Calling app in configure script

fiber · November 21, 2020, 8:15pm

How do I call one of the apps in my snap in the configure script?

I need to (re)authorize to a Backblaze B2 bucket whenever the user changes their keys, the keys are stored via the snap set/get system so it makes sense the configure script would take care of this.

My snapcraft.yaml:

# ---- 8< snip ---
  b2:
    command: usr/bin/python3 $SNAP/bin/b2
    plugs:
      - network-bind
# ---- 8< snip ---

In my executable hooks/configure script:

#!/bin/sh -e
KEY="$(snapctl get key)"
snap run "$SNAP_NAME".b2 authorize-account $KEY

But when installing the snap via --dangerous I get /snap/xxx/x1/meta/hooks/configure: /snap/xxx/x1/meta/hooks/configure: snap: Permission denied.

This command needs network access, does the configure hook get network access?

ogra · November 22, 2020, 9:21am

you can give the hook itself the reqiored permissions, try adding (at the toplevel of your snapcraft.yaml):

hooks:
  configure:
    plugs: [ network ]

(perhaps also ```network-bind``)

and indeed the hook script needs to be executable

fiber · November 22, 2020, 11:42am

Thanks for the help but it still doesn’t work. I simplified my snapacraft.yaml and configure script a bit more.

The snapcraft.yaml:

name: xxx
version: xxx
summary: xxx
description: xxx
base: core18
grade: stable
confinement: strict
hooks:
  configure:
     plugs: [ network, network-bind ]
apps:
  b2:
    command: usr/bin/python3 $SNAP/bin/b2
    plugs: [ network-bind ]
parts:
  b2:
    plugin: python
    python-packages: [ b2 ]

And super simple hooks/configure script:

#!/bin/sh -e
ping -c 1 example.com

A clean rebuild still gives me a

/snap/xxx/x1/meta/hooks/configure: /snap/xxx/x1/meta/hooks/configure: ping: Permission denied` error

ogra · November 22, 2020, 11:50am

ah, ping is special … not sure you can overcome this, ping requires to be suid root, but none of the confinement rules will allow that … (you could try to ship ping yourself and call it from inside the $SNAP path but i’m not sure if it will work (snapcraft would strip the suid bit))

fiber · November 22, 2020, 2:03pm

Stupid me, I don’t really need ping, I was just looking for the smallest example I could use to illustrate the problem. I would like to us the Backblaze B2 CLI.

I don’t think it’s related to the network access. How do I call an application from the snap in the configure script?

name: test
version: "0.1"
summary: Test
description: Test
base: core18
grade: stable
confinement: strict
apps:
  b2:
    command: usr/bin/python3 $SNAP/bin/b2
    plugs: [ network-bind ]
hooks:
  configure:
    plugs: [ network ]
parts:
  b2:
    plugin: python
    python-packages: [ b2 ]

And the configure script:

#!/bin/sh -e
snap run "$SNAP_NAME".b2 -h

Gives a permission denied even though the b2 -h simply prints the help, without accessing the network.

lucyllewy · November 22, 2020, 3:26pm

You cannot use snap run from inside a Snap package’s world-view. You should instead use the direct path inside your snap to call b2 directly. e.g. $SNAP/usr/bin/python3 $SNAP/bin/b2

fiber · November 22, 2020, 5:12pm

Thank you both. I had 2 issues: one was the missing hooks: authorization in my snapcraft.yaml, the other was trying to use snap run in my configure script.

Off-topic but @ogra and @lucyllewy, I see both of your names in almost every single thread in this forum. Thank you for the countless hours you both undoubtedly spent helping people out.