interfaces: support D-Bus activation

[jhenstridge]

This is a reworking of PR #2592, expanded to work for both system and session services. In addition to that generalisation, I've made a few changes to how things are handled:

1. The service activation files are now named after the bus names rather than snap names. This is required for system bus services, but it had the side effect of making it a lot easier to check for existing name ownership.

2. I renamed the new interface attribute from service to activatable. This was a suggested change on the old PR.

3. If the app associated with a dbus interface slot is a daemon, we add a SystemdService key to the service activation file, which causes the daemon to be launched via systemd. This currently only benefits system services, but it will be easy to generalise it to session services with PR wrappers: allow user mode systemd daemons #5822.

I do wonder whether it would make sense to limit activatable services to "daemons" and not "apps". Given that the snap needs to ask for activation support, there is no backward compatibility issue.

I'm still working through getting the spread tests ported forward, which is why I've marked this WIP.

[jhenstridge]

This branch relies on changes to the test-snapd-dbus-service snap. Those changes have been merged to the bzr branch and the build recipe has run, but I think they're either stuck in manual review, or need manual review requested:

https://launchpad.net/~mvo/+snap/test-snapd-dbus-service

I can't see the dashboard for the snap.

[jhenstridge]

I've run into a few problems trying to get my spread tests running on Ubuntu 14.04. I get the following from the dbus-activation-system test:

+ echo 'Making a method call wakes the service'
Making a method call wakes the service
+ MATCH hello
+ dbus-send --system --print-reply --dest=io.snapcraft.SnapDbusService /io/snapcraft/SnapDbusService io.snapcraft.ExampleInterface.ExampleMethod
Error org.freedesktop.DBus.Error.Spawn.FailedToSetup: Failed to setup environment correctly
error: pattern not found, got:
-----
.

On 14.04, the system bus is run by Upstart so it is starting the service manually via the Exec line in the .service file rather than asking systemd to start the service. This is done via the dbus-daemon-launch-helper process, which is passed a D-Bus service name. It uses a simplified config file parser that seems to ignore include directives, so doesn't find service files I'm stashing in /var/lib/snapd/dbus/system-services.

[note that session services work fine, since it doesn't use dbus-daemon-launch-helper to start them].

I suspect the same will happen on newer distros for system services presented as "apps" rather than "daemons" in snap.yaml. There are two ways I can see forward:

1. Consider 14.04 a lost cause. We are 4 months away from it's end of life after all.
2. Refactor the code to put service files in /usr/share/dbus-1/system-services along with non-snapd services. This would likely require making the directories writeable on Ubuntu Core systems, and I'm not sure what effect it would have on upgrades.

[jhenstridge]

There's currently a few failures in the spread tests:

2018-12-10 10:48:16 Failed tasks: 5
    - google:centos-7-64:tests/main/dbus-activation-system
    - google:ubuntu-14.04-64:tests/main/dbus-activation-system
    - google:ubuntu-core-16-64:tests/main/dbus-activation-system
    - google:ubuntu-core-18-64:tests/main/dbus-activation-system
2018-12-10 10:48:16 Failed project prepare: 4
    - google:opensuse-42.3-64:project
    - google:opensuse-42.3-64:project
    - google:opensuse-42.3-64:project
    - google:opensuse-42.3-64:project

It's not clear that the opensuse failures have anything to do with my branch: it looks like the Go compiler is being invoked with -std=something (a flag intended for gcc) and blowing up.

The ubuntu-14.04-64 failure is the one I mentioned in the previous comment: activating system services via dbus-daemon-launch-helper fails, and 14.04 does not configure the system bus to use systemd activation.

The ubuntu-core-16-64 failure is due to the test trying to talk to the dbus service from an unconfined context, which does not work on core systems. Updating the test to use a client snap with the interfaces connected should make it work on core+classic.

The ubuntu-core-18-64 failure is a ServiceUnknown error. I think the dbus-daemon config fragments I introduce in this PR aren't present on a core18 system. I'm not quite sure how it's meant to be exposed.

The centos-7-64 failure also reports ServiceUnknown. I'm not quite sure of the root cause here yet: there's no failure on Fedora or Amazon, which are using the same spec file.

[jhenstridge]

With the test modified to use a confined D-Bus client, I'm seeing failures on 18.04 and 18.10: when the service is inactive, the AppArmor rules block the method call before activation can occur. It's fine on 16.04, so I suspect there is something different in the kernel or dbus-daemon.

