Human review required nvme-z

Hi @review-team ,

For snap push, I am getting below error

$ snapcraft push nvme-z_0.1.0_amd64.snap
Issues while processing snap:
- human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (nvme-z, block-devices)

I would like to request auto-connect for plugs,

  • name: nvme-z

  • description: NVMe device information and monitoring tool

  • interfaces:

  • block-devices:

    • request-type: auto-connection
    • reasoning: app displays nvmes information
  • hardware-observe:

    • request-type: auto-connection
    • reasoning: app displays nvmes information
  • mount-observe:

    • request-type: auto-connection
    • reasoning: app displays nvmes information
  • raw-usb:

    • request-type: auto-connection
    • reasoning: app displays nvmes information
  • home:

    • request-type: auto-connection
    • reasoning: app displays nvmes information
  • system-observe:

    • request-type: auto-connection
    • reasoning: app displays nvmes information

Thank you very much!

This request has not been added to the review queue. It should be placed in the appropriate store-requests subcategory using the subcategory template for classic-confinement, privileged-interfaces and aliases requests.

This request has been added to the queue for review by the @reviewers team.

Hi there,

Request you to please approve auto-connect for plugs

Hello @bharatubuntu,

As far as I understand, this is a monitoring snap for NVMe devices, so the following interfaces make sense to me:

  • hw-observe
  • mount-observe
  • system-observe

Could you please provide more information regarding the need for the block-devices and raw-usb and home interfaces?

What do other @reviewers think?

(#askForInfo)

Hey Chris, @yomonokio

Thank for the reply, NVMe-Z snap is also show health report for nvme devices

Regarding raw-usb, block-devices

  1. raw-usb (if accessing NVMe via USB adapters)
  • Needed if your NVMe device is connected via USB (e.g., an external NVMe enclosure).
  1. block-devices
  • Grants access to raw block devices (e.g., /dev/nvme*).

Request you to discard the home interface

Thanks

Hi there, @review-team

Request you to please approve auto-connect for plugs

Hi @review-team , @yomonokio

Request you to please approve auto-connect for plugs

Hey @bharatubuntu

Could you be a bit more specific about why each of the requested interfaces is needed by your application? It feels that hardware-observe should be enough for a NVMe device information and monitoring tool. Could you please also share the denials you find when running the application only with hardware-observe connected?

Use of most of the requested interfaces might still be reasonable for nvme-z if their need is properly justified, but I think use of block-devices is not in this case. If we find that there is any required permission that is currently only granted by block-devices we should probably consider to add these permissions to something like hardware-observe instead.

Moreover, block-devices is a super privileged interface that effectively grants device ownership. As such, it is reserved for a very limited set of snaps. Requirements to opt for it includes:

  • the application itself is a mature, well-known application
  • the snap’s (vetted) publisher is a mature, well-known entity

I searched for nvme-z references and/or code repositories but could not found anything. Could you point us to the right sources?

(#askForInfo) Thanks

Hey @jslarraz

Thanks for the info,

nvme-z snap backend uses “nvme cli” GitHub - linux-nvme/nvme-cli: NVMe management command line interface., to get data

When i run following cmd, i get below error

$ nvme smart-log /dev/nvme0n1 --output-format=json
{
  "error":"/dev/nvme0n1: Permission denied"
}
Usage: nvme smart-log <device> [OPTIONS]

Request you to help me with this

And you do not get this when running nvme smart-log /dev/nvme0n1 outside of the snap ?

I surely do since a normal user is not allowed to access that device directly unless they are in the disk group (which normal users are not) or you do use sudo with the command …

Note that snap interfaces do not touch or override any existing system permissions for users, the general ones still apply inside a snap as they would do outside of it …

Hey @ogra

Thanks for the info,

Request you to approve hardware-observe ,

plz discard the other requested interfaces

Thanks

As I said before, hardware-observe looks reasonable to me for a NVMe device information and monitoring tool. Thus, I #voteFor (+1) granting nvme-z auto-connection to hardware-observe interface

1 Like

Hey @review-team

Request you to approve auto-connect for hardware-observe ,

plz discard the other requested interfaces

Thanks

Hey @review-team @jslarraz

like mentioned here https://snapcraft.io/docs/hardware-observe-interface, it provides access to many utility files and binaries such as lspci, lsusb, and hwinfo

can we add access to utility nvme cli ? GitHub - linux-nvme/nvme-cli: NVMe management command line interface.

is it possible?

Thanks

The tools you list all carry out readonly operations on devices to give you info, nvme also allows write operations and setting values, so without patching the tool to allow limiting it to do only read operations it will not be suitable for any -observe interface which by definition of the interface naming only allows reading of things on the system … (by default -observe in a slot/plug name means reading only while -control usually points to an interface that can manipulate things)

Hey Oliver @ogra,

Thanks for the info!

is it possible to add only read operations for "nvme cli’ in hardware-observe interface

Request you to approve auto-connect to hardware-observe

Thanks

not without patching the nvme utility itself as i said above … the interface declaration does not limit what a tool can do so the tool would have to care for that itself (i.e. if there was an additional nvme-ro binary that has all write operations patched out it could be added) if you would add the nvme binary as is you would have to have a very excessive interface definition to make sure it can only read (and would end up with errors for users expecting it to fully work causing extra developer discussions for everyone using it, such cases would better be covered by dedicated nvme-observe and nvme-control interfaces someone would have to create)

PS: I’m not in the reviewers team, you will have to wait for a second reviewer to get to this post in their queue and approve it…

Hey Oliver, @ogra

Thanks for the info!

Hey @review-team ,

Request you to approve auto-connect to hardware-observe