[00:51] does anyone know how to remove apparmor allowed spam like this: audit: type=1400 audit(1678323057.184:98107001): apparmor="ALLOWED" operation="exec" profile="snap.controlenv.controlenv" name="/usr/bin/ss" pid=132150 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.controlenv.controlenv//null-/usr/bin/ss
=== benfrancis9 is now known as benfrancis
[01:06] Guest41: it looks like the snap is installed as devmode - in that case most actions get logged by AppArmor (as it is intended to be used during development so the developer can identify what access is required within the snap sandbox)
[01:07] so you could try installing the snap in strict mode instead - in which case only things that would be blocked by the apparmor policy get logged
[01:11] amurray does the snap grade have to be changed from devel? I already changed the confinement to strict
[01:12] Guest41: no, you can leave it as devel - that is separate (a devel snap can only be published to the edge and beta channels, so to publish something to candidate/stable it has to be grade: stable)
[01:16] ok then why does it have that problem if confinement is already strict
[01:17] when I type snap list it still says devmode
[01:54] PR snapcraft#4059 closed: lint: update and freeze codespell
[03:02] oh ok never mind I had devmode in the install script
[03:04] is there a way to grant a plug full access to everything without devmode
[03:04] i just want a snap of python with certain packages i can run on any version of ubuntu
[03:05] Guest41: that is what classic confinement is for - but this is not recommended as only if this is absolutely required would it be granted by the store review team https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460
[03:06] I'm just going to use it for myself so I wouldn't publish it in the store
[03:09] I changed the confinement to classic and then did snap install --classic --dangerous and now it won't run anymore
[03:09] says "cannot snap-exec: cannot exec "/snap/controlenv/x7/bin/python3": no such file or directory"
[03:26] Guest41: it might seem unintuitive, but it's generally easier to get a snap working reliably over a range of distro releases in strict mode than it is in classic mode
[03:28] classic mode might remove many of the restrictions and give you full access to the host system, but that's also disabling many of the features designed to present a consistent runtime environment across distros.
[04:01] Guest41: does the file /snap/controlenv/x7/bin/python3 exist?
[04:02] also I agree with jamesh too - if possible it is much better to get a snap working in strict mode than classic especially when targeting different OS releases
[04:04] yes it exists but it points to /usr/bin/python3.8
[04:05] which doesn't exist on the host
[04:06] is there a plug that unlocks access to everything?
[04:18] again: classic confinement gives you "access to everything", but the problem is that "everything" will be different on each system your snap is installed on.
[04:19] For strict confined snaps, there will be a /usr/bin/python3.8 if your snap is built with "base: core20". If you use "base: core22", there is a /usr/bin/python3.10
[04:52] ok well it seems weird to me that it would be harder to get working than strict
[04:53] it's kind of annoying to have to install and use snappy-debug and figure out 1 by 1 which plugs to add
[04:53] would be nice to have an everything plug
[05:06] Guest41: classic is the "everything plug" (ie. no confinement, so you have access to everything)
[05:07] Guest41: one thing that might help you get a feel for the system is to run "snap run --shell controlenv". This will start a shell running within the same sandbox your application would.
[05:08] but why does it break when I change to classic then
[05:08] In particular, you'll notice that e.g. the contents of /usr/bin is totally different to the host system.
[05:08] or you mean there's a plug called classic?
[05:09] since you're instead seeing an application runtime that will be the same on every system your snap runs on.
[05:09] If you can make your app work with that runtime on one machine, it'll likely work the same everywhere else.
[05:11] i'm just making a snap out of python so I can have the same version of python with same packages on different versions of ubuntu
[05:12] I added classic to the plugs, and when trying to connect it, it says "error: snap "controlenv" has no plug named "classic""
[05:13] classic is not a plug - it is a confinement type - also if your snap is using classic confinement then you should remove any and all plugs as they are not relevant to classic confinement, only strict confinement
[05:44] well I did try classic confinement, but when I try to run my published command "controlenv" it says "cannot snap-exec: cannot exec "/snap/controlenv/x11/bin/python3": no such file or directory"
[05:46] so I can't get classic confinement working at all or it does not respect published commands
[05:55] Guest41: it respects your command fine - you just need to ensure that the things you are shipping are valid - in this case your /snap/controlenv/x11/bin/python3 points to a non-existing file - so instead you should redirect this to point to something that does exist within your snap
[06:56] amurray I don't understand though, why would it stop working when i switch the confinement from strict or devel to classic?
[06:59] snapd sets up a new mount namespace for a snap when it is under strict / devmode confinement - which is isolated from the rest of the system - but under classic this is not done - and so a classic snap operates quite differently to a strictly confined one
[08:28] is there a manual somewhere that tells how to access/export commands in a classic snap?
[08:44] the "apps:" section of your snapcraft.yaml describes all the commands your snap exports.
[08:57] it doesn't work when i use classic confinement
[09:15] PR snapd#12628 closed: tests: skip snapd-reexec-prompt on arm devices as it is excluded in amd64
[11:15] PR snapcraft#4062 opened: fix(clean): non host cleaning shouldn't load the project
[11:35] PR snapd#12631 opened: golang: remove deadcode linter
[11:50] PR snapd#12632 opened: tests: update interfaces-account-control test to use snapd with the UC base
[12:25] PR snapcraft#4063 opened: lint: update and freeze codespell (#4059)
[13:46] PR snapd#12631 closed: golang: remove deadcode linter and bump version <⚠ Critical>
[14:01] PR snapd#12633 opened: tests/main: added test for dynamic snapshot data exclusion functionality <⛔ Blocked>
[14:11] PR snapcraft#4064 opened: Make sure that software-properties-common package is installed …
[14:46] PR snapcraft#4063 closed: lint: update and freeze codespell (#4059)
[15:21] PR snapcraft#4065 opened: cli: fix help message for the "upload" command
[15:26] PR snapd#12634 opened: docs: Updates to CONTRIBUTING.md and HACKING.md
[16:07] PR snapd#12629 closed: interfaces/account-control: grant access to files needed by pam
[16:26] PR snapcraft#4060 closed: extensions: fix neon-extension issues for core22
[16:37] PR snapd#12635 opened: NEWS.md: new file and updated for 2.59
[16:56] PR snapcraft#4061 closed: ci: ensure workflows are cancellable
[16:57] PR snapd#12632 closed: tests: update interfaces-account-control test to use snapd with the UC base <⚠ Critical>
[20:23] PR snapd#12517 closed: tests: update lxd-state tool to install and prepare the lxd snap