Allow use of system-files interface for prometheus-apt-exporter

The prometheus-apt-exporter snap is developed by the Canonical Bootstack team.

The snap will be part of our monitoring to check package status across the cluster.

We would like to request permission to use the system-files interface for the plug defined in the snap's snapcraft.yaml:

plugs:
  apt-exporter-files:
    interface: system-files
    read:
      - /usr/share/dpkg/cputable
      - /usr/share/dpkg/tupletable
      - /var/lib/snapd/hostfs/var/lib/apt/lists
      - /var/lib/snapd/hostfs/var/lib/dpkg/status
      - /var/lib/snapd/hostfs/var/lib/apt/extended_states
      - /var/lib/snapd/hostfs/var/cache/apt/srcpkgcache.bin
      - /var/lib/snapd/hostfs/etc/apt/apt.conf.d
      - /var/lib/snapd/hostfs/etc/apt/sources.list
      - /var/lib/snapd/hostfs/etc/apt/sources.list.d
      - /var/lib/snapd/hostfs/etc/apt/preferences.d
    write:
      - /var/lib/snapd/hostfs/var/cache/apt

The files /usr/share/dpkg/cputable and /usr/share/dpkg/tupletable are required by the python-apt package; the other files are required by pkg-exporter.

/var/lib/snapd/hostfs can be read using system-backup.

I would be surprised if the snap mount namespace contains the real host’s /usr/share/dpkg - so instead I think it would be best to use a layout and use stage-packages to include dpkg within your snap and then you can use that instead without needing system-files.

Finally, that only leaves /var/lib/snapd/hostfs/var/cache/apt - would it be possible to instead take a copy of this (via the access provided by system-backup) and place it in say $SNAP_COMMON/cache/apt or somesuch so that it is then writable and then use this snap-specific local path within your snap?

Thanks for your suggestions. I applied them and was able to rewrite my charm without using system-files and to release my snap on the Snap Store. The snap now uses system-backup to access the apt and dpkg files and generates Prometheus metrics exposed through an HTTP server. Generating Prometheus metrics needs the system-backup interface connected before first startup.

Please grant system-backup auto-connections for this snap.

Apologies @hicham - after looking at this a second time I wonder if perhaps the use of system-backup may be the wrong approach - since this grants read access to everything on the device including private data etc - so perhaps your original approach of using system-files for the contents required under /var/lib/ and /etc/apt etc would be better as it ensures that only these files can be read by the snap rather than everything on the device.

Would it be possible to change back to using system-files for these files?

In that case, +1 from me for use of and auto-connect of a system-files plug named host-apt-contents with read access to:

      - /var/lib/snapd/hostfs/var/lib/apt/lists
      - /var/lib/snapd/hostfs/var/lib/dpkg/status
      - /var/lib/snapd/hostfs/var/lib/apt/extended_states
      - /var/lib/snapd/hostfs/var/cache/apt/srcpkgcache.bin
      - /var/lib/snapd/hostfs/etc/apt/apt.conf.d
      - /var/lib/snapd/hostfs/etc/apt/sources.list
      - /var/lib/snapd/hostfs/etc/apt/sources.list.d
      - /var/lib/snapd/hostfs/etc/apt/preferences.d

+1 on use of system-files for read access to the files mentioned by Alex:

  • Daniel

+2 votes for, 0 votes against, granting auto-connect of system-files using the iface reference host-apt-contents with read access to:

This is now live.

@hicham what’s still needed for this to properly work is:

  • Rename the interface reference from apt-exporter-files to host-apt-contents as suggested (so it better represents the access granted)

  • Use a layout to access /usr/share/dpkg/cputable and /usr/share/dpkg/tupletable instead of system-files

Once you complete that, it should pass automated review. Let us know if you have any issues or concerns.

Thanks!
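As an added illustration (not the project's published snapcraft.yaml, which is not shown in this thread), this is what a snapcraft.yaml fragment implementing both of the changes listed above looks like: the plug renamed to host-apt-contents with read-only access to exactly the granted paths, no write entry, and dpkg staged into the snap with a layout binding it over /usr/share/dpkg so python-apt finds cputable and tupletable without system-files. The base, part name, app name and command are assumptions.

```yaml
# Added example, not the project's own snapcraft.yaml.
# base, parts and apps below are assumptions; the plug name and read paths
# are the ones granted in the thread.
name: prometheus-apt-exporter
base: core20
confinement: strict

plugs:
  # Renamed from apt-exporter-files so the name reflects what is granted:
  # read-only access to the host's apt/dpkg state through the hostfs mount.
  # Deliberately no `write:` entry; the earlier write access to
  # hostfs/var/cache/apt is replaced by a snap-local copy under $SNAP_COMMON.
  host-apt-contents:
    interface: system-files
    read:
      - /var/lib/snapd/hostfs/var/lib/apt/lists
      - /var/lib/snapd/hostfs/var/lib/dpkg/status
      - /var/lib/snapd/hostfs/var/lib/apt/extended_states
      - /var/lib/snapd/hostfs/var/cache/apt/srcpkgcache.bin
      - /var/lib/snapd/hostfs/etc/apt/apt.conf.d
      - /var/lib/snapd/hostfs/etc/apt/sources.list
      - /var/lib/snapd/hostfs/etc/apt/sources.list.d
      - /var/lib/snapd/hostfs/etc/apt/preferences.d

layout:
  # python-apt reads /usr/share/dpkg/{cputable,tupletable}. Bind the copy
  # shipped inside the snap over that path instead of reading the host's.
  /usr/share/dpkg:
    bind: $SNAP/usr/share/dpkg

parts:
  # Assumed part name. Stages dpkg so $SNAP/usr/share/dpkg exists for the layout.
  # The exporter's own part (python code, python3-apt) is omitted here.
  host-tools:
    plugin: nil
    stage-packages:
      - dpkg

apps:
  # Assumed app name and command.
  exporter:
    command: bin/prometheus-apt-exporter
    daemon: simple
    plugs:
      - host-apt-contents
      - network-bind
```

After installing the resulting snap, `snap connections prometheus-apt-exporter` should list host-apt-contents connected to the :system-files slot automatically; if it shows as disconnected, the auto-connect declaration has not yet applied to that revision and `snap connect prometheus-apt-exporter:host-apt-contents` connects it by hand. Because the plug carries only a `read:` list, the snap cannot modify the host's apt state even when connected, which is the point of preferring it over system-backup.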

Hi @hicham,

I see the changes have been incorporated and the latest revisions are successfully published. I am therefore removing this request from our review queue. Let us know if you have any further questions.

Thanks!