I’ve recently updated ncdu and added some interfaces to provide greater access to read file sizes across the system and needed to get human review/approval to add them officially.
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, system-files)
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, personal-files)
@popey directed me to open a new thread for this request. Thanks Alan!
I’ve moved this to Store Requests category, which I believe is the most appropriate for this request.
@kz6fittycent can you please outline what specific files (and whether read or write access for each) are being requested via system-files and personal-files for ncdu and why it requires these accesses?
Hi @alexmurray ,
Thanks for helping me out.
My request might be pretty basic in terms of what you’re looking for but here goes:
ncdu is an improved version of du and some files at the root level [as the snap currently ships] aren’t readable, even with sudo.
My request is in hopes that ncdu can get read-only access to these files so that accurate sizes for each can be reported.
For example, running ncdu /var/log/audit should show sizes for audit logs on a server but if it can’t read it, it’s kind of useless.
Basically, ncdu will need read-only for anything in / (root).
Let me know if you need further input - I hope I can provide it.
Thanks again.
Just touching base on this. Is there any more info needed?
If you require read-only for anything in / then I think the most feasible option would be to use the system-backup interface.
Hey @kz6fittycent ,
Could you analyze using the system-backup interface as suggested by @alexmurray ?
Thanks!
Let me check that out, will get back to you as soon as I can.
Not quite, sorry. This pattern repeats for anything requiring access to files from /
ogra, September 25, 2020, 8:47am
make sure to point your app config to /var/lib/snapd/hostfs/var/www
/ is mounted under /var/lib/snapd/hostfs as described in https://snapcraft.io/docs/the-system-backup-interface
Well, that sort-of worked but it can’t see my zfs pools. And if this interface is incapable of seeing them, that’s a non-starter IMO.
This tool can be incredibly useful for sysadmins who want a quick and clean way of seeing what’s taking up space in various files/dirs. If it can’t see (read-only) into “everything”, then it’s not very useful.
For the time being, I’m going to unpublish this snap since it’s not very useful “as-is”. Granted, it’s been in the store for a while now but I don’t think it’s any good - meaning that the snap I made isn’t any good.
@kz6fittycent other than zfs pools, is there anything else that you are not able to observe with system-backup? Perhaps we can augment this interface to allow that other information as well. Also can you provide any more details regarding the inability to see zfs pools. Are there any AppArmor denials in dmesg / syslog? Thanks.
As far as what the snap is reporting, not much - see screenshot.
Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:
cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
I included everything associated with ncdu so you can see the when/where it gets DENIED. Which is right here:
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Running sudo ncdu renders the same result.
The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.
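One way to pull the denials out of a syslog excerpt like the one in the post above, as an added example that is not part of the original thread: it parses the AppArmor audit records, skips the STATUS (profile load) lines, and groups the DENIED paths by profile, operation and requested mask. The function names and the `snap.` profile-prefix filter are choices made for this example; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Four lines copied verbatim from the syslog excerpt in the post above.
SAMPLE = """\
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit subsystem writes a name containing spaces or quotes as
        # unquoted hex, so an unquoted all-hex name is decoded back to a path.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare or quoted
    return rec


def denials(log_text, profile_prefix="snap."):
    """Map (profile, operation, requested_mask) -> sorted denied paths."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # STATUS records are profile loads, not access failures
        if not rec.get("profile", "").startswith(profile_prefix):
            continue  # keep only confined snap profiles
        key = (rec["profile"], rec.get("operation"), rec.get("requested_mask"))
        out[key].add(rec.get("name", "?"))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (profile, op, mask), paths in denials(SAMPLE).items():
        print(f"{profile}: {op} ({mask}) denied on {', '.join(paths)}")
```
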
Maybe it’s already covered but ncdu should also be able to read anything including hidden files, links, in /home/$USER or anywhere else.
ncdu is a very handy tool!
Looks like we’re good there. I even checked several directories off root and the hidden files are showing up as one would expect.
@kz6fittycent it seems you were able to make your snap work as expected. Can you please confirm?
No, I still can’t view zfs pools. This is really the last bit we need to address.
Can you provide any information on errors that you see when trying to access zfs pools, or AppArmor denials etc from the kernel log? What paths are needed to be able to see zfs pools?
@kz6fittycent - ping, can you please provide the requested information?