Plugs.system-files.read wildcard

xavpaice · November 11, 2021, 8:05pm

Hi,

I’m attempting to make a snap for https://github.com/greenpau/ovn_exporter which requires read access to /run/openvswitch/ovsdb-server.14232.ctl where 14232 is the pid of the openvswitch process. Unfortunately, this changes each time the service runs and so I can’t simply add the whole path to the read attribute of the system-files plug. I also don’t have the option of changing openvswitch, this is purely a monitoring tool to observe and/or query it. Is there a facility for a wildcard or regex where I can specify, say, /run/openvswitch/ovsdb-server.*.ctl?

The plugs sections so far:

apps:
  ovn-exporter:
    command: 'bin/ovn-exporter.wrapper'
    plugs:
      - network-bind
      - openvswitch
      - log-observe
      - system-observe
    daemon: simple
plugs:
  system-files:
    interface: system-files
    read:
      - /etc/openvswitch/system-id.conf
      - /var/run/ovn/ovnnb_db.ctl
      - /var/run/ovn/ovnnb_db.sock
      - /var/run/ovn/ovnsb_db.ctl
      - /var/run/ovn/ovnsb_db.sock
      - /var/run/openvswitch/ovsdb-server
      - /run/openvswitch/ovsdb-server.thisiswhereineedawildcard

ijohnson · November 15, 2021, 12:16pm

Wildcards are not supported in system-files by design unfortunately. You are probably better off with a new interface specific to openvswitch instead of using system-files for this purpose. If you need help creating the interface, providing the denials you see here would help to figure out what is needed, but if it’s just those files you mentioned with the wildcard on /run/oppenvswitch/ovsdb-server.* then it should be fairly straight forward

xavpaice · November 15, 2021, 7:56pm

Thanks for that. There’s an existing openvswitch interface but it doesn’t do all that I need this one to do - perhaps you could point me at the source so I can see if it’s viable to modify it or write a fresh one.

After some revisions the final list of files is:

plugs:
  system-files:
    interface: system-files
    read:
      - /etc/openvswitch/system-id.conf
      - /var/run/ovn/ovnnb_db.ctl
      - /var/run/ovn/ovnnb_db.sock
      - /var/run/ovn/ovnsb_db.ctl
      - /var/run/ovn/ovnsb_db.sock
      - /var/run/openvswitch/ovsdb-server
      - /run/openvswitch/ovsdb-server
      - /run/ovn/ovn-northd.pid
      - /run/ovn/ovnsb_db.pid
      - /run/ovn/ovnsb_db.ctl
      - /run/ovn/ovnsb_db.sock
      - /run/ovn/ovnnb_db.pid
      - /run/ovn/ovnnb_db.ctl
      - /run/ovn/ovnnb_db.sock
      - /run/openvswitch/ovsdb-server.14232.ctl # PID changes, need wildcard
    write:
      - /var/run/ovn/ovnnb_db.ctl
      - /run/ovn/ovnnb_db.ctl
      - /var/run/ovn/ovnnb_db.sock
      - /run/ovn/ovnnb_db.sock
      - /var/run/ovn/ovnsb_db.ctl
      - /run/ovn/ovnsb_db.ctl
      - /var/run/ovn/ovnsb_db.sock
      - /run/ovn/ovnsb_db.sock
      - /run/openvswitch/ovsdb-server.14232.ctl # PID changes, need wildcard

The snpacraft.yaml also lists the openvswitch plug (among others).

ijohnson · November 15, 2021, 10:15pm

Ah I hadn’t even realized there is an existing openvswitch interface, in that case just add the files you need to this variable in this file and create a PR:

github.com

snapcore/snapd/blob/e6af838505a04bbca3ba5a724cb8a2827fda0447/interfaces/builtin/openvswitch.go#L36-L42


const openvswitchConnectedPlugAppArmor = `
/run/openvswitch/db.sock rw,
/run/openvswitch/*.mgmt rw,
# ovs-appctl allows sending commands to Open vSwitch daemons at runtime
/run/openvswitch/ovs-vswitchd.*.ctl rw,
/run/openvswitch/ovs-vswitchd.pid rw,
`

xavpaice · November 16, 2021, 12:01am

Thanks - https://github.com/snapcore/snapd/pull/11062. If preferred, I could make a fresh interface for OVN based on this, just duplicating the openvswitch interface but with different files. I think they’re well connected enough to one another to have these in the same interface though.