Request for waagent

The agent is required for an analogous experience between Ubuntu Classic and Ubuntu Core on Azure, and without these interfaces the Snap is non-functional (the agent will not communicate with the Azure control plane, the Virtual Machine UI will produce no telemetry, and integration with other Azure features will be limited).

This request has been added to the queue for review by the @reviewers team.

Hey @jrtknauer

Starting with system files:

  • /sys/bus/vmbus/devices is certainly expected as it is how Hyper-V exposes the control plane to its guests (see https://docs.kernel.org/virt/hyperv/vmbus.html).
  • /sys/devices/LNXSYSTM:00: could you please specify what is currently needed? If only access to uevent and power is required, maybe the power-control interface will work.

Regarding mount-control, could you please provide more details about why it is needed and which DENIALs you find if the interface is not connected?

(#askForInfo)

Thanks

One of the denials which stood out:

May 16 06:15:12 jrtknauer-walinuxagent walinuxagent.waagent[98596]: PermissionError: [Errno 13] Permission denied: '/mnt/cdrom' 

There is also the related mount configuration for the WALinuxAgent:

ResourceDisk.MountPoint
Type: String
Default: /mnt/resource

This specifies the path at which the resource disk is mounted.

ResourceDisk.MountOptions
Type: String
Default: None

Specifies disk mount options to be passed to the mount -o command. This is a comma separated list of values, ex. 'nodev,nosuid'. See mount(8) for details.

Note that it is not trivial to comprehensively test the full surface area of the WALinuxAgent’s execution (and there are still many issues to address in the future).

The access to /mnt and /media is handled via the removable-media interface; mount-control only handles the mount system call (which indeed requires root permissions by the kernel, not a snap-related thing).

mount is called by waagent. Here is waagent running in an Ubuntu Core VM on Azure with all interfaces connected except for mount-control:

Connections:

$ snap connections waagent
Interface         Plug                           Slot               Notes
firewall-control  waagent:firewall-control       :firewall-control  manual
mount-control     waagent:mntctl                 -                  -
mount-observe     waagent:mount-observe          :mount-observe     manual
network           waagent:network                :network           -
network-bind      waagent:network-bind           :network-bind      -
network-observe   waagent:network-observe        :network-observe   manual
removable-media   waagent:removable-media        :removable-media   manual
system-files      waagent:sys-bus-vmbus-devices  :system-files      manual

Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]: 2025-06-30T02:05:27.731986Z ERROR Daemon Daemon Event: name=WALinuxAgent, op=UnhandledError, message=[Errno 13] Permission denied: 'mount'
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]: Traceback (most recent call last):
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/daemon/main.py", line 83, in run
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     self.daemon(child_args)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/daemon/main.py", line 144, in daemon
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     self.provision_handler.run()
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/pa/provision/default.py", line 79, in run
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     ovf_env = self.protocol_util.copy_ovf_env()
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/protocol/util.py", line 81, in copy_ovf_env
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     self.osutil.mount_dvd()
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/osutil/default.py", line 452, in mount_dvd
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     return_code, err = self.mount(dvd_device,
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:                        ^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/osutil/default.py", line 537, in mount
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     output = shellutil.run_command(cmd, log_error=chk_err)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/utils/shellutil.py", line 288, in run_command
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     return __run_command(command_action=command_action, command=command, log_error=log_error, encode_output=encode_output)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/utils/shellutil.py", line 190, in __run_command
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     return_code, stdout, stderr = command_action()
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:                                   ^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/utils/shellutil.py", line 255, in command_action
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     process = _popen(command, stdin=popen_stdin, stdout=stdout, stderr=stderr, shell=False)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/snap/waagent/x1/lib/python3.12/site-packages/azurelinuxagent/common/utils/shellutil.py", line 398, in _popen
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     process = subprocess.Popen(*args, **kwargs)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/usr/lib/python3.12/subprocess.py", line 1026, in __init__
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     self._execute_child(args, executable, preexec_fn, close_fds,
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:   File "/usr/lib/python3.12/subprocess.py", line 1955, in _execute_child
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]:     raise child_exception_type(errno_num, err_msg, err_filename)
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]: PermissionError: [Errno 13] Permission denied: 'mount'
Jun 30 02:06:08 jrtknauer-waagent waagent.waagent[973]: , duration=0

Furthermore, the Azure Portal still reports:

virtual machine agent status is not ready

Agent status     Not Ready
Agent version    Unknown

This error will loop and persist every 15 seconds until connecting the mount-control interface:

$ sudo snap connect waagent:mntctl

From the Azure Portal:

Agent status     Ready
Agent version    2.13.1.1

There are a multitude of other issues we still need to address, but this appears to be the minimal set of interfaces required to enable communication between the agent and the Azure control plane.

Hey @jrtknauer

Thanks for the info. According to WALinuxAgent/azurelinuxagent/common/protocol/util.py at master · Azure/WALinuxAgent · GitHub it seems that the ovf env file is copied from the DVD, which needs to be mounted during startup. Thus, mount-control looks fine to me.

Could you also please double check (#askForInfo):

/sys/devices/LNXSYSTM:00: could you please specify what is currently needed? If only access to uevent and power is required, maybe the power-control interface will work.

The relevant errors when removing /sys/devices/LNXSYSTM:00:

Jun 30 15:58:23 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:58:08.165008Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/'
Jun 30 15:58:23 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:58:23.204134Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/'
Jun 30 15:58:53 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:58:38.248371Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/'
Jun 30 15:58:53 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:58:53.320513Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/'
Jun 30 15:59:08 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:59:08.387003Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/2dd1ce17-079e-403c-b352-a1921ee207ee/device_id'
Jun 30 15:59:49 jrtknauer-core-power-control waagent.waagent[3102]: 2025-06-30T15:59:23.454386Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/2dd1ce17-079e-403c-b352-a1921ee207ee/device_id'

All the errors you shared seem to be related to /sys/bus/vmbus/devices/, which should still be permitted by the system-files interface. Could you please double check that the system-files interface is also connected for jrtknauer-core-power-control?

Yes, I have confirmed that the interface is still present:

$ snap connections
Interface         Plug                           Slot               Notes
firewall-control  waagent:firewall-control       :firewall-control  manual
mount-control     waagent:mntctl                 :mount-control     manual
mount-observe     waagent:mount-observe          :mount-observe     manual
network           waagent:network                :network           -
network-bind      waagent:network-bind           :network-bind      -
network-observe   waagent:network-observe        :network-observe   manual
removable-media   waagent:removable-media        :removable-media   manual
system-files      waagent:sys-bus-vmbus-devices  :system-files      manual

This is one of the very first issues we had to resolve when snapping the agent. For example, the original logs from a prototype snap which only included /sys/bus/vmbus/devices:

May 16 08:38:26 jrtknauer-walinuxagent walinuxagent.waagent[144715]: 2025-05-16T08:38:26.227556Z WARNING Daemon Daemon Error getting device for 00000000-0001 or f8b3781a-1e82-4818-a1c3-63d806ec15bb: [Errno 13] Permission denied: '/sys/bus/vmbus/devices/2dd1ce17-079e-403c-b352-a1921ee207ee/device_id'

The issue specifically comes from some of the devices being symlinks to things under sys/devices/LNXSYSTM\:00/LNXSYBUS\:00. Official guidance at the time was:

apparmor resolves the symlinks, the final directories need to be in the system-files plug. Otherwise iirc the permissions are recursive

Are there any updates on the review for this request?
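
The symlink behaviour described above, as an added example that is not part of the thread or of the waagent snap: a Python audit that resolves every entry of a VMBus-style devices directory to its final path, as the quoted guidance says AppArmor does, and reports which targets fall outside the paths listed in a system-files plug. The tree it builds is constructed (only the GUID comes from the quoted log; `VMBUS:00` and the second device name are made up), and `audit`, `narrowest_addition` and `build_sample` are hypothetical names.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path


def covered(real: Path, allowed: list[Path]) -> bool:
    """True if the resolved path equals or sits below an allowed path."""
    return any(real == a or a in real.parents for a in allowed)


def audit(devices_dir: str, plug_paths: list[str]) -> dict[str, str]:
    """Map each entry in devices_dir whose symlink-resolved path falls
    outside plug_paths to that resolved path."""
    allowed = [Path(p) for p in plug_paths]
    missing = {}
    for entry in sorted(Path(devices_dir).iterdir()):
        real = Path(os.path.realpath(entry))  # confinement sees this path
        if not covered(real, allowed):
            missing[entry.name] = str(real)
    return missing


def narrowest_addition(missing: dict[str, str]) -> str | None:
    """Deepest directory containing every uncovered target: the smallest
    single path that would cover them all."""
    return os.path.commonpath(list(missing.values())) if missing else None


def build_sample(root: str) -> str:
    """Constructed tree mimicking the layout in the thread; returns the
    path of the bus directory that holds the symlinks."""
    target = Path(root, "sys/devices/LNXSYSTM:00/LNXSYBUS:00/VMBUS:00")
    bus = Path(root, "sys/bus/vmbus/devices")
    bus.mkdir(parents=True)
    for guid in ("2dd1ce17-079e-403c-b352-a1921ee207ee", "constructed-device-2"):
        (target / guid).mkdir(parents=True)
        (target / guid / "device_id").write_text("{constructed}\n")
        (bus / guid).symlink_to(target / guid)
    return str(bus)


if __name__ == "__main__":
    root = os.path.realpath(tempfile.mkdtemp())
    bus = build_sample(root)
    gaps = audit(bus, [bus])  # plug lists only the bus directory
    print(gaps, narrowest_addition(gaps))
    print(audit(bus, [bus, root + "/sys/devices/LNXSYSTM:00"]))
```

On a real guest, call `audit("/sys/bus/vmbus/devices", [...])` with the paths from the plug; `narrowest_addition` shows whether a directory deeper than the one requested would already cover every target.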

Considering all the information, +1 from me for granting waagent auto-connection to the requested system-files and mount-control interfaces (#voteFor).

The only thing missing from my side is that the system-files interface should be split into two interfaces matching the usual naming convention:

  • sys-bus-vmbus-devices
  • sys-devices-LNXSYSTM00

Thanks