'plugs/system-files' for hostctl snap

Hi, I’m publishing my first snap. I’ve added system-files with read/write permission to /etc/hosts because it is part of the main functionality of the package.

I’m getting this error on my GitHub action pipeline:

Will need manual review...
The Store automatic review failed.
A human will soon review your snap, but if you can't wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:
  - override not found for 'plugs/system-files'. Use of the system-files interface is reserved for vetted publishers. [...]
  - human review required due to 'allow-installation' constraint (bool)

How should I proceed now to leave in place a fully automated release cycle?

Thanks!

Instead of system-files, please use ‘network-control’, which grants access to the file.

Hi, thanks for replying. I’ve updated the code to publish with the network-control plug (version 0.5.5). When I try to publish, it says it’s waiting for approval.

Is that correct?

Revision 1 was in the manual review queue due to system-files. I rejected that (and revision 2 was automatically rejected). Revision 3, the one with network-control, was rejected because the snap.yaml was malformed. Just remove this whole stanza:

plugs:
  network-control:
    read:
    - /etc/hosts
    write:
    - /etc/hosts

reupload and it should pass automated review.

Thanks! version 0.5.6 was published correctly and I was able to install it. But when I try to run it I get a permission error:

[sudo] hostctl list
Using hosts file: /etc/hosts
Error: open /etc/hosts: permission denied

The list action only reads the file, sudo should only be needed to update it. But I can’t perform either of them.

What else can I do?

UPDATE: If I run snap interface network-control it shows this info:

name:    network-control
summary: allows configuring networking and network namespaces
plugs:
  - hostctl
slots:
  - core

Maybe it helps

network-control is not automatically connected. See: https://snapcraft.io/docs/interface-management

You need to perform sudo snap connect hostctl:network-control, then it should work.

Follow Process for aliases, auto-connections and tracks and create a new topic if you want to request auto-connection.

Thanks, it works after manually connecting. I’ll later check how to request the auto-connection.

Another feature of this tool is to add content to /etc/hosts by reading from some file on the user file system. Example: hostctl add --from /path/to/some/file -p myprofile. But I can’t get it to work because it seems the confinement restricts that.

Is there any workaround to read the file passed as argument to the CLI?

I suggest using ‘snappy-debug’ when developing your snap. It will make suggestions to you.

In this case, you probably need only to add ‘home’ to your plugs. You may want to allow reading from stdin as well (eg, hostctl add ... < /some/path) to handle any cases that the home interface does not cover. This is the recommended best practice in this circumstance.

Thanks @jdstrand I’ve already implemented stdin detection so it can be kept in strict confinement.

Also filed a new request for auto-connect to network-control here: Request auto-connect for hostctl with network-control
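
The stdin fallback recommended above, as an added example that is not part of the thread and is not hostctl's own code: `openSource` and `readEntries` are hypothetical helper names, and the per-line IP check is an assumed validation step for content headed to /etc/hosts.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

// openSource (hypothetical helper) opens the --from path, else uses stdin when it is piped or redirected.
func openSource(from string, stdin *os.File) (io.ReadCloser, error) {
	if from != "" {
		f, err := os.Open(from) // confinement can deny paths no connected interface covers
		if err != nil {
			return nil, fmt.Errorf("%w (try: hostctl add ... < %s)", err, from)
		}
		return f, nil
	}
	if fi, err := stdin.Stat(); err != nil || fi.Mode()&os.ModeCharDevice != 0 {
		return nil, fmt.Errorf("no --from file and nothing piped on stdin")
	}
	return stdin, nil
}

// readEntries (hypothetical helper) keeps "IP name..." lines and rejects lines that do not start with an IP.
func readEntries(r io.Reader) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		fields := strings.Fields(strings.SplitN(sc.Text(), "#", 2)[0]) // drop comments
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 2 || net.ParseIP(fields[0]) == nil {
			return nil, fmt.Errorf("line %d: not a hosts entry", n)
		}
		out = append(out, strings.Join(fields, " "))
	}
	return out, sc.Err()
}

func main() { // go run . entries.txt   or   go run . < entries.txt
	if src, err := openSource(strings.Join(os.Args[1:], ""), os.Stdin); err != nil {
		fmt.Println(err)
	} else {
		fmt.Println(readEntries(src))
	}
}
```

A terminal on stdin shows up as a character device, which is how the helper tells "nothing piped" apart from redirected input; `/dev/null` is also a character device, so redirecting from it is reported as no input.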