Snapping sos, issues with timeout command

Hi all,

I am in the process of creating a snap for sos, which is a tool that is typically used for support organisations within Canonical and RedHat and others.

In this particular scenario, we want the snap to be strictly confined so that we can potentially push this to Ubunto Core.

My current progress is here, https://github.com/arif-ali/sos/commit/5aed2286535d58d30d319d5c4c0f76f1a3b6f0be, this allows me to create the snap, and install without a problem (I have gone through an iterative process of taking things out of the equation)

When running the command, I get the following error

$ sudo sos report
Could not initialize 'report': [Errno 13] Permission denied: 'timeout'

This is pointing to https://github.com/sosreport/sos/blob/master/sos/utilities.py#L133 part of the sos code. So the timeout command is hardcoded.

Running snappy-debug gives me the following details on the issue.

= AppArmor =
Time: Jul 16 14:31:32
Log: apparmor="DENIED" operation="exec" profile="snap.sos.sosreport" name="/usr/bin/timeout" pid=599219 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/bin/timeout (exec)
Suggestions:
* adjust snap to ship 'timeout'
* adjust program to use relative paths if the snap already ships 'timeout'

What I have tried to rectify this, but without any success

  • Update the code to use the full path
  • Update the code to the the full path from the core20 snap
  • Tried adding coreutils under stage-packages, but as coreutils is already part of the core20 snap, the build does not install this, and hence the timeout command doesn’t get packaged within the sos snap

What I would like to understand is how we can try to get over this hurdle, and get this working? without actually changing the sos code.

you could try to put coreutils in your stage packages and use a layout:

layout:
  /usr/bin/timeout:
    bind-file: $SNAP/usr/bin/timeout

that should make the command point to your shipped binary

okie, tried that, that kind of mimicked the second bullet point I mentioned. As per you suggestion, I added coreutils into the stage-packages, but as that is already included in core20 snap it doesn’t actually install it. So I tested with both not having it in the snapcraft.yaml as well as adding it in, and we have exactly the same issue.

Adding the suggested layout, then directly points to the binary in the core20 snap, however, I still get the permission denied issue, and below is the new snappy-debug output

= AppArmor =
Time: Jul 20 18:40:20
Log: apparmor="DENIED" operation="exec" profile="snap.sos.sos" name="/snap/core20/1026/usr/bin/timeout" pid=1966855 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /snap/core20/1026/usr/bin/timeout (exec)
Suggestions:
* adjust snap to ship 'timeout'
* adjust program to use relative paths if the snap already ships 'timeout'

hmm, something is clearly wrong here since i highly doubt your snap is called core20 :wink: (from the POV of your snap /usr/bin/timeout is identical to /snap/core20/1026/usr/bin/timeout … snaps get run on top of their base snap so /snap/core20/1026/ becomes your / at runtime)

adding coreutils explicitly to stage-packages should actually install it in your snap, unless that has changed recently ? @sergiusens is that new behavior ?

my bad, seems like that has overcome this particular issue.

I’ve got loads others now, lol (i’ll go through these one-by-one now)