Cannot read preseed file when using snap in confined mode

Question

Cannot read preseed file when using snap in confined mode

roosterfish opened this issue a year ago · 8 comments

When following the microcloud/test/suites/basic.sh test suite you can run microcloud init --preseed /root/preseed.yaml in order to load the preseed file. If the snap is not installed using --devmode accessing this file fails with permission denied and the following error from apparmor:

[25737.777721] audit: type=1400 audit(1697721622.896:3717): apparmor="ALLOWED" operation="open" class="file" namespace="root//lxd-c1_<var-snap-lxd-common-lxd>" profile="snap.microcloud.microcloud" name="/root/preseed.yml" pid=1426161 comm="microcloud" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1001000

Is there a special directory for the preseed file so that it can be accessed by the snap?

Answer 1 · 2023-10-20T08:56:36.000Z

@masnax please can you check that preseed is working without --devmode thanks

Answer 2 · 2023-10-20T09:19:52.000Z

Shoot, yeah due to the snap confinement the preseed file would need to be read from /var/snap/microcloud. @tomponline are you familiar with how LXD handles reading files from outside the snap confinement?

Answer 3 · 2023-10-20T09:24:56.000Z

LXD has access to the host filesystem by /var/lib/snapd/hostfs and our associated shared.HostPath() function.
But I dont think MicroCloud has that sort of global access, so I suspect you'll need to talk to the snapd team about using a content interface - or can you not modify microcloud to accept the preseed via stdin (like lxd init does btw).:

      --preseed                 Pre-seed mode, expects YAML config from stdin

This would side step the issue and be consistent with LXD - two wins in my book.

Answer 4 · 2023-10-20T09:25:23.000Z

Also does this mean you've not run the tests on the actual latest/edge version?

Answer 5 · 2023-10-20T09:32:53.000Z

Yeah I wrote the tests expecting to build the snap each time, since the whole test-suite relies on snaps. Thanks to muscle memory I used --devmode, but it should really be --dangerous after installing the published snap so the confinement rules are maintained.

Answer 6 · 2023-10-20T09:33:29.000Z

Right ok please can you update and re-run to check for any other issues. Thanks

Answer 7 · 2023-10-20T09:34:04.000Z

The test suite should also have a default mode where it uses latest/edge like we do in lxd-ci so there's no need to have the actual microcloud source on the test system.

Answer 8 · 2023-11-16T09:19:02.000Z

I guess this can be closed as fixed by #197?