/srv/irclogs.ubuntu.com/2023/03/09/#snappy.txt

[00:51] <Guest41> does anyone know how to remove apparmor allowed spam like this: audit: type=1400 audit(1678323057.184:98107001): apparmor="ALLOWED" operation="exec" profile="snap.controlenv.controlenv" name="/usr/bin/ss" pid=132150 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.controlenv.controlenv//null-/usr/bin/ss
=== benfrancis9 is now known as benfrancis
[01:06] <amurray> Guest41: it looks like the snap is installed as devmode - in that case most actions get logged by AppArmor (as it is intended to be used during development so the developer can identify what access is required within the snap sandbox)
[01:07] <amurray> so you could try installing the snap in strict mode instead - in which case only things that would be blocked by the apparmor policy get logged
[01:11] <Guest41> amurray does the snap grade have to be changed from devel? I already changed the confinement to strict
[01:12] <amurray> Guest41: no, you can leave it as devel - that is separate (a devel snap can only be published to the edge and beta channels, so to publish something to candidate/stable it has to be grade: stable)
[01:16] <Guest41> ok then why does it have that problem if confinement is already strict
[01:17] <Guest41> when I type snap list it still says devmode
[01:54] <mup> PR snapcraft#4059 closed: lint: update and freeze codespell <Created by lengau> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4059>
[03:02] <Guest41> oh ok never mind I had devmode in the install script
[03:04] <Guest41> is there a way to grant a plug full access to everything without devmode
[03:04] <Guest41> i just want a snap of python with certain packages i can run on any version of ubuntu
[03:05] <amurray> Guest41: that is what classic confinement is for - but this is not recommended as only if this is absolutely required would it be granted by the store review team https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460
[03:06] <Guest41> I'm just going to use it for myself so I wouldn't publish it in the store
[03:09] <Guest41> I changed the confinement to classic and then did snap install --classic --dangerous and now it won't run anymore
[03:09] <Guest41> says "cannot snap-exec: cannot exec "/snap/controlenv/x7/bin/python3": no such file or directory"
[03:26] <jamesh> Guest41: it might seem unintuitive, but it's generally easier to get a snap working reliably over a range of distro releases in strict mode than it is in classic mode
[03:28] <jamesh> classic mode might remove many of the restrictions and give you full access to the host system, but that's also disabling many of the features designed to present a consistent runtime environment across distros.
[04:01] <amurray> Guest41: does the file /snap/controlenv/x7/bin/python3 exist?
[04:02] <amurray> also I agree with jamesh too - if possible it is much better to get a snap working in strict mode than classic especially when targeting different OS releases
[04:04] <Guest41> yes it exists but it points to /usr/bin/python3.8
[04:05] <Guest41> which doesn't exist on the host
[04:06] <Guest41> is there a plug that unlocks access to everything?
[04:18] <jamesh> again: classic confinement gives you "access to everything", but the problem is that "everything" will be different on each system your snap is installed on.
[04:19] <jamesh> For strict confined snaps, there will be a /usr/bin/python3.8 if your snap is built with "base: core20". If you use "base: core22", there is a /usr/bin/python3.10
[04:52] <Guest41> ok well it seems weird to me that it would be harder to get working than strict
[04:53] <Guest41> it's kind of annoying to have to install and use snappy-debug and figure out 1 by 1 which plugs to add
[04:53] <Guest41> would be nice to have an everything plug
[05:06] <amurray> Guest41: classic is the "everything plug" (ie. no confinement, so you have access to everything)
[05:07] <jamesh> Guest41: one thing that might help you get a feel for the system is to run "snap run --shell controlenv". This will start a shell running within the same sandbox your application would.
[05:08] <Guest41> but why does it break when I change to classic then
[05:08] <jamesh> In particular, you'll notice that e.g. the contents of /usr/bin is totally different to the host system.
[05:08] <Guest41> or you mean there's a plug called classic?
[05:09] <jamesh> since you're instead seeing an application runtime that will be the same on every system your snap runs on.
[05:09] <jamesh> If you can make your app work with that runtime on one machine, it'll likely work the same everywhere else.
