Need an interface for kubernetes

Bug #1664638 reported by George Kraft on 2017-02-14
This bug affects 1 person
Affects          Importance  Assigned to
snapd            Medium      Jamie Strandboge
snapd (Ubuntu)   Undecided   Unassigned
  Trusty         Undecided   Unassigned
  Xenial         Undecided   Unassigned
  Yakkety        Undecided   Unassigned
  Zesty          Undecided   Unassigned
  Artful         Undecided   Unassigned

Bug Description

Working on creating a confined snap for kubelet. We're seeing a lot of denials. At least the following is needed to make kubelet work with the attached script:

1. adjust kubelet to 'plugs: [ log-observe, mount-observe ]'

2. adjust kubelet to make /var/log/containers snap-specific

3. modprobe llc stp bridge br_netfilter

4. create a kubernetes-support interface that allows (at least):

# what is this for?
#include <abstractions/dbus-strict>

capability sys_resource,

@{PROC}/diskstats r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/cgroup r,
/sys/fs/cgroup/{,**} r,

/sys/kernel/mm/hugepages/ r,
@{PROC}/sys/kernel/random/boot_id r, # fixed already

@{PROC}/sys/kernel/panic_on_oops rw,
@{PROC}/sys/kernel/panic rw,
@{PROC}/sys/kernel/keys/root_maxbytes r,
@{PROC}/sys/kernel/keys/root_maxkeys r,
@{PROC}/sys/vm/panic_on_oom r,
@{PROC}/sys/vm/overcommit_memory rw,
@{PROC}/@{pid}/oom_score_adj rw,

# modprobe llc, stp, bridge, br_netfilter
/sys/module/llc/initstate r,
/sys/module/stp/initstate r,
/sys/module/bridge/initstate r,
/sys/module/br_netfilter/initstate r,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
# seccomp blocks module loading, this is for listing
/sys/module/apparmor/parameters/enabled r,
/bin/kmod ixr,
/etc/modprobe.d/{,**} r,

ptrace (read, trace) peer=docker-default,
ptrace (read, trace) peer=unconfined, # hrmm
ptrace (read, trace) peer=snap.docker.dockerd,

/bin/journalctl ixr,

# make snap-specific
/var/log/containers/{,**} rw,

I'll put up a preliminary PR that implements the apparmor and kernel module policy so that people can play with this. In the meantime, after updating the kubelet snap to plugs log-observe and mount-observe and connect them, people can:

$ sudo modprobe -a llc stp bridge br_netfilter
# add the above policy to /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet then run:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet

Locally at this point kubelet is spinning looking for the api service so I can't see what other accesses are required.

= Original description =
Working on creating a confined snap for kubelet. We're seeing a lot of errors trying to open files relating to cgroups:

/proc/self/cgroup
/sys/fs/cgroup/cpu,cpuacct/cpu.shares
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
/sys/fs/cgroup/memory/memory.limit_in_bytes
/sys/fs/cgroup/memory/memory.soft_limit_in_bytes
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpuset

The last three result in a hard failure of kubelet. There may be other files as well.

Based on snappy-debug output, it looks like it's opening these files with the "r" flag, but I imagine it may need write access to some of these as well. I'm not sure.

For some context, kubelet is the main process that runs on each node in a Kubernetes cluster. Its main purpose is to orchestrate Docker containers, and it looks like it's using cgroups for tight control over the utilization of hardware resources.
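
The description above is built by collecting AppArmor denials and turning them into policy rules. As an added example (not part of the bug report or of snapd), the following sketch does that for kernel audit lines and flags the rules a reviewer would question before adding them to an interface. The log lines are constructed, and the function names and review heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of kernel audit lines (not taken from the bug report).
SAMPLE_LOG = '''\
audit: type=1400 audit(1487090000.101:41): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487090000.102:42): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/4242/cgroup" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487090000.103:43): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/sys/vm/overcommit_memory" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487090000.104:44): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/sys/vm/overcommit_memory" pid=4242 comm="kubelet" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1487090000.105:45): apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=4242 comm="kubelet" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1487090000.106:46): apparmor="DENIED" operation="capable" profile="snap.kubelet.kubelet" pid=4242 comm="kubelet" capability=24  capname="sys_resource"
audit: type=1400 audit(1487090000.107:47): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/hostname" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1487090000.108:48): apparmor="ALLOWED" operation="open" profile="snap.kubelet.kubelet" name="/etc/hosts" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklm"  # order in which file permissions are emitted


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for anything else."""
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def policy_path(name):
    """Rewrite a concrete /proc path using the @{PROC} and @{pid} policy variables."""
    name = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", name)
    return re.sub(r"^/proc/", "@{PROC}/", name)


def candidate_rules(log_text, profile):
    """Merge all denials for one profile into a sorted list of candidate rules."""
    file_perms = defaultdict(set)  # policy path -> permission letters
    rules = set()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or rec.get("profile") != profile:
            continue
        op = rec.get("operation")
        if op == "capable" and "capname" in rec:
            rules.add("capability %s," % rec["capname"])
        elif op == "ptrace" and "peer" in rec:
            rules.add("ptrace (%s) peer=%s," % (rec["denied_mask"], rec["peer"]))
        elif "name" in rec and "denied_mask" in rec:
            # create (c) and delete (d) are covered by write permission in policy
            perms = {"w" if c in "cd" else c for c in rec["denied_mask"]}
            file_perms[policy_path(rec["name"])] |= perms
    for path, perms in file_perms.items():
        # exec denials are left out: they need a deliberate transition mode (ix, px, ...)
        mask = "".join(c for c in PERM_ORDER if c in perms)
        if mask:
            rules.add("%s %s," % (path, mask))
    return sorted(rules)


def review_reason(rule):
    """Return why a rule deserves scrutiny before entering an interface, or None."""
    if rule.startswith("capability "):
        return "grants a Linux capability"
    if rule.startswith("ptrace ") and rule.endswith("peer=unconfined,"):
        return "ptrace of unconfined processes"
    path, _, mask = rule.rstrip(",").rpartition(" ")
    if path.startswith("@{PROC}/sys/") and "w" in mask:
        return "writes a kernel tunable"
    return None


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG, "snap.kubelet.kubelet"):
        reason = review_reason(rule)
        print(rule + ("  # review: " + reason if reason else ""))
```
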

Jamie Strandboge (jdstrand) wrote :

Manipulating cgroups is not currently supported by a generic interface. I suspect this will require a kubernetes specific interface, but do you have a simple reproducer to demonstrate the functionality you require?

tags: added: snapd-interface
Changed in snapd:
importance: Undecided → Medium
status: New → Incomplete

George Kraft (cynerva) wrote :

Attached a small script for installing and running the kubelet snap in a way that demonstrates the cgroup permission issues.

If you need to see how the snap was built, the repo is here:
https://github.com/juju-solutions/kubernetes-snaps/tree/gkk/confined-kubelet

Thanks!

summary: - Need an interface to access cgroups
+ Need an interface for kubernetes

Jamie Strandboge (jdstrand) wrote :

I took a look at this today and updated the description accordingly. I'll do a PR and then the conversation can move there while we iterate on the interface.

description: updated
Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Incomplete → In Progress

Jamie Strandboge (jdstrand) wrote :

One thing that would speed up the development of this interface would be to provide devmode snaps that are correctly using paths in its(/their) snap area, with instructions on some basic manual tests. In this manner I could install the snap(s) in strict mode, run through the test cases and (advise how to or simply) update the interfaces accordingly.

description: updated

Jamie Strandboge (jdstrand) wrote :

https://github.com/snapcore/snapd/pull/3016 has the preliminary interface we can iterate on.

Jamie Strandboge (jdstrand) wrote :

As mentioned in comment #6, there is a preliminary interface PR here: https://github.com/snapcore/snapd/pull/3016

Would it be possible to test that PR and leave feedback there? If not, do you have snaps (devmode or strict) that can be used and instructions on how to test the interface more fully?

tags: added: verification-needed
Changed in snapd (Ubuntu Zesty):
status: New → Fix Committed

Andy Whitcroft (apw) wrote :

Hello George, or anyone else affected,

Accepted snapd into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.25+17.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Jamie Strandboge (jdstrand) wrote :

@George, as mentioned in https://github.com/snapcore/snapd/pull/3016 (and in this bug), while 'kubernetes-support' qualifies as fulfilling 'Need an interface for kubernetes', it is not complete because I didn't get the requested devmode snaps and instructions on how to use them to complete the interface.

Now would be a great time to provide this information, but SRU team, please don't have the incompleteness of the interface block the 2.25 SRU. If a snap that plugs 'kubernetes-support' is installable with --dangerous and the apparmor policy is loaded into the kernel, that should be all that is required for verification-done.

George Kraft (cynerva) wrote :

Thanks for keeping this updated Jamie. Sorry for my lack of response, this has been on my list for a long time but other stuff keeps coming up. I am not able to devote time to testing this any time in the next week.

I'll do my best to describe testing steps in case you want to give it a go, but if not, I'm hopeful I can give it a shot in a couple weeks.

A full test of this will require a live Kubernetes cluster. I suspect the easiest way will be to deploy a cluster with Juju:

$ juju deploy kubernetes-core

Note there is a kubelet snap installed on kubernetes-worker/0 already, but it is classically confined.

Update snapd on kubernetes-worker/0 to include the kubernetes-support interface.

Build the strictly confined kubelet snap:

$ git clone https://github.com/juju-solutions/release.git --branch gkk/confined-kubelet
$ cd release/snap
$ make KUBE_VERSION=v1.6.1 kubelet
$ ls build

Use `juju scp` to copy the snap over, `juju ssh` in, and install it.

Run e2e tests against it:

$ juju deploy kubernetes-e2e
$ juju relate kubernetes-e2e easyrsa
$ juju relate kubernetes-e2e kubernetes-master

Once kubernetes-e2e is "Ready to test":

$ juju run-action kubernetes-e2e/0 test

Wait for the action to finish, check the output, and grab the .log file that it produces.

Back to kubernetes-worker/0, check `journalctl -u snap.kubelet.daemon` for errors.

Again, apologies for my lack of response and I will do my best to try these steps in a couple weeks or so.

Jamie Strandboge (jdstrand) wrote :

@George, no worries. I saw that classic confinement snaps were going into the store and figured that is what you were focused on atm. I've made a note of your comments in the card tracking this work. Thanks again.

I'll do a reduced test case for the SRU.

Jamie Strandboge (jdstrand) wrote :

$ apt-cache policy snapd
snapd:
  Installed: 2.25+17.04
  Candidate: 2.25+17.04
  Version table:
 *** 2.25+17.04 500
        500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.24.1+17.04 500
        500 http://us.archive.ubuntu.com/ubuntu zesty-updates/main amd64 Packages
     2.23.6+17.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 Packages

$ snap version
snap 2.25+17.04
snapd 2.25+17.04
series 16
ubuntu 17.04
kernel 4.10.0-20-generic

$ snap interfaces|grep kub
:kubernetes-support -

$ sudo snap install --dangerous ./test-kubernetes-support_0_all.snap
test-kubernetes-support 0 installed

$ snap interfaces|grep kub
:kubernetes-support -
- test-kubernetes-support:kubernetes-support

$ sudo snap connect test-kubernetes-support:kubernetes-support

$ snap interfaces|grep kub
:kubernetes-support test-kubernetes-support

$ sudo aa-status |grep kub
   snap.test-kubernetes-support.env
   snap.test-kubernetes-support.sh

# test something allowed by the kubernetes-support interface
$ snap run --shell test-kubernetes-support.sh
...
$ cat /sys/module/apparmor/parameters/enabled
Y

This is sufficient to mark this as verification-done.

tags: added: verification-done-zesty
removed: verification-needed

Jamie Strandboge (jdstrand) wrote :

Here is the test-kubernetes-support snap.

Changed in snapd:
status: In Progress → Fix Released
Changed in snapd (Ubuntu Artful):
status: New → Fix Committed

Andy Whitcroft (apw) wrote :

Hello George, or anyone else affected,

Accepted snapd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.25+16.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapd (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed

Andy Whitcroft (apw) wrote :

Hello George, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.25 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapd (Ubuntu Xenial):
status: New → Fix Committed
Changed in snapd (Ubuntu Trusty):
status: New → Fix Committed

Andy Whitcroft (apw) wrote :

Hello George, or anyone else affected,

Accepted snapd into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.25~14.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Jamie Strandboge (jdstrand) wrote :

For 16.10, verification passed:

$ apt-cache policy snapd
snapd:
  Installed: 2.25+16.10
  Candidate: 2.25+16.10
  Version table:
 *** 2.25+16.10 500
        500 http://archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.24.1+16.10 500
        500 http://us.archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages
     2.16+16.10ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages

$ snap version
snap 2.25+16.10
snapd 2.25+16.10
series 16
ubuntu 16.10
kernel 4.8.0-49-generic

$ snap interfaces|grep kub
:kubernetes-support -

$ sudo snap install ./test-kubernetes-support_0_all.snap --dangerous
test-kubernetes-support 0 installed

$ snap interfaces|grep kub
:kubernetes-support -
- test-kubernetes-support:kubernetes-support

$ sudo snap connect test-kubernetes-support:kubernetes-support

$ snap interfaces|grep kub
:kubernetes-support test-kubernetes-support

$ sudo aa-status |grep kub
   snap.test-kubernetes-support.env
   snap.test-kubernetes-support.sh

$ snap run --shell test-kubernetes-support.sh
...
$ cat /sys/module/apparmor/parameters/enabled
Y

tags: added: verification-done-yakkety

Jamie Strandboge (jdstrand) wrote :

For 16.04 LTS, verification passed:

$ apt-cache policy snapd
snapd:
  Installed: 2.25
  Candidate: 2.25
  Version table:
 *** 2.25 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.24.1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     2.0.2 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

$ snap version
snap 2.25
snapd 2.25
series 16
ubuntu 16.04
kernel 4.4.0-75-generic

$ snap interfaces|grep kub
:kubernetes-support -

$ sudo snap install ./test-kubernetes-support_0_all.snap --dangerous
test-kubernetes-support 0 installed

$ snap interfaces|grep kub
:kubernetes-support -

$ snap interfaces|grep kub
:kubernetes-support -
- test-kubernetes-support:kubernetes-support

$ sudo snap connect test-kubernetes-support:kubernetes-support

$ snap interfaces|grep kub
:kubernetes-support test-kubernetes-support

$ sudo aa-status |grep kub
   snap.test-kubernetes-support.env
   snap.test-kubernetes-support.sh

$ snap run --shell test-kubernetes-support.sh
...
$ cat /sys/module/apparmor/parameters/enabled
Y

tags: added: verification-done-xenial

Jamie Strandboge (jdstrand) wrote :

For 14.04 LTS, verification passed:

$ apt-cache policy snapd
snapd:
  Installed: 2.25~14.04
  Candidate: 2.25~14.04
  Version table:
 *** 2.25~14.04 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     2.24.1~14.04 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages

$ snap version
snap 2.25~14.04
snapd 2.25~14.04
series 16
ubuntu 14.04
kernel 4.4.0-75-generic

$ snap interfaces|grep kub
:kubernetes-support -

$ sudo snap install ./test-kubernetes-support_0_all.snap --dangerous
test-kubernetes-support 0 installed

$ snap interfaces|grep kub
:kubernetes-support -
- test-kubernetes-support:kubernetes-support

$ sudo snap connect test-kubernetes-support:kubernetes-support

$ snap interfaces|grep kub
:kubernetes-support test-kubernetes-support

$ sudo aa-status |grep kub
   snap.test-kubernetes-support.env
   snap.test-kubernetes-support.sh

$ snap run --shell test-kubernetes-support.sh
$ cat /sys/module/apparmor/parameters/enabled
Y

tags: added: verification-done-trusty
removed: verification-needed

George Kraft (cynerva) wrote :

Finally had a chance to try running confined kubelet with the kubernetes-support interface in a live Kubernetes cluster. Attached a script that more or less captures what I did.

Kubelet fails to come up with the following error:

error: failed to run Kubelet: failed to create kubelet: mkdir /var/lib/dockershim: permission denied

This path doesn't appear to be configurable today, although they are adding a hidden --experimental-dockershim-root-directory flag in Kubernetes 1.7 that should cover it. Seems like we'll need to either wait for the new flag, or add write access to /var/lib/dockershim in the kubernetes-support interface.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.26.1+17.10

---------------
snapd (2.26.1+17.10) artful; urgency=medium

  * New upstream release, LP: #1690083
    - store: fix panic error in auth
    - tests: the new ubuntu-image snap needs classic confinement, adjust
      tests
    - cmd/snap-confine: don't fail on pre 3.8 kernel

snapd (2.26) xenial; urgency=medium

  * New upstream release, LP: #1690083
    - timeutil: avoid panicking when the window is very small
    - image: fix go vet issue
    - overlord/ifacestate: don't spam logs with harmless auto-connect
      messages
    - interfaces/builtin: add network-status interface
    - interfaces/builtin: add online-accounts-service interface
    - interfaces/builtin: distribute code of touching allInterfaces
    - interfaces: API additions for interface hooks
    - interfaces/builtin: add storage-framework-service interface
    - tests: disable create-key test on ppc64el for artful (expect not
      working)
    - snap: make `snap prepare-image --extra-snaps` derive side info
    - tests: unify tests/{main/completion,completion}/lib.exp0
    - cmd/snap: tweak info channels output
    - interfaces: ensure that legacy interface methods are unused
    - packaging: cleanup how built-using is generated
    - tests: extend kernel-module-control interface test
    - interfaces/network: workaround Go's need for NETLINK_ROUTE with
      'net'.
    - cmd/snap-confine: use defensive argument parser
    - tests: add test for empty snap name on revert
    - overlord/hookstate: remove unused Context.timeout
    - tests: additional setup in docker test for core systems
    - configstate: return error if patch is invalid
    - interfaces: add random interface
    - store, daemon, client, cmd/snap: handle PASSWORD_POLICY_ERROR
    - cmd/snap, client: add "whoami" command
    - cmd/snap: iterate interface tab completion
    - snap: move locale-control to only be present on classic
    - interfaces/browser-support: deny read on squashfs backing files
      and LVM vg names
    - tests: wait for the docker socket to be listening
    - snap: add `snap refresh --time` option
    - tests: re-enable and moderninze /media sharing test
    - cmd: make rst2man optional
    - tests: remove quoting from [[ ]] when globs
    - interfaces: allow plugging DBus clients to introspect the slot
      service
    - packaging/ubuntu*/changelog: drop extra dash
    - snap-confine: init the ENTRY variable, coverity is unhappy
      otherwise
    - cmd/snap-confine/spread-tests: discard useless --version test
    - spread: add spread target qemu:debian-9-64
    - interfaces: mediate netlink sockets via seccomp
    - tests,cmd/snap-confine: port older snapd-discard-ns tests
    - cmd/snap-confine/tests: fix shellcheck on recently added files
    - tests/upgrade: force install core snap from beta for debian
    - overlord/snapstate/backend,interfaces/mount: move ns management
      code.
    - tests: extend network-control spread test to cope with network
      namespaces
    - tests: fail early in the spread suite if trying to run it inside a
      container
    - tests: set ownership of $PROJECT_PATH for the external backend
    ...

Changed in snapd (Ubuntu Artful):
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.25+17.04

---------------
snapd (2.25+17.04) zesty; urgency=medium

  * New upstream release, LP: #1686713
    - interfaces/default: allow mknod for regular files, pipes and
      sockets
    - many: use "SNAP.APP as ALIAS" instead of => when listing
      added/removed aliases
    - cmd/snap-confine: write current mount profile
    - cmd/snap-discard-ns: remove current profile when cleaning up
    - many: support debian in our CI
    - tests: tweak time for econnreset test a bit more
    - cmd/snap-confine: re-enable re-assciate fix for CE
    - many: aliases v2 cleanups
    - cmd/snap-confine: don't use apparmor if it is disabled on boot
    - many: implement `snap prefer <snap>` (aliases v2)
    - many: adjust /aliases and "snap aliases" to aliases v2, also some
      cleanup
    - snapstate: normalize gadget defaults
    - many: allow core refresh.schedule setting
    - many: show alias changes on snap alias/unalias (aliases v2)
    - client,cmd/snap: improve messaging on --devmode and --classic
    - many: implement `snap unalias <alias-or-snap>` (aliases v2)
    - store: retry on connection reset
    - interfaces/mount: add Change.Perform
    - tests: add openvswitch interface spread test
    - interfaces/i2c: allow modifying device-specific sysfs entries
    - interfaces: allow writing to /run/systemd/journal/stdout by
      default
    - tests: ensure travis fails early if static checks fail
    - store,daemon: make store interpret channel="" as stable in most
      cases
    - overlord/snapstate: make UpdateAliases idempotent, simplify the
      backend interface bits for aliases not used anymore (aliases v2)
    - many: implement snap alias <snap.app> <alias> (aliases v2)
    - snap-confine: add code to ensure that / or /snap is mounted
      "shared"
    - many: show available "tracks" in `snap info`
    - cmd/snap: make users Xauthority file available in snap environment
    - interfaces/mount: write current fstab files with mode 0644
    - overlord: switch to aliases v2 tasks for install/refresh etc ops
      plus transition
    - tests: parameterize gadget snap channel (#3117)
    - tests: copy .real profile as .real
    - tests: add empty initrd failover test
    - many: mount squashfs as read-only
    - cmd: make locking around namespaces explicit
    - tests: address review comments from #3186
    - tests: add dbus interface spread test
    - interfaces/mount: add ReadMountInfo and LoadMountInfo
    - snap: require snap name for 'revert'
    - overlord: maintain per-revision snapshots of snap configuration
    - tests: relax network-bind interface regexps
    - interfaces: re-add reverted ioctl and quotactl (revert 21bc6b9f)
    - store: retry once on hashsum mismatches in a Download()
    - interfaces/builtin: don't panic if content plug has nil attrs
    - interfaces/mount: pass mount.Profile to mount.NeededChanges
    - packaging: add `built-using` header for 16.04 packaging
    - interfaces: add media-hub interface
    - interfaces/builtin: allow full access to properties iface of the
      udisks service
    - tests: handle case when both .real and plain are present
    - inte...

Changed in snapd (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for snapd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.25+16.10

---------------
snapd (2.25+16.10) yakkety; urgency=medium

  * New upstream release, LP: #1686713

Changed in snapd (Ubuntu Yakkety):
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.25

---------------
snapd (2.25) xenial; urgency=medium

  * New upstream release, LP: #1686713
    - interfaces/default: allow mknod for regular files, pipes and
      sockets
    - many: use "SNAP.APP as ALIAS" instead of => when listing
      added/removed aliases
    - cmd/snap-confine: write current mount profile
    - cmd/snap-discard-ns: remove current profile when cleaning up
    - many: support debian in our CI
    - tests: tweak time for econnreset test a bit more
    - cmd/snap-confine: re-enable re-assciate fix for CE
    - many: aliases v2 cleanups
    - cmd/snap-confine: don't use apparmor if it is disabled on boot
    - many: implement `snap prefer <snap>` (aliases v2)
    - many: adjust /aliases and "snap aliases" to aliases v2, also some
      cleanup
    - snapstate: normalize gadget defaults
    - many: allow core refresh.schedule setting
    - many: show alias changes on snap alias/unalias (aliases v2)
    - client,cmd/snap: improve messaging on --devmode and --classic
    - many: implement `snap unalias <alias-or-snap>` (aliases v2)
    - store: retry on connection reset
    - interfaces/mount: add Change.Perform
    - tests: add openvswitch interface spread test
    - interfaces/i2c: allow modifying device-specific sysfs entries
    - interfaces: allow writing to /run/systemd/journal/stdout by
      default
    - tests: ensure travis fails early if static checks fail
    - store,daemon: make store interpret channel="" as stable in most
      cases
    - overlord/snapstate: make UpdateAliases idempotent, simplify the
      backend interface bits for aliases not used anymore (aliases v2)
    - many: implement snap alias <snap.app> <alias> (aliases v2)
    - snap-confine: add code to ensure that / or /snap is mounted
      "shared"
    - many: show available "tracks" in `snap info`
    - cmd/snap: make users Xauthority file available in snap environment
    - interfaces/mount: write current fstab files with mode 0644
    - overlord: switch to aliases v2 tasks for install/refresh etc ops
      plus transition
    - tests: parameterize gadget snap channel (#3117)
    - tests: copy .real profile as .real
    - tests: add empty initrd failover test
    - many: mount squashfs as read-only
    - cmd: make locking around namespaces explicit
    - tests: address review comments from #3186
    - tests: add dbus interface spread test
    - interfaces/mount: add ReadMountInfo and LoadMountInfo
    - snap: require snap name for 'revert'
    - overlord: maintain per-revision snapshots of snap configuration
    - tests: relax network-bind interface regexps
    - interfaces: re-add reverted ioctl and quotactl (revert 21bc6b9f)
    - store: retry once on hashsum mismatches in a Download()
    - interfaces/builtin: don't panic if content plug has nil attrs
    - interfaces/mount: pass mount.Profile to mount.NeededChanges
    - packaging: add `built-using` header for 16.04 packaging
    - interfaces: add media-hub interface
    - interfaces/builtin: allow full access to properties iface of the
      udisks service
    - tests: handle case when both .real and plain are present
    - interfaces/moun...


Changed in snapd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.25~14.04

---------------
snapd (2.25~14.04) trusty; urgency=medium

  * New upstream release, LP: #1686713
    - interfaces/default: allow mknod for regular files, pipes and
      sockets
    - many: use "SNAP.APP as ALIAS" instead of => when listing
      added/removed aliases
    - cmd/snap-confine: write current mount profile
    - cmd/snap-discard-ns: remove current profile when cleaning up
    - many: support debian in our CI
    - tests: tweak time for econnreset test a bit more
    - cmd/snap-confine: re-enable re-assciate fix for CE
    - many: aliases v2 cleanups
    - cmd/snap-confine: don't use apparmor if it is disabled on boot
    - many: implement `snap prefer <snap>` (aliases v2)
    - many: adjust /aliases and "snap aliases" to aliases v2, also some
      cleanup
    - snapstate: normalize gadget defaults
    - many: allow core refresh.schedule setting
    - many: show alias changes on snap alias/unalias (aliases v2)
    - client,cmd/snap: improve messaging on --devmode and --classic
    - many: implement `snap unalias <alias-or-snap>` (aliases v2)
    - store: retry on connection reset
    - interfaces/mount: add Change.Perform
    - tests: add openvswitch interface spread test
    - interfaces/i2c: allow modifying device-specific sysfs entries
    - interfaces: allow writing to /run/systemd/journal/stdout by
      default
    - tests: ensure travis fails early if static checks fail
    - store,daemon: make store interpret channel="" as stable in most
      cases
    - overlord/snapstate: make UpdateAliases idempotent, simplify the
      backend interface bits for aliases not used anymore (aliases v2)
    - many: implement snap alias <snap.app> <alias> (aliases v2)
    - snap-confine: add code to ensure that / or /snap is mounted
      "shared"
    - many: show available "tracks" in `snap info`
    - cmd/snap: make users Xauthority file available in snap environment
    - interfaces/mount: write current fstab files with mode 0644
    - overlord: switch to aliases v2 tasks for install/refresh etc ops
      plus transition
    - tests: parameterize gadget snap channel (#3117)
    - tests: copy .real profile as .real
    - tests: add empty initrd failover test
    - many: mount squashfs as read-only
    - cmd: make locking around namespaces explicit
    - tests: address review comments from #3186
    - tests: add dbus interface spread test
    - interfaces/mount: add ReadMountInfo and LoadMountInfo
    - snap: require snap name for 'revert'
    - overlord: maintain per-revision snapshots of snap configuration
    - tests: relax network-bind interface regexps
    - interfaces: re-add reverted ioctl and quotactl (revert 21bc6b9f)
    - store: retry once on hashsum mismatches in a Download()
    - interfaces/builtin: don't panic if content plug has nil attrs
    - interfaces/mount: pass mount.Profile to mount.NeededChanges
    - packaging: add `built-using` header for 16.04 packaging
    - interfaces: add media-hub interface
    - interfaces/builtin: allow full access to properties iface of the
      udisks service
    - tests: handle case when both .real and plain are present
    - int...


Changed in snapd (Ubuntu Trusty):
status: Fix Committed → Fix Released