Change SD-Core UPF snap confinement to classic

store-requests
1

Hello,

Can we please change the sdcore-upf snap confinement from devmode to classic.

The User Plane Function (UPF) in a 5G network is the component responsible for routing user plane traffic. Here the source code uses DPDK and requires full network control to route packets. The current available plugs are not enough for it to function correctly (ref here).

Thank you,

2

The network-control interface should actually give you full capabilities to manage every aspect of the network stack. Is there anything missing that might need to be added to it additionally?

Note that classic confinement will only be granted to snaps that fit into one of the “supported” categories on:

Which category would your snap fit in ?

3

If we can find a way to use plugs and strictly confine the snap I would be happy but this hasn’t worked so far. With the following plugs enabled:

plugs:
  var-run:
    interface: system-files
    write:
    - /var/run/bessd.pid
    - /run/bessd.pid

apps:
  bessd:
    daemon: simple
    install-mode: disable
    command: bin/bessd-start
    plugs:
      - var-run
      - io-ports-control
      - network-control

We would get those apparmor logs

= AppArmor =
Time: 2024-02-01T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

As for the category, I’m not sure where it fits. This is a 5G user plane network traffic router.

4

Well, did you actually connect the network-control interface using the snap connect... command ? It does not auto-connect …

5

Hi @ogra , yes I did connect the interfaces.

The snapcraft reference is here.

Those are the application logs:

2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: Failed to create thread for interrupt handling
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: FATAL: Cannot init interrupt-handling thread
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: Cannot init interrupt-handling thread
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: F0606 10:04:26.300964 2605238 dpdk.cc:172] rte_eal_init() failed: ret = -1 rte_errno = 1 (Operation not permitted)
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: *** Check failure stack trace: ***
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: F0606 10:04:26.305177 2605238 debug.cc:407] Backtrace (recent calls first) ---
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x2012f2) [0x6246c9b982f2]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x72) [0x6246c9b98542]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x39) [0x6246c9bb6109]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x243) [0x6246c9b5f593]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (4): /lib/x86_64-linux-gnu/libc.so.6(+0x29d8e) [0x7849da2e3d8e]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (5): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7e) [0x7849da2e3e3e]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (6): /snap/sdcore-upf/x1/bin/bessd(_start+0x23) [0x6246c9b792c3]

And those are the snappy-debug logs:

= Seccomp =
Time: 2024-06-06T10:0
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2608284 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x70b9552e3531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= AppArmor =
Time: 2024-06-06T10:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=2608296 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
6

This is odd since you say you connected the interface but are still getting the denials from AppArmor.

Can you post the full output of snap connections sdcore-upf as well as the full logs from snappy-debug --only-snap sdcore-upf when running the snap? Thanks

7

Hello @alexmurray

Snap connections

guillaume@potiron:~/code/sdcore-upf-snap$ snap connections sdcore-upf
Interface         Plug                         Slot               Notes
cpu-control       sdcore-upf:cpu-control       :cpu-control       manual
hardware-observe  sdcore-upf:hardware-observe  :hardware-observe  manual
io-ports-control  sdcore-upf:io-ports-control  :io-ports-control  manual
network-bind      sdcore-upf:network-bind      :network-bind      -
network-control   sdcore-upf:network-control   :network-control   manual
system-files      sdcore-upf:var-run           :system-files      manual

Snappy debug output

INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102321 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x79fd10bdd531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102569 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7d41132fc531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102653 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f9036122531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102684 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x733a381d8531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-06-26T13:5
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2102731 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7b3536ae9531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