[05:11] <Guest41> i'm just making a snap out of python so I can have the same version of python with same packages on different versions of ubuntu
[05:12] <Guest41> I added classic to the plugs, and when trying to connect it, it says "error: snap "controlenv" has no plug named "classic""
[05:13] <amurray> classic is not a plug - it is a confinement type - also if your snap is using classic confinement then you should remove any and all plugs as they are not relevant to classic confinement, only strict confinement
[05:44] <Guest41> well I did try classic confinement, but when I try to run my published command "controlenv" it says "cannot snap-exec: cannot exec "/snap/controlenv/x11/bin/python3": no such file or directory"
[05:46] <Guest41> so I can't get classic confinement working at all or it does not respect published commands
[05:55] <amurray> Guest41: it respects your command fine - you just need to ensure that the things you are shipping are valid - in this case your /snap/controlenv/x11/bin/python3 points to a non-existing file - so instead you should redirect this to point to something that does exist within your snap
[06:56] <Guest41> amurray I don't understand though, why would it stop working when i switch the confinement from strict or devel to classic?
[06:59] <amurray> snapd sets up a new mount namespace for a snap when it is under strict / devmode confinement - which is isolated from the rest of the system - but under classic this is not done - and so a classic snap operates quite differently to a strictly confined one
[08:28] <Guest41> is there a manual somewhere that tells how to access/export commands in a classic snap?
[08:44] <jamesh> the "apps:" section of your snapcraft.yaml describes all the commands your snap exports.
[08:57] <Guest41> it doesn't work when i use classic confinement
[09:15] <mup> PR snapd#12628 closed: tests: skip snapd-reexec-prompt on arm devices as it is excluded in amd64 <Simple 😃> <Test Robustness> <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12628>
[11:15] <mup> PR snapcraft#4062 opened: fix(clean): non host cleaning shouldn't load the project <Created by Guillaumebeuzeboc> <https://github.com/snapcore/snapcraft/pull/4062>
[11:35] <mup> PR snapd#12631 opened: golang: remove deadcode linter <Simple 😃> <Flaky Test> <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/12631>
[11:50] <mup> PR snapd#12632 opened: tests: update interfaces-account-control test to use snapd with the UC base <Test Robustness> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12632>
[12:25] <mup> PR snapcraft#4063 opened: lint: update and freeze codespell (#4059) <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/4063>
[13:46] <mup> PR snapd#12631 closed: golang: remove deadcode linter and bump version <⚠ Critical> <Simple 😃> <Flaky Test> <Created by Meulengracht> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12631>
[14:01] <mup> PR snapd#12633 opened: tests/main: added test for dynamic snapshot data exclusion functionality <⛔ Blocked> <Created by ernestl> <https://github.com/snapcore/snapd/pull/12633>
[14:11] <mup> PR snapcraft#4064 opened: Make sure that software-properties-common package is installed … <Created by dbruno74> <https://github.com/snapcore/snapcraft/pull/4064>
[14:46] <mup> PR snapcraft#4063 closed: lint: update and freeze codespell (#4059) <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4063>
[15:21] <mup> PR snapcraft#4065 opened: cli: fix help message for the "upload" command <Created by cjdcordeiro> <https://github.com/snapcore/snapcraft/pull/4065>
[15:26] <mup> PR snapd#12634 opened: docs: Updates to CONTRIBUTING.md and HACKING.md <Created by degville> <https://github.com/snapcore/snapd/pull/12634>
[16:07] <mup> PR snapd#12629 closed: interfaces/account-control: grant access to files needed by pam <Created by alfonsosanchezbeato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12629>
[16:26] <mup> PR snapcraft#4060 closed: extensions: fix neon-extension issues for core22 <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4060>
[16:37] <mup> PR snapd#12635 opened: NEWS.md: new file and updated for 2.59 <Skip spread> <Created by mvo5> <https://github.com/snapcore/snapd/pull/12635>
[16:56] <mup> PR snapcraft#4061 closed: ci: ensure workflows are cancellable <Created by lengau> <Merged by mr-cal> <https://github.com/snapcore/snapcraft/pull/4061>
[16:57] <mup> PR snapd#12632 closed: tests: update interfaces-account-control test to use snapd with the UC base <⚠ Critical> <Test Robustness> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12632>
[20:23] <mup> PR snapd#12517 closed: tests: update lxd-state tool to install and prepare the lxd snap <Run nested> <Run Nested -auto-> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12517>
