Ignore upload with classic confinement for 'mincore'

I didn’t realize the implications of classic confinement, but did some homework after the warning message on upload. Since that message also says a human will review it, I’m posting to say that isn’t necessary. I’ll sort out the right permissions and upload it without classic confinement requested.

thanks!

Hey @timbutler,

If you explain here what your snap needs to do, we can help you understand the interfaces you could plug while keeping under strict confinement. You could use snappy-debug as well which will help you to do so: https://snapcraft.io/docs/debugging-building-snaps#heading--identifying-missing-interfaces.

If you end up figuring out you still need classic, please note there is a process to grant it: Process for reviewing classic confinement snaps

Hi, thanks for offering to help.

What my app does is tell you how much of a file is in memory. It does this by mmaping the file, and then using the mincore system call.

Someone would want to know this as part of a performance investigation. So if I want to know how much of my database in in memory, I could use this tool. What this means is that it needs read access to those DB files, which default to /var/lib but could be elsewhere.

This seems it should be the system-files interface (along with user-files so it can be used on your own files), but that requires you to explicitly list the files, which isn’t feasible.

In short: is there an option to allow a snap read access to files in an arbitrary path, based on your filesystem read permissions? Or an option to enable more specific access with the snap command? (sort of like “snap connect” but to specify file locations).

I could request classic confinement, but I’d rather try this first.

Hey @timbutler,

Apologize for the delay. As you probably read access to arbitrary files on the system is not typically a justification for requesting classic confinement.

For user files, I see you could plug home with the read:all attribute to get read access to non-hidden files in the home directories of all users as traditional file permissions allow.

For system-files you are correct that you need to specify the directories your snap needs to access, as it is typically used for providing read-only access to system configuration directories to snaps that are the clear owner of the directory in order to support importing from existing applications.

snap connect is used to connect interfaces, and there is no other snap command for a user to specify access to locations. Instead, accesses are granted through declarations on the store side.

Feel free to add further questions if needed.

Thanks!

Hi @emitorino, thanks for replying again.

So it seems snaps aren’t well suited for system management utilities, at least where there isn’t a finite list of locations.

Would it be reasonable to use system-files to list the default locations of mysql/mariadb/postgres, even though my app isn’t the owner of those locations? Even then the utility would be limited, as it’s common for databases to have non-default locations.

Below is an example use case, where I check to see how much of my mysql DB files are resident in memory. You can see that even as root, I can’t map the DB files. I can bypass the snap link and run the executable that way, but that defeats the purpose, and I wouldn’t want to include a hack like that in the man page.

Thanks for your help!
Tim

root@kinetic:~# type mincore
mincore is /snap/bin/mincore
root@kinetic:~# mincore /var/lib/mysql/ib*
  pages     pages not  %
 in core     in core   in          file
---------- ---------- ----  --------------------
		    -   /var/lib/mysql/ib_buffer_pool: No such file or directory
		    -   /var/lib/mysql/ibdata1: No such file or directory
		    -   /var/lib/mysql/ib_logfile0: No such file or directory
		    -   /var/lib/mysql/ibtmp1: No such file or directory
---------- ---------- ----  --------------------
     0          0   0   total pages
   0.0        0.0       total MB (4kb pages)
root@kinetic:~# /snap/mincore/current/usr/bin/mincore /var/lib/mysql/ib*
  pages     pages not  %
 in core     in core   in          file
---------- ---------- ----  --------------------
     1          0 100   /var/lib/mysql/ib_buffer_pool
  1520       1552  49   /var/lib/mysql/ibdata1
    21      12267   0   /var/lib/mysql/ib_logfile0
  3072          0 100   /var/lib/mysql/ibtmp1
---------- ---------- ----  --------------------
  4614      26107  15   total pages
  18.0      102.0       total MB (4kb pages)
root@kinetic:~#

Hey @timbutler,

Thanks for the detailed explanation.

I would suggest yet another alternative which is to plug the system-backup interface which gives read access to all of the host filesystem, via /var/lib/snapd/hostfs (i.e. /var/lib/snapd/hostfs/var/lib/mysql)

Hopefully this works!

@timbutler ping,

Could you analyze the system-backup iface alternative?

