Can we please change the sdcore-upf snap confinement from devmode to classic?
The User Plane Function (UPF) in a 5G network is the component responsible for routing user plane traffic. Here the source code uses DPDK and requires full network control to route packets. The current available plugs are not enough for it to function correctly (ref here).
The network-control interface should actually give you full capabilities to manage every aspect of the network stack. Is there anything missing that might need to be added to it additionally?
Note that classic confinement will only be granted to snaps that fit into one of the “supported” categories on:
= AppArmor =
Time: 2024-02-01T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
As for the category, I’m not sure where it fits. This is a 5G user plane network traffic router.
= Seccomp =
Time: 2024-06-06T10:0
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2608284 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x70b9552e3531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
= AppArmor =
Time: 2024-06-06T10:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=2608296 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
This is odd since you say you connected the interface but are still getting the denials from AppArmor.
Can you post the full output of snap connections sdcore-upf as well as the full logs from snappy-debug --only-snap sdcore-upf when running the snap? Thanks
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102321 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x79fd10bdd531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102569 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7d41132fc531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102653 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f9036122531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102684 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x733a381d8531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102731 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7b3536ae9531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)
Until a decision is made, can we allow publishing to devmode again? Right now we can’t publish revisions of this snap because of the review process. Here you can see our failing CI:
Well, that doesn’t look like net_admin is in any way related anymore after you added and connected the plug… but rather that a function wants to twiddle with the scheduler which we seemingly do not have an interface for (perhaps @alexmurray has any idea/suggestion)
As @ogra said, the failure you now see doesn’t appear to be due to any specific denial caused by AppArmor or seccomp (unless your application crashes if it fails to call sched_setaffinity() - if it does this seems like a bug and it should gracefully handle this and continue as best it can).
We do not block publishing devmode snaps - what is the error you are seeing on your side when trying to publish this? The only rejections I can see on the store side is due to the use of system-files - which is blocked regardless of the confinement setting until approved here in the forum.
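As an added example (not code from this thread or from the sdcore-upf project), a small Python triage script over the snappy-debug report blocks quoted above. It makes ogra's point mechanically: the net_admin denial is logged against snap-confine's own profile, not the app's, while the seccomp entries carry code=0x50000 (the kernel's SECCOMP_RET_ERRNO), so bessd received an error return from sched_setaffinity rather than being killed. The sample report is assembled from lines quoted in this thread; the classification strings are the script's own.

```python
import re
from collections import Counter

SECCOMP_RET_ERRNO = 0x00050000  # kernel constant: deny by returning an errno to the caller

# Sample report assembled from denials quoted in this thread (constructed for the example).
SAMPLE_REPORT = """\
= AppArmor =
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=2608296 comm="snap-confine" capability=12 capname="net_admin"
= Seccomp =
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2608284 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x70b9552e3531 code=0x50000
= Seccomp =
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102321 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x79fd10bdd531 code=0x50000
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
SYSCALL = re.compile(r'\d+\((\w+)\)')      # e.g. 203(sched_setaffinity)

def parse_report(text):
    """Yield (kind, fields) for every '= Kind =' header followed by a 'Log:' line."""
    kind = None
    for line in text.splitlines():
        if line.startswith("= ") and line.endswith(" ="):
            kind = line.strip("= ")
        elif line.startswith("Log:") and kind:
            fields = {k: v.strip('"') for k, v in KV.findall(line)}
            m = SYSCALL.search(line)
            if m:
                fields["syscall"] = m.group(1)
            yield kind, fields

def classify(kind, f):
    """Say which process was denied and whether the snap's own app was affected."""
    if kind == "AppArmor" and f.get("comm") == "snap-confine":
        # Denied in the launcher's own profile: the app never issued this request.
        return f"snap-confine capable({f.get('capname')}): launcher profile, not an app denial"
    if kind == "AppArmor":
        return f"{f.get('comm')} capable({f.get('capname')}): app needs a matching plug"
    code = int(f.get("code", "0"), 16)
    if code == SECCOMP_RET_ERRNO:
        # The syscall returned an errno instead of killing the process; the app must tolerate it.
        return f"{f.get('subj')} {f.get('syscall')}: returned errno, app should handle the failure"
    return f"{f.get('subj')} {f.get('syscall')}: blocked with code {f.get('code')}"

def triage(text):
    """Count denials per classification so the repeated seccomp entries collapse into one line."""
    return Counter(classify(kind, f) for kind, f in parse_report(text))
```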
/snap/bin/snapcraft upload sdcore-upf_1.4.0_amd64.snap --release 1.4/edge
Uploading... (--->)
Uploading... (<---)
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: error while processing
Issues while processing snap:
- Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.
Full execution log: '/home/runner/.local/state/snapcraft/log/snapcraft-20240620-093900.267311.log'
Error: The process '/snap/bin/snapcraft' failed with exit code 1- Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.
This version of the snap does not have the system-files plug yet, here’s its snapcraft.yaml
Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.
Just follow the instructions from the feedback message of your upload.
Thank you for the late reply, we can ignore this at the moment, things work at the moment and figuring this out is not at the top of our priority list. Have a great weekend!