Snap Logs

2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: *** Check failure stack trace: ***
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: F0626 13:57:00.920173 2102684 debug.cc:407] Backtrace (recent calls first) ---
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x2012f2) [0x654e192692f2]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x72) [0x654e19269542]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x39) [0x654e19287109]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x243) [0x654e19230593]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (4): /lib/x86_64-linux-gnu/libc.so.6(+0x29d8e) [0x733a38166d8e]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (5): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7e) [0x733a38166e3e]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: (6): /snap/sdcore-upf/x1/bin/bessd(_start+0x23) [0x654e1924a2c3]
2024-06-26T13:57:00-04:00 sdcore-upf.bessd[2102684]: *** Check failure stack trace: ***
2024-06-26T13:57:00-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Main process exited, code=exited, status=1/FAILURE
2024-06-26T13:57:00-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Failed with result 'exit-code'.
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Scheduled restart job, restart counter is at 4.
2024-06-26T13:57:01-04:00 systemd[1]: Started snap.sdcore-upf.bessd.service - Service for snap application sdcore-upf.bessd.
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102710]: + export PYTHONPATH=/snap/sdcore-upf/x1/opt/bess/:
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102710]: + PYTHONPATH=/snap/sdcore-upf/x1/opt/bess/:
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102710]: + export CONF_FILE=/var/snap/sdcore-upf/common/upf.json
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102710]: + CONF_FILE=/var/snap/sdcore-upf/common/upf.json
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102710]: + /snap/sdcore-upf/x1/bin/bessd -f -grpc-url=0.0.0.0:10514 -m 0
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: I0626 13:57:01.384001 2102731 main.cc:64] Launching BESS daemon in process mode...
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: I0626 13:57:01.384053 2102731 main.cc:77] bessd v0.4.0-321-gdc7ef587
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: W0626 13:57:01.384079 2102731 main.cc:84] LoadPlugins() failed to load from directory: /snap/sdcore-upf/x1/bin/modules: No such file or directory [2]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: I0626 13:57:01.384102 2102731 dpdk.cc:169] Initializing DPDK EAL with options: ["bessd", "--main-lcore", "127", "--lcore", "127@0-11", "--no-shconf", "--legacy-mem", "--no-huge", "-m", "512"]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: Detected CPU lcores: 12
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: Detected NUMA nodes: 1
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: Detected shared linkage of DPDK
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: Failed to create thread for interrupt handling
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: FATAL: Cannot init interrupt-handling thread
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: EAL: Cannot init interrupt-handling thread
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: F0626 13:57:01.414136 2102731 dpdk.cc:172] rte_eal_init() failed: ret = -1 rte_errno = 1 (Operation not permitted)
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: *** Check failure stack trace: ***
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: F0626 13:57:01.418527 2102731 debug.cc:407] Backtrace (recent calls first) ---
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x2012f2) [0x5fa6b9b3b2f2]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x72) [0x5fa6b9b3b542]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x39) [0x5fa6b9b59109]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x243) [0x5fa6b9b02593]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (4): /lib/x86_64-linux-gnu/libc.so.6(+0x29d8e) [0x7b3536a77d8e]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (5): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7e) [0x7b3536a77e3e]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: (6): /snap/sdcore-upf/x1/bin/bessd(_start+0x23) [0x5fa6b9b1c2c3]
2024-06-26T13:57:01-04:00 sdcore-upf.bessd[2102731]: *** Check failure stack trace: ***
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Main process exited, code=exited, status=1/FAILURE
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Failed with result 'exit-code'.
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Scheduled restart job, restart counter is at 5.
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Start request repeated too quickly.
2024-06-26T13:57:01-04:00 systemd[1]: snap.sdcore-upf.bessd.service: Failed with result 'exit-code'.
2024-06-26T13:57:01-04:00 systemd[1]: Failed to start snap.sdcore-upf.bessd.service - Service for snap application sdcore-upf.bessd.
8

Until a decision is made, can we allow publishing to devmodeagain? Right now we can’t publish revisions of this snap because of the review process. Here you can see or failing CI:

9

Well, that doesn’t look like net_admin is in any way related anymore after you added and connected the plug… but rather that a function wants to twiddle with the scheduler which we seemingly do not have an interface for (perhaps @alexmurray has any idea/suggestion)

10

As @ogra said, the failure you now see doesn’t appear to be due to any specific denial caused by AppArmor or seccomp (unless your application crashes if it fails to call sched_setaffinity() - if it does this seems like a bug and it should gracefully handle this and continue as best it can).

We do not block publishing devmode snaps - what is the error you are seeing on your side when trying to publish this? The only rejections I can see on the store side is due to the use of system-files - which is blocked regardless of the confinement setting until approved here in the forum.

