Interface approval for ncdu snap

Hi @alexmurray,

Thanks for helping me out.

My request might be pretty basic in terms of what you’re looking for but here goes:

  • ncdu is an improved version of du and some files at the root level [as the snap currently ships] aren’t readable, even with sudo
  • My request is in hopes that ncdu can get read-only access to these files so that accurate sizes for each can be reported

For example, running ncdu /var/log/audit should show sizes for audit logs on a server but if it can’t read it, it’s kind of useless.

Basically, ncdu will need read-only for anything in / (root).

Let me know if you need further input - I hope I can provide it.

Thanks again.

1 Like

Just touching base on this. Is there any more info needed?

If you require read-only for anything in / then I think the most feasible option would be to use the system-backup interface.

2 Likes

Hey @kz6fittycent,

Could you analyze using the system-backup interface as suggested by @alexmurray?

Thanks!

1 Like

Let me check that out, will get back to you as soon as I can.

Not quite, sorry. This pattern repeats for anything requiring access to files from /.

[Screenshot from 2020-09-24 20-29-50]

make sure to point your app config to /var/lib/snapd/hostfs/var/www

/ is mounted under /var/lib/snapd/hostfs as described in https://snapcraft.io/docs/the-system-backup-interface

1 Like

Well, that sort-of worked but it can’t see my zfs pools. And if this interface is incapable of seeing them, that’s a non-starter IMO.

This tool can be incredibly useful for sysadmins who want a quick and clean way of seeing what’s taking up space in various files/dirs. If it can’t see (read-only) into “everything”, then it’s not very useful.

1 Like

For the time being, I’m going to unpublish this snap since it’s not very useful “as-is”. Granted, it’s been in the store for a while now but I don’t think it’s any good - meaning that the snap I made isn’t any good.

@kz6fittycent other than zfs pools, is there anything else that you are not able to observe with system-backup? Perhaps we can augment this interface to allow that other information as well. Also can you provide any more details regarding the inability to see zfs pools. Are there any AppArmor denials in dmesg / syslog? Thanks.

As far as what the snap is reporting, not much - see screenshot.

[Screenshot from 2020-10-30 09-33-55]

Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:

cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I included everything associated with ncdu so you can see the when/where it gets DENIED. Which is right here:

Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Running sudo ncdu renders the same result.

The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.

1 Like
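One way to reduce a log dump like the one in the post above to just the denials, grouped by profile and target. This is an added example, not part of the original thread; the function names `summarize_denials` and `sample_log` and the sample lines are constructed for illustration, in the same format as the lines posted.

```shell
#!/bin/sh
# Summarise AppArmor denials from kernel audit lines read on stdin.
# Usage: summarize_denials [profile-substring] < /var/log/syslog
summarize_denials() {
    awk -v want="${1:-}" '
    # Return the value of key="value" (or key=value) on the current line.
    function field(key,    i, n, v) {
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                return v
            }
        }
        return ""
    }
    /apparmor="DENIED"/ {
        profile = field("profile")
        if (want != "" && index(profile, want) == 0) next
        # File denials carry name=; capability denials carry capname=.
        target = field("name")
        if (target == "") target = "cap:" field("capname")
        mask = field("denied_mask")
        if (mask == "") mask = "-"
        count[profile " " field("operation") " " target " " mask]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed sample input: one STATUS line (ignored) and four denials.
sample_log() {
    cat <<'EOF'
Oct 30 09:32:17 host kernel: [1.0] audit: type=1400 audit(1.0:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=100 comm="apparmor_parser"
Oct 30 09:33:17 host kernel: [2.0] audit: type=1400 audit(2.0:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=200 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:18 host kernel: [3.0] audit: type=1400 audit(3.0:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=200 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:18 host kernel: [4.0] audit: type=1400 audit(4.0:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=200 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  6 20:26:39 host kernel: [5.0] audit: type=1400 audit(5.0:105): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=300 comm="snap-confine" capability=4  capname="fsetid"
EOF
}

sample_log | summarize_denials snap.ncdu
```

Each output line is a count followed by profile, operation, target and denied mask, so profile-load STATUS noise drops out and repeated denials collapse into one row.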

Maybe it’s already covered but ncdu should also be able to read anything including hidden files, links, in /home/$USER or anywhere else.

ncdu is a very handy tool!

2 Likes

Looks like we’re good there. I even checked several directories off root and the hidden files are showing up as one would expect.

[Screenshot from 2020-11-03 09-43-26]

1 Like

@kz6fittycent it seems you were able to make your snap work as expected. Can you please confirm?

No, I still can’t view zfs pools. This is really the last bit we need to address.

Can you provide any information on errors that you see when trying to access zfs pools, or AppArmor denials etc from the kernel log? What paths are needed to be able to see zfs pools?

@kz6fittycent - ping, can you please provide the requested information?

@alexmurray @msalvatore I have provided those errors above. Not sure what else you’re needing. I just cannot access the pools. I’ve provided apparmor logs that I can see, etc.

Just grabbed the only log associated with ncdu from kern.log:

Dec  6 20:26:39 $HOST kernel: [42387.129055] audit: type=1400 audit(1607307999.826:105): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=200410 comm="snap-confine" capability=4  capname="fsetid"

@kz6fittycent can you please describe in more detail what your setup is so I can try and reproduce it? i.e. create a zfs pool as follows (please include commands etc), launch ncdu and browse to … and expect to see <something> etc.

Since I expect that during this process there should be some denials showing up in dmesg which indicate what access is missing for ncdu. Also could you please verify that it works when using the ncdu deb? This should then allow us to finally get to the bottom of this issue. Thanks.

@kz6fittycent could you please provide the requested information? Apologies for this long discussion, but this is needed to reproduce it on our side and hopefully help with the ncdu snap.