Request intel-qat approval + auto-connect in OpenSearch snap

medib · March 23, 2025, 11:12pm

Hi there,

We are adding QAT support to our opensearch snap - and for that we need approval for using the intel-qat interface and having it auto-connectable.

In addition to this, since we are running our opensearch daemon as the snap_daemon:snap_daemon user as shown here, we would need rw access to both:

/dev/vfio/devices/*
/dev/vfio/*

for the snap_daemon user.

In addition to this, when uploading to the store, I’m getting:

Issues while processing snap:
- interface 'intel-qat' not found in base declaration
- Error found while validating snap.json::$.plugs.intel-qat.interface: 'intel-qat' is not one of ['account-control', 'accounts-service', ..., 'intel-mei', ...]

Thank you, Mehdi

name: opensearch
description: OpenSearch database snap
snapcraft: snapcraft.yaml
upstream: github.com/opensearch-project/opensearch
interfaces:
- intel-qat:
  - request-type: installation and auto-connection
  - reasoning: Upstream recently added QAT support for OpenSearch and we need this interface for enabling QAT

store-requests-bot · March 23, 2025, 11:42pm

This request has been added to the queue for review by the @reviewers team.

medib · March 27, 2025, 2:21pm

Hi @review-team - any news on this?

pfsmorigo · March 27, 2025, 8:14pm

Hello @medib , the review-tools is still not using the updated base declaration that includes ‘intel-qat’. I’ll check with the team to update it.

medib · March 28, 2025, 11:16am

Hi @pfsmorigo, thanks for the response.

Given that our service starts with the snap_daemon:snap_daemon user. Would this interface used as-is also allow the snap_daemon to have full read/write access to:

/dev/vfio/devices/*
/dev/vfio/*

?

jslarraz · March 31, 2025, 10:56am

I don’t think so. The interface itself does not seem to allow anything under /dev/vfio/devices/*. Also, DAC rules still apply normally.

Thanks

ogra · March 31, 2025, 11:03am

Interfaces never adjust existing permissions of any underlying nodes/files, what you possibly can do is to ship a oneshot daemon in your snap that alters the group permissions of the device node to allow the snap_daemon group access to it or some similar workaround…

jslarraz · April 21, 2025, 3:20pm

hey @medib

Anything we can do here? (#askForInfo)

medib · April 22, 2025, 5:20pm

Hi @jslarraz Yes - the following:

Patching the review-tools so that it includes intel-qat, as we’re currently unable to publish new revisions of the snap with a reference to this interface
approve the auto-connect of this interface for the opensearch snap

Thank you, Mehdi

medib · April 25, 2025, 2:52pm

@review-team any news on this?

jslarraz · April 30, 2025, 10:23am

Hey @medib

Sorry for the delay. A new review-tools version has been deployed to the store including the intel-qat interface, so you should be able to publish the new revision including this interface.

+1 from me for (#voteFor) granting opensearch auto-connection to the intel-qat interface.

Thanks

yomonokio · May 2, 2025, 11:56am

+1 from me as well for (#voteFor) granting opensearch auto-connection to the intel-qat interface.

This is going to be live, after you submit a new revision, including the interface

store-requests-bot · May 2, 2025, 12:00pm

Voting period has ended. This request is approved with 2 votes for and 0 votes against.

medib · May 2, 2025, 3:01pm

Thank you @jslarraz & @yomonokio

jslarraz · June 4, 2025, 7:41am

Adding tag for the automation #askForInfo. Please let us know once the new revision using the intel-qatis uploaded to the store

medib · June 19, 2025, 10:43am

@jslarraz it was uploaded today, revision 75

jslarraz · June 19, 2025, 1:05pm

Perfect, this is now live!