Set snapd proxy via core configuration

mvo 2017-05-03 20:37:32 UTC #1

One topic that came up during the sprint is that there is no easy way to set the proxy for snapd. On a classic system this is easy via editing /etc/environment. However on an ubuntu-core system this file is read-only. Providing an easy way to set the proxy on core this way would be beneficial.

Improve proxy configuration for snapd

Local mirror for snaps?

niemeyer 2017-05-03 20:42:40 UTC #2

Sounds reasonable. Perhaps something like proxy.http for the option name, so we group all system proxies under the same document?

chipaca 2017-05-03 21:02:59 UTC #3

On the one hand, we probably want /etc/environment to be writable anyway.
On the other hand, while it might not be easy, copying /lib/systemd/system/snapd.service to /etc/systemd/system and adding the appropriate Environment= line is not exactly hard.
On the other hand, yeah we probably want it to be a setting anyway.

mvo 2017-05-03 21:10:44 UTC #4

It depends a little bit what we want, if we limit the option to only snapd, we could easily create a /etc/systemd/system/snapd.service.d/proxy.conf with just Environment=http_proxy://thing. However if we want the proxy to be system-wide, then /etc/environment is the place to go. I think we want the later but I’m open for discussion.

chipaca 2017-05-03 21:11:44 UTC #5

Yeah. Having something that just works for snapd but not for, say, snap download, would suck.

mwhudson 2017-05-03 23:02:39 UTC #6

I’ve been working on the console-conf side of this but I was assuming that /etc/environment would be editable. If not, then we need something else… (creating a drop-in file would be easy but as @chipaca says, not necessarily the most complete fix)

ogra 2017-05-04 09:23:44 UTC #7

lets ask @jdstrand if he thinks that adds any additional attack vector, we can surely make it writable if there are no concerns from the security team.

how will we deal with that on classic installs though ? does snapd already pick up a global proxy setting without fiddling with the systemd unit manually today ?

mwhudson 2017-05-04 09:37:12 UTC #8

I don’t think we provide any particularly nice experience for people who
need to use proxies on classic either, just editing /etc/environment or
systemd drop in files.

ogra 2017-05-04 09:57:04 UTC #9

there is a setting in the control-center on desktops that makes it rather easy to set (on servers you need to edit /etc/environment though), my question was rather if snapd picks that up without having to add an additional Environment= line to the snapd systemd unit.

mwhudson 2017-05-04 19:58:19 UTC #10

Well the snapd service file has EvironmentFile=/etc/environment, I don’t
know what setting the proxy “system wide” in control-center actually does,
if it’s edit /etc/environment then I guess we’re sorted.

jdstrand 2017-05-05 16:13:57 UTC #11

Feel free to mark this as writable. I agree that using this file for system-wide proxy makes a ton of sense-- if we only put it in the snapd service files, then we’ll just get another request to allow managing /etc/environment for everything else. I’m not sure if there are use cases for having both /etc/environment editable and having snapd use a different proxy, but that would be an easy enough change in snapd to ignore environ if configured to use something else via ‘snap set core …’ or similar.

The security policy for snaps currently does not allow writing /etc/environment. It being readonly now doesn’t provide a ton of security protection: only root can edit it, and if you are root on the system (including in a devmode snap) you could adjust systemd units for proxy, perform a bind mount on /etc/environment, etc.

ogra 2017-05-06 10:56:28 UTC #12

i added

awe 2017-05-26 21:04:38 UTC #13

Are there still plans to make this configurable via ‘snap set core proxy.http=…’ per the original thread subject? Doing so would allow the proxy to be configured via an agent that’s allowed to talk to snapd via the snapd-control interface.

ogra 2017-05-29 11:00:51 UTC #14

in progress … https://github.com/snapcore/core/pull/48

mvo 2017-08-15 12:16:13 UTC #15

In progress in https://github.com/snapcore/snapd/pull/3594

niemeyer 2017-08-15 16:28:44 UTC #16

@mvo Anything else there or can we merge this? Two +1s and other comments there seem to be on the positive side.

mvo 2017-08-15 16:31:41 UTC #17

Nothing on my side pending, we may improve it later via asking snapctl for a json doc with all the settings but that can be done in a followup (its the same as the current shellscript).