Request classic mode for Visual LVM

Visual LVM is a remote GUI LVM manager; it needs to access/modify the LVM information of the host, so we have to run it in classic mode.
The information page of visual lvm is https://www.welees.com/visual-lvm.html

Thanks

The requirements for access / modify arbitrary files on the host are not sufficient for the granting of classic confinement (as per Process for reviewing classic confinement snaps). Can you please be more specific on what exactly your snap needs to access / modify on the host as I suspect system-files or another interface may allow you to achieve this. Thanks.

Hi, it needs to access:
/etc/lvm/backup/* // The LVM configuration files
/dev/[sdx|fdx|hdx|nvme??] // The disk/partition devices for reading/modifying/fixing LVM information
In fact it must run as root.

for the latter one there are already existing interfaces like raw-volume, block-device, mount-observe and probably also hardware-observe and system-observe … try running in strict confinement with the snappy-debug tool from the snappy-debug snap running in a second terminal to see where the roadblocks are.

together with the use of system-files to read the files in /etc/lvm* that should get you going with strict confinement … perhaps some of the above interfaces might need enhancement though …

Hi ogra,
I wrote a test snap with the following config:

```yaml
name: my-test
version: '1.1'
summary: Single-line elevator pitch for your amazing snap
description: 'This is a test snap'

grade: stable
confinement: strict

plugs:
  lvm-info:
    interface: system-files
    read:
      - /etc/**
    write:
      - /etc/**

parts:
  my-test:
    # See 'snapcraft plugins'
    plugin: dump

apps:
  ver:
    command: bin/ver
  show:
    command: bin/show
  test:
    plugs:
      - lvm-info
    command: bin/test $1 $2 $3
```

And the command test is:

```bash
#!/bin/bash
if [ "$1" == "read" ]; then
  cat "$2"
fi

if [ "$1" == "write" ]; then
  echo heheh >"$2"
fi
```

When I install the snap, it shows:

```
2021-07-27T18:22:05+08:00 INFO snap "test-common" has bad plugs or slots: lvm-info (cannot add system-files plug: "/etc/" contains a reserved apparmor char from ?[]{}^")
```

i don’t think you can use globbing (*) in the interface path at the system-files definition, put the full path into the write block instead, delete the read block (write implies read) and name the interface like the actual file path like:

```yaml
plugs:
  etc-lvm-backup:
    interface: system-files
    write:
      - /etc/lvm/backup
```

then, in your apps: declaration you use etc-lvm-backup in the plugs: section …

(also, make sure to put three backticks ``` at the lines above and below text you paste in a post, that way the formatting persists)


I modified it as you advised, but access is still denied. :frowning:

The snapcraft.yaml:

```yaml
name: my-test
version: '4.1'
summary: Single-line elevator pitch for your amazing snap
description: 'This is a test snap'

grade: stable
confinement: strict

plugs:
  etc-lvm-backup:
    interface: system-files
    write:
      - /etc/lvm/backup

parts:
  my-test:
    # See 'snapcraft plugins'
    plugin: dump

apps:
  ver:
    command: bin/ver
  show:
    command: bin/show
  test:
    plugs:
      - etc-lvm-backup
    command: bin/test $1 $2 $3
```

bin/test:

```bash
#!/bin/bash
if [ "$1" == "read" ]; then
  cat "$2"
fi

if [ "$1" == "write" ]; then
  echo heheh >"$2"
fi
```

Run result:

```
my-test.test write /etc/lvm/backup/test
/snap/test-common/x1/bin/test: line 7: /etc/lvm/backup/test: Permission denied
```

did you connect the interface with sudo snap connect ... ?

Oops, I forgot it! And it works!
Thank you!
And another question: how do I know which interface(s) a snap needs?
Thank you again!


you do snap install snappy-debug and run the snappy-debug command from it in a second terminal while running your application, the output from it should give you some hints about missing interfaces …

Sorry, I mean: how does the user know?

Thanks!

the user does not know, you could use a wrapper script that uses “snapctl is-connected …” to check if the interface is connected and show a message in case it is not …

you can also try to ask for auto-connection of the plugs at install time (just change the topic of this thread to become an auto-connection request), note though that for system-files plugs your app needs to be the clear owner of the dir/file the plug permits to get auto connection granted …
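
The wrapper-script check suggested above, as an added example that is not part of the original posts: a launcher that runs `snapctl is-connected` for each required plug and prints the matching `sudo snap connect` command when one is missing. The plug name `etc-lvm-backup` and the `bin/test` path come from this thread; the function names and the `REQUIRED_PLUGS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: launcher that refuses to start the app until every
# required plug is connected, and tells the user how to connect it.

# Plug names as declared in snapcraft.yaml (etc-lvm-backup is the plug
# from this thread; append further plug names separated by spaces).
REQUIRED_PLUGS="etc-lvm-backup"

# Print the name of each given plug that is NOT connected, one per line.
# `snapctl is-connected <plug>` exits 0 only when the plug is connected.
missing_plugs() {
    for plug in "$@"; do
        if ! snapctl is-connected "$plug" 2>/dev/null; then
            printf '%s\n' "$plug"
        fi
    done
}

# Print one `snap connect` command per missing plug.
# $1 is the snap name, the remaining arguments are plug names.
connect_hint() {
    snap_name=$1
    shift
    for plug in "$@"; do
        printf 'sudo snap connect %s:%s\n' "$snap_name" "$plug"
    done
}

main() {
    # Word splitting of REQUIRED_PLUGS and $missing is intentional.
    missing=$(missing_plugs $REQUIRED_PLUGS)
    if [ -n "$missing" ]; then
        echo "This snap needs interfaces that are not connected. Run:" >&2
        connect_hint "$SNAP_NAME" $missing >&2
        exit 1
    fi
    # All plugs connected: hand over to the real command.
    exec "$SNAP/bin/test" "$@"
}

# snapd sets SNAP for app commands; outside a snap this file only
# defines the functions above and does nothing else.
if [ -n "${SNAP:-}" ]; then
    main "$@"
fi
```

To use it, install the script into the snap (for example as `bin/launcher`, a hypothetical path) and point the app's `command:` at it instead of `bin/test`.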

@weLees - can you please update this thread on the status for visual-lvm? It would appear from the discussion above that you may have got it working under strict confinement - can you confirm? Thanks.

We are trying to make it work in strict confinement, but more time is needed.

Finally we’ve transferred it to strict mode.
How to update the status?

There is nothing you need to do - thanks for confirming it is working with strict confinement, I will consider this request for classic confinement closed then as it is no longer necessary.

Hi alexmurray, we have tried all methods to make visual-lvm-remote work in strict mode but failed. It needs to work with /dev/sdx, /proc/{@id}/mounts, and seeks mkfs.xxx to implement all features. I have to request classic mode for visual-lvm-remote again. We can’t make it work in strict mode. T_T

As per the Process for reviewing classic confinement snaps, unfortunately the inability to get a snap working under strict confinement is not a sufficient precondition to be granted the use of classic confinement.

Not every application is able to be packaged as a strictly confined snap, and for those that are not, they must have a requirement for classic confinement as per that page - but again, this snap doesn’t seem to need to execute arbitrary binaries from the host or access things outside the snap’s runtime etc. Instead it would seem to need an interface that provides direct access to underlying disk devices. This does not currently exist but perhaps the block-devices interface which provides partition level access may be sufficient?

Also for /proc/$id/mounts you could try using mount-observe.

Thanks

Hi alex, it seems that we can ignore the mount case now. But we’ve found a new case: my snap cannot open /dev/mapper/control. It shows “Operation not permitted”.

:smiling_face_with_tear:

It looks like it should be possible to access /dev/mapper/control by using the dm-crypt interface - next time can you try using snappy-debug which should automatically suggest such things. Thanks.
