Re: Connecting to Ubuntu SnapWeb; https://localhost:4201 shows Your connection is not secure
Hi Chris, We've started to use an HTTPS link on port 4201. The usual 4200 port is automatically redirected as well. The self-signed certificate warning is a temporary evil to protect a new token requested for access control. We are working on additional security parts for snapweb, like SSO/macaroon authentication in particular, to improve the usability. If something is unclear, please help us document it by filing a bug at: https://bugs.launchpad.net/snapweb/+filebug Thanks On Tue, Oct 25, 2016 at 2:26 AM, Chris wrote: > This is the first time I've noticed this happening and I keep SnapWeb > loaded in my browser. > > The owner of localhost has configured their website improperly. To > protect your information from being stolen, Firefox has not connected > to this website. > > localhost:4201 uses an invalid security certificate. The certificate is > not trusted because it is self-signed. The certificate is only valid > for 127.0.0.1 > > But, is the error caused by a setting I have not correct? > > Chris > > -- > Chris > KeyID 0xE372A7DA98E6705C > 31.11972; -97.90167 (Elev. 1092 ft) > 19:21:04 up 4 days, 10:45, 1 user, load average: 0.73, 0.31, 0.20 > Ubuntu 16.04.1 LTS, kernel 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 > 14:12:37 UTC 2016 > > -- > Snapcraft mailing list > Snapcraft@lists.snapcraft.io > Modify settings or unsubscribe at: https://lists.ubuntu.com/ > mailman/listinfo/snapcraft > > -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Problems trying to create a snap package for bioinformatics tools
El 24/10/16 a las 11:54, Didier Roche escribió: Also, I don't see any reason why we are preventing underscores in app name (nothing in yaml prevents key to be underscores). I don't link such command name in general, but I don't see any good reasons for this. Gustavo, is that deliberate? Jamie may be the best person to answer this and see if we can get out of it. If the restriction can be rid of then we should get to it, if not an askubuntu entry explaining this would be good for referring to later. -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Connecting to Ubuntu SnapWeb; https://localhost:4201 shows Your connection is not secure
On Tue, 2016-10-25 at 10:24 +0200, David Barth wrote: > Hi Chris, > > We've started to use an HTTPS link on port 4201. The usual 4200 port > is automatically redirected as well. > The self-signed certificate warning is a temporary evil to protect a > new token requested for access control. > > We are working on additional security parts for snapweb, like > SSO/macaroon authentication in particular, to improve the usability. > > If something is unclear, please help us document it by filing a bug > at: https://bugs.launchpad.net/snapweb/+filebug > > Thanks > Thanks David so what I need to do is add an exception for the self- signed certificate to be accepted by Firefox. I really see no reason, at the moment, to file a bug report since it appears to me you just adding another layer of security to snapweb. Chris > On Tue, Oct 25, 2016 at 2:26 AM, Chris > wrote: > > This is the first time I've noticed this happening and I keep > > SnapWeb > > loaded in my browser. > > > > The owner of localhost has configured their website improperly. To > > protect your information from being stolen, Firefox has not > > connected > > to this website. > > > > localhost:4201 uses an invalid security certificate. The > > certificate is > > not trusted because it is self-signed. The certificate is only > > valid > > for 127.0.0.1 > > > > But, is the error caused by a setting I have not correct? > > > > Chris > > > > -- > > Chris > > KeyID 0xE372A7DA98E6705C > > 31.11972; -97.90167 (Elev. 1092 ft) > > 19:21:04 up 4 days, 10:45, 1 user, load average: 0.73, 0.31, 0.20 > > Ubuntu 16.04.1 LTS, kernel 4.4.0-45-generic #66-Ubuntu SMP Wed Oct > > 19 14:12:37 UTC 2016 > > > > -- > > Snapcraft mailing list > > Snapcraft@lists.snapcraft.io > > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman > > /listinfo/snapcraft > > -- Chris KeyID 0xE372A7DA98E6705C 31.11972; -97.90167 (Elev. 1092 ft) 07:58:28 up 4 days, 23:23, 1 user, load average: 0.91, 0.97, 1.08 Ubuntu 16.04.1 LTS, kernel 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 signature.asc Description: This is a digitally signed message part -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Problems trying to create a snap package for bioinformatics tools
