Classic confinement for ubuntu-package-manifest snap

I request permission to release ubuntu-package-manifest as a classic snap.

This is a simple utility to generate package version manifests like http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.manifest and will be used in conjunction with https://snapcraft.io/ubuntu-cloud-image-changelog.

It is not possible to achieve this as a strict snap as I can’t see any interface that would allow for listing currently installed deb packages and snap packages.

You can see the simple script being used @ https://github.com/CanonicalLtd/ubuntu-package-manifest/blob/main/snap/local/generate-manifest in the snap to generate the manifests.

Have you taken a look at the system-files interface? I imagine having read access to /var/lib/dpkg and shipping the dpkg/dpkg-query binaries inside the snap might work with strict confinement …

Interesting. I will try.

Thanks @ogra, I tried but I was not successful:

plugs:
  dpkg-data:
    interface: system-files
    read:
    - /var/lib/dpkg/status

But I just get

dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory

errors. See https://pastebin.ubuntu.com/p/VKKQG9Ch2r/ for full snapcraft.yaml.

I connected the system-files interface using snap connect ubuntu-package-manifest:dpkg-data

Have I missed something obvious?

This should be enough. Did you try to use the top-level dir instead of just the status file (i.e. /var/lib/dpkg)?

I did. Same issue unfortunately.

You should be able to see the system package database as /var/lib/snapd/hostfs/var/lib/dpkg/status. Running dpkg --root /var/lib/snapd/hostfs ... would likely be enough to get a listing.

Alternatively, a layout might work too, so you do not need to change your source.

Thank you both.

I tried

dpkg-query --show --admindir=/var/lib/snapd/hostfs/var/lib/dpkg

from

snap run --shell ubuntu-package-manifest

but I get a permissions error:

dpkg-query: error: failed to open package info file '/var/lib/snapd/hostfs/var/lib/dpkg/status' for reading: Permission denied

I also tried to use a layout:

layout:
  /var/lib/dpkg:
    bind-file: $SNAP/var/lib/dpkg

But I am then unable to install the snap:

$ sudo snap install --dangerous ./ubuntu-package-manifest_0.1_amd64.snap 
error: cannot perform the following tasks:
- Setup snap "ubuntu-package-manifest" (unset) security profiles (cannot update mount namespace of snap "ubuntu-package-manifest": cannot update preserved namespace of snap "ubuntu-package-manifest": cannot update snap namespace: cannot use "/snap/ubuntu-package-manifest/x16/var/lib/dpkg" as bind-mount source: not a regular file)

You want bind: or symlink:, as bind-file: literally tries to bind-mount the dir to a file …

Thank you both again.

Based on your advice I looked into layouts and also hostfs, and found https://snapcraft.io/docs/the-system-backup-interface, which works great for reading dpkg data.

See https://github.com/CanonicalLtd/ubuntu-package-manifest/commit/a99da55fcee6659dfc6cb42b8068bf080ad02de2 for the required changes.

I’m not looking into whether this is possible for snaps too using a similar approach. Are you aware of a way to do this? Unfortunately snap list does not accept any argument or option like dpkg-query does with --admindir.

Also, is it possible to request auto connect for the system-backup interface?
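As an added example (not code from the thread or from the ubuntu-package-manifest project), here is a small parser for the host's dpkg status file, read via the hostfs path that the system-backup interface exposes read-only, producing name<TAB>version manifest lines like the cloud-image manifests linked above. The hostfs path is taken from this thread, the sample stanzas are constructed, and the native architecture is assumed to be amd64.

```python
import sys
# Path where the system-backup interface exposes the host's (read-only) root fs.
HOSTFS_DPKG_STATUS = "/var/lib/snapd/hostfs/var/lib/dpkg/status"

def parse_dpkg_status(text):
    """Parse dpkg's status file: 'Field: value' stanzas separated by blank
    lines, where a leading space/tab continues the previous field."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
        elif line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
        elif ":" in line:
            field, _, value = line.partition(":")
            last_field = field.strip()
            current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def installed_manifest(text, native_arch="amd64"):
    """Return sorted 'name<TAB>version' lines for packages in state
    'install ok installed'; foreign-arch packages are written as name:arch."""
    lines = []
    for pkg in parse_dpkg_status(text):
        if pkg.get("Status", "").split() != ["install", "ok", "installed"]:
            continue  # removed / config-files-only / half-installed entries
        name, arch = pkg["Package"], pkg.get("Architecture", native_arch)
        if arch not in (native_arch, "all"):
            name = f"{name}:{arch}"
        lines.append(f"{name}\t{pkg['Version']}")
    return sorted(lines)

# Constructed sample stanzas (not a real host status file).
SAMPLE_STATUS = (
    "Package: libc6\nStatus: install ok installed\nArchitecture: amd64\n"
    "Version: 2.31-0ubuntu9\nDescription: GNU C Library\n shared libraries\n\n"
    "Package: libc6\nStatus: install ok installed\nArchitecture: i386\n"
    "Version: 2.31-0ubuntu9\n\n"
    "Package: old-tool\nStatus: deinstall ok config-files\n"
    "Architecture: amd64\nVersion: 1.0\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTFS_DPKG_STATUS
    with open(path, encoding="utf-8") as f:
        print("\n".join(installed_manifest(f.read())))
```

Run it with no argument inside the snap to read the host's status through hostfs, or pass the path of a copied status file to test it outside the snap.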

I have a potential solution for listing snaps using /var/lib/snapd/hostfs/ - see https://github.com/CanonicalLtd/ubuntu-package-manifest/blob/main/snap/local/list-snaps.py

I have created a new topic @ Reading tracking information of host installed snaps from another snap to try to figure out how to read all info for each snap.

Even if I proceed as-is, is it possible to request auto connect for the system-backup interface for the ubuntu-package-manifest strict snap?

All your local snap information should be in /var/lib/snapd/state.json.

To properly get the track info you’d rather use the snapd API through the snapd-control interface, but this will prevent you from uploading your snap to the global store, since this interface is pretty exclusively reserved for brand stores (it allows completely owning the device after all).

Brilliant. Thank you.