Requesting auto-connect of personal-files for skpr

kimpepper · September 24, 2020, 8:40am

Skpr is a container-based hosting platform. The skpr snap is the CLI client used for deployments, configuration etc. that talks to the remote service.

The skpr client needs to read a number of different configuration files from a .skpr/ directory in each project root that uses the tool.

These files differ from project to project.

Therefore it cannot use strict confinement.

Regards,

Kim

NB I have also made another request to move this tool to an organisation account named ‘skpr’. See Please transfer skpr snap to skpr org

Lin-Buo-Ren · September 24, 2020, 8:47am

As long as the so-called project root is under the user’s home directory or regular mount paths (e.g. /media, /mnt) it is not a valid reason to grant classic confinement.

Note that the home interface allows access to hidden directories as long as they are not direct children of $HOME.

My 2 cents.

emitorino · September 24, 2020, 4:58pm

Hi @kimpepper, thanks for your post.

If you check our Process for reviewing classic confinement snaps, the access to arbitrary files on the system isn’t typically a justification for classic. Strictly confined snaps can access users’ files with the home and the removable-media interfaces. personal-files and system-files may be used as well if needed. I have inspected skpr declaration and I see you have not plugged any interface yet. You can use snappy-debug to get suggestions/understand missing interfaces and denials. If you run into problems, post the snappy-debug output here along with your questions and we are happy to help.

I hope plugging some of the suggested interfaces support your platform use cases. This way you can keep your snap strict and enjoy all the benefits of a stable runtime environment. Please remember classic snaps are not installable on Ubuntu Core devices and also run in the global mount namespace, which means great care must be taken for the snap to work reliably across distributions.

kimpepper · September 24, 2020, 10:16pm

A user could have many different projects all in different locations. These are typically separate git repos. It’s not one project located in the users home directory.

Lin-Buo-Ren · September 25, 2020, 3:12am

Can you please elaborate the paths that the project may mostly reside, which are not covered by the home and removable-media interfaces?

kimpepper · September 25, 2020, 3:26am

For example:

$HOME/dev/project1
$HOME/dev/project2
$HOME/dev/project3

Unless that is covered by home?? Sorry, first time at submitting, so I may have missed that.

Kim

Lin-Buo-Ren · September 25, 2020, 6:47am

Those paths are definitely covered by the home interface

kimpepper · September 26, 2020, 1:34am

Thanks for clarifying.

I am still not able to read personal files in the users $HOME directory.

Here’s my config:

apps:
  skpr:
    command: skpr
    plugs:
      - skpr-config
      - home
  skpr-rsh:
    command: skpr-rsh
    plugs:
      - skpr-config
      - home

plugs:
  skpr-config:
    interface: personal-files
    read:
      - $HOME/.skpr

I’m installing the snap locally using sudo snap install skpr_v0.8.0_amd64.snap --devmode, then running sudo snap connect skpr:skpr-config :personal-files.

However, the command doesn’t seem to find the config files in the $HOME/.skpr directory.

Any tips?

Thanks Kim

kimpepper · September 26, 2020, 1:40am

When I run snap run --shell skpr then list the $HOME dir I don’t see the .skpr/ dir:

 ls -la $HOME
total 12
drwxr-xr-x 2 kim kim 4096 Sep 26 11:38 .
drwxr-xr-x 5 kim kim 4096 Sep 26 11:34 ..
-rw------- 1 kim kim    6 Sep 26 11:38 .bash_history

kimpepper · September 26, 2020, 1:54am

…and $HOME is set to /home/<USER>/snap/skpr/<VERSION>

I thought the whole point of the personal-files interface was to grant access to the real $HOME directory?

ogra · September 26, 2020, 9:02am

nobody said anything about setting $HOME to it though

there is a workaround mentioned in:

use it with a command-chain wrapper in your apps to export $HOME and you should be good

alexmurray · September 29, 2020, 4:34am

This thread now appears to be requesting auto-connect of personal-files for skpr - can the title please be updated accordingly?

Also @kimpepper for consistency, could you please rename the personal-files instance to dot-skpr?

Finally, +1 from me for auto-connect of the dot-skpr personal-files instance providing read access to $HOME/.skpr for skpr from me - this is one of the primary purposes of the personal-files interface.

kimpepper · September 29, 2020, 4:38am

Thanks @alexmurray I have updated the title and pushed a new revision with the rename personal-files instance to dot-skpr.

kimpepper · October 6, 2020, 1:49am

Just bumping this request for a review please! Thx

kimpepper · October 9, 2020, 3:50am

Not sure I need a separate forum post, but the latest release is still at ‘ManualReviewPending’. Can anyone help?

roadmr · October 9, 2020, 12:05pm

+1 for personal-files.

@kimpepper no need for action on your part on the manual review, once the personal-files update to the snap declaration is ready your snaps should pass automated review. Thanks for your patience

Daniel

kimpepper · October 12, 2020, 12:50am

I’ve uploaded a newer release and still says it needs manual review:

human review required due to ‘allow-installation’ constraint (bool) declaration-snap-v2_plugs_installation (dot-skpr, personal-files)

emitorino · October 13, 2020, 10:35pm

+1 from me for auto-connect of the dot-skpr personal-files instance providing read access to $HOME/.skpr for skpr

+3 votes for, 0 votes against, granting auto-connect of personal-files to skpr. This is now live.