11

@alexmurray

This is the error we see when publishing

/snap/bin/snapcraft upload sdcore-upf_1.4.0_amd64.snap --release 1.4/edge
Uploading... (--->)
Uploading... (<---)
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: processing
Status: error while processing
Issues while processing snap:
- Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.
Full execution log: '/home/runner/.local/state/snapcraft/log/snapcraft-20240620-093900.267311.log'
Error: The process '/snap/bin/snapcraft' failed with exit code 1- Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.

This version of the snap does not have the system-files plug yet, here’s its snapcraft.yaml

name: sdcore-upf
base: core22
version: '1.4.0'
summary: SD-Core User Plane Function (UPF)
description: |
  This project implements a 4G/5G User Plane Function (UPF) compliant with 3GPP TS23.501.
  It follows the 3GPP Control and User Plane Separation (CUPS) architecture,
  making use of the PFCP protocol for the communication between SMF (5G) / SPGW-C (4G) and UPF.

icon: icon.svg
grade: stable
confinement: devmode
license: Apache-2.0

apps:
  bessd:
    daemon: simple
    install-mode: disable
    command: bin/bessd-start
    environment:
      LD_LIBRARY_PATH: "$SNAP/usr/lib/x86_64-linux-gnu:$SNAP/usr/local/lib/x86_64-linux-gnu:$SNAP/usr/local/lib"
    plugs:
      - network-bind
      - network-control
  routectl:
    daemon: simple
    install-mode: disable
    command: bin/routectl-start
    plugs:
      - network-bind
  pfcpiface:
    daemon: simple
    install-mode: disable
    command: bin/pfcpiface-start
    plugs:
      - network-bind
  bessctl:
    command: opt/bess/bessctl/bessctl
    environment:
      CONF_FILE: /var/snap/sdcore-upf/common/upf.json
      LD_LIBRARY_PATH: "$SNAP/usr/lib/x86_64-linux-gnu:$SNAP/usr/local/lib/x86_64-linux-gnu:$SNAP/usr/local/lib"

layout:
  /usr/local/lib/x86_64-linux-gnu/dpdk/pmds-23.0:
    bind: $SNAP/usr/local/lib/x86_64-linux-gnu/dpdk/pmds-23.0

parts:
  xdp:
    plugin: autotools
    source: https://github.com/xdp-project/xdp-tools.git
    source-tag: v1.2.2
    build-packages:
      - clang
      - gcc-multilib
      - libelf-dev
      - libpcap-dev
      - linux-headers-generic
      - linux-libc-dev
      - llvm
    prime:
      - usr/local/lib/x86_64-linux-gnu/*

  cndp:
    after:
      - xdp
    plugin: meson
    source: https://github.com/CloudNativeDataPlane/cndp.git
    source-commit: d5ce4b9edc2e7ddb46a61b395deffafaf11a0500
    build-packages:
      - clang
      - golang
      - libbpf-dev
      - libbsd-dev
      - libnl-3-dev
      - libnl-cli-3-dev
      - libnuma-dev
      - lld
    meson-parameters:
      - -Dbuildtype=release
      - -Dmachine=haswell
      - -Ddefault_library=both
    prime:
      - usr/local/lib/x86_64-linux-gnu/*
      - usr/local/bin/cndpfwd

  dpdk:
    plugin: meson
    after:
      - cndp
    source: https://fast.dpdk.org/rel/dpdk-22.11.4.tar.gz
    source-type: tar
    build-packages:
      - ca-certificates
      - libbenchmark-dev
      - libbpf0
      - libc-ares-dev
      - libelf-dev
      - libgflags2.2
      - libgoogle-glog-dev
      - libgrpc++-dev
      - libgtest-dev
      - libjson-c-dev
      - libnuma-dev
      - libpcap-dev
      - libprotobuf-dev
      - libunwind-dev
      - meson
      - protobuf-compiler
      - protobuf-compiler-grpc
      - python3
      - python3-pyelftools
    meson-parameters:
      - --buildtype=release
      - -Denable_driver_sdk=true
      - -Dmachine=haswell
    override-pull: |
      snapcraftctl pull
      for file in ${SNAPCRAFT_PROJECT_DIR}/local/patches/dpdk/*
      do
        patch -i $file -p 1
      done
    prime:
      - usr/local/lib/x86_64-linux-gnu/*

