How to connect to localhost MongoDB in Snap? AppArmor prevents

Hi,
I have this snapcraft.yaml using MongoDB 4.0.3:
https://github.com/wekan/wekan/blob/edge/snapcraft.yaml

It’s Wekan https://wekan.github.io using meteor-1.8.1-beta.0 with Node 8.12.0.

By default MongoDB is listening on 127.0.0.1:27019
https://github.com/wekan/wekan/blob/edge/snap-src/bin/config

But it seems AppArmor denies Node connecting to MongoDB:

loka 10 21:04:03 user kernel: audit: type=1400 audit(1539194642.995:2287): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/netstat" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
loka 10 21:04:03 user kernel: audit: type=1400 audit(1539194642.999:2288): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/snmp" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
loka 10 21:04:03 user audit[15195]: AVC apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/netstat" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
loka 10 21:04:03 user audit[15195]: AVC apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/snmp" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
loka 10 21:04:04 user kernel: audit: type=1400 audit(1539194643.999:2289): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/netstat" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
loka 10 21:04:04 user kernel: audit: type=1400 audit(1539194643.999:2290): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/snmp" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

How can I make Node connect to MongoDB correctly? Do I need to add some permission to the snap?

It seems that I can connect to mongo this way:

 sudo mongo mongodb://%2Fvar%2Fsnap%2Fwekan%2Fx1%2Fshare%2Fmongodb-27017.sock

And this could be correct unix socket setting:

sudo snap set wekan mongodb-bind-unix-socket='share'

I’m still trying to figure out how to get it to work, for example with unix socket.

FYI, the apparmor denials can be solved in wekan.mongodb by connecting the ‘network-observe’ interface.


@jdstrand

How? What should I add to snapcraft.yaml or snap directories?
https://github.com/wekan/wekan/tree/edge

I wonder if those denials are a red herring. If you set the socket to a relative directory, I doubt it will work properly. Here on line 10, the mongodb url is being created, but on line 22, it cd’s to a new directory before starting the application. Try setting the absolute path. Or try using the socket file name mongodb-27017.sock and line 12 will create a full absolute path.

But I could be wrong… that’s just a first glance.
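An added example, not part of any post in this thread: a small Python triage of AppArmor denial lines, which shows that the denials quoted in the first post are procfs reads by the `ftdc` thread and not socket denials. The third sample line, the profile name `snap.example.app`, and the use of a `family` field to recognise socket denials are assumptions of this sketch.

```python
import re
from collections import Counter

# First two lines are copied from the log in the thread (timestamp prefix dropped);
# the third is a constructed network denial for a hypothetical snap, for contrast.
SAMPLE = '''\
kernel: audit: type=1400 audit(1539194642.995:2287): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/netstat" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1539194642.999:2288): apparmor="DENIED" operation="open" profile="snap.wekan.mongodb" name="/proc/15195/net/snmp" pid=15195 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1539194700.100:2300): apparmor="DENIED" operation="connect" profile="snap.example.app" pid=4242 comm="node" family="inet" sock_type="stream" protocol=6 requested_mask="connect" denied_mask="connect"
'''

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def classify(rec):
    """'network' for socket denials, 'procfs' for /proc paths, else 'file'."""
    if "family" in rec:  # assumption: socket denials carry family/sock_type fields
        return "network"
    if rec.get("name", "").startswith("/proc/"):
        return "procfs"
    return "file"

def triage(text):
    """Count DENIED events per (profile, comm, kind, target), with PIDs normalised."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("apparmor") != "DENIED":
            continue
        target = rec.get("name", rec.get("family", "?"))
        target = re.sub(r"^/proc/\d+/", "/proc/<pid>/", target)
        counts[(rec["profile"], rec["comm"], classify(rec), target)] += 1
    return counts

if __name__ == "__main__":
    for (profile, comm, kind, target), n in sorted(triage(SAMPLE).items()):
        print(f"{n:3d}  {kind:8s} {profile}  comm={comm}  {target}")
```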

I tried those tips and did not get Wekan connecting to MongoDB correctly in Snap.

So currently only the Source and Docker versions work.

I was able to get it running with this config:

sudo snap set wekan mongodb-bind-unix-socket='/var/snap/wekan/current/share/'

At least it appears to be running. I got a log in page, and could register and login.

@ryanjyoder

Thanks! Because it seems that with that I only get Meteor 1.6.0.1 and MongoDB 3.2.21 working, I’ll continue with it until some day I get Meteor 1.8.x and MongoDB 4.0.3 working in Snap.