On Mon, 2016-10-24 at 16:54 +0200, Didier Roche wrote: > Le 24/10/2016 à 16:13, Gordon Ball a écrit : > > > > > Hello > Hey Gordon, > > > > > I have been trying to create a snap package for the `cufflinks` [1] > > biofinformatics tools. These are packaged for debian/ubuntu, but the > > package is not built for xenial due to issues with boost 1.56-1.59. [2] > Nice way to ship latest to xenial users! Thanks for this > > > > > I tried building a snap package (see snapcraft.yaml below - just a > > simple `stage-packages` build) on yakkety in order to bundle the > > relevant dependencies and then install it on xenial, but I ran into the > > following issues: > > > > > > * Trying to run any of the binaries gives the error > > > > failed to create user data directory. errmsg: Permission denied > > > > This is presumably related to #1592696, but in this case $HOME is on > > an NFS mount under /mnt. Probably an uncommon case, but this probably > > isn't the only such configuration. > Interesting use case > In that case, I would say open a separate bugs for it. The issue can be > encryptfs, or profiles not supporting $HOME set to /mnt (or something > else to /home/*). It worthes tracking it! > This has come up before in this bug: https://bugs.launchpad.net/snap-confine/+bug/1620771 See comments: https://bugs.launchpad.net/snap-confine/+bug/1620771/comments/5 https://bugs.launchpad.net/snap-confine/+bug/1620771/comments/6 in particular for how to configure apparmor for an alternate home location. Note that snapd could be adjusted to manage the home apparmor tunable (which is why the bug is still open). ... > Also, I don't see any reason why we are preventing underscores in app > name (nothing in yaml prevents key to be underscores). I don't link such > command name in general, but I don't see any good reasons for this. > Gustavo, is that deliberate? > Yes because the udev security backend uses underscores as delimiters for udev tags. The allowed character set for udev tagging is extremely limited and we must continue to use underscores for this. That said, since it is only the command name that has underscores, it is possible (though more brittle) to adjust things to only split on the first two underscores (eg, it would still be possible to parse 'snap_name_command_name' so long as 'name' isn't allowed to have underscores). A change like this would require more investigation and approval from Gustavo. -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?
On Tue, 2016-10-25 at 08:24 +0200, Didier Roche wrote: > Le 24/10/2016 à 21:52, Dan Kegel a écrit : > > > > I'm trying to snap a largish package; works fine in devmode, > > but as the app likes to use unix sockets and fifos, it fails in > > confined mode with > > > > $ sudo /snap/bin/snappy-debug.security scanlog > > = AppArmor = > > Time: Oct 24 11:41:09 > > Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536 > > comm="foo" family="unix" sock_type="dgram" protocol=0 > > requested_mask="send" denied_mask="send" addr=none > > peer_addr="@6E76696469613561653734343766 > > 00" > > peer="unconfined" > > > > = Seccomp = > > Time: Oct 24 11:41:09 > > Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536 > > comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c03e 133(mknod) > > compat=0 ip=0x7f17f6fb542d code=0x0 > > Syscall: mknod > > > > Any suggestions (other than 'don't do that')? > Unix sockets are definitively possible. I'm using sockets based on unix > files for some of my project and write them to $SNAP_DATA (for daemons, > the daemon creating the socket) and it works well. You may want to try this? > Instead of using an abstract or anonymous socket, use a named socket and put in SNAP_DATA and you won't get the apparmor denial. It's planned to allow applications to create abstract sockets for intra-snap communication, but it hasn't landed yet. > On mknod, I don't know if we have any plan for enabling this in some > ways. CCing Jamie for this. > mknod is intentionally and explicitly denied. It is planned to allow snaps via seccomp arg filtering policy the ability to create S_IFIFO and S_IFREG files (ie, pipes and regular files, but not character and block devices), but it hasn't landed yet. > > > > I imagine there's a way to configure both apparmor and seccomp for > > snaps, but haven't found it yet. > > https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement > > has some clues > > http://askubuntu.com/questions/796809/add-custom-apparmor-rules-to-snap > > seems on topic > > Should I be looking at the snapd source? (I see there's an apparmor > > interface, but maybe that's internal only...) > > > I don't think we want snaps to ship their own configuration. It's better > to collaborate on a snapd interface that can be reused between snaps, > rather than letting any snap defining its own confinement rules (or said > differently, the confinment may be useless if we allow this). > > Cheers, > Didier > -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Problems trying to create a snap package for bioinformatics tools
