I didn’t realize the implications of classic confinement, but did some homework after the warning message on upload. Since that message also says a human will review it, I’m posting to say that isn’t necessary. I’ll sort out the right permissions and upload it without classic confinement requested.
What my app does is tell you how much of a file is in memory. It does this by mmapping the file, and then using the mincore system call.
Someone would want to know this as part of a performance investigation. So if I want to know how much of my database is in memory, I could use this tool. What this means is that it needs read access to those DB files, which default to /var/lib but could be elsewhere.
This seems like it should be the system-files interface (along with user-files so it can be used on your own files), but that requires you to explicitly list the files, which isn’t feasible.
In short: is there an option to allow a snap read access to files in an arbitrary path, based on your filesystem read permissions? Or an option to enable more specific access with the snap command? (sort of like “snap connect” but to specify file locations).
I could request classic confinement, but I’d rather try this first.
Apologies for the delay. As you probably read, access to arbitrary files on the system is not typically a justification for requesting classic confinement.
For user files, I see you could plug home with the read:all attribute to get read access to non-hidden files in the home directories of all users as traditional file permissions allow.
For system-files you are correct that you need to specify the directories your snap needs to access, as it is typically used for providing read-only access to system configuration directories to snaps that are the clear owner of the directory in order to support importing from existing applications.
snap connect is used to connect interfaces, and there is no other snap command for a user to specify access to locations. Instead, accesses are granted through declarations on the store side.
So it seems snaps aren’t well suited for system management utilities, at least where there isn’t a finite list of locations.
Would it be reasonable to use system-files to list the default locations of mysql/mariadb/postgres, even though my app isn’t the owner of those locations? Even then the utility would be limited, as it’s common for databases to have non-default locations.
Below is an example use case, where I check to see how much of my mysql DB files are resident in memory. You can see that even as root, I can’t map the DB files. I can bypass the snap link and run the executable that way, but that defeats the purpose, and I wouldn’t want to include a hack like that in the man page.
Thanks for your help!
Tim
root@kinetic:~# type mincore
mincore is /snap/bin/mincore
root@kinetic:~# mincore /var/lib/mysql/ib*
     pages  pages not    %
   in core    in core in file
---------- ---------- ---- --------------------
         - /var/lib/mysql/ib_buffer_pool: No such file or directory
         - /var/lib/mysql/ibdata1: No such file or directory
         - /var/lib/mysql/ib_logfile0: No such file or directory
         - /var/lib/mysql/ibtmp1: No such file or directory
---------- ---------- ---- --------------------
         0          0    0 total pages
       0.0        0.0      total MB (4kb pages)
root@kinetic:~# /snap/mincore/current/usr/bin/mincore /var/lib/mysql/ib*
     pages  pages not    %
   in core    in core in file
---------- ---------- ---- --------------------
         1          0  100 /var/lib/mysql/ib_buffer_pool
      1520       1552   49 /var/lib/mysql/ibdata1
        21      12267    0 /var/lib/mysql/ib_logfile0
      3072          0  100 /var/lib/mysql/ibtmp1
---------- ---------- ---- --------------------
      4614      26107   15 total pages
      18.0      102.0      total MB (4kb pages)
root@kinetic:~#
I would suggest yet another alternative which is to plug the system-backup interface which gives read access to all of the host filesystem, via /var/lib/snapd/hostfs (i.e. /var/lib/snapd/hostfs/var/lib/mysql)
Looking at it now, the documentation is pretty thin, and I can’t find any examples on github either.
I think usage should look like below, then I’d use 'snap connect mincore:mysql-mincore' to enable read of mysql database files in their default location in /var/lib/mysql. Is that correct, and is including the DB directory in the plug enough to enable read of the directory and all files within the directory? (It isn’t possible to list the files by name, since there can be any number of them).
Snap doesn’t like the read attribute in the plug. I assume I have to list the files I want to read, or does this interface eliminate host fs isolation entirely?
Review Tools did not fully pass for this snap.
Specific measures might need to be taken on the Snap Store before this snap can be fully accepted.
Linting Issues:
- unknown attribute 'read' for interface 'system-backup' (plugs)
Can you tell me how I specify system files to be able to read?
thanks!
name: mincore
version: "1.0"
summary: CLI utility to use mincore(2) system call
description: |
  mincore is a utility to show how much of a file is cached in system memory. For each file in argv,
  it will mmap the file and use the mincore() system call to count file pages in and out of memory.
  This can be useful to understand performance where buffer cache and IO is a factor, as in databases.
confinement: strict
type: app
grade: stable
base: core18
parts:
  mincore:
    plugin: make
    source: .
    build-packages:
      - gcc
      - make
plugs:
  mysql-mincore:
    interface: system-backup
    read:
      - /var/lib/mysql
  postgresql-mincore:
    interface: system-backup
    read:
      - /var/lib/pgsql/data
apps:
  mincore:
    command: usr/bin/mincore
    plugs: [system-observe, physical-memory-observe, system-backup]
remove that block, the system-backup interface has no "read" parameter, all it does is to mount the host's filesystem under /var/lib/snapd/hostfs so you will be able to access e.g. mysql under /var/lib/snapd/hostfs/var/lib/mysql …
the mentioning of system-backup that you do in the apps plugs: section is enough for that (you need to connect it indeed)
Ok, thank you. That resolved the error. I mistakenly guessed that I had to list files specifically, but for a system-backup, I could see where that doesn’t make sense.
EDIT: I failed to notice that my second command actually worked. So it looks like this approach will work for me.
Now I need to add information to the man page to explain how to use it.
Thanks!
root@kinetic:~/Projects/tools/mincore# ls -l /var/lib/mysql/ibdata1
-rw-r----- 1 mysql mysql 12582912 Jun 8 06:52 /var/lib/mysql/ibdata1
root@kinetic:~/Projects/tools/mincore# snap connections mincore
Interface                Plug                             Slot            Notes
physical-memory-observe  mincore:physical-memory-observe  -               -
system-backup            mincore:system-backup            :system-backup  manual
system-observe           mincore:system-observe           -               -
root@kinetic:~/Projects/tools/mincore# mincore /var/lib/mysql/ibdata1
     pages  pages not    %
   in core    in core in file
---------- ---------- ---- --------------------
         - /var/lib/mysql/ibdata1: No such file or directory
---------- ---------- ---- --------------------
         0          0    0 total pages
       0.0        0.0      total MB (4kb pages)
root@kinetic:~/Projects/tools/mincore# mincore /var/lib/snapd/hostfs/var/lib/mysql/ibdata1
     pages  pages not    %
   in core    in core in file
---------- ---------- ---- --------------------
      3072          0  100 /var/lib/snapd/hostfs/var/lib/mysql/ibdata1
---------- ---------- ---- --------------------
      3072          0  100 total pages
      12.0        0.0      total MB (4kb pages)
root@kinetic:~/Projects/tools/mincore#
you can perhaps use a layout (not really sure if that works with system-backup provided dirs, you need to test this) to map /var/lib/snapd/hostfs/var/lib/mysql to /var/lib/mysql
I’ll look into that, but I can live with usage having an obtuse path, as this utility would only have technical users. Alternately, I could detect that it’s running as a snap and add the prefix. But at a minimum I will need to document this.
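The mmap(2) + mincore(2) technique described at the top of the thread, combined with the "detect that it's running as a snap and add the prefix" idea from the post above, as an added C example that is not the mincore tool's own source. It relies on the SNAP environment variable snapd sets for confined apps; the function names and the fixed-width output format are assumptions.

```c
#define _GNU_SOURCE                 /* mincore(2) is a non-POSIX Linux call */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define HOSTFS "/var/lib/snapd/hostfs"  /* system-backup mounts the host root here */
/* Inside a confined snap (snapd exports SNAP) host files are only visible under
 * HOSTFS, so prefix absolute paths; already-prefixed paths pass through unchanged. */
const char *snap_host_path(const char *path, char *buf, size_t n)
{
    if (!getenv("SNAP") || path[0] != '/' || !strncmp(path, HOSTFS, strlen(HOSTFS)))
        return path;
    return snprintf(buf, n, "%s%s", HOSTFS, path) < (int)n ? buf : NULL;
}

/* Map the file read-only and ask mincore(2) which of its pages are in core.
 * *total is the size in pages (rounded up). Returns 0, or -1 with errno set. */
int resident_pages(const char *path, size_t *resident, size_t *total)
{
    struct stat st;
    long page = sysconf(_SC_PAGESIZE);
    int fd = open(path, O_RDONLY);   /* under strict confinement this is what fails */
    if (fd < 0 || fstat(fd, &st) < 0) { if (fd >= 0) close(fd); return -1; }
    *total = ((size_t)st.st_size + page - 1) / page; *resident = 0;
    void *map = *total ? mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0) : NULL;
    close(fd);
    if (*total == 0) return 0;                            /* empty file: nothing to map */
    if (map == MAP_FAILED) return -1;
    unsigned char *vec = malloc(*total);                  /* mincore fills one byte per page */
    int rc = vec ? mincore(map, st.st_size, vec) : -1;
    for (size_t i = 0; rc == 0 && i < *total; i++)
        *resident += vec[i] & 1;                          /* bit 0 set = page resident */
    free(vec); munmap(map, st.st_size);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[4096];
    for (int i = 1; i < argc; i++) {
        size_t in, total;
        const char *p = snap_host_path(argv[i], buf, sizeof buf);
        if (!p || resident_pages(p, &in, &total) < 0) { perror(argv[i]); continue; }
        printf("%10zu %10zu %4.0f %s\n", in, total - in, total ? 100.0 * in / total : 0.0, p);
    }
    return 0;
}
```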
@timbutler so it seems you could solve your needs without classic confinement. Can you please confirm? If that’s correct we will remove your request from our queue. You can always ask here any question anytime though.