Weeks 22 and 23 of 2017 in snapd

Hello all,

These are some of the interesting things taking place in snapd development over the last couple of weeks:

  • Versionized profiles
    Good discussions and coding took place to evolve the concept of rebuilding profiles when necessary to ensure that the system is compatible as a whole with the security profiles that are being used. Initial discussions indicated the possibility of having multiple versions of profiles in parallel in the system, but that ended up not solving all angles of the problem, so the final solution was to introduce the concept of a “system key” which indicates an aggregated feature-set of the system, and then rebuild profiles whenever that key changes. We’ll also rebuild profiles when booting, but only if strictly necessary (e.g. a kernel changes unexpectedly). Work is now taking place towards these goals.

  • Validations
    2.26.4 was validated, with passing regression tests for the core revert issue that plagued 2.25 and 2.26.

  • More interface tests
    More tests for alsa, auto-pilot, upower-observe.

  • Prefer IPv4 over IPv6 on integration tests
    This fixes some issues observed in our suite which is caused mainly by network flakiness outside of the local environment,

  • Improvements for interface CLI
    A new interface command, with the respective backing API, is being added to report details of a particular interface in a more useful way. In the future we’ll likely see improvements related to the current snap interfaces output as well.

  • FIgured “cannot create lock directory” error
    We finally understand why the “cannot create lock directory” error observed in the tracker is taking place. It’s a pretty atypical and somewhat convoluted environment where LXC is being used to deploy snaps internally with apparmor disabled, while an external system has apparmor enabled. More details in the topic.

  • Check channels on refresh
    snapd no longer takes non-existent channels as valid for refresh

  • No duplicated syslog entries
    snapd no longer logs to both journald and syslog

  • More work on exec/clone kernel race
    Work continues on a workaround in Go for the kernel bug related to the race on exec and clone. Review on Go tracker is in progress.

  • Work on seccomp BPF generation
    Instead of using the text representation of seccomp profiles and generating the final profile at runtime, snapd will start generating the BPF version of them, which will both improve performance and reduce compatibility issues. Work on this has started.

  • Fedora and OpenSUSE integration testing
    The first changes have landed to introduce Fedora and OpenSUSE testing as part of every modification performed in snapd.

  • snapd service is now of inotify type
    The snapd systemd service is now of type inotify, and will report itself as activated only once security profiles are up-to-date, potentially re-generating them when necessary.

  • password-manager-service interface
    Work started to support kwallet / gnome-keyring as an interface.

  • Improved snap not found errors
    Better information is now offered via the API so that the snap command can now report more details about when a snap isn’t found on a particular channel.

  • Using snapctl outside of hooks landed
    That was coming for quite a while, and it’s now landed, meaning that in future releases snapctl will be usable by the snap outside of hooks.