Thanks!

Yes, sorry, busy at work. I’ll try it over within the next week and report back. Thanks!

1 Like

Ping @timbutler, just wondering if you had a chance to look at using system-backup as suggested above?

Looking at it now, the documentation is pretty thin, and I can’t find any examples on github either.

I think usage should look like below, then I’d use 'snap connect mincore:mysql-mincore` to enable read of mysql database files in their default location in /var/lib/mysql. Is that correct, and is including the DB directory in the plug enough to enable read of the directory and all files within the directory? (It isn’t possible to list the files by name, since there can be any number of them).

Snap doesn’t like the read attribute in the plug. I assume I have to list the files I want to read, or does this interface eliminate host fs isolation entirely?

Review Tools did not fully pass for this snap.
Specific measures might need to be taken on the Snap Store before this snap can be fully accepted.
Linting Issues:
- unknown attribute 'read' for interface 'system-backup' (plugs)

Can you tell me how I specify system files to be able to read?

thanks!

name: mincore
version: "1.0"
summary: CLI utility to use mincore(2) system call
description: |
  mincore is a utility to show how much of a file is cached in system memory. For each file in argv,
  it will mmap the file and use the mincore() system to count file pages in and out of memory.
  This can be useful to understand performance where buffer cache and IO is a factor, as in databases.
confinement: strict
type: app
grade: stable
base: core18

parts:
  mincore:
    plugin: make
    source: .
    build-packages:
      - gcc
      - make

plugs:
  mysql-mincore:
    interface: system-backup
    read:
    - /var/lib/mysql
  postgresql-mincore:
    interface: system-backup
    read:
    - /var/lib/pgsql/data

apps:
  mincore:
    command: usr/bin/mincore
    plugs: [system-observe,physical-memory-observe,system-backup]

remove that block, the system-backup interface has no "read " parameter, all it does is to mount the hosts filesystem under /var/lib/snapd/hostfs so you will be able to access i.e. mysql under /var/lib/snapd/hostfs/var/lib/mysql

the mentioning of system-backup that you do in the apps plugs: section is enough for that (you need to connect it indeed)

Ok, thank you. That resolved the error. I mistakenly guessed that I had to list files specifically, but for a system-backup, I could see where that doesn’t makes sense.

EDIT: I failed to notice that my second command actually worked. So it looks like this approach will work for me.

Now I need to add information to the man page to explain how to use it.

Thanks!

root@kinetic:~/Projects/tools/mincore# ls -l /var/lib/mysql/ibdata1
-rw-r----- 1 mysql mysql 12582912 Jun  8 06:52 /var/lib/mysql/ibdata1
root@kinetic:~/Projects/tools/mincore# snap connections mincore
Interface                Plug                             Slot            Notes
physical-memory-observe  mincore:physical-memory-observe  -               -
system-backup            mincore:system-backup            :system-backup  manual
system-observe           mincore:system-observe           -               -
root@kinetic:~/Projects/tools/mincore# mincore /var/lib/mysql/ibdata1
  pages     pages not  %
 in core     in core   in          file
---------- ---------- ----  --------------------
                        -   /var/lib/mysql/ibdata1: No such file or directory
---------- ---------- ----  --------------------
         0          0   0   total pages
       0.0        0.0       total MB (4kb pages)
root@kinetic:~/Projects/tools/mincore# mincore /var/lib/snapd/hostfs/var/lib/mysql/ibdata1
  pages     pages not  %
 in core     in core   in          file
---------- ---------- ----  --------------------
      3072          0 100   /var/lib/snapd/hostfs/var/lib/mysql/ibdata1
---------- ---------- ----  --------------------
      3072          0 100   total pages
      12.0        0.0       total MB (4kb pages)
root@kinetic:~/Projects/tools/mincore#

you can perhaps use a layout (not really sure if that works with system-backup provided dirs, you need to test this) to map /var/lib/snapd/hostfs/var/lib/mysql to /var/lib/mysql

I’ll look into that, but I can live with usage having an obtuse path, as this utility would only have technical users. Alternately, I could detect that it’s running as a snap and add the prefix. But at a minimum I will need to document this.

1 Like