Auto-connection request for deskconnd

My snap deskconnd needs to auto-connect to the runtime-dir interface provided by the crossbar snap.

I am the upstream for both snaps.

Here is a pull request that added the runtime-dir interface to the crossbar snap: https://github.com/crossbario/crossbar/pull/1635

+1 from me as reviewer, but we’d need to validate om26er’s ownership of the two snaps which I’d prefer to have more eyes from @reviewers on.

Also, cross-publisher auto-connects are somewhat tricky, I’d like Jamie’s take on that.

Cheers,

- Daniel

Since you are (effectively) the same publisher, I have granted auto-connect to deskconnd. This is now live. Please verify the auto-connect is working correctly as well as auto-connection for the socket directories these snaps provide.

@jdstrand, thanks for looking into this. I just tried to install deskconnd; it installed and connected to the interface successfully, but there is an issue: the runtime-dir interface shares two directories, as you can see here https://github.com/crossbario/crossbar/blob/master/snap/snapcraft.yaml#L61. The first one appears correctly, but for the second one snapd fails to create the directory. I have pasted the relevant logs:

(venv) om26er@chaotic:~$ snap logs deskconnd
2019-09-26T15:49:36Z deskconnd.deskconnd[9348]: 2019-09-26T20:49:36+0500 [Controller   9380] Checking for node shutdown: worker_exit_success=True, shutdown_requested=False, node_shutdown_triggers=['shutdown_on_worker_exit']
2019-09-26T15:49:36Z deskconnd.deskconnd[9348]: 2019-09-26T20:49:36+0500 [Controller   9380] Node worker ended, and trigger 'shutdown_on_worker_exit' is active: will shutdown node ..
2019-09-26T15:49:36Z deskconnd.deskconnd[9348]: 2019-09-26T20:49:36+0500 [Controller   9380] Node shutdown requested (restart=False, mode=None, reactor.running=True) ..
2019-09-26T15:49:36Z systemd[1]: snap.deskconnd.deskconnd.service: Succeeded.
2019-09-26T15:49:36Z systemd[1]: Stopped Service for snap application deskconnd.deskconnd.
2019-09-26T15:49:52Z systemd[1]: Started Service for snap application deskconnd.deskconnd.
2019-09-26T15:49:52Z deskconnd.deskconnd[10146]: update.go:96: cannot change mount namespace according to change mount (/snap/crossbar/988/bin /var/snap/deskconnd/common/crossbar-runtime-dir-2 none bind,ro 0 0): cannot create directory "/var/snap/deskconnd/common/crossbar-runtime-dir-2": permission denied
2019-09-26T15:49:52Z deskconnd.deskconnd[10146]: /snap/deskconnd/46/server.sh: line 5: crossbar: command not found
2019-09-26T15:49:52Z systemd[1]: snap.deskconnd.deskconnd.service: Main process exited, code=exited, status=127/n/a
2019-09-26T15:49:52Z systemd[1]: snap.deskconnd.deskconnd.service: Failed with result 'exit-code'.

If I disconnect and reconnect the interface manually the second directory gets created as well, so I assume the issue is on the store side.

Thanks for checking. Note there is only one slot and the slot is granted auto-connect. Here is the relevant snap declaration:

$ snap download deskconnd
$ cat ./deskconnd_28.assert
...
type: snap-declaration
format: 2
authority-id: canonical
revision: 2
series: 16
snap-id: Jta8XHniqGVhSHyRu7p17mgXP40wFT1Y
plugs:
  avahi-control:
    allow-auto-connection: true
  content:
    allow-auto-connection:
      -
        plug-attributes:
          content: $SLOT(content)
        slot-attributes:
          content: avahi-services
        slot-snap-id:
          - dVK2PZeOLKA7vf1WPCap9F8luxTk9Oll
      -
        plug-attributes:
          content: $SLOT(content)
        slot-attributes:
          content: runtime-dir
        slot-snap-id:
          - CQABYoGge9Vs2HVu3GqpPrH1NloZyML2
      -
        plug-attributes:
          content: $SLOT(content)
        plug-publisher-id:
          - $SLOT_PUBLISHER_ID
...

@zyga-snapd, there seems to be a bug in that only one of the two directories specified for the single content slot is created.

@om26er - are there any security policy violations at the time of the permission denied error?

Just checked and there is nothing “DENIED” in dmesg’s latest.

[430260.758764] audit: type=1400 audit(1569521390.173:1222): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.deskconnd" pid=15364 comm="apparmor_parser"
[430260.804260] audit: type=1400 audit(1569521390.221:1223): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.deskconnd.pair" pid=15366 comm="apparmor_parser"
[430260.804569] audit: type=1400 audit(1569521390.221:1224): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.deskconnd.deskconnd" pid=15365 comm="apparmor_parser"
[430261.230657] audit: type=1400 audit(1569521390.645:1225): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7713/usr/lib/snapd/snap-confine" pid=15404 comm="apparmor_parser"
[430261.230659] audit: type=1400 audit(1569521390.645:1226): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7713/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=15404 comm="apparmor_parser"
[430261.234359] audit: type=1400 audit(1569521390.649:1227): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=15406 comm="apparmor_parser"
[430261.235048] audit: type=1400 audit(1569521390.649:1228): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=15407 comm="apparmor_parser"
[430261.685004] audit: type=1400 audit(1569521391.101:1229): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.deskconnd.pair" pid=15423 comm="apparmor_parser"
[430261.685812] audit: type=1400 audit(1569521391.101:1230): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.deskconnd.deskconnd" pid=15422 comm="apparmor_parser"
[430261.689363] audit: type=1400 audit(1569521391.105:1231): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.deskconnd" pid=15425 comm="apparmor_parser"
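The check requested above (any AppArmor denial for this snap around the failure) can be scripted instead of read by eye. This is an added example, not part of any post in the thread; the three STATUS lines are copied from the dmesg output above, the DENIED line is constructed for illustration and did not occur here, and the function names are hypothetical.

```python
import re

# Copied from the dmesg output quoted in the thread.
FROM_THREAD = '''\
[430260.758764] audit: type=1400 audit(1569521390.173:1222): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.deskconnd" pid=15364 comm="apparmor_parser"
[430260.804569] audit: type=1400 audit(1569521390.221:1224): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.deskconnd.deskconnd" pid=15365 comm="apparmor_parser"
[430261.234359] audit: type=1400 audit(1569521390.649:1227): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=15406 comm="apparmor_parser"
'''
# Constructed sample (NOT from the thread): what a denial would look like.
CONSTRUCTED_DENIAL = '''\
[430262.000000] audit: type=1400 audit(1569521392.000:1300): apparmor="DENIED" operation="mkdir" profile="snap-update-ns.deskconnd" name="/var/snap/deskconnd/common/crossbar-runtime-dir-2/" pid=10146 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def snap_profiles(snap):
    """Match a snap's app/hook profiles and its snap-update-ns helper profile."""
    name = re.escape(snap)
    return re.compile(r'^(snap\.%s\..+|snap-update-ns\.%s)$' % (name, name))

def denials_for(snap, text):
    """List DENIED events whose confined subject belongs to `snap`."""
    wanted = snap_profiles(snap)
    found = []
    for line in text.splitlines():
        f = parse_audit(line)
        # In a DENIED event profile= is the confined process and name= is the
        # object it touched. In STATUS profile_replace events the roles differ:
        # profile= is the loader ("unconfined") and name= is the profile loaded.
        if f.get("apparmor") == "DENIED" and wanted.match(f.get("profile", "")):
            found.append((f["profile"], f.get("operation"),
                          f.get("name"), f.get("denied_mask")))
    return found

if __name__ == "__main__":
    print(denials_for("deskconnd", FROM_THREAD))                       # thread lines only
    print(denials_for("deskconnd", FROM_THREAD + CONSTRUCTED_DENIAL))  # with the sample
```

Matching on `profile=` rather than grepping for the snap name keeps the STATUS reload noise out and still catches the `snap-update-ns.<snap>` helper, which is the process that sets up the mount namespace.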

@jdstrand I triggered a build for deskconnd and the build was rejected after building https://dashboard.snapcraft.io/snaps/deskconnd/revisions/49/

declaration malformed (unknown constraint key 'plug-publisher-id') declaration-snap-v2_valid_plugs (content, allow-auto-connection_plug-publisher-id)

The same applies to deskconn and piconn snaps.
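The rejection above comes from a constraint key sitting on the wrong side of the declaration. This added example (not the store's review code, and not from any poster) lints the declaration quoted earlier in the thread, transcribed into a Python dict. The key sets and publisher variables reflect snapd's snap-declaration format as an assumption of this example; the thread does not show the corrected declaration.

```python
# Declaration from the thread, transcribed by hand into Python data.
DECL = {"plugs": {
    "avahi-control": {"allow-auto-connection": "true"},
    "content": {"allow-auto-connection": [
        {"plug-attributes": {"content": "$SLOT(content)"},
         "slot-attributes": {"content": "avahi-services"},
         "slot-snap-id": ["dVK2PZeOLKA7vf1WPCap9F8luxTk9Oll"]},
        {"plug-attributes": {"content": "$SLOT(content)"},
         "slot-attributes": {"content": "runtime-dir"},
         "slot-snap-id": ["CQABYoGge9Vs2HVu3GqpPrH1NloZyML2"]},
        {"plug-attributes": {"content": "$SLOT(content)"},
         "plug-publisher-id": ["$SLOT_PUBLISHER_ID"]},
    ]},
}}

# Assumption: a rule under plugs: constrains the peer slot with slot-* keys,
# and a rule under slots: constrains the peer plug with plug-* keys.
PEER_KEYS = {
    "plugs": {"slot-snap-type", "slot-publisher-id", "slot-snap-id"},
    "slots": {"plug-snap-type", "plug-publisher-id", "plug-snap-id"},
}
# Assumption: the "same publisher" variable that pairs with each key.
PUBLISHER_VAR = {"slot-publisher-id": "$PLUG_PUBLISHER_ID",
                 "plug-publisher-id": "$SLOT_PUBLISHER_ID"}

def lint(decl):
    """Report peer constraints placed under the wrong side of a declaration."""
    findings = []
    for side, other in (("plugs", "slots"), ("slots", "plugs")):
        for iface, rules in decl.get(side, {}).items():
            for rule_name, rule in rules.items():
                # A rule is "true"/"false", one map, or a list of alternatives.
                alternatives = rule if isinstance(rule, list) else [rule]
                for index, alt in enumerate(alternatives):
                    if not isinstance(alt, dict):
                        continue
                    for key in alt:
                        if key in PEER_KEYS[other]:
                            # Mirror plug-* <-> slot-* to get the valid key.
                            fixed = ("slot" if key.startswith("plug") else "plug") + key[4:]
                            findings.append((side, iface, rule_name, index, key,
                                             fixed, PUBLISHER_VAR.get(fixed)))
    return findings

if __name__ == "__main__":
    for finding in lint(DECL):
        print(finding)
```

The last field of each finding is the variable that pairs with the mirrored key, since a publisher constraint moved to the other side also needs its `$..._PUBLISHER_ID` value swapped.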

Fixed these and gpiod and everything now passes automated review. We had an internal documentation typo that caused the issue with the review (which I’ve fixed).

Sorry for the hiccup (snap declarations of this sort can be rather delicate). Thanks for reporting it!

Thanks guys for fixing!

rgd snap ownership:

  • deskconnd: that is Omer’s baby - he fully owns it personally
  • crossbar (https://github.com/crossbario/crossbar): Omer is part of our developer team and (also) took responsibility for the crossbar snap release management (and other snaps we publish) - IOW: no worries, this is fine (I am original dev of and ceo at crossbar)