Request for personal-files confinement for k9s + Popeye


#1

Hi,
I am very new to snapcraft but think I need to request special review for 2 of my projects currently hosted here. I think my previous releases are snap duds since they can’t r/w for the user home directory and hence causing failures. I’ve changed my snap manifest to either specify edge or devel or a personal-file plug but getting a message that the release must have a human review for both projects. Please advise on how to best proceed so I can make my releases working and available as snaps.

Thank you!

Here is the errors I can see in my dashboard.

human review required due to ‘allow-installation’ constraint (bool) declaration-snap-v2_plugs_installation (popeye, personal-files)

Here are the links to the repos:

popeye
k9s


#2

First off, please understand that snaps have $HOME set to ~/snap/<snapname>/current so if you simply use the $HOME environment variable, your snap should work. Secondly, the ‘home’ interface allows access to all of the user’s actual home where the user owns the files, except for toplevel dot files/directories. Typically this combination is sufficient for applications as I understand your description.

The personal-files interface is special and is typically used to provide read-only access to select toplevel dot files/directories, where the snap is the clear owner of that directory.

Your request doesn’t have enough information to proceed. What specific accesses are blocked and why does your application need them?


#3

@jdstrand Thank you for your response! Sorry, I will clarify my initial request.

Both my applications k9s and popeye leverage the user’s home directory to read/write configuration files they own ie .k9s and .popeye dirs respectively. These configuration files are needed to direct the application on how it should run/behave. Hence they need to access top level .dotfile in the user’s home directory. Both applications also need read access to .kube directory in the user’s home to access Kubernetes configurations. Lastly my applications leverage logging which typically goes out to /tmp which I do not believe I need special provisions for??

My limited understanding, is to build the snap by adding the personal-files interface to enable these to be included in the snap sandbox. In which case I would need special approval from someone on your team. Is this correct? If there are better ways to achieve this please advise.

Thank you for your time and for this great tool!


#4

Please note that the snap’s $HOME is set to ~/snap/<snap name>/<current snap revision> and snaps are allowed to created any files they desire within this directory, so the use of personal-files here does not seem needed. From https://forum.snapcraft.io/t/the-personal-files-interface/9357: “this interface is typically used to provide read-only access to top-level hidden data directories within a user’s home directory in order to support importing data from existing applications where the snap is the clear owner of the target directory.”

Example text for when the snap wants access but isn’t the clear owner: "This snap is not the clear owner but it does seem clear from the application’s intended usage that the application should have at least read-only access to the directory with auto-connection, so long as the interface reference is clear. Please use the following:

plugs:
  config-DIR:
    interface: personal-files
    read:
    - $HOME/.config/DIR

It is less clear that write-access is required, and if it is, it should probably be manually connected; with read-only access, the snap can import/sync to its per-snap area and not interfere with the target directory which is more in-line for the use of this interface and is much safer and robust. Can you provide more information?

As for /tmp, yes, there is nothing more you need to do.


#5

@jdstrand Thank you so much for the explanation and example! I’ll switch over to enable personal-files as you’ve described here on the next release for both projects. K9s and Popeye currently only need read access to .kube/config to read Kubernetes clusters information.

What else would you need from me to make sure I can successfully drop the next snaps?


#6

@derailed - there is a voting process for this. Now that you’ve stated you want access to ~/.kube/config. Currently your snap is using:

plugs:
  personal-files:
    read:
    - $HOME/.kube

but you said above that you need $HOME/.kube/config. Would changing the above to use $HOME/.kube/config be sufficient for the application? (I don’t know what else might be in $HOME/.kube).


#7

@derailed - your response is needed to proceed with this request. Thanks


#8

@jdstrand Sorry for the delay and thank you for your reply! I think $HOME/,kube is indeed what we want here as there can be many configs in there that a user may want to choose. These can be set directly via the command line or via $KUBECONFIG env var. Thus $HOME/.kube directory should indeed be accessible for both projects.

Please let me know if you need anything else from me.

Thank you!


#9

+1 to allow use of personal-files with read-only access to $HOME/.kube with the interface reference of ‘kube-config’ for both k9s and popeye.

@derailed - since there is an additional requirement that the interface reference be meaningful to users of your snap, please adjust your snaps to use:

name: ...
plugs:
  kube-config:
    interface: personal-files
    read:
    - $HOME/.kube
apps:
  <cmd>:
    plugs:
    - kube-config
    ...

@reviewers - can some of you vote on these requests?


#10

+1 from me as well with snap using as described in @jdstrand reply above. The kube-config interface is limited to read only to $HOME/.kube for k9s and popeye.


#11

@jdstrand @Igor - Thank you both for looking into it! I do have a question.: I’ve noticed that kubectl snap is using classic confinement. Given K9s and Popeye are is essence using the same configuration do you guys feel that I should be using this confinement instead and force users to specify --classic?


#12

@jdstrand - I’ve just tried to push a new K9s snap based on your recommended snap config updates. Can you please verify my changes to make sure I did this correctly based on your recommendation?

Guessing I’ve missed something here based on the following message:

The Store automatic review failed.
A human will soon review your snap, but if you can’t wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:

  • override not found for ‘plugs/kube-config’. Use of the personal-files interface is reserved for vetted publishers. If your snap legitimately requires this access, please make a request in the forum using the ‘store-requests’ category (https://forum.snapcraft.io/c/store-requests), or if you would prefer to keep this private, the ‘sensitive’ category.
  • human review required due to ‘allow-installation’ constraint (bool)