overlord/ifacestate: remove connection state with discard-conns task, on the removal of last snap

[zyga]

This branch changes profile setup/remove logic so that:

• setup-profiles sets up profiles (and handles autoconnect as before)
• remove-profiles just removes profiles without touching persistent connections
• dicard-conns just discards persistent connections (and supports undo)

The snap manager now injects discard-conns when removing the last snap in the sequence (last as in the only one)

[niemeyer]

Okay, that is getting off limits. :) This is a function name, not documentation. Let's please come up with a name that is at most half the length of this one.

[niemeyer]

Feel free to add actual docs, though. (// blah blah blah).

[zyga]

Sorry, that's my python ancestry showing. Abbreviated now.

[niemeyer]

Same.

[zyga]

Abbreviated

[niemeyer]

Same.

[zyga]

Abbreviated

[niemeyer]

We cannot do this here. We need to be able to distinguish between removing the profiles, and discarding the connections. Otherwise we'll end up killing user data when deactivating a snap, or removing an old revision.

I suggest clarifying the security tasks we have, with the following set:

• setup-profiles
• remove-profiles
• discard-conns

[niemeyer]

Then, on snapstate.Remove, distinguish between last snap being removed and obsolete snap being removed, and conditionally inject discard-conns after remove-profiles.

[zyga]

This makes a lot of sense. Earlier when I was working on setup-snap-security I realized that it would be much easier if there were some more fine-grained tasks (e.g. setup that could be reused by connect) and it looks like the same is true for remove-snap-security.

So let's review how each of those would be used:

setup-profiles: on snap install, snap refresh and maybe snap activate
remove-profiles: on snap deactivate
discard-conns: on snap remove

@niemeyer @mvo5 ^^ does that make sense?

[niemeyer]

Almost.. snap remove may be used to remove one of several snaps. We cannot discard connections if we still have a snap with the same name installed (and perhaps even active!).

[zyga]

I see now how there can be multiple snaps with the same name but I'm not sure this correctly translates that to security. Security identifiers don't contain snap revision so removing security for a given snap (at any revision) will impact the security for other snaps with the same name (but with different revision)

I'm not sure how security-affecting tasks and snap-affecting tasks are related wrt multiple revisions now.

[zyga]

All sorted out now. I understand what has to happen

[niemeyer]

s/of a snap %q/for snap %q/

[zyga]

Done

[niemeyer]

// TODO Record removed connections in task state to recover it on undo.

[zyga]

Oh, great idea. I was wondering how to make this robust and I forgot that there's a reason each task has a state! Will do.

[zyga]

I've implemented a simple undo handler. I'm not sure if that's the right way so have look please.

[niemeyer]

Good direction. A couple of comments, and needs to update snapstate to match.

[mvo5]

retest this please

[niemeyer]

Please drop comment above about discard-snap being the last task.

[zyga]

Done

[niemeyer]

Let's please replace the comment by:

// snap-setup is in discard-snap above discard-conns.

[zyga]

Done

[zyga]

@niemeyer This is now ready for final review and landing. Tested locally with cap-test from the store and a side-loaded version and various sequences of install/remove/refresh tasks.