Guest41 | does anyone know how to remove apparmor allowed spam like this: audit: type=1400 audit(1678323057.184:98107001): apparmor="ALLOWED" operation="exec" profile="snap.controlenv.controlenv" name="/usr/bin/ss" pid=132150 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.controlenv.controlenv//null-/usr/bin/ss | 00:51 |
---|---|---|
=== benfrancis9 is now known as benfrancis | ||
amurray | Guest41: it looks like the snap is installed as devmode - in that case most actions get logged by AppArmor (as it is intended to be used during development so the developer can identify what access is required within the snap sandbox) | 01:06 |
amurray | so you could try installing the snap in strict mode instead - in which case only things that would be blocked by the apparmor policy get logged | 01:07 |
Guest41 | amurray does the snap grade have to be changed from devel? I already changed the confinement to strict | 01:11 |
amurray | Guest41: no, you can leave it as devel - that is separate (a devel snap can only be published to the edge and beta channels, so to publish something to candidate/stable it has to be grade: stable) | 01:12 |
Guest41 | ok then why does it have that problem if confinement is already strict | 01:16 |
Guest41 | when I type snap list it still says devmode | 01:17 |
mup | PR snapcraft#4059 closed: lint: update and freeze codespell <Created by lengau> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4059> | 01:54 |
Guest41 | oh ok never mind I had devmode in the install script | 03:02 |
Guest41 | is there a way to grant a plug full access to everything without devmode | 03:04 |
Guest41 | I just want a snap of python with certain packages I can run on any version of ubuntu | 03:04 |
amurray | Guest41: that is what classic confinement is for - but this is not recommended, as the store review team would only grant it if it is absolutely required https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460 | 03:05 |
Guest41 | I'm just going to use it for myself so I wouldn't publish it in the store | 03:06 |
Guest41 | I changed the confinement to classic and then did snap install --classic --dangerous and now it won't run anymore | 03:09 |
Guest41 | says "cannot snap-exec: cannot exec "/snap/controlenv/x7/bin/python3": no such file or directory" | 03:09 |
jamesh | Guest41: it might seem unintuitive, but it's generally easier to get a snap working reliably over a range of distro releases in strict mode than it is in classic mode | 03:26 |
jamesh | classic mode might remove many of the restrictions and give you full access to the host system, but that's also disabling many of the features designed to present a consistent runtime environment across distros. | 03:28 |
amurray | Guest41: does the file /snap/controlenv/x7/bin/python3 exist? | 04:01 |
amurray | also I agree with jamesh too - if possible it is much better to get a snap working in strict mode than classic especially when targeting different OS releases | 04:02 |
Guest41 | yes it exists but it points to /usr/bin/python3.8 | 04:04 |
Guest41 | which doesn't exist on the host | 04:05 |
Guest41 | is there a plug that unlocks access to everything? | 04:06 |
jamesh | again: classic confinement gives you "access to everything", but the problem is that "everything" will be different on each system your snap is installed on. | 04:18 |
jamesh | For strict confined snaps, there will be a /usr/bin/python3.8 if your snap is built with "base: core20". If you use "base: core22", there is a /usr/bin/python3.10 | 04:19 |
Guest41 | ok well it seems weird to me that it would be harder to get working than strict | 04:52 |
Guest41 | it's kind of annoying to have to install and use snappy-debug and figure out 1 by 1 which plugs to add | 04:53 |
Guest41 | would be nice to have an everything plug | 04:53 |
amurray | Guest41: classic is the "everything plug" (ie. no confinement, so you have access to everything) | 05:06 |
jamesh | Guest41: one thing that might help you get a feel for the system is to run "snap run --shell controlenv". This will start a shell running within the same sandbox your application would. | 05:07 |
Guest41 | but why does it break when I change to classic then | 05:08 |
jamesh | In particular, you'll notice that e.g. the contents of /usr/bin is totally different to the host system. | 05:08 |
Guest41 | or you mean there's a plug called classic? | 05:08 |
jamesh | since you're instead seeing an application runtime that will be the same on every system your snap runs on. | 05:09 |
jamesh | If you can make your app work with that runtime on one machine, it'll likely work the same everywhere else. | 05:09 |
Guest41 | I'm just making a snap out of python so I can have the same version of python with the same packages on different versions of ubuntu | 05:11 |
