`network-control` + `network-setup-control` doesn't enable running `netplan generate` on classic

During my investigation into confining cloud-init (snapcraft.yaml here), I found that I needed to add the following system-files interface for networking configuration to run successfully (and without DENIED log messages from AppArmor):

network-extra-files:
    interface: system-files
    read:
        # This was getting DENIED when running ip
        - /etc/iproute2/rt_tables.d
        # udevadm reads this, and cloud-init uses udevadm to make
        # sure networking is fully applied before it goes any
        # further
        - /etc/systemd/network
    write:
        # netplan generate writes config to each of these dirs
        - /run/NetworkManager/conf.d
        - /run/systemd/network
        - /run/udev/rules.d

In addition, for netplan generate to run successfully, I had to add netplan.io to my stage-packages, and set NETPLAN_GENERATE_PATH: $SNAP/lib/netplan/generate in the cloud-init app’s environment. My snap is using a core18 base, so ideally I would be able to use the netplan that’s shipped in there.
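The stanza above was derived by hand from the AppArmor DENIED messages. Below is an added example of doing that mechanically: it is my code, not from the thread, cloud-init or snapd, and it turns the denial lines for one snap's AppArmor profile into the read/write directory lists a system-files plug needs. The log lines are constructed in the format of AppArmor audit messages (the directories are the ones named in the post, the file names under them are invented), and it assumes that a write entry in system-files also covers read, so a directory is listed only once.

```python
import posixpath
import re

# Constructed sample lines in the format of AppArmor audit messages (not copied
# from the thread). Directories are those named in the post; the file names
# under them are invented. The last line belongs to a different snap's profile.
SAMPLE_LOG = """
audit: type=1400 audit(1561234567.123:456): apparmor="DENIED" operation="open" profile="snap.cloud-init.cloud-init" name="/etc/iproute2/rt_tables.d/" pid=1234 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1561234567.456:457): apparmor="DENIED" operation="open" profile="snap.cloud-init.cloud-init" name="/etc/systemd/network/" pid=1235 comm="udevadm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1561234567.789:458): apparmor="DENIED" operation="mknod" profile="snap.cloud-init.cloud-init" name="/run/systemd/network/10-netplan-eth0.network" pid=1236 comm="generate" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1561234568.012:459): apparmor="DENIED" operation="open" profile="snap.cloud-init.cloud-init" name="/run/udev/rules.d/99-netplan-eth0.rules" pid=1236 comm="generate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1561234568.345:460): apparmor="DENIED" operation="open" profile="snap.cloud-init.cloud-init" name="/run/NetworkManager/conf.d/10-globally-managed-devices.conf" pid=1236 comm="generate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1561234568.678:461): apparmor="DENIED" operation="open" profile="snap.other.other" name="/etc/shadow" pid=2000 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Fields of interest in a file-access denial; field order is as the kernel emits it.
DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"'
    r'.*?denied_mask="(?P<mask>[^"]+)"'
)

# AppArmor permission letters that modify the target (write, append, create,
# delete, lock). Anything else (r, m, l, x) is treated as read-only here.
WRITE_LETTERS = set("wacdk")


def parse_denials(log_text, profile):
    """Return (path, denied_mask) pairs for DENIED events of exactly one profile.

    Filtering on the profile matters: other snaps' denials must not end up in
    this snap's plug.
    """
    found = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m and m.group("profile") == profile:
            found.append((m.group("name"), m.group("mask")))
    return found


def containing_dir(path):
    """AppArmor logs directories with a trailing slash; files map to their parent."""
    if path.endswith("/"):
        return path.rstrip("/")
    return posixpath.dirname(path)


def system_files_access(denials):
    """Group denied paths into sorted read/write directory lists for system-files."""
    read, write = set(), set()
    for path, mask in denials:
        if WRITE_LETTERS & set(mask):
            write.add(containing_dir(path))
        else:
            read.add(containing_dir(path))
    # Assumption: a write entry in system-files also grants read, so a
    # directory that needs write is not repeated in the read list.
    read -= write
    return {"read": sorted(read), "write": sorted(write)}


def render_plug(name, access):
    """Render the plug in the snapcraft.yaml layout used in the post."""
    lines = [f"{name}:", "    interface: system-files"]
    for kind in ("read", "write"):
        if access[kind]:
            lines.append(f"    {kind}:")
            lines.extend(f"        - {p}" for p in access[kind])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG, "snap.cloud-init.cloud-init")
    print(render_plug("network-extra-files", system_files_access(denials)))
```

Running it against a real `journalctl -k` or `dmesg` capture works the same way, as long as the profile name is restricted to the snap being confined; the output is a starting point to review (system-files is store-gated), not something to paste unread.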

Is this only generate and not apply?

I believe so, yes. (AIUI, this part of cloud-init runs before networking is applied to the system during boot, precisely so that when the networking comes up, the right config is in place.)

I’ve adjusted network-observe and network-setup-observe for the /etc/iproute2/rt_tables.d and /etc/systemd/network access. I’m investigating the write accesses now.


FYI, https://github.com/snapcore/snapd/pull/7019 implements additional rules for write access.
