Snappy

locally installed snaps cannot be connected when base declaration constraints disallow it

Bug #1640874 reported by Alfonso Sanchez-Beato on 2016-11-10

22

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical System Image	Fix Released	High	Pat McGowan	Canonical System Image p2 "Ubuntu Personal"
	Snappy	Fix Released	High	Unassigned

Bug Description

When installing a local snap, it is not possible to connect interfaces that do not belong to the core (ie, 'type: app' slot implementations) due to the intended and designed security restrictions of the base declaration. For instance:

$ sudo snap install --dangerous ~/modem-manager_1.6.2-1_amd64.snap
$ sudo snap install --dangerous ~/network-manager_1.2.2-8_amd64.snap

$ sudo snap connect network-manager:modem-manager modem-manager:service
error: cannot perform the following tasks:
- Connect network-manager:modem-manager to modem-manager:service (connection denied by slot rule of interface "modem-manager")
$ sudo snap connect modem-manager:mmcli modem-manager:service
error: cannot perform the following tasks:
- Connect modem-manager:mmcli to modem-manager:service (connection denied by slot rule of interface "modem-manager")

The only way to be able to do so is to change basedeclaration.go in snapd sources and remove "deny-connection" for the needed interfaces. This is a pain point as a hacked snapd is needed when developing or updating slot implementation snaps. It should be possible to perform local testing of the snap before submitting to the store, even if we are doing so for the edge channel.

See original description

Tags:

Jamie Strandboge (jdstrand) on 2016-11-10

description:	updated
Changed in snappy:
status:	New → Confirmed
description:	updated
summary:	- It is not possible to inter-connect locally installed snaps + locally installed slot implementations cannot be connected due to base + declaration constraints causing a developer pain point

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-11-10: Re: locally installed slot implementations cannot be connected due to base declaration constraints

#1

@Gustavo - this is what I mentioned on the list as a developer pain point. The base declaration is operating as designed and currently requires a snap declaration from the store.

I'm not sure if you have designed this part of snap declarations yet, but one option to address this would be to support developer-signed snap declarations.

summary:	locally installed slot implementations cannot be connected due to base - declaration constraints causing a developer pain point + declaration constraints
summary:	- locally installed slot implementations cannot be connected due to base - declaration constraints + locally installed snaps cannot be connected when base declaration + constraints disallow it

Revision history for this message

Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote on 2016-11-14:

#2

This error when uploading to the store seems related:

"Store upload failed: not allowed by 'deny-connection/on-classic' in base declaration"

See https://launchpad.net/~snappy-hwe-team/+snap/modem-manager-daily/+build/10005

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-11-16:

#3

@Alfonso - that is related in that the base declaration requires that modem-manager have a corresponding snap declaration. There was an issue with the store that is now resolved where the store wasn't giving the review tools the snap declaration to override the base declaration which would allow the upload to pass review.

Revision history for this message

I Ahmad (iahmad) wrote on 2016-12-05:

#4

Currently snapweb CI is broken because of this bug as it install and tests the locally build snap before uploading to the edge, what is the latest on this bug please?

Pat McGowan (pat-mcgowan) on 2016-12-09

Changed in canonical-devices-system-image:
assignee:	nobody → Pat McGowan (pat-mcgowan)
importance:	Undecided → High
milestone:	none → p1
status:	New → Confirmed
tags:	added: personal

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-12-09:

#5

Per Gustavo, --dangerous is going to be adjusted to address this bug and it is targeted for snapd 2.20 aiui.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-12-09:

#6

I'll triage this up based on my understanding of the situation. Michael or Jamie Bennett, please adjust as necessary.

Changed in snappy:
status:	Confirmed → Triaged
importance:	Undecided → High
status:	Triaged → In Progress

Samuele Pedroni (pedronis) on 2016-12-09

Changed in canonical-devices-system-image:
status:	Confirmed → In Progress

Revision history for this message

Pat McGowan (pat-mcgowan) wrote on 2017-01-11:

#7

Fixed by https://github.com/snapcore/snapd/pull/2415 in 2.20 afaict

Changed in canonical-devices-system-image:
milestone:	p1 → p2
status:	In Progress → Fix Released

Michael Vogt (mvo) on 2017-01-17

Changed in snappy:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.