[jhenstridge]

From what I can tell, dbus-daemon passes an empty destination security label to the kernel when checking a method call to a not-yet-activated service. Manually adjusting the rule to

# allow connected snaps to io.snapcraft.SnapDbusService
dbus (receive, send)
    bus=session
    peer=(name=io.snapcraft.SnapDbusService, label="{snap.test-snapd-dbus-service.session,}"),

... seems to allow the client to activate the service. That doesn't seem to allow communication with unconfined peers, or activation of names other than the one specified in the rule. @jdstrand: can you think of any problems with this change to the rule?

[jhenstridge]

With the changes to the AppArmor rule, we're down to two failures:

2018-12-12 05:18:01 Failed tasks: 2
    - google:ubuntu-14.04-64:tests/main/dbus-activation-system
    - google:ubuntu-core-18-64:tests/main/dbus-activation-system

The 14.04 failure is the dbus-daemon-launch-helper issue, and core-18 failure is due to missing the configuration needed to point at the service files I'm writing. Perhaps adding some symlinks to the core18 snap would be the most appropriate option.

I've got no idea why centos-7-64 is now working. I wouldn't have thought any of the changes I made would affect that.

[jdstrand]

See previous comment for a way to assign a label to the activated service.

my key point was about AssumedAppArmorLabel, which was addressed. I've not reviewed the remaining PR to block on it

[jhenstridge]

I realised that with some small changes, my code for managing service files could be made to avoid service files not managed by snapd. The last commit on this branch makes use of this to place system services to /usr/share/dbus-1/system-services on Ubuntu 14.04. With that, the tests are passing everywhere except Ubuntu Core 18 (which snapcore/core18#98 should solve).

However, this does introduce a potential problem with upgrades. What if I install a snap providing an activatable system service on 14.04, then upgrade the host to xenial or bionic? It will likely leave a stale .service file in /usr. I can see three options here:

1. back out the change and simply document that activatable system services are not supported on 14.04.
2. Have snapd clear out services from /usr if dirs.SnapDBusSystemServicesDir is not under /usr.
3. Have all classic distros put services under /usr, and only use /var/lib/snapd/dbus/... on core.

I'm not sure which option is best.

[zyga]

In the case of other similar files we create we the trigger point is installation of either core or snapd. I wonder if we could behave similarly there, so that at least all that code is in one place.

[pedronis]

what's the relation of this code vs the one in wrappers/core18.go ? the latter will be used only core, this one is for all systems, but wondering what are the various scenarios, will the files not be there early enough in some cases? also should we share code between the two paths?

[jhenstridge]

I'd written this code way back before the wrappers/core18.go code. The intention was the same as the code installing user'd service activation files: ensure things work on a system with an old .deb installed snapd functions if it receives a new version via the core snap.

If we don't need that any more, then I guess we can remove this. I wasn't sure the wrappers/core18.go code did anything on systems without the snapd snap.

[pedronis]

yes, wrappers/core18.go is for core >= 18 only, but maybe there's a way to have a helper in wrappers.go that is used in both cases

[zyga]

This is not using the root directory from dirs.go so it will be harder to test.

[zyga]

Partial review. Will continue after the call today.

[zyga]

Perhaps we could just return an error here.

[zyga]

Suggested change

	logger.Noticef("could not get 'name' attribute of dbus slot %q: %v", slot.Name, err)
	logger.Noticef("Cannot get 'name' attribute of dbus slot %q: %v", slot.Name, err)

[zyga]

Should this be validated earlier and essentially impossible here?

[zyga]

Is this meant to test how this behaves on Ubuntu 16.04?

[jhenstridge]

Yes. Ubuntu 16.04, CentOS 7, and anything else where the session bus is not managed by systemd.

[zyga]

I'm not super fond of seeing this code. Could we run it in a systemd service so that, at least, we can reliably shut it down, along with all children?

[zyga]

Having gone through the exercise I would like you to do something like this instead: https://github.com/zyga/snapd/blob/tweak/detect-stray-dbus-daemon/tests/main/invariant-tool/task.yaml#L64

[zyga]

This is now preinstalled in all systems. I think you can drop it.
In addition, the restore side is missing.

[zyga]

Is this similar to setupHostDBusConf?

[zyga]

It looks like this is still pending

[zyga]

Should we not ship this on 14.04?

[zyga]

And a related question, if we choose not to ship it on 14.04 - should we make it so that on re-exec, this feature is not supported?

Perhaps we should add a function to the each feature, that checks if this is supported by the running system? Not sure

[zyga]

What's the idea with _Test?

[pedronis]

I did a first pass, some initial comments/questions mostly concentrating on the snap package, but also with some questions about other bits.

[pedronis]

will there be dbus-2 ? should this be dbus-1? or no chance of that being an issue?

[zyga]

I think this was some forward thinking by DBus authors. There might be dbus-2 eventually or never, depending on how things evolve.

