 localhost systemd-timesyncd[795]: Network configuration changed, trying to establish connection.
Mar 7 02:28:08 localhost systemd[1]: Started Update resolvconf for networkd DNS.
Mar 7 02:28:08 localhost systemd-timesyncd[795]: Synchronized to time server 91.189.94.4:123 (ntp.ubuntu.com).
Mar 7 02:28:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353: DEBUG: Running task 80 on Do: Run prepare-device hook
Mar 7 02:28:10 localhost kernel: [11351843719.476882] audit: type=1400 audit(1488853690.938:26): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1455 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 7 02:28:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG: 2017-03-07T02:28:10Z ERROR run hook "prepare-device": /snap/domotz-pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-pc/x1/meta/hooks/prepare-device: snap: Permission denied
Mar 7 02:33:07 localhost systemd[1]: Starting Update resolvconf for networkd DNS...
Mar 7 02:33:07 localhost systemd-timesyncd[795]: Network configuration changed, trying to establish connection.
Mar 7 02:33:07 localhost systemd[1]: Started Update resolvconf for networkd DNS.
Mar 7 02:33:07 localhost systemd-timesyncd[795]: Synchronized to time server 91.189.94.4:123 (ntp.ubuntu.com).
Mar 7 02:33:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353: DEBUG: Running task 83 on Do: Run prepare-device hook
Mar 7 02:33:10 localhost kernel: [11351844019.491749] audit: type=1400 audit(1488853990.964:27): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1475 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 7 02:33:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG: 2017-03-07T02:33:10Z ERROR run hook "prepare-device": /snap/domotz-pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-pc/x1/meta/hooks/prepare-device: snap: Permission denied
Mar 7 02:38:07 localhost systemd[1]: Starting Update resolvconf for networkd DNS...
Mar 7 02:38:07 localhost systemd-timesyncd[795]: Network configuration changed, trying to establish connection.
Mar 7 02:38:07 localhost systemd[1]: Started Update resolvconf for networkd DNS.
Mar 7 02:38:07 localhost systemd-timesyncd[795]: Synchronized to time server 91.189.94.4:123 (ntp.ubuntu.com).
Mar 7 02:38:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353: DEBUG: Running task 86 on Do: Run prepare-device hook
Mar 7 02:38:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG: 2017-03-07T02:38:10Z ERROR run hook "prepare-device": /snap/domotz-pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-pc/x1/meta/hooks/prepare-device: snap: Permission denied
Mar 7 02:38:10 localhost kernel: [11351844319.456207] audit: type=1400 audit(1488854290.935:28): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1496 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

It seems that is not
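
Added example, not part of the original post or of snapd: a small Python parser for the AppArmor audit records in the log above, which names the confined snap hook, the denied operation and its target, and measures how often the denial recurs. The function names are hypothetical, and the `snap.<snap>.hook.<hook>` label layout is inferred from the profile string shown in the log.

```python
import re
from collections import Counter

# Sample input: three audit records copied from the log in the post (each on
# one line) plus one unrelated systemd line that the parser must skip.
SAMPLE_LOG = """\
Mar 7 02:23:10 localhost kernel: [11351843419.508357] audit: type=1400 audit(1488853390.962:25): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1428 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 7 02:28:08 localhost systemd[1]: Started Update resolvconf for networkd DNS.
Mar 7 02:28:10 localhost kernel: [11351843719.476882] audit: type=1400 audit(1488853690.938:26): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1455 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 7 02:33:10 localhost kernel: [11351844019.491749] audit: type=1400 audit(1488853990.964:27): apparmor="DENIED" operation="exec" profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap" pid=1475 comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

AUDIT_RE = re.compile(r"audit: type=1400 audit\((?P<epoch>\d+\.\d+):\d+\): (?P<body>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed label layout: snap.<snap>.<app> or snap.<snap>.hook.<hook>
LABEL_RE = re.compile(r"^snap\.(?P<snap>[^.]+)\.(?:hook\.(?P<hook>[^.]+)|(?P<app>[^.]+))$")

def parse_denials(text):
    """Return one dict per AppArmor DENIED audit record found in text."""
    out = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an AppArmor (type=1400) audit record
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        if rec.get("apparmor") != "DENIED":
            continue
        rec["epoch"] = float(m.group("epoch"))
        label = LABEL_RE.match(rec.get("profile", ""))
        rec["snap"] = label.group("snap") if label else None
        rec["hook"] = label.group("hook") if label else None
        out.append(rec)
    return out

def summarize(denials):
    """Count denials per (snap, hook, operation, target path, denied mask)."""
    return Counter(
        (d["snap"], d["hook"], d.get("operation"), d.get("name"), d.get("denied_mask"))
        for d in denials
    )

def retry_intervals(denials):
    """Seconds between consecutive denials, rounded to whole seconds."""
    e = sorted(d["epoch"] for d in denials)
    return [round(b - a) for a, b in zip(e, e[1:])]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for (snap, hook, op, target, mask), n in summarize(found).items():
        print(f"{n}x snap={snap} hook={hook} op={op} target={target} mask={mask}")
    print("seconds between denials:", retry_intervals(found))
```

On the sample, every record is the same `exec` denial of `/usr/bin/snap` from the `prepare-device` hook of `domotz-pc`, recurring about every 300 seconds, which matches the repeated "Run prepare-device hook" tasks in the log.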
workaround for connect no autoconnect interfaces without login on system
Hi,
Can anyone give me advice about the following problem?

I am porting an application for network monitoring to snap format for packaging and distribution.
The application should use the following interfaces provided from the core/ubuntu-core snap:

- network (autoconnect)
- network-bind (autoconnect)
- network-control (no autoconnect)
- network-observe (no autoconnect)
- network-control (no autoconnect)
- network-manager (no autoconnect)
- network-observe (no autoconnect)
- network-setup-observe (no autoconnect)
- gpio (no autoconnect)

The current user experience for our appliance requires that the user doesn't log in on it to make operations about network configuration: a solution with the snap connect tool on the login console doesn't work for us.

I should replicate the user experience on the snap version of our package.
In this whitepaper [1] I can read the following sentence: "the gadget developer may autoconnect preinstalled snaps".
Unfortunately I don't see a standard tool in the gadget documentation for the setup of my use case.

Can anyone suggest a possible solution/workaround built with snap and core tools?

Note: the use case is similar to the canonical wifi-ap snap.

Thanks for any advice.
Nicolino

[1] http://people.canonical.com/~davidcalle/core/Whitepaper:%20Ubuntu%20Core%2016%20-%20Security.pdf