Classic confinement request for nhc snap

Hello,

I am integrating the nhc health check application into my hpc compute stack as a snap. The nhc snap requires classic confinement because the nhc application needs to access system resources to perform health checks.

Thank you!

did you try it in strict mode with all the necessary plugs yet ?
looks like most of these features in your health checks are covered by existing interfaces (hardware-observe, system-observe, mount-observe, network-observe, etc etc)

@ogra Entirely. Working on this now. Thanks!

@ogra what interface should be used for calls to setsid? I was thinking it might be the system-trace interface, but it didn’t seem to help. Also, is there a way I can better find this out by myself?
Thanks!

not sure if there is any interface allowing setsid, perhaps @jdstrand can give more hints here …

what i tend to do to find interfaces is to keep a local copy of the snapd source and grep for a path or binary that i want to use in the interfaces/builtin subdir:

also: sudo snap install snappy-debug … and use snappy-debug.scanlog with the suggestion mode, it is really helpful.


Can’t believe I didn’t know about this! What a useful tool. Thank you!

= AppArmor =
Time: Apr 17 15:35:34
Log: apparmor="DENIED" operation="exec" profile="snap.nhc.nhc" name="/usr/bin/setsid" pid=4497 comm="nhc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/bin/setsid (exec)

= AppArmor =
Time: Apr 17 15:35:34
Log: apparmor="DENIED" operation="open" profile="snap.nhc.nhc" name="/usr/bin/setsid" pid=4497 comm="nhc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/bin/setsid (read)

On the topic of the nhc snap release, do you think we can go ahead and get nhc approved with classic confinement for now?
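An added example (not from the thread, snapd or the nhc project) that parses scanlog-style AppArmor denial records like the two quoted above and groups them by snap profile and path, so a reviewer can see at a glance which paths and operations a strictly confined snap is being denied. The sample input is the two records from this post; the field names follow the standard apparmor audit format.

```python
import re
from collections import defaultdict

# The two denial records quoted in the thread (snappy-debug.scanlog style output).
SAMPLE_LOG = """\
= AppArmor =
Time: Apr 17 15:35:34
Log: apparmor="DENIED" operation="exec" profile="snap.nhc.nhc" name="/usr/bin/setsid" pid=4497 comm="nhc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/bin/setsid (exec)

= AppArmor =
Time: Apr 17 15:35:34
Log: apparmor="DENIED" operation="open" profile="snap.nhc.nhc" name="/usr/bin/setsid" pid=4497 comm="nhc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/bin/setsid (read)
"""

# key="quoted value" or key=bareword, as emitted by the apparmor audit subsystem
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Turn one apparmor=... audit line into a dict of its key/value fields."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def denials(text):
    """Yield parsed DENIED records from scanlog-style output (the 'Log:' lines)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Log: "):
            line = line[len("Log: "):]
        if not line.startswith("apparmor="):
            continue
        rec = parse_apparmor_line(line)
        if rec.get("apparmor") == "DENIED":
            yield rec


def summarize(text):
    """Group denials by (profile, path) and collect operations, denied masks and a count."""
    summary = defaultdict(lambda: {"operations": set(), "denied_mask": set(), "count": 0})
    for rec in denials(text):
        key = (rec.get("profile", "?"), rec.get("name", rec.get("comm", "?")))
        entry = summary[key]
        entry["operations"].add(rec.get("operation", "?"))
        entry["denied_mask"].update(rec.get("denied_mask", ""))  # each mask char (r, w, x, ...) separately
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (profile, path), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile} {path}: {info['count']} denials, ops={sorted(info['operations'])}, "
              f"mask={''.join(sorted(info['denied_mask']))}")
```

Feeding it the full scanlog output of a test run shows every path the snap still needs an interface (or a bundled copy of the binary) for, rather than chasing denials one line at a time.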

well, i’m not in the @reviewers team … not sure what it would take (or if it is even possible) to allow setsid

Update:

We have encapsulated the nhc software into our slurm snap itself. We no longer need to publish this snap at all.

Please disregard this request.

Thanks!