workaround for connect no autoconnect interfaces without login on system

Jamie Strandboge jamie at canonical.com
Fri Mar 10 12:28:48 UTC 2017


On Tue, 2017-03-07 at 13:41 -0600, Jamie Strandboge wrote:
> On Tue, 2017-03-07 at 15:05 +0000, Nicolino Curalli wrote:
> > 
> > Hi kyleN
> > thanks so much for the answer.
> > 
> > A question to go ahead from my side:
> > how can I request the store to add an auto connection statement to the
> > snap declaration assertion?
> Just ask on this list. :)
> 
> Looking at your previous email, it seems you would like to have the nmap snap
> auto-connected. The nmap snap is requesting a lot of privilege by plugging the
> 'network-control' interface and the snap is not coming from a trusted upstream
> or publisher. I therefore think that it correctly requires the user to
> explicitly connect the interface by default.
> 
> Based on your previous email (and my previous response) it sounds like you are
> developing a gadget snap for a particular device though. The gadget
> auto-connect mechanism is therefore what you want to use since gadget snaps
> have a voice in auto-connection. I expect someone to respond to my previous
> email on how you can do this.
> 

The above email mistakenly was discarded by the mailing list server. Hopefully
resending this now will allow the conversation to pick up again.

> > 
> > 
> > On 07/03/2017 15:20, knitzsche wrote:
> > > 
> > > 
> > > I don't think the prepare-device script can be used to auto connect, 
> > > probably because it runs confined.
> > > 
> > > You can request the store to add an auto connection statement to the 
> > > snap declaration assertion.
> > > 
> > > Cheers
> > > kyleN
> > > 
> > > 
> > > On 03/07/2017 05:19 AM, Nicolino Curalli wrote:
> > > > 
> > > > 
> > > > Hi all,
> > > > I implemented hints from James but it doesn't work.
> > > > 
> > > > I created a new gadget snap based on the pc gadget for amd64, adding a
> > > > hook directory with a prepare-device hook script.
> > > > I made this script executable.
> > > > I built an image containing my gadget (domotz-pc), pc-kernel and the nmap
> > > > snap from the store.
> > > > 
> > > > The layout of my new gadget snap (named domotz-pc) just installed is:
> > > > 
> > > > ./
> > > > 
> > > > -rwxr-xr-x 1 root root 753 Mar  7 00:04 meta/gadget.yaml
> > > > -rw-r--r-- 1 root root 230 Mar  7 09:11 meta/snap.yaml
> > > > 
> > > > meta/gui:
> > > > 
> > > > -rwxr-xr-x 1 root root 39908 Nov 30 08:18 icon.png
> > > > 
> > > > meta/hooks:
> > > > 
> > > > -rwxr-xr-x 1 root root 134 Mar  7 09:09 prepare-device
> > > > 
> > > > The prepare-device script content is:
> > > > 
> > > > ----------
> > > > #!/bin/sh
> > > > 
> > > > # enabling network-control interface slot for nmap network-control plug
> > > > snap connect nmap:network-control :network-control
> > > > ----------
> > > > 
> > > > After the registration of the board by console-conf I find the following
> > > > situation on the interface side:
> > > > 
> > > > :network       nmap
> > > > :network-bind  nmap
> > > > -              nmap:network-control
> > > > 
> > > > instead of
> > > > 
> > > > :network       nmap
> > > > :network-bind  nmap
> > > > :network-control  nmap
> > > > 
> > > > as I wish.
> > > > 
> > > > I also have the following error from AppArmor:
> > > > 
> > > > Mar  7 02:23:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353:
> > > > DEBUG: Running task 77 on Do: Run prepare-device hook
> > > > Mar  7 02:23:10 localhost kernel: [11351843419.508357] audit: type=1400
> > > > audit(1488853390.962:25): apparmor="DENIED" operation="exec"
> > > > profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap"
> > > > pid=1428
> > > > comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> > > > Mar  7 02:23:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG:
> > > > 2017-03-07T02:23:10Z ERROR run hook "prepare-device": /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-