Hi Gordon, On Mon, Oct 24, 2016 at 12:13 PM, Gordon Ball wrote: > > * The package contains multiple binaries, and the links in /snap/bin > are named, eg `cufflinks.cuffdiff`, which makes them incompatible with > existing scripts. As you can imagine the problem here is namespacing. Unlike in traditional Linux distributions, the application names inside snaps are not curated to prevent conflicts, so the naming scheme we have put in place allows everybody to own the namespace under their own snaps with that scheme. That said, we understand this is not optimal because, as you say, it breaks existing scripts. We have two alternative plans for how to sort this out, and will put one of them in place very soon. Additionally, I can't declare `apps:` keys with > underscores in them, so some come out completely misnamed. > This is related but slightly orthogonal. We indeed restrict the charset used to name commands, both to enable predictable delimiters in some contexts, and also to make the system feel saner to the user. The vast majority of application names fit in the current constraints, so the question is whether it's best to have a consistent naming scheme for the user, or whether it's best to attempt to support more cases for the developer (underscores, uppercases, dots, ...). We don't have an answer yet. gustavo @ http://niemeyer.net -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?
On Tue, Oct 25, 2016 at 6:33 AM, Jamie Strandboge wrote: > Instead of using an abstract or anonymous socket, use a named socket and put > in > SNAP_DATA Sounds very doable, I'll try. > It is planned to allow snaps via > seccomp arg filtering policy the ability to create S_IFIFO and S_IFREG files > (ie, pipes and regular files, but not character and block devices), but it > hasn't landed yet. Is this it? https://bugs.launchpad.net/ubuntu/+source/ubuntu-core-launcher/+bug/1446748 Thanks! - Dan -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Host tools in snap shell
Hi all! I've a weird issue in my snap which needs some debugging. I understand that snap run --shell is the command I want to use in order to start a shell with the same confinement and environment of my snap (which BTW is in --devmode), and so far so good. But now I want to use "strace" on my application, and it seems that while "strace" is available on my host system, it's not accessible from the snap shell (or I didn't find a way to reach it). Is adding strace and gdb to my snap the only way to go, or is there some trick that would allow me to use these tools without modifying my snap? Ciao, Alberto -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?
On Tue, 2016-10-25 at 07:53 -0700, Dan Kegel wrote: > On Tue, Oct 25, 2016 at 6:33 AM, Jamie Strandboge wrote: > > > > It is planned to allow snaps via > > seccomp arg filtering policy the ability to create S_IFIFO and S_IFREG files > > (ie, pipes and regular files, but not character and block devices), but it > > hasn't landed yet. > Is this it? https://bugs.launchpad.net/ubuntu/+source/ubuntu-core-launcher/+b > ug/1446748 > That is the bug tracking the feature to implement seccomp arg filtering, yes. I just filed a bug for using that feature to allow mknod with pipes here: https://bugs.launchpad.net/snappy/+bug/1636540 -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Host tools in snap shell
El 25/10/16 a las 12:05, Alberto Mardegan escribió: Hi all! I've a weird issue in my snap which needs some debugging. I understand that snap run --shell is the command I want to use in order to start a shell with the same confinement and environment of my snap (which BTW is in --devmode), and so far so good. But now I want to use "strace" on my application, and it seems that while "strace" is available on my host system, it's not accessible from the snap shell (or I didn't find a way to reach it). Is adding strace and gdb to my snap the only way to go, or is there