-
Notifications
You must be signed in to change notification settings - Fork 573
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
snap: ensure security polices are re-created #3442
Conversation
Our snapd uses the systemd notify protocol and will only finish initialization when all security profiles have been re-generated. This allows us to check in `snap run` if snapd is still activating and if so to wait a little bit. This will wait for a maximum of 5s after that the old profiles will be used. Note that systemd itself will give up after ~100 seconds so the worst case is that snapd fails to start on boot. In this case all snaps will start with a delay of 5 seconds in the first 100 seconds. After that things will be "normal" (except that the old security profiles will be used).
ca17563
to
64a6c16
Compare
Codecov Report
@@ Coverage Diff @@
## master #3442 +/- ##
==========================================
- Coverage 77.23% 77.22% -0.02%
==========================================
Files 373 373
Lines 25645 25658 +13
==========================================
+ Hits 19808 19815 +7
- Misses 4087 4090 +3
- Partials 1750 1753 +3
Continue to review full report at Codecov.
|
cmd/snap/cmd_run.go
Outdated
// permanent failed state if it cannot be activated and at this | ||
// point the code will continue (with potentially stale profiles | ||
// but at least services will run). | ||
for i := 0; i < 500; i++ { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that 5 seconds is not very long on armhf. Touch profiles could take as long as 1 second to load each, so a system with many profiles on armhf could fallback to old profiles pretty regularly, depending on when the systemd unit started.
// XXX2: the backported systemd on 14.04 does not support | ||
// the dbus interface of systemd, only the private | ||
// socket which is only available as root, ignore | ||
// this error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In addition to not being supported on 14.04, it occurred to me that performing a DBus call in snap run is overhead we could avoid with a stamp file. I'm not sure if this fits all the properties you are looking for, but if instead of this DBus call snap run checks for the existence of a file (eg /run/snapd/something-appropriate
) and waits on that, this would be a cheap check that would also work on 14.04. This stamp file would be created after profile generation finished and it could be removed on 'stop' so that 'snap run' during a core snap refresh would cause snap run to wait.
Closing for now, this needs some more work after the latest forum discussions |
Based on #3438
For easy review: mvo5@1dfa2ee