[Bug 1926442] Re: [SRU] cannot execute 'netplan generate' from within a snap
Launchpad Bug Tracker
1926442 at bugs.launchpad.net
Tue Oct 5 16:21:44 UTC 2021
This bug was fixed in the package netplan.io - 0.99-0ubuntu3~18.04.5
---------------
netplan.io (0.99-0ubuntu3~18.04.5) bionic; urgency=medium
* d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
'generate' from within a snap (LP: #1926442)
* Update debian/gbp.conf
-- Lukas Märdian <slyon at ubuntu.com> Tue, 07 Sep 2021 17:19:37 +0200
** Changed in: netplan.io (Ubuntu Bionic)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1926442
Title:
[SRU] cannot execute 'netplan generate' from within a snap
Status in Snappy:
Confirmed
Status in netplan.io package in Ubuntu:
Fix Released
Status in netplan.io source package in Bionic:
Fix Released
Status in netplan.io source package in Focal:
Fix Released
Status in netplan.io source package in Groovy:
Won't Fix
Status in netplan.io source package in Hirsute:
Fix Released
Status in netplan.io source package in Impish:
Fix Released
Bug description:
[Impact]
This netplan SRU contains a backport of the io.netplan.Netplan.Generate() DBus API, introduced in netplan.io 0.103, that allows calling 'netplan generate' from within a snap without being blocked by the apparmor strict-confinement.
[Test Plan]
The following development and SRU process was followed:
https://wiki.ubuntu.com/NetplanUpdates
Netplan contains an extensive integration test suite that is run using
the SRU package for each release. This test suite's results are available here:
http://autopkgtest.ubuntu.com/packages/n/netplan.io
A successful run is required before the proposed netplan.io package
can be let into -updates.
In addition to the autopkgtests, we want to make sure that a YAML
config is (re-)generated when calling the
io.netplan.Netplan.Generate() DBus API.
root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
root@bb:~# vim /etc/netplan/50-cloud-init.yaml # modify something
root@bb:~# busctl call io.netplan.Netplan /io/netplan/Netplan io.netplan.Netplan Generate
b true
root@bb:~# cat /run/systemd/network/10-netplan-eth0.network # verify the change was generated
The netplan team will be in charge of attaching the artifacts and console
output of the appropriate run to the bug. Netplan team members will not
mark ‘verification-done’ until this has happened.
[Where problems could occur]
This SRU is only adding auxiliary functionality and not modifying the netplan core at all, so the impact is expected to be pretty small – if at all.
Netplan being a core package it could impact the whole networking stack of the operating system up to the point where servers would not be reachable anymore after a reboot, due to broken network config being generated by netplan at bootup. In order to mitigate the regression potential, the results of the aforementioned integration tests are attached to this bug:
PPA pre-testing:
https://autopkgtest.ubuntu.com/results/autopkgtest-bionic-slyon-netplan/?format=plain
Bionic:
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_amd64.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_i386.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_arm64.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_armhf.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_ppc64el.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_s390x.log
[Other Info]
The integration test logs will be attached to this bug, once the package has been accepted into -proposed and the tests have been executed on the real infrastructure.
This change will land in Hirsute and Focal via the netplan.io 0.103 upgrade SRU (LP: #1938920)
[Changelog]
* d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
'generate' from within a snap (LP: #1926442)
* Update debian/gbp.conf
=== Original description ===
A snap, connected to the 'network-setup-control' interface can edit files in /etc/netplan/ but it is not able to execute 'netplan generate' command successfully.
A call to '/usr/sbin/netplan generate' fails with apparmor errors like this:
[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Apr 28 12:13:55 foobar network-manager.networkmanager[2280]: PermissionError: [Errno 13] Permission denied: '/lib/netplan/generate
It looks like the Python wrapper for netplan (in /usr/sbin/netplan) is
whitelisted, but the actual netplan generator (in
/usr/lib/netplan/generate) is not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1926442/+subscriptions
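Added example (not part of the original bug report, and not netplan or snapd code): a small Python triage helper that parses AppArmor audit records like the one quoted in the original description and lists denied exec operations together with the confined snap they belong to. The first sample line is the record from the bug; the other two lines and all function names are constructed for illustration.

```python
import re

# First line is the audit record quoted in the bug; the other two are constructed.
SAMPLE_LOG = '''\
[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 530.000001] audit: type=1400 audit(1619611887.001:703): apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/etc/netplan/50-cloud-init.yaml" pid=15300 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 531.000002] systemd[1]: Started constructed unrelated unit.
'''

# Matches key="quoted value" or key=bare_value pairs in an audit record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def snap_name(profile):
    """Map a 'snap.<snap>.<app>' profile to '<snap>'; None for other profiles."""
    parts = profile.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None


def exec_denials(log_text):
    """List (snap, profile, target, comm) for every denied exec in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if not rec:
            continue
        # Only records where confinement actually blocked an exec are of interest.
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "exec":
            profile = rec.get("profile", "")
            hits.append((snap_name(profile), profile, rec.get("name"), rec.get("comm")))
    return hits


if __name__ == "__main__":
    for snap, profile, target, comm in exec_denials(SAMPLE_LOG):
        print(f"snap={snap} profile={profile} blocked exec of {target} (comm={comm})")
```
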