> > > > device: snap: Permission denied
> > > > Mar  7 02:28:08 localhost systemd[1]: Starting Update resolvconf for
> > > > networkd DNS...
> > > > Mar  7 02:28:08 localhost systemd-timesyncd[795]: Network configuration
> > > > changed, trying to establish connection.
> > > > Mar  7 02:28:08 localhost systemd[1]: Started Update resolvconf for
> > > > networkd DNS.
> > > > Mar  7 02:28:08 localhost systemd-timesyncd[795]: Synchronized to time
> > > > server 91.189.94.4:123 (ntp.ubuntu.com).
> > > > Mar  7 02:28:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353:
> > > > DEBUG: Running task 80 on Do: Run prepare-device hook
> > > > Mar  7 02:28:10 localhost kernel: [11351843719.476882] audit: type=1400
> > > > audit(1488853690.938:26): apparmor="DENIED" operation="exec"
> > > > profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap"
> > > > pid=1455
> > > > comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> > > > Mar  7 02:28:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG:
> > > > 2017-03-07T02:28:10Z ERROR run hook "prepare-device": /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-
> > > > device: snap: Permission denied
> > > > Mar  7 02:33:07 localhost systemd[1]: Starting Update resolvconf for
> > > > networkd DNS...
> > > > Mar  7 02:33:07 localhost systemd-timesyncd[795]: Network configuration
> > > > changed, trying to establish connection.
> > > > Mar  7 02:33:07 localhost systemd[1]: Started Update resolvconf for
> > > > networkd DNS.
> > > > Mar  7 02:33:07 localhost systemd-timesyncd[795]: Synchronized to time
> > > > server 91.189.94.4:123 (ntp.ubuntu.com).
> > > > Mar  7 02:33:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353:
> > > > DEBUG: Running task 83 on Do: Run prepare-device hook
> > > > Mar  7 02:33:10 localhost kernel: [11351844019.491749] audit: type=1400
> > > > audit(1488853990.964:27): apparmor="DENIED" operation="exec"
> > > > profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap"
> > > > pid=1475
> > > > comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> > > > Mar  7 02:33:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG:
> > > > 2017-03-07T02:33:10Z ERROR run hook "prepare-device": /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-
> > > > device: snap: Permission denied
> > > > Mar  7 02:38:07 localhost systemd[1]: Starting Update resolvconf for
> > > > networkd DNS...
> > > > Mar  7 02:38:07 localhost systemd-timesyncd[795]: Network configuration
> > > > changed, trying to establish connection.
> > > > Mar  7 02:38:07 localhost systemd[1]: Started Update resolvconf for
> > > > networkd DNS.
> > > > Mar  7 02:38:07 localhost systemd-timesyncd[795]: Synchronized to time
> > > > server 91.189.94.4:123 (ntp.ubuntu.com).
> > > > Mar  7 02:38:10 localhost /usr/lib/snapd/snapd[936]: taskrunner.go:353:
> > > > DEBUG: Running task 86 on Do: Run prepare-device hook
> > > > Mar  7 02:38:10 localhost /usr/lib/snapd/snapd[936]: task.go:303: DEBUG:
> > > > 2017-03-07T02:38:10Z ERROR run hook "prepare-device": /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-device: 4: /snap/domotz-
> > > > pc/x1/meta/hooks/prepare-
> > > > device: snap: Permission denied
> > > > Mar  7 02:38:10 localhost kernel: [11351844319.456207] audit: type=1400
> > > > audit(1488854290.935:28): apparmor="DENIED" operation="exec"
> > > > profile="snap.domotz-pc.hook.prepare-device" name="/usr/bin/snap"
> > > > pid=1496
> > > > comm="prepare-device" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> > > > 
> > > > 
> > > > It seems that it is not possible to exec a core app from a gadget, so what
> > > > is the path to the solution for my use case? Perhaps I am missing something
> > > > important in the prepare-device script?
> > > > 
> > > > Thanks in advance for any hints and contributions to solve this use
> > > > case.
> > > > 
> > > > 
> > > > Nicolino
> > > > 
> > > > 
-- 
Jamie Strandboge             | http://www.canonical.com
