TemporaryDirectory() and how to manage access to /tmp

I have a Python app that creates a tmp directory using TemporaryDirectory() to store a backup dump.

After creating the snap and testing it, I can see that it obviously fails as the snap doesn’t have access to the /tmp folder.

Here is the part of the source code that creates and manages the temporary directory.

What is the best way to manage temp files/folders with snapcraft?

I’m thinking I need to implement something as generic as possible, as the app can be either installed using snap or manually compiled from source using python outside the snap scope.

Hey

Snaps should have free access to /tmp but you should keep in mind that each snap has a private view of that directory. Can you please tell me what the problem was, specifically, in your case?

Thanks for the clarification.

By taking a more in-depth look, it seems the app is failing not at creating the temp folder but rather when trying to run the command pg_dump, particularly at this line.

Is there any reason snap may be preventing this command from running?

If your script needs to call pg_dump it should be included in the snap. It’s probably as easy as adding postgresql to stage-packages.


Thank you. I added postgresql to stage-packages but still can’t get it through.

This is the error when the snap tried to use pg_dump.

2019-02-28 00:11:58,371 - yorokobi - INFO - End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f6b2fec3b00>
command: /snap/yorokobi/199/usr/bin/pg_dump
args: ['/snap/yorokobi/199/usr/bin/pg_dump', '-Fc', '--host=localhost', '--port=5432', '--username=postgres', '--password', 'shakespeare']
buffer (last 100 chars): b''
before (last 100 chars): b'pg_dump line 21.\r\nBEGIN failed--compilation aborted at /snap/yorokobi/199/usr/bin/pg_dump line 21.\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 255
flag_eof: True
pid: 8660
child_fd: 20
closed: False
timeout: None
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile(b'Password')

and journalctl logged the following:

feb 28 00:34:52 martin-VirtualBox audit[9029]: AVC apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
feb 28 00:34:52 martin-VirtualBox kernel: audit: type=1400 audit(1551324892.103:345): apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
feb 28 00:34:52 martin-VirtualBox audit[9029]: AVC apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
feb 28 00:34:52 martin-VirtualBox kernel: audit: type=1400 audit(1551324892.415:346): apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Any idea what I am missing?

Looks like you need to use the mount-observe interface. Add a plug of this type to your snap and connect it after installing the snap.

Thanks for the feedback.

I just did that, but now I’m seeing the following error. I’m not sure what is happening here. Any help is much appreciated!

feb 28 13:46:15 martin-VirtualBox audit[17901]: AVC apparmor="DENIED" operation="capable" profile="snap.yorokobi.daemon" pid=17901 comm="python3" capability=23  capname="sys_nice"
feb 28 13:46:15 martin-VirtualBox kernel: audit: type=1400 audit(1551372375.981:380): apparmor="DENIED" operation="capable" profile="snap.yorokobi.daemon" pid=17901 comm="python3" capability=23  capname="sys_nice"
feb 28 13:46:19 martin-VirtualBox audit[17944]: AVC apparmor="DENIED" operation="file_mmap" profile="snap.yorokobi.daemon" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/Fcntl/Fcntl.so" pid=17944 comm="pg_dump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
feb 28 13:46:19 martin-VirtualBox kernel: audit: type=1400 audit(1551372379.329:381): apparmor="DENIED" operation="file_mmap" profile="snap.yorokobi.daemon" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/Fcntl/Fcntl.so" pid=17944 comm="pg_dump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

It looks like you may have additional missing requirements. pg_dump is trying to access a shared library outside of the snap.
feb 28 13:46:19 martin-VirtualBox audit[17944]: AVC apparmor="DENIED" operation="file_mmap" profile="snap.yorokobi.daemon" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/Fcntl/Fcntl.so" pid=17944 comm="pg_dump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

I’m pretty sure this library is not provided by the core snap. Have you tried running snappy-debug? I’ve found it very helpful for diagnosing these types of problems.

Thanks for the snappy-debug recommendation. I added the process-control plug and there are no audit messages anymore. Great!

After passing this I found another bug, but decided to open it as a new topic instead as it is unrelated to the original question of this thread.
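The triage done by hand across this thread, as an added example that is not part of any post and is not snappy-debug's own code: it parses AppArmor denial lines from the journal, drops the duplicate `kernel: audit:` copies, and maps each denial to the fix the thread arrived at. The function names and the rule table are assumptions for illustration, and the rules cover only the three denials seen above.

```python
import re

# Sample input: four denial lines copied from the journalctl output in the thread.
SAMPLE = """\
feb 28 00:34:52 martin-VirtualBox audit[9029]: AVC apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
feb 28 00:34:52 martin-VirtualBox kernel: audit: type=1400 audit(1551324892.103:345): apparmor="DENIED" operation="open" profile="snap.yorokobi.yorokobi" name="/proc/9029/mounts" pid=9029 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
feb 28 13:46:15 martin-VirtualBox audit[17901]: AVC apparmor="DENIED" operation="capable" profile="snap.yorokobi.daemon" pid=17901 comm="python3" capability=23  capname="sys_nice"
feb 28 13:46:19 martin-VirtualBox audit[17944]: AVC apparmor="DENIED" operation="file_mmap" profile="snap.yorokobi.daemon" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/Fcntl/Fcntl.so" pid=17944 comm="pg_dump" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor denial line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def advise(denial):
    """Map one denial to the remedy discussed in the thread (hypothetical rule table)."""
    name = denial.get("name", "")
    if denial["operation"] == "capable" and denial.get("capname") == "sys_nice":
        return "plug process-control"
    if re.fullmatch(r"/proc/\d+/mounts", name):
        return "plug mount-observe"
    if name.startswith(("/usr/", "/lib/")):
        return "host file outside the snap: bundle it in the snap"
    return "unclassified: run snappy-debug"


def triage(log_text):
    """Return unique (profile, target, advice) tuples in first-seen order."""
    seen, findings = set(), []
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        target = denial.get("name") or denial.get("capname")
        key = (denial["profile"], denial["operation"], target)
        if key not in seen:  # audit[] and kernel lines repeat the same event
            seen.add(key)
            findings.append((denial["profile"], target, advise(denial)))
    return findings
```

Calling `triage()` on the output of `journalctl` filtered for `apparmor="DENIED"` gives one line of advice per distinct denial; the profile field shows which app of the snap (`yorokobi` or `daemon`) needs the plug.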