Help needed: accessing systemd journal from strictly confined snap?!

Greetings All,

Is there any sane, accepted way for a strictly confined snap to read systemd journal logs? Specifically, the logs that are tagged by its systemd unit designation?

I’ve tried the following:

  1. Augmenting the snap’s systemd service file via a drop-in to redirect stdout and stderr to a file or fd in $SNAP_DATA/$SNAP_COMMON.

    • This is not ideal as manual log rotation would be required, journalctl access for the unit would no longer be available, and the drop-in would need to be provided elsewhere and thus would require end-user intervention, as snap install hooks don’t have access that deep into the system.
  2. Using a separate snap to read the logs, then share via the preferred IPC mechanism (a named pipe for example) along with the content interface.

    • Since journalctl calls are not permitted (nor is using the systemd journal API directly) from a strict snap, the secondary snap would need to be classically confined. This, according to docs and my own experience, prevents sharing via the content interface.
  3. Augmenting the systemd journal config to forward to syslog, then augmenting the syslog config to drop the logs of interest into a file in $SNAP_DATA/$SNAP_COMMON.

    • This “works”, and presumably would handle log rotation, but again requires end-user intervention.
  4. Frankensteining it with a secondary snap, classically confined, (or at this point a script, .deb, whatever) that dumps logs directly to a fifo that it creates inside the primary snap’s $SNAP_DATA.

    • Dirty, end-user intervention required to install additional packages and I doubt this would pass peer review if we released to the snap store.

At this point I’m banging my head, quite literally, against my desk :smiley: Any ideas would be greatly appreciated. While I’m on the topic, is there any reason for not allowing access to journalctl from a strictly confined snap? Could it simply be that it’s apparently not a common use case?

Thanks, -K.

the log-observe interface gives your confined snap access to journalctl from the host and to the log files it reads …

if you want to write anything to the logs from your snap, the logger command should help …

ogra,

Thanks for the response. I believe I looked at log-observe, but ended up dropping it as it requires end-user action to connect the interface. I just refreshed my memory, and it appears that auto-connect is possible on request from snap-store staff. Are you aware if this kind of approval is difficult to come by?

Thanks, -K.

no, i do not think it is difficult at all :slight_smile:

log-observe is rather harmless so i don't think it will be hard to get an ack from the reviewers …

:+1: Thanks very much!

-K.

Also looking for help regarding somewhat the same issue I have been facing for 2 days. Anyone there now?

Hi @HudsonElias,

As @ogra mentioned, using the log-observe interface is the way to go. Details for using such interfaces can be found here: https://snapcraft.io/docs/interface-management

In my snapcraft.yaml, I added log-observe to the appropriate application plugs line, i.e.:

...
apps:
    foo:
        command: foo
        plugs: [..., log-observe]
...

Then, as the interface management page points out, you need to manually connect the interface once you install your built snap.

Once connected, the application with the connected log-observe interface can access the systemd journal (i.e. via journalctl, APIs, etc.).

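Added example, not part of any post in this thread: one way an app inside the snap could read its own unit's journal entries through journalctl once log-observe is connected. It assumes the snap and app are both named foo as in the snapcraft.yaml fragment above; the function names and the sample lines are constructed for illustration.

```python
import json
import os
import subprocess

# Constructed sample of `journalctl -o json` output (one JSON object per line).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1700000000000000","PRIORITY":"6",'
    '"_SYSTEMD_UNIT":"snap.foo.foo.service","MESSAGE":"service started"}',
    '{"__REALTIME_TIMESTAMP":"1700000001000000","PRIORITY":"3",'
    '"_SYSTEMD_UNIT":"snap.foo.foo.service","MESSAGE":[104,105,255]}',
    '{"__REALTIME_TIMESTAMP":"1700000002000000","PRIORITY":"6",'
    '"_SYSTEMD_UNIT":"ssh.service","MESSAGE":"unrelated"}',
    '{"__REALTIME_TIMESTAMP":"17000',  # truncated line
]

def unit_name(snap, app):
    # snapd names an app's service unit snap.<snap>.<app>.service
    return f"snap.{snap}.{app}.service"

def decode_field(value):
    # journalctl's JSON output gives non-UTF-8 fields as a list of byte
    # values and oversized fields as null.
    if isinstance(value, list):
        return bytes(value).decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def parse_journal_json(lines, unit):
    """Return (unix_seconds, priority, message) for entries about `unit`."""
    entries = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if unit not in (e.get("_SYSTEMD_UNIT"), e.get("UNIT")):
            continue  # entry belongs to some other unit
        entries.append((int(e.get("__REALTIME_TIMESTAMP", 0)) / 1_000_000,
                        int(e.get("PRIORITY", 6)), decode_field(e.get("MESSAGE"))))
    return entries

def read_own_journal(app, limit=100):
    # SNAP_INSTANCE_NAME is set by snapd inside the snap; "foo" is a fallback.
    unit = unit_name(os.environ.get("SNAP_INSTANCE_NAME", "foo"), app)
    cmd = ["journalctl", "--no-pager", "-o", "json", "-n", str(limit), "-u", unit]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        # Assumption: this is how a missing log-observe connection shows up.
        raise RuntimeError(f"cannot read journal for {unit}: {exc}") from exc
    return parse_journal_json(proc.stdout.splitlines(), unit)
```

Running `parse_journal_json(SAMPLE, unit_name("foo", "foo"))` exercises the parser without a journal; `read_own_journal("foo")` is the call to make from inside the installed snap.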