Enable/Disable systemd services


#1

Hello,

We are using snap in our project. We need to stop/start/mask/unmask some of the systemd services inside our snap, so we have gone ahead with using dbus.

Below is the Plug definition:

plugs:
  dbus-systemd:
    bus: system
    interface: dbus
    name: org.freedesktop.systemd1

apps:
  app_name:
    plugs:
      - dbus-systemd

But we weren’t able to find the right slot for connecting our plug.

Error Message:
dbus-send --system --dest=org.freedesktop.systemd1 --type=method_call /org/freedesktop/systemd1 --print-reply org.freedesktop.systemd1.Manager.StopUnit string:"ssh.service" string:"fail"
Error org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.177" (uid=0 pid=6968 comm="dbus-send --system --dest=org.freedesktop.systemd1") interface="org.freedesktop.systemd1.Manager" member="StopUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/lib/systemd/systemd fixrtc ")

Let me know if there are ways to solve this issue.


#2

Using dbus to talk to systemd from inside a confined snap won’t work. What you should be doing instead is snapctl stop --disable the-service (analogous to what you do “outside” the snap, snap stop --disable the-snap.the-service).


#3

Hello @chipaca,

Hope snapctl is for controlling only snap services not systemd services. The service which we need to enable/disable is a pure systemd service.


#4

Hey @prasath, where did you find such an interface? Here is a list of all the supported interfaces, dbus-systemd is not one of them… You may be able to use the dbus interface with the appropriate attributes, though.


#5

IIRC the dbus interface doesn’t provide access to host dbus interfaces.


#6

Hello @Lin-Buo-Ren and @Saviq,

Our intention is to enable/disable the ssh service.

As we have seen, it’s controlled by systemd with the service name sshd.service. We have tried the methods below, but none of them worked for me.

  1. Using systemctl stop/start sshd.service (We have integrated systemctl into the snap).
  2. Using start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec $SNAP/bin/sshd (In this we have integrated the start-stop-daemon and sshd into the snap, but running sshd results in various errors like chmod, setgroups, etc. Need permissions to access them.)
  3. Using direct $SNAP/etc/init.d/ssh start, results in same failure cases as mentioned in method 2.
  4. DBUS: As mentioned in my previous post.

Also, the dbus interface supported by snap has no slot for communicating with systemd dbus APIs.


#7

If your snap has the snapd-control interface you can PUT {"service.ssh.disable": true} to /v2/snaps/system/conf via /run/snapd.socket.

I don’t know of a way of doing what you want to do without it granting device ownership though.


#8

Is that a valid use case for granting classic confinement?


#9

I’m assuming they’re targeting a core device, here.


#10

@Lin-Buo-Ren and @chipaca,

Our snap should ship with strict confinement.

@chipaca, the suggestion which you have mentioned works for a non-snappy service? Because ssh is not controlled by snap and it’s shipped with the OS and running as a separate systemd service as mentioned earlier.


#11

On core devices you can run snap set system service.ssh.disable=true to disable sshd (and similarly for rsyslog); it’s considered part of the system’s configuration (and you can default it to disabled via the gadget iirc). You can’t run snap from inside a snap, so you can’t do that, but the snapd-control interface lets you talk to the /run/snapd.socket socket, so you can use the API.


Accessing snap socket via rest api
#12

Hello @chipaca,

Thanks for the command! It works in the shell with no issues to a great extent!

Is it possible to use the nc command to achieve that? If so, could you share some examples for the same?

Thanks!


#13

This works:

nc -U /run/snapd.socket <<EOF
PUT /v2/snaps/system/conf HTTP/1.0
Content-Length: 31

{"service.ssh.disable": false}
EOF
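
The same PUT as the nc call above, as an added Python example that is not part of the thread: it computes Content-Length from the body instead of hard-coding it and checks snapd's JSON reply. The function names are assumptions of this example; the socket path, endpoint and key are the ones given in the thread, and the snap still needs the snapd-control interface connected.

```python
import json
import socket

SNAPD_SOCKET = "/run/snapd.socket"   # socket path given in the thread
CONF_PATH = "/v2/snaps/system/conf"  # endpoint given in the thread


def build_request(disable: bool) -> bytes:
    """Serialize the PUT; Content-Length is derived from the real body.

    json.dumps() adds no trailing newline, so `false` gives 30 bytes here,
    while the nc heredoc sends one extra newline (hence 31 there).
    """
    body = json.dumps({"service.ssh.disable": disable}).encode()
    head = (
        f"PUT {CONF_PATH} HTTP/1.0\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def parse_response(raw: bytes) -> dict:
    """Split the HTTP response and decode snapd's JSON envelope."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    reply = json.loads(body)
    if status >= 400 or reply.get("type") == "error":
        # e.g. the snapd-control plug is not connected
        raise RuntimeError(f"snapd refused: {status} {reply.get('result')}")
    return reply


def set_ssh_disabled(disable: bool, sock_path: str = SNAPD_SOCKET) -> dict:
    """Send the request over the Unix socket and return snapd's reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request(disable))
        chunks = []
        while chunk := s.recv(4096):  # HTTP/1.0: server closes when done
            chunks.append(chunk)
    return parse_response(b"".join(chunks))
```

Call set_ssh_disabled(True) from the snap's app to disable sshd, or set_ssh_disabled(False) to re-enable it.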

#15

Hello @chipaca,

It works!

Thanks for the support! It’s really appreciated!!!


#16

Hello @chipaca,

Is it possible to disable/enable the service at system startup ?


#17

What, exactly, are you trying to do? What are you building?


#18

@chipaca,

The command provided by you will start/stop the running ssh service.

But if the system gets booted for the next time, will it be in the same state?

Example: If I have disabled the running ssh service, will it be still disabled during the next system bootup?


#19

@prasath It’s equivalent to systemctl disable. You can easily find out with systemctl status ssh.


#20

Hello @Saviq,

It works!

Thanks for the clarification!