Guest41 | I added classic to the plugs, and when trying to connect it, it says "error: snap "controlenv" has no plug named "classic"" | 05:12 |
amurray | classic is not a plug - it is a confinement type - also if your snap is using classic confinement then you should remove any and all plugs as they are not relevant to classic confinement, only strict confinement | 05:13 |
Guest41 | well I did try classic confinement, but when I try to run my published command "controlenv" it says "cannot snap-exec: cannot exec "/snap/controlenv/x11/bin/python3": no such file or directory" | 05:44 |
Guest41 | so I can't get classic confinement working at all or it does not respect published commands | 05:46 |
amurray | Guest41: it respects your command fine - you just need to ensure that the things you are shipping are valid - in this case your /snap/controlenv/x11/bin/python3 points to a non-existing file - so instead you should redirect this to point to something that does exist within your snap | 05:55 |
Guest41 | amurray I don't understand though, why would it stop working when i switch the confinement from strict or devel to classic? | 06:56 |
amurray | snapd sets up a new mount namespace for a snap when it is under strict / devmode confinement - which is isolated from the rest of the system - but under classic this is not done - and so a classic snap operates quite differently to a strictly confined one | 06:59 |
Guest41 | is there a manual somewhere that tells how to access/export commands in a classic snap? | 08:28 |
jamesh | the "apps:" section of your snapcraft.yaml describes all the commands your snap exports. | 08:44 |
Guest41 | it doesn't work when i use classic confinement | 08:57 |
mup | PR snapd#12628 closed: tests: skip snapd-reexec-prompt on arm devices as it is excluded in amd64 <Simple 😃> <Test Robustness> <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12628> | 09:15 |
mup | PR snapcraft#4062 opened: fix(clean): non host cleaning shouldn't load the project <Created by Guillaumebeuzeboc> <https://github.com/snapcore/snapcraft/pull/4062> | 11:15 |
mup | PR snapd#12631 opened: golang: remove deadcode linter <Simple 😃> <Flaky Test> <Created by Meulengracht> <https://github.com/snapcore/snapd/pull/12631> | 11:35 |
mup | PR snapd#12632 opened: tests: update interfaces-account-control test to use snapd with the UC base <Test Robustness> <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12632> | 11:50 |
mup | PR snapcraft#4063 opened: lint: update and freeze codespell (#4059) <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/4063> | 12:25 |
mup | PR snapd#12631 closed: golang: remove deadcode linter and bump version <⚠Critical> <Simple 😃> <Flaky Test> <Created by Meulengracht> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12631> | 13:46 |
mup | PR snapd#12633 opened: tests/main: added test for dynamic snapshot data exclusion functionality <⛔ Blocked> <Created by ernestl> <https://github.com/snapcore/snapd/pull/12633> | 14:01 |
mup | PR snapcraft#4064 opened: Make sure that software-properties-common package is installed … <Created by dbruno74> <https://github.com/snapcore/snapcraft/pull/4064> | 14:11 |
mup | PR snapcraft#4063 closed: lint: update and freeze codespell (#4059) <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4063> | 14:46 |
mup | PR snapcraft#4065 opened: cli: fix help message for the "upload" command <Created by cjdcordeiro> <https://github.com/snapcore/snapcraft/pull/4065> | 15:21 |
mup | PR snapd#12634 opened: docs: Updates to CONTRIBUTING.md and HACKING.md <Created by degville> <https://github.com/snapcore/snapd/pull/12634> | 15:26 |
mup | PR snapd#12629 closed: interfaces/account-control: grant access to files needed by pam <Created by alfonsosanchezbeato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/12629> | 16:07 |
mup | PR snapcraft#4060 closed: extensions: fix neon-extension issues for core22 <Created by sergiusens> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/4060> | 16:26 |
mup | PR snapd#12635 opened: NEWS.md: new file and updated for 2.59 <Skip spread> <Created by mvo5> <https://github.com/snapcore/snapd/pull/12635> | 16:37 |
mup | PR snapcraft#4061 closed: ci: ensure workflows are cancellable <Created by lengau> <Merged by mr-cal> <https://github.com/snapcore/snapcraft/pull/4061> | 16:56 |
mup | PR snapd#12632 closed: tests: update interfaces-account-control test to use snapd with the UC base <⚠ Critical> <Test Robustness> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12632> | 16:57 |
mup | PR snapd#12517 closed: tests: update lxd-state tool to install and prepare the lxd snap <Run nested> <Run Nested -auto-> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/12517> | 20:23 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!