Request intel-qat approval + auto-connect in OpenSearch snap

Hi there,

We are adding QAT support to our opensearch snap - and for that we need approval for using the intel-qat interface and having it auto-connectable.

In addition to this, since we are running our opensearch daemon as the snap_daemon:snap_daemon user as shown here, we would need rw access to both:

/dev/vfio/devices/*
/dev/vfio/*

for the snap_daemon user.

In addition to this, when uploading to the store, I’m getting:

Issues while processing snap:
- interface 'intel-qat' not found in base declaration
- Error found while validating snap.json::$.plugs.intel-qat.interface: 'intel-qat' is not one of ['account-control', 'accounts-service', ..., 'intel-mei', ...]

Thank you, Mehdi

• name: opensearch
• description: OpenSearch database snap
• snapcraft: snapcraft.yaml
• upstream: github.com/opensearch-project/opensearch
• interfaces:
  • intel-qat:
    • request-type: installation and auto-connection
    • reasoning: Upstream recently added QAT support for OpenSearch and we need this interface for enabling QAT

This request has been added to the queue for review by the @reviewers team.

Hi @review-team - any news on this?

Hello @medib , the review-tools is still not using the updated base declaration that includes ‘intel-qat’. I’ll check with the team to update it.

Hi @pfsmorigo, thanks for the response.

Given that our service starts with the snap_daemon:snap_daemon user. Would this interface used as-is also allow the snap_daemon to have full read/write access to:

/dev/vfio/devices/*
/dev/vfio/*

?

I don’t think so. The interface itself does not seem to allow anything under /dev/vfio/devices/*. Also, DAC rules still apply normally.

Thanks

Interfaces never adjust existing permissions of any underlying nodes/files, what you possibly can do is to ship a oneshot daemon in your snap that alters the group permissions of the device node to allow the snap_daemon group access to it or some similar workaround…