Snapping CUPS Printing Stack: Avahi support, system users/groups

You should always use “snapcraft cleanbuild” and have it use a container, to make sure the right system libs get included …


@ondra, @ogra, thank you very much, I did a cleanbuild now and have the two daemons (cupsd, cups-browsed) running (on port 10631 to not interfere with the system’s daemons). But Avahi is still not working, as otherwise the snap’s cups-browsed would pick up the system’s (CUPS on port 631) shared printers and make them available on the snap’s CUPS (port 10631).

The missing “lpadmin” group can be replaced by the always present “adm” group of the system. I simply build with

./configure --with-system-groups='sys adm root'
make

and then users in the “adm” group can do administrative tasks as creating a queue with the lpadmin command or logging into the admin part of the CUPS web interface. At least in a classic system the first created user is in the “adm” group.

Note that ‘adm’ is not the group you want to use; it is for monitoring tasks on Debian/Ubuntu. See https://wiki.debian.org/SystemGroups. Not to mention ‘adm’ may not exist on other distributions. What you really need is Multiple users and groups in snaps which is now designed, but not being worked on with priority (I am working on it in the background, so it is progressing, but slowly).

@jdstrand, thanks. I will keep using “adm” for the time being so that I can do testing and switch over to the real solution as soon as it is ready.

At least unrestricted Avahi is working correctly for me on Classic.
What is important is that the system is connected to a router (somehow there must be a local network) and is not a single machine connected to a modem. So I installed my snap onto a virtual machine (running Bionic), as the Virtual Machine Manager works like a router with the VMs in their own LAN.
There, after installing my snap, the system’s CUPS with the system’s cups-browsed attached to it was running on port 631 and the snap’s CUPS with the snap’s cups-browsed attached to it on port 10631. The two are working happily in parallel: both CUPS daemons are advertising their shared printers and both cups-browsed daemons are picking up the DNS-SD broadcasts of the other CUPS daemon to add appropriate local queues to their own CUPS daemons.
So the system’s CUPS automatically got queues to print on the printers shared by the snap’s CUPS and vice-versa.

Now, after some bug fixes I got so far that when I install my snap on a classic system (in my case my Bionic VM) that the two CUPS daemons (System on port 631, snap on port 10631 with each having its own domain socket file and each its own attached cups-browsed) are running nicely in parallel. Each cups-browsed picks up the shared printers of the other cupsd. I can also print on the print queues of each cupsd and I can print from one cupsd on the other cupsd’s shared printers using the queues automatically created by cups-browsed.

To access via the command line I use the system’s commands (lp, lpstat, lpoptions, lpadmin, …) for the system’s cupsd and the snap’s commands (cups.lp, cups.lpstat, cups.lpoptions, cups.lpadmin, …) for the snap’s cupsd. They use the domain sockets and so I do not get asked for my password when using administrative commands.

You can also call the system’s commands with -h /var/snap/cups/current/var/run/cups.sock added for accessing the snap’s cupsd.

In addition, the web interfaces are available under http://localhost:631/ and http://localhost:10631/ and both are fully working.

Restriction is not yet applied and “adm” is still used as a makeshift lpadmin group.

I have updated the GitHub repository for everyone being able to test:


Now I have tried to apply confinement. As a sudo snapcraft cleanbuild takes a very long time, as it always pulls 100s of MB from the internet, I used the --classic and --jailmode options together with --dangerous on the sudo snap install <options> <snapfile> command.
With

sudo snap install --classic --dangerous cups_0.1.0_amd64.snap

I get

error: cannot perform the following tasks:
- Mount snap "cups" (unset) (snap "cups" requires devmode or confinement override)

How do I do this correctly? I also have tried to set “confinement: classic”, rebuild the package and do

sudo snap install --dangerous cups_0.1.0_amd64.snap

getting the same error.

sudo snap install --jailmode --dangerous cups_0.1.0_amd64.snap

Installs without errors, but CUPS does not start. /var/log/syslog contains the following then:

Nov 10 21:04:00 virt-devel systemd[1]: Reloading.
Nov 10 21:04:01 virt-devel systemd[1]: Mounting Mount unit for cups...
Nov 10 21:04:01 virt-devel systemd[1]: Mounted Mount unit for cups.
Nov 10 21:04:01 virt-devel systemd[1]: Stopping Service for snap application cups.cups-browsed...
Nov 10 21:04:01 virt-devel kernel: [39218.192077] audit: type=1107 audit(1510355041.149:2155): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/com/redhat/PrinterSpooler" interface="com.redhat.PrinterSpooler" member="PrinterRemoved" mask="send" name="org.freedesktop.DBus" pid=7103 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.192077]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.192332] audit: type=1107 audit(1510355041.149:2156): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.ColorManager" member="FindDeviceById" mask="send" name="org.freedesktop.ColorManager" pid=7103 label="snap.cups.cupsd" peer_pid=926 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.192332]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.192761] audit: type=1107 audit(1510355041.150:2157): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/cups/cupsd/Notifier" interface="org.cups.cupsd.Notifier" member="PrinterDeleted" mask="send" name="org.freedesktop.DBus" pid=7134 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.192761]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.192889] audit: type=1107 audit(1510355041.150:2158): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/cups/cupsd/Notifier" interface="org.cups.cupsd.Notifier" member="PrinterDeleted" mask="send" name="org.freedesktop.DBus" pid=7134 label="snap.cups.cupsd" peer_pid=1885 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.192889]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.193038] audit: type=1107 audit(1510355041.150:2159): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/cups/cupsd/Notifier" interface="org.cups.cupsd.Notifier" member="PrinterDeleted" mask="send" name="org.freedesktop.DBus" pid=7134 label="snap.cups.cupsd" peer_pid=2676 peer_label="/usr/sbin/cups-browsed"
Nov 10 21:04:01 virt-devel kernel: [39218.193038]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.200235] audit: type=1107 audit(1510355041.157:2160): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.ColorManager" member="DeleteDevice" mask="send" name="org.freedesktop.ColorManager" pid=7103 label="snap.cups.cupsd" peer_pid=926 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.200235]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.212054] audit: type=1107 audit(1510355041.169:2161): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/com/redhat/PrinterSpooler" interface="com.redhat.PrinterSpooler" member="QueueChanged" mask="send" name="org.freedesktop.DBus" pid=7103 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.212054]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.212319] audit: type=1107 audit(1510355041.169:2162): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/com/redhat/PrinterSpooler" interface="com.redhat.PrinterSpooler" member="PrinterRemoved" mask="send" name="org.freedesktop.DBus" pid=7103 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.212319]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.212506] audit: type=1107 audit(1510355041.169:2163): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.ColorManager" member="FindDeviceById" mask="send" name="org.freedesktop.ColorManager" pid=7103 label="snap.cups.cupsd" peer_pid=926 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.212506]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel kernel: [39218.212831] audit: type=1107 audit(1510355041.170:2164): pid=752 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/cups/cupsd/Notifier" interface="org.cups.cupsd.Notifier" member="PrinterStopped" mask="send" name="org.freedesktop.DBus" pid=7134 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"
Nov 10 21:04:01 virt-devel kernel: [39218.212831]  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Nov 10 21:04:01 virt-devel systemd[1]: Stopped Service for snap application cups.cups-browsed.
Nov 10 21:04:01 virt-devel systemd[1]: Stopping Service for snap application cups.cupsd...
Nov 10 21:04:01 virt-devel systemd[1]: Stopped Service for snap application cups.cupsd.
Nov 10 21:04:01 virt-devel gsd-color[1922]: failed to connect to device: Failed to connect to missing device /org/freedesktop/ColorManager/devices/cups_snaptest
Nov 10 21:04:01 virt-devel systemd[1]: Reloading.
Nov 10 21:04:02 virt-devel snapd[724]: 2017/11/10 21:04:02.812552 cmd.go:133: exe doesn't have snap mount dir prefix: "/usr/lib/snapd/snapd" vs "/snap"
Nov 10 21:04:03 virt-devel systemd[1]: Reloading.
Nov 10 21:04:03 virt-devel systemd[1]: Started Service for snap application cups.cups-browsed.
Nov 10 21:04:03 virt-devel systemd[1]: Started Service for snap application cups.cupsd.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Setting locale failed.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Please check that your locale settings:
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANGUAGE = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ALL = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TIME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MONETARY = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ADDRESS = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TELEPHONE = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NAME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MEASUREMENT = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_IDENTIFICATION = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NUMERIC = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_PAPER = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANG = "C.UTF-8"
Nov 10 21:04:03 virt-devel cups.cupsd[7717]:     are supported and installed on your system.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Falling back to a fallback locale ("C.UTF-8").
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Setting locale failed.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Please check that your locale settings:
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANGUAGE = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ALL = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TIME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MONETARY = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ADDRESS = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TELEPHONE = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NAME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MEASUREMENT = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_IDENTIFICATION = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NUMERIC = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_PAPER = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANG = "C.UTF-8"
Nov 10 21:04:03 virt-devel cups.cupsd[7717]:     are supported and installed on your system.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Falling back to a fallback locale ("C.UTF-8").
[...]    (Several more times of "perl: warning: Setting locale failed.")
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Setting locale failed.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Please check that your locale settings:
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANGUAGE = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ALL = (unset),
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TIME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MONETARY = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_ADDRESS = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_TELEPHONE = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NAME = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_MEASUREMENT = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_IDENTIFICATION = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_NUMERIC = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LC_PAPER = "pt_BR.UTF-8",
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: #011LANG = "C.UTF-8"
Nov 10 21:04:03 virt-devel cups.cupsd[7717]:     are supported and installed on your system.
Nov 10 21:04:03 virt-devel cups.cupsd[7717]: perl: warning: Falling back to a fallback locale ("C.UTF-8").
Nov 10 21:04:04 virt-devel systemd[1]: Reloading.
Nov 10 21:04:04 virt-devel cups.cupsd[7717]: Bad system call (core dumped)
Nov 10 21:04:04 virt-devel systemd[1]: snap.cups.cupsd.service: Main process exited, code=exited, status=159/n/a
Nov 10 21:04:04 virt-devel systemd[1]: snap.cups.cupsd.service: Unit entered failed state.
Nov 10 21:04:04 virt-devel systemd[1]: snap.cups.cupsd.service: Failed with result 'exit-code'.
Nov 10 21:04:04 virt-devel systemd[1]: snap.cups.cupsd.service: Service hold-off time over, scheduling restart.
Nov 10 21:04:04 virt-devel systemd[1]: Stopped Service for snap application cups.cupsd.
Nov 10 21:04:04 virt-devel systemd[1]: Started Service for snap application cups.cupsd.
[...]    (Several repetitions of the above)

What is going wrong here?

I have found it out now. One needs both confinement: classic in snapcraft.yaml AND installing with --classic. This way I get the snap installed and can test it with classic confinement.

Note that classic confinement is not supported in Ubuntu Core (and also not in many non-ubuntu distros).

@ogra, so should it be better then to ignore “classic” altogether and do strict confinement? Do you have any idea seeing my syslog in my message of Nov 11 why CUPS does not start in strict confinement mode?

sadly not … you seem to have an error message about color manager … and then the “Bad system call” … thats all i see there …

We can certainly create/update interfaces for color manager and any of the other dbus denials. I think the real issue is the ‘cups.cupsd[7717]: Bad system call (core dumped)’ error. Remember, in classic the snap will use the host libraries but in devmode/strict mode, it will use the snap’s runtime, which may be different from the host (today, that runtime is supplied by the ‘core’ snap, but that will change with base snaps). This bad system call issue sounds like cups was compiled on a newer than 16.04 system where the syscall exists, but then run on a system with series 16 core snap where the libc doesn’t have the syscall.


check here:
https://code.launchpad.net/~ondrak/+snap/cups
I forked your snap, enabled strict confinement and set up a build for it. Also some housekeeping, as you don’t need avahi-observer; control includes observer capabilities.
It runs in dev mode fine on core.
It fails in strict confinement as it does syscall 93, possibly more after…
As a quick hack test, docker-control does give it enough privileges to run in strict confinement. So this should be your starting point; we possibly need a dedicated interface which will give you enough privileges to run it confined. @jdstrand would be the best person to comment about the interface issue.

@jdstrand, @ondra: Some more info:
I am on an Artful system where I run

sudo snapcraft cleanbuild

to build the snap. This creates a container, downloads a distro into it, installs the build dependencies and then builds the snap. With unsquashfs -l I can see that the snap contains all the needed libraries.
The target system on which I am trying out the snap is an Ubuntu Desktop (classic) Bionic system on a QEMU virtual machine. The system is completely up-to-date as I updated it today.

@ondra: What is docker-control? An interface?

He meant docker-support, but this isn’t something you should use in your snap because your snap is not running docker.

The syscall ‘93’ is for fchown and gets back to my comment here: Snapping CUPS Printing Stack: Avahi support, system users/groups.
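Added example (not code from the thread or from the CUPS snap) that turns the kind of syslog excerpt posted above into the two things worth knowing before moving to strict confinement: which D-Bus accesses the confined cupsd makes (ALLOWED in devmode/jailmode, denials under strict unless an interface covers them) and what the “status=159” death means. It assumes amd64 Linux signal and syscall numbering; the sample log lines are constructed in the shape of the excerpt.

```python
import re

# AppArmor D-Bus audit record, in the shape quoted from /var/log/syslog above.
AUDIT_RE = re.compile(
    r'apparmor="(?P<mode>ALLOWED|DENIED)"\s+operation="(?P<op>dbus_\w+)"'
    r'.*?interface="(?P<iface>[^"]+)"\s+member="(?P<member>[^"]+)"'
    r'.*?\blabel="(?P<label>[^"]+)"\s+peer_pid=\d+\s+peer_label="(?P<peer>[^"]+)"')
# systemd's report of the service death.
EXIT_RE = re.compile(
    r'(?P<unit>snap\.[\w.-]+\.service): Main process exited, '
    r'code=exited, status=(?P<status>\d+)')

# Assumption: amd64 Linux numbering. systemd reports a signal death as 128 + signo,
# so status 159 is signal 31, SIGSYS: the seccomp kill behind "Bad system call".
LINUX_SIGNALS = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}
X86_64_SYSCALLS = {92: "chown", 93: "fchown", 94: "lchown"}

def parse_audit(line):
    """Return the fields of one AppArmor D-Bus audit line, or None."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None

def decode_exit_status(status):
    """Translate a systemd 'status=N' value into something readable."""
    if status > 128:
        signo = status - 128
        return "killed by %s (%d)" % (LINUX_SIGNALS.get(signo, "signal"), signo)
    return "exit code %d" % status

def triage(lines, snap_label_prefix="snap."):
    """Collect the distinct D-Bus accesses made by snap-confined processes
    (the interfaces still to connect or create) and the crash cause, if any."""
    accesses = set()
    crash = None
    for line in lines:
        rec = parse_audit(line)
        if rec and rec["label"].startswith(snap_label_prefix):
            accesses.add((rec["mode"], rec["iface"], rec["member"], rec["peer"]))
            continue
        m = EXIT_RE.search(line)
        if m:
            crash = (m.group("unit"), decode_exit_status(int(m.group("status"))))
    return {"dbus": sorted(accesses), "crash": crash}

# Constructed sample lines in the shape of the thread's excerpt.
SAMPLE_SYSLOG = [
    'Nov 10 21:04:01 virt-devel kernel: audit: type=1107 msg=\'apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/com/redhat/PrinterSpooler" interface="com.redhat.PrinterSpooler" member="PrinterRemoved" mask="send" name="org.freedesktop.DBus" pid=7103 label="snap.cups.cupsd" peer_pid=2102 peer_label="unconfined"',
    'Nov 10 21:04:01 virt-devel kernel: audit: type=1107 msg=\'apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.ColorManager" member="FindDeviceById" mask="send" name="org.freedesktop.ColorManager" pid=7103 label="snap.cups.cupsd" peer_pid=926 peer_label="unconfined"',
    'Nov 10 21:04:01 virt-devel kernel: audit: type=1107 msg=\'apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.ColorManager" member="FindDeviceById" mask="send" name="org.freedesktop.ColorManager" pid=7103 label="snap.cups.cupsd" peer_pid=926 peer_label="unconfined"',
    'Nov 10 21:04:04 virt-devel cups.cupsd[7717]: Bad system call (core dumped)',
    'Nov 10 21:04:04 virt-devel systemd[1]: snap.cups.cupsd.service: Main process exited, code=exited, status=159/n/a',
]

if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG))
```

Run it against the real journal with `journalctl -k -o cat | python3 -` style piping adapted to your setup; the duplicate ColorManager call in the sample collapses to one entry, which is the list of interfaces to look at.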

@ondra, I have taken over your changes into the OpenPrinting GitHub now. Thanks for your changes.

hhh, just checked and he has --with-system-groups='sys adm root' there, but it does not seem to make any difference. It is still calling that syscall.

hmm, don’t we allow “fchown to root”? i wonder what happens if you make this --with-system-groups='root' and drop the useless sys and adm groups …