Access nmcli command from network-manager via interface

Can you give us the exact output you get from nmcli?

I have resolved my issues now. It was to do with the connection id being incorrectly parsed (i.e. a problem in the Java code).
Thanks for your help.

To connect the network interface you need to run the command `snap connect SNAPNAME:network-manager network-manager:service` in Ubuntu Core!

Can anyone explain to me WHY does snapcraft need to bundle the network-manager binary with my snap package, even though all I need is to execute nmcli command on the target machine?

The resulting snap package is some 22 MB, even though my actual stuff is tiny.

Thanks!

the network-manager interface only allows access to network-manager's dbus (for added security i believe, @jdstrand might have deeper insight), while you could indeed poke dbus directly from your snap, shipping nmcli is more convenient … note though that you don't need to ship the full network manager package, you could as well write a part that singles out the nmcli command only, runs an ldd on it and makes sure the correct libs to run it are included in your snap, i guess that would be significantly smaller.

@ogra, is that assumption still valid? We are working on a project we started developing under classic Ubuntu Server 20.04.01 for armhf while we are preparing our images to migrate to Core, but we are having serious problems using the snap-based Network-Manager. Suddenly I saw your comments here, which sync with what I have been seeing using the Network-Manager deb on Classic, so, is it true that classic should rely on the network-manager deb if we need to talk to network-manager from inside our application confinement (DBUS or nmcli)?

i actually believe both should work (NM deb as well as snap) on classic … from inside your snap env you will only be able to talk through dbus to the outside world, i do not think anything changed in the network-manager interface in that regard, so yes, it is still direct dbus calls or using nmcli (which actually just acts as frontend to dbus here).

@ogra, thanks for your reply. On classic, we are not able to talk to the Network-Manager snap, always getting the “AppArmour” denying, although if I try the Network-Manager deb it works fine. I am having the following plugins, do you think anything is missing? We are also talking with modem-manager with no problem at all, only network-manager is being denied.

plugs:
  - network-control
  - firewall-control
  - network-bind
  - network-manager
  - network-setup-control
  - hardware-observe
  - network-setup-observe
  - network-observe
  - ppp

lets ask @abeato (as the NM specialist here) if this is supposed to work then …

do you have the deb still installed when trying with the snap or do you cleanly remove it ?

All tests were done in a clear image, no network-manager deb installed; we later on installed it to check the results and re-flashed the unit back. But what really called my attention was the fact that the AppArmor Network Manager profile has the lines for accessing NetworkManager1 and ObjectManager and they seem to be denied by AppArmor:

AppArmor network-manager profile

```
# Allow traffic to/from our DBus path
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label="snap.xxx-application.{ModemProxy,nmcli}"),

# Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager
# for clients to easily obtain all (and be alerted to added/removed) objects
# from the service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label="snap.xxx-application.{ModemProxy,nmcli}"),
```

Execution from the xxx-application.nmcli

```
Apr 13 08:56:15 ubuntu kernel: audit: type=1326 audit(1618304175.467:785): auid=1000 uid=0 gid=0 ses=5 pid=24647 comm="nmcli" exe="/snap/xxx-application/x3/bin/nmcli" sig=0 arch=40000028 syscall=380 compat=0 ip=0xb6b5c692 code=0x50000
Apr 13 08:56:15 ubuntu audit[1549]: USER_AVC pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu audit[1549]: USER_AVC pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" name=":1.75" mask="receive" pid=24175 label="snap.network-manager.networkmanager" peer_pid=24647 peer_label="snap.xxx-application.nmcli" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu kernel: audit: type=1107 audit(1618304175.479:786): pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu kernel: audit: type=1107 audit(1618304175.479:787): pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" name=":1.75" mask="receive" pid=24175 label="snap.network-manager.networkmanager" peer_pid=24647 peer_label="snap.xxx-application.nmcli" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu kernel: audit: type=1107 audit(1618304175.479:788): pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetPermissions" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu audit[1549]: USER_AVC pid=1549 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetPermissions" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Apr 13 08:56:15 ubuntu systemd[1]: snap.xxx-application.nmcli.6071dd25-5f8f-4419-a4ed-2ccd6db40747.scope: Succeeded.
Apr 13 08:56:15 ubuntu sudo[24643]: pam_unix(sudo:session): session closed for user root
Apr 13 08:56:44 ubuntu sudo[24677]: avnet : TTY=pts/0 ; PWD=/home/avnet ; USER=root ; COMMAND=/usr/bin/vi /var/lib/snapd/apparmor/profiles/snap.network-manager.networkmanager
Apr 13 08:56:44 ubuntu sudo[24677]: pam_unix(sudo:session): session opened for user root by avnet(uid=0)
```

I added nmcli to create an example to demonstrate our error. Even though there is a clear session on Network-Manager on Classic Ubuntu, our application is not able to communicate. The same is not true on Core, though: as soon as I connect to network-manager:service everything starts to work.

About our application, we have a brand store and an app with strict confinement.

Thanks in advance,
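
An added example (not part of the original posts, and not snapd or AppArmor code): a small triage script for journal output like the log quoted above. It pulls the AppArmor D-Bus denials out, collapses repeated records, and lists which profile file refused which call. The sample lines are constructed by abridging that log, and the profile directory is the one visible in its `sudo` entry.

```python
import re

PROFILE_DIR = "/var/lib/snapd/apparmor/profiles"  # directory seen in the quoted log
FIELD = re.compile(r'(\w+)="([^"]*)"')
KEYS = ("label", "mask", "peer_label", "path", "interface", "member")

# Constructed sample: records abridged from the log quoted in the thread,
# plus its seccomp (type=1326) line, which is not an AppArmor denial.
SAMPLE = '''\
Apr 13 08:56:15 ubuntu kernel: audit: type=1326 audit(1618304175.467:785): auid=1000 uid=0 pid=24647 comm="nmcli" exe="/snap/xxx-application/x3/bin/nmcli" sig=0 syscall=380
Apr 13 08:56:15 ubuntu audit[1549]: USER_AVC pid=1549 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager"'
Apr 13 08:56:15 ubuntu audit[1549]: USER_AVC pid=1549 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" name=":1.75" mask="receive" pid=24175 label="snap.network-manager.networkmanager" peer_pid=24647 peer_label="snap.xxx-application.nmcli"'
Apr 13 08:56:15 ubuntu kernel: audit: type=1107 audit(1618304175.479:786): pid=1549 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager"'
Apr 13 08:56:15 ubuntu kernel: audit: type=1107 audit(1618304175.479:788): pid=1549 uid=103 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetPermissions" mask="send" name=":1.62" pid=24647 label="snap.xxx-application.nmcli" peer_pid=24175 peer_label="snap.network-manager.networkmanager"'
'''

def denials(text):
    """Return the unique AppArmor D-Bus denials as tuples ordered like KEYS."""
    seen = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line or 'operation="dbus_' not in line:
            continue  # skips seccomp, systemd and sudo entries
        fields = dict(FIELD.findall(line))
        rec = tuple(fields.get(k, "?") for k in KEYS)
        if rec not in seen:  # the journal carries each record more than once
            seen.append(rec)
    return seen

def profiles_to_check(text):
    """Map each denying profile file to the (mask, member) pairs it refused.

    `label` is the confinement whose policy was evaluated: the sender for
    mask="send", the receiver for mask="receive".
    """
    out = {}
    for label, mask, _peer, _path, _iface, member in denials(text):
        out.setdefault(f"{PROFILE_DIR}/{label}", []).append((mask, member))
    return out

if __name__ == "__main__":
    for rec in denials(SAMPLE):
        print(dict(zip(KEYS, rec)))
    for profile, refused in profiles_to_check(SAMPLE).items():
        print(profile, refused)
```

On a live system the same functions can be fed the output of `journalctl -k` or `journalctl _TRANSPORT=audit` instead of `SAMPLE`.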

what is snap connections xxx-application in both cases ?

For confining the problem I was only connecting

sudo snap connect xxx-application:network-manager network-manager:service
sudo snap connect xxx-application:ppp
sudo snap connect xxx-application:network-setup-observe
sudo snap connect xxx-application:wpa
sudo snap connect xxx-application:firewall-control
sudo snap connect xxx-application:hardware-observe
sudo snap connect xxx-application:network-setup-control
sudo snap connect xxx-application:login-session-observe
sudo snap connect xxx-application:network-observe

but I tested network-connection connecting to core:network-connect and both core:network.connect and network-manager:service

no other connection was done to confining the problem.

Did you use --devmode when installing any of the snaps? A catch here is that, for complex reasons, actually installing NM in devmode can be a problem instead of helping. Also, check all connections of both snaps (see Network-manager broken for desktop Ubuntu)

yeah, you are right, --devmode could be problematic for that, there is even a note about it, that is why we do not use --devmode to develop at this stage, only --dangerous or snap try in some cases. Here I tested with --dangerous and asserted snaps downloaded from the store (I was using a branch from an edge channel on our brand store to upload and download the assert and snap file for that test as well), both with the same results

I did check the connections from network-manager, I use to connect the network-manager:nmcli -> network-manager:service so I will know if it is working or not.

```
Interface              Plug                                   Slot                     Notes
dbus                   network-manager:wpa                    -                        -
firewall-control       network-manager:firewall-control       :firewall-control        -
hardware-observe       network-manager:hardware-observe       :hardware-observe        -
login-session-observe  network-manager:login-session-observe  :login-session-observe   -
modem-manager          network-manager:modem-manager          :modem-manager           -
network                network-manager:network                :network                 -
network-manager        xxx-application:network-manager        network-manager:service  manual
network-manager        network-manager:nmcli                  network-manager:service  manual
network-observe        network-manager:network-observe        :network-observe         -
network-setup-control  network-manager:network-setup-control  :network-setup-control   -
network-setup-observe  network-manager:network-setup-observe  :network-setup-observe   -
ppp                    network-manager:ppp                    :ppp                     -
```

From my last test on ubuntu classic 20.04.01 armhf

To illustrate what I am saying, create a snap out of:

```yaml
title: XXX Application
name: xxx-application
base: core20
version: 0.0.1-dev
summary: Provide a summary
description: |
  Provide a description
grade: stable
confinement: strict

apps:
  nmcli:
    command: bin/nmcli
    plugs:
      - network-manager

  mmcli:
    command: usr/bin/mmcli
    plugs:
      - modem-manager

parts:
  nmlci:
    plugin: nil
    stage-packages:
      - network-manager
      - modemmanager
    organize:
      usr/bin/nmcli: bin/nmcli
```

After installing connect only

sudo snap connect xxx-application:network-manager network-manager:service
sudo snap connect xxx-application:modem-manager modem-manager:service 

In my case I have a gsm on my unit:

$ sudo xxx-application.mmcli -L
/org/freedesktop/ModemManager1/Modem/0 [Generic] MBIM [8087:0911]

but nothing is returned from network-manager

$ xxx-application.nmcli g
STATE    CONNECTIVITY  WIFI-HW   WIFI      WWAN-HW   WWAN     
unknown  unknown       disabled  disabled  disabled  disabled 

but doing the same on Ubuntu Core, both work

Best regards,