Requesting 'classic' confinement for yq

yq (https://github.com/mikefarah/yq) is a command line utility tool for processing Yaml documents.

Users frequently want to access root-only files as part of their work-flow (https://github.com/mikefarah/yq/issues/148)

1 Like

Note that for at least some of the permission denied errors from that github issue, you could switch to using the home plug with the read: all attribute specified such that then when the snap is run as root, it can still read non-root users home folders. This requires a new snap declaration however but that can be requested right here in the store category of the forum.
This wouldn’t solve situations like yq -r /etc/netplan/50-cloud-init.yaml network.version but for those situations IMHO doing sudo cat /etc/netplan/50-cloud-init.yaml | yq r - network.version is a better workaround.

Cool - that workaround would technically work. I’m not a snap user, however the users that raised and commented on the github issue are - and they intuitively expect the yq to simply work.

I’d be reluctant to use the ‘read: all’ as from what you’re implying it wouldn’t work in all cases and so would therefore still confuse people and cause issues.

The sudo piping solution makes sense, but only once you understand what the problem is caused by - it’s not an intuitive thing to do. You could update root files using this trick too, but the command would get messy - and again I think people would have trouble with it.

As this is a file processing tool, I think it makes sense to give ‘yq’ classic confinement so that it works as people would expect it too.

Note that this will make the home interface non auto-connect.

You can still make it auto-connect with a snap declaration requested through the same process as auto-connection.

1 Like

The similar ‘jq’ command is currently strict mode. I’ve not used ‘yq’ but it seems like a very similar use case. It also seems that with a little documentation (perhaps first use of the snap) one could describe snap usage. Would that work for you?

Yep - yq is pretty much the same as jq.

I’m happy with putting specific snap instructions / troubleshooting.

Is the sudo piping that @ijohnson suggested the best way to go about it?

I’d recommend also pointing out that the simplest way of updating a file this way with tee doesn’t work well due to the asynchronous nature of bash stream. So don’t recommend something like this:

sudo cat /etc/myfile | yq -r - somecommand | sudo tee /etc/myfile

Instead you should recommend users to use something like sponge instead of tee:

sudo cat /etc/myfile | yq -r - somecommand | sudo sponge /etc/myfile

Alternatively you could just recommend putting the output in a temporrary file and move it like so:

sudo cat /etc/myfile | yq -r - somecommand | sudo tee /etc/myfile.tmp
sudo mv /etc/myfile.tmp /etc/myfile
rm /etc/myfile.tmp
1 Like

I thought utilities that are widely used to read/manipulate classic system files is a valid use case of classic confinement?

IMHO jq should also be in classic confinement as well as users might process classic system files using it.

1 Like

I’d rather be able to use jq from the snap in a pure-snap device though.

1 Like

It would be great if a classic confinement snap on store can be installed in either confinement mode if it can run properly out of it.

@mikefarah - can you comment on the direction you’d like to take with your snap (others have commented and it isn’t clear if this request is still needed).

To me it makes sense for yq (and for that matter jq) to be installed in ‘classic’ confinement modes - as they are file processing tools and I would intuitively expect them to work with sudo.

disclaimer: I’m not a snap user.

1 Like

The requirements are understood. @popey, @Wimpress, @igor, @evan: can one of you perform the vetting?

jq works with sudo just fine (why wouldn’t it?). While the strict confinement does come with some caveats, I’m happy to work with them, given the alternative is unconstrained access to the system…

Like @chipaca I use both yq (and jq) a lot on Ubuntu Core systems and would be very sad if the snaps were transitioned to only classic support as then I can’t use it with Core anymore and would probably have to resort to maintaining a fork of the snap that is strict so I can use it on my Core systems.

@mikefarah if you’re sure that you want classic support, would you consider only publishing classic revisions of the yq snap in a classic channel much like how @popey recommended @Lin-Buo-Ren do for the nano snap? Then in the normal stable channel you could still publish the current version of yq that is using strict confinement so we can use it on Ubuntu Core still.

2 Likes

Oh didn’t realise ‘classic’ confinement would mean you can’t use it with Core.

I don’t feel that strongly about it tbh - I’m a bit confused by the whole snap confinement and all the implications haha, and unfortunately I don’t have much time in the moment to delve into it.

I’m happy to leave it as is if that’s recommended, I’ve put some instructions on the Readme for snap users so hopefully that’s enough for them to see how to access root files.

2 Likes

Based on this I am closing this request. Please feel free to reopen if this is in error or you change your mind.