Request for classic confinement for haysell-pos

HaySell PoS

HaySell is a cloud based Trade Automation Modern System which includes Web based back office and PoS (Point of Sale) application written in Qt/C++. Our market is currently only Armenia, and recently we began to intensively switch to Ubuntu (since we were very tired of Windows :grinning:)

Since PoS software ( in other words cash register machine ) works directly with hardware, with different equipments with various interfaces - USB, Serial Ports, all types of sockets - TCP, UDP, Websockets, uses system printing service ( Winspool before, maybe cups also in the future ), calls different system processes, uses a network…in other words, everything…it is very difficult to imagine how it would work in a restricted environment…

I know, (or rather I hope) that all listed problems (or maybe some of them) can be resolved playing with snapcraft.yaml file (or maybe somehow else), but Cash register machine is some kind of critical mission solution, so, if there is a chance to “make it work as before,” then this option should be considered first…

P.S. I realize that I haven’t given the exact reason why the classic mode is needed and what exactly the program does… Believe me, it will be easier to list what the program does not do. (at least for self update call `snap refresh haysell-pos’. In some cases it is critical to update before operate )

1 Like

Hi @delphi251189

Do you have any more details on the specific issues encountered when using strict mode?

I see that revision #29 some interfaces to handle networking, hardware, printing (serial-port, raw-usb, cups, network.., etc). Let us know the details and we can assist to still get the benefits of strict confinement.

Thanks!

Yes. In general calling external processes. Some device vendors ( for example Ingenico payment terminals ) provides standalone binary executable files to interact with their devices ( for example call ‘ingenico.exe --bill 2.56$’ ) All such cases wrapped in so called run_process(…) function which doesn’t work in snap build.

Also there are many cases to access host OS filesystem…even sometimes need to edit system config files ( for example udev.conf files to make USB or Serial devices read-writable. In many cases there is no read-write permissions out of box, so PoS software takes care about modifying some system config files, just because users are unable to do it themselves. All they need to type password, or click Yes in Windows Admin prompt )

Also there are many cases of traditional file exchange with other systems (some other device vendors provides executables and the only way to interact with them is XML file exchange ), so, isolated FS is not much usable.

In basic cases PoS software can work without all of listed below capabilities, but the full functionality needs classic mode I think…or huge effort…

Thanks in advance Karapet Khachoyan

1 Like

Also not such critical case. There are some predefined information of known devices( for examples list of MAC address ranges of known device vendors ). If user adds some device and edits config (for example typing IP address), application hints/suggests/autofills some fields, preventing user to fill wrong info ( for example it can prevent assigning 192.168.3.68 IP address to Ingenico terminal, if MAC address of that address doesn’t belongs to Vendor )

Application scans ARP cache from system ( calling arp -a or in OS specific ways ) and hepls user to config devices correctly.

This functionality is not critical, but very desirable.

In general, there are a lot of cases, and interoperability of each one taken separately is not critical. But interoperability of all cases together is critical.

We tested our app in Ubuntu in a few dozen clients ( just by copying and extracting zip archive ) and it works good.

The only thing is to decide what to choose as a deployment tool ( Debian APT repository, snap or custom/3rd-party Installers ), as it is impossible to maintain thousands of instances by copy and extracting zip archives.

The best choice I think is SNAP, as it easiest to install, provides Admin page, analytics tools and marketplace to make our app discoverable to all.

The only issue is…restricted mode :anguished:

To get classic granted (which is by many margins harder to package and maintain correctly than a strict snap FWIW) your app needs to fit into one of the supported categories from:

(Which i doubt it does)

It should not actually be too hard to properly package such an app as strictly confined snap utilizing the existing snap interfaces though…

(Note also that since money is involved here, strict confinement would surely be the better choice from a security POV)

Ok In that case, is there any way to call external process from strict mode, as at this point, it is the biggest issue that we faced?

Maybe some slot named ‘raw-process’ or something like that???

No, but you can bundle whatever you need with your snap, the interfaces will give you access to required system resources…

BTW, there are quite a few POS apps in the store already, all strictly confined:

Perhaps it helps looking at their snapcraft.yaml (if publicly available) to get an idea…

3 Likes

Hey @delphi251189

Any progress on that? Did @ogra suggestion worked for you?

Hi. Basically everything works fine with limited functionality… Also I faced another problem, when some slots (like raw-usb ) needs to enable manually.

But deploying with snap is still expiremental, we just testing in office environment. In clients PCs we insalling via Qt Installer Framework like classic app due to sandboxed nature of snap.

Hey @delphi251189

I’m removing this topic from our queue.

Please feel free to open a new topic to request auto-connection for those interfaces that are needed by they snap.

Thanks!