Hey @kz6fittycent,
Could you analyze using the system-backup interface as suggested by @alexmurray?
Thanks!
Let me check that out, will get back to you as soon as I can.
Not quite, sorry. This pattern repeats for anything requiring access to files from /
make sure to point your app config to /var/lib/snapd/hostfs/var/www
/ is mounted under /var/lib/snapd/hostfs as described in https://snapcraft.io/docs/the-system-backup-interface
Well, that sort-of worked but it can’t see my zfs pools. And if this interface is incapable of seeing them, that’s a non-starter IMO.
This tool can be incredibly useful for sysadmins who want a quick and clean way of seeing what’s taking up space in various files/dirs. If it can’t see (read-only) into “everything”, then it’s not very useful.
For the time being, I’m going to unpublish this snap since it’s not very useful “as-is”. Granted, it’s been in the store for a while now but I don’t think it’s any good - meaning that the snap I made isn’t any good.
@kz6fittycent other than zfs pools, is there anything else that you are not able to observe with system-backup? Perhaps we can augment this interface to allow that other information as well. Also can you provide any more details regarding the inability to see zfs pools. Are there any AppArmor denials in dmesg / syslog? Thanks.
As far as what the snap is reporting, not much - see screenshot.
Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:
cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
I included everything associated with ncdu so you can see the when/where it gets DENIED. Which is right here:
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Running sudo ncdu renders the same result.
The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.
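An added example, not part of the original posts: a small Python parser that groups AppArmor `DENIED` audit records by profile and denied target, run over four lines copied from the logs posted in this thread. The function names are illustrative.

```python
import re
from collections import defaultdict

# key=value pairs in an audit record; values are quoted ("...") or bare (pid=1).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Lines copied from the syslog / kern.log excerpts posted in this thread.
SAMPLE_LINES = [
    'Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"',
    'Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec 6 20:26:39 $HOST kernel: [42387.129055] audit: type=1400 audit(1607307999.826:105): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=200410 comm="snap-confine" capability=4 capname="fsetid"',
]


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        # Strip the quotes from quoted values, keep bare values as-is.
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize_denials(lines):
    """Map each confining profile to its sorted (operation, target, mask) denials."""
    summary = defaultdict(set)
    for line in lines:
        fields = parse_audit_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue  # skip non-AppArmor lines and STATUS records
        # File denials carry name=, capability denials carry capname=.
        target = fields.get('name') or fields.get('capname') or '?'
        entry = (fields.get('operation', '?'), target, fields.get('denied_mask', ''))
        summary[fields.get('profile', '?')].add(entry)
    return {profile: sorted(entries) for profile, entries in summary.items()}


if __name__ == '__main__':
    for profile, entries in summarize_denials(SAMPLE_LINES).items():
        print(profile)
        for operation, target, mask in entries:
            print(f'  {operation:8} {target} {mask}')
```

Grouping by profile separates the read denials logged against `snap.ncdu.ncdu` (all on `/proc/...` directories in these lines) from the `fsetid` capability denial, which is logged against the `/usr/lib/snapd/snap-confine` profile.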
Maybe it’s already covered but ncdu should also be able to read anything including hidden files, links, in /home/$USER or anywhere else.
ncdu is a very handy tool!
Looks like we’re good there. I even checked several directories off root and the hidden files are showing up as one would expect.
No, I still can’t view zfs pools. This is really the last bit we need to address.
Can you provide any information on errors that you see when trying to access zfs pools, or AppArmor denials etc from the kernel log? What paths are needed to be able to see zfs pools?
@alexmurray @msalvatore I have provided those errors above. Not sure what else you’re needing. I just cannot access the pools. I’ve provided apparmor logs that I can see, etc.
Just grabbed the only log associated with ncdu from kern.log:
Dec 6 20:26:39 $HOST kernel: [42387.129055] audit: type=1400 audit(1607307999.826:105): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=200410 comm="snap-confine" capability=4 capname="fsetid"
@kz6fittycent can you please describe in more detail what your setup is so I can try and reproduce it? i.e. create a zfs pool as follows (please include commands etc), launch ncdu and browse to … and expect to see <something> etc.
Since I expect that during this process there should be some denials showing up in dmesg which indicate what access is missing for ncdu. Also could you please verify that it works when using the ncdu deb? This should then allow us to finally get to the bottom of this issue. Thanks.
@kz6fittycent could you please provide the requested information? Apologies for this long discussion, but this is needed to reproduce it on our side and hopefully help with the ncdu snap.
@alexmurray I’m ready to close this. It would be nice to have ncdu as a snap, but it’s just not worth it (to me) to continue.
If another developer would like to take it, I’m absolutely willing to move ownership.
Ok, I will remove this request from our queue - let me know if you change your mind @kz6fittycent