  bess:
    plugin: nil
    after:
      - dpdk
    source: https://github.com/omec-project/bess.git
    source-commit: dc7ef58702b3013a0b149b113340082dfbdca7cd
    source-type: git
    build-packages:
      - ca-certificates
      - libbenchmark-dev
      - libbpf0
      - libc-ares-dev
      - libelf-dev
      - libgflags2.2
      - libgoogle-glog-dev
      - libgrpc++-dev
      - libgtest-dev
      - libjson-c-dev
      - libnuma-dev
      - libpcap-dev
      - libprotobuf-dev
      - libssl-dev
      - libunwind-dev
      - meson
      - pkg-config
      - protobuf-compiler
      - protobuf-compiler-grpc
      - python3
    stage-packages:
      - libatomic1
      - libbenchmark1
      - libbpf0
      - libbsd0
      - libc-ares2
      - libelf1
      - libgflags2.2
      - libgoogle-glog0v5
      - libgraph-easy-perl
      - libgrpc++1
      - libjson-c5
      - libnl-3-200
      - libnl-cli-3-200
      - libnuma1
      - libpcap0.8
      - libprotobuf-c1
      - libssl3
      - libunwind8
      - iproute2
      - iptables
      - iputils-ping
      - jq
      - tcpdump
      - ethtool
    build-environment:
      - BESS_LINK_DYNAMIC: 1
      - CPU: x86-64-v3
      - CXXFLAGS: "-Wno-error=nonnull -Wno-error=maybe-uninitialized"
    override-build: |
      for file in $(find ./protobuf -name *.proto -print)
      do
        protoc "$file" --proto_path=protobuf --python_out=pybess/builtin_pb --grpc_out=pybess/builtin_pb --plugin=protoc-gen-grpc=$(which grpc_python_plugin)
      done
      make -j $(nproc) -C core bessd modules
      mkdir -p $SNAPCRAFT_PART_INSTALL/bin
      cp bin/bessd $SNAPCRAFT_PART_INSTALL/bin/bessd
      mkdir -p $SNAPCRAFT_PART_INSTALL/opt/bess/bessctl
      mkdir -p $SNAPCRAFT_PART_INSTALL/opt/bess/pybess
      cp -r bessctl/* $SNAPCRAFT_PART_INSTALL/opt/bess/bessctl/
      cp -r pybess/* $SNAPCRAFT_PART_INSTALL/opt/bess/pybess/

  bess-python-deps:
    plugin: python
    after:
      - bess
    source: .
    python-packages:
      - flask
      - grpcio
      - iptools
      - jsoncomment
      - mitogen
      - protobuf==3.20.0
      - psutil
      - pyroute2
      - scapy
    stage-packages:
      - python3-venv
    override-build: |
      snapcraftctl build
      ln -srf $SNAPCRAFT_PART_INSTALL/bin/python3 $SNAPCRAFT_PART_INSTALL/bin/python

  config:
    plugin: dump
    after:
      - bess
    source: https://github.com/omec-project/upf.git
    source-tag: v1.4.0
    source-subdir: conf
    organize:
      "*": opt/bess/bessctl/conf/
    override-build: |
      for file in ${SNAPCRAFT_PROJECT_DIR}/local/patches/bessctl/*
      do
        patch -i $file -p 1
      done
      snapcraftctl build

  service-files:
    plugin: dump
    source: service

  pfcpiface:
    plugin: go
    source: https://github.com/omec-project/upf.git
    source-tag: v1.4.0
    build-snaps:
      - go
    prime:
      - -bin/p4info_code_gen
12

And the workload crashes when trying to call rte_eal_init() with an Operation not permitted error.

13 
Waiting for previous upload(s) to complete their review process. If you want to prioritize this last one, go to the other upload(s) page in https://dashboard.snapcraft.io/ and click on the 'Reject and remove from review queue' button.

Just follow the instructions from the feedback message of your upload