System-files interface for epa-orchestrator snap


Snap needs to introspect isolcpus and hugepages for each NUMA node on the given node. Currently apparmor denies the access due to a permission issue.

cc @wolsen @hemanth

This request has been added to the queue for review by the @reviewers team.

As per your snapcraft.yaml, I assume you are requesting read access to:

  - /sys/devices/system/cpu/isolated
  - /sys/devices/system/cpu/present
  - /sys/devices/system/node

The default template already grants read access to:

  • /sys/devices/system/cpu/** r, which certainly should grant access to:

    - /sys/devices/system/cpu/isolated
    - /sys/devices/system/cpu/present
    
  • /sys/devices/system/node/node[0-9]*/* r, may also do the work for /sys/devices/system/node .

Could you please share the denials you find when running your snap without this interface connected?

hey @jslarraz here are the denials I am seeing

[18873.146660] audit: type=1400 audit(1756207044.078:1084): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.146744] audit: type=1400 audit(1756207044.078:1085): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.146789] audit: type=1400 audit(1756207044.078:1086): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-2048kB/surplus_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.146880] audit: type=1400 audit(1756207044.078:1087): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.146925] audit: type=1400 audit(1756207044.078:1088): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/free_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.146967] audit: type=1400 audit(1756207044.078:1089): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/surplus_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.147122] audit: type=1400 audit(1756207044.078:1090): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node1/hugepages/hugepages-2048kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.147166] audit: type=1400 audit(1756207044.078:1091): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node1/hugepages/hugepages-2048kB/free_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.147208] audit: type=1400 audit(1756207044.078:1092): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node1/hugepages/hugepages-2048kB/surplus_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.147285] audit: type=1400 audit(1756207044.078:1093): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node1/hugepages/hugepages-1048576kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Thanks @hassahma,

All apparmor denials seem to be related to /sys/devices/system/node/node[0-9]*/hugepages/** r. I wonder if we should add this rule to the default template or to a new hugepages-observe interface.

In the meantime, only /sys/devices/system/node would be needed in your system-files interface and it should be named following the usual naming convention (sys-devices-system-node).
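The reasoning above (the template's `/sys/devices/system/node/node[0-9]*/* r` stops at one path component, so every hugepages denial falls outside it, while one `node[0-9]*/hugepages/**` rule covers them all) can be checked mechanically. The script below is an added example and is not part of this thread or of the epa-orchestrator snap: it parses AppArmor audit lines, matches the denied paths against the two template rules quoted earlier in the thread, and reports which paths no rule covers. The AppArmor glob translation is a simplified reading of the documented semantics (`*` and `?` do not cross `/`, `**` does, `[...]` is a character class); brace alternation and other profile features are not handled. The sample input reuses two of the denial lines posted above plus one constructed line for a path the template already covers.

```python
import re

# Constructed sample: two denials quoted in the thread plus one line for
# /sys/devices/system/node/node0/meminfo, which the default template already
# permits, to show the already-covered case.
SAMPLE_DENIALS = """\
[18873.146660] audit: type=1400 audit(1756207044.078:1084): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18873.147285] audit: type=1400 audit(1756207044.078:1093): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node1/hugepages/hugepages-1048576kB/nr_hugepages" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18900.000000] audit: type=1400 audit(1756207100.000:1100): apparmor="DENIED" operation="open" class="file" profile="snap.epa-orchestrator.daemon" name="/sys/devices/system/node/node0/meminfo" pid=1339484 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The two default-template rules quoted earlier in this thread (glob -> perms).
DEFAULT_TEMPLATE_RULES = {
    "/sys/devices/system/cpu/**": "r",
    "/sys/devices/system/node/node[0-9]*/*": "r",
}

# Candidate rule proposed in the thread for the hugepages denials.
CANDIDATE_RULE = "/sys/devices/system/node/node[0-9]*/hugepages/**"

# key="quoted value" or key=bareword, as emitted in audit lines
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text: str) -> list[dict]:
    """Return one dict of audit fields per AppArmor DENIED line."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}
        if "name" in fields and "denied_mask" in fields:
            records.append(fields)
    return records


def apparmor_glob_to_regex(glob: str) -> re.Pattern:
    """Simplified AppArmor file glob -> anchored regex (assumption: no {a,b} alternation)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):       # ** crosses directory separators
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":                       # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                     # character class, copied through
            j = glob.find("]", i)
            if j == -1:
                raise ValueError(f"unterminated character class in {glob!r}")
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def uncovered_paths(records: list[dict], rules: dict[str, str]) -> list[str]:
    """Denied paths for which no rule grants every permission in denied_mask."""
    compiled = [(apparmor_glob_to_regex(g), set(perms)) for g, perms in rules.items()]
    uncovered = []
    for rec in records:
        needed = set(rec["denied_mask"])
        if not any(rx.match(rec["name"]) and needed <= perms for rx, perms in compiled):
            uncovered.append(rec["name"])
    return uncovered


def covers_all(paths: list[str], glob: str) -> bool:
    """True when a single glob matches every path in the list."""
    rx = apparmor_glob_to_regex(glob)
    return all(rx.match(p) for p in paths)


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_DENIALS)
    missing = uncovered_paths(recs, DEFAULT_TEMPLATE_RULES)
    for path in missing:
        print("not covered by default template:", path)
    print(f"candidate rule '{CANDIDATE_RULE} r' covers all: {covers_all(missing, CANDIDATE_RULE)}")
```

Running it on the real dmesg output (`dmesg | python3 this_script.py`-style piping is a one-line change to read stdin) gives a reviewer the exact set of paths a requested rule must cover and confirms that the narrowest glob satisfying them is the one under discussion, rather than a broader `/sys/devices/system/node/**`.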

Hi @jslarraz I have added this one here https://github.com/canonical/snap-epa-orchestrator/pull/5/commits/6fe918a596ec83ee355f236630df43b5acd7f96e

Please let me know if I can publish this snap now.

Looks good to me now. +1 from me for granting read access to /sys/devices/system/node via system-files interface (#voteFor)

To grant the request we need to get the required votes from other reviewers and wait for the voting period, which typically is 7 days.

+1 from me for granting read access to /sys/devices/system/node as well given the default template doesn’t have it and it makes sense for the snap (#voteFor)

Voting period has ended. This request is approved with 2 votes for and 0 votes against.

@jslarraz Can I publish the snap now, please?

This request has been approved and the publisher is vetted. This is now live.