[pedronis]

what's the relation of this code vs the one in wrappers/core18.go ? the latter will be used only core, this one is for all systems, but wondering what are the various scenarios, will the files not be there early enough in some cases? also should we share code between the two paths?

[pedronis]

this should be close to the definition of Sockets I think, also I would kind of expect ti to be a ActivatesOn []*SlotInfo

[pedronis]

this should go close to sockets stuff

[pedronis]

if Info.ActivatesOn is a []*SlotInfo then this should be probably be setup close to where we set AppInfo.Slots.

As we discussed we should make activates-on imply these slots as being listed as if they were in the "slots" field for the app. Repetition between the two should be ok though.

[pedronis]

shouldn't we check somehow that the app is a daemon: dbus or is that orthogonal?

[pedronis]

perhaps:

"..: slot interface is not of the currently supported type (dbus) for activation"

there's a chance will add more types that are supported in activates-on

[zyga]

This made me realize that the proper spelling is indeed D-Bus and not DBus. We could later do a pass and make the tree consistent.

[zyga]

Should this be a constant in dbusutil somewhere? Might avoid some chance of typos.

[zyga]

Is this really used in practice?

[zyga]

Should all of this not be done by validation in the snap package instead?

[zyga]

A more complete pass.

My main worry: using non-state disk files in interfaces/backend/dbus
Minor comments throughout the code, on validation, 14.04 support, some testing.

[zyga]

Super late design nitpick time: could we use daemon-scope: user to derive that a snap uses the session bus? Is there a valid reason for a user session app to grab a name on the system bus?

[zyga]

This highlights my suggestion to handle this via snap validation. It would come up early (at snapcraft time) and does not require any dynamic connection state to determine.

[zyga]

Hmm, this makes me somewhat worried we are duplicating state facilities. Instead of looking at the disk snapd should determine this via the state. This also frees us from parsing D-Bus service files as a authoritative source of information.

This also probably suggests that bus names should be something snapd models with regards to name clashes, similar to aliases and eventually man pages. I'm not sure how to structure this yet, though.

[zyga]

Should this be a snap warning instead?

[zyga]

Do we need to tell DBus daemon that something has changed or is it entirely based on file system notification? Similar question for the case above, where we alter content.

[jhenstridge]

There is a ReloadConfig method on the bus, but dbus-daemon also performs an inotify watch on its config and service directories and automatically reload.

Debian packaging currently issues a ReloadConfig method call to the system bus when installing/removing services. It leaves session buses to fend for themselves though. At this point, it could all be seen as hold over from pre-inotify Linux systems, or to support Debian's non-Linux ports.

[zyga]

Should this be validated earlier and essentially impossible here?

[zyga]

We've since learned that removing user session service keeps that service in the memory of systemd --user, while the test user is managed automatically, I wonder if snapd should orchestrate communication with snapd.session-agent.service of each user to ensure this happens.

[zyga]

Does the snap need to come from the store for some assertions?

[jhenstridge]

The snap is a Python daemon making use of packages not included in the base snap, so couldn't simply be built with snap pack. So it is instead built with Snapcraft and the result published to the store.

[zyga]

I think you could expand that to support core20 now.

[jhenstridge]

In PR #8943, I've made this test conditional on tests.session has-session-systemd-and-dbus.

[zyga]

Having gone through the exercise I would like you to do something like this instead: https://github.com/zyga/snapd/blob/tweak/detect-stray-dbus-daemon/tests/main/invariant-tool/task.yaml#L64

[zyga]

Could you please update the spread test to the new command syntax:

session-tool --prepare => tests.session prepare
session-tool <cmd> => tests.session exec <cmd>
session-tool --restore => tests.session restore

[jhenstridge]

I've created PR #8837 that splits out the yaml changes from this branch as a first step towards merging this.

[jhenstridge]

I've split more code out from this PR: PR #8860 includes the logic to prevent installing snaps with conflicting activatable D-Bus services, and PR #8861 includes the changes to the D-Bus bus configuration to extend the activation file search paths.

[jhenstridge]

After #8943 was merged to master, and I merged master into this old branch, the remaining changes are:

1. The old interfaces/dbus.Specification.AddService method of adding service files, which is obsoleted by the newer approach in wrappers.
2. Removal of the AppInfo.BusName field. I didn't bother with this in the newer PR, since there are legitimate reasons why a service not using dbus activation might want to use daemon: dbus. NetworkManager is an obvious example, where it needs to be running from boot, but could use ownership of the bus name to signal that it has started (as the upstream systemd unit does).
3. Some Ubuntu 14.04 packaging changes that we decided not to bother with after it became clear that system dbus activatable services would not function correctly on that distro.

So I'm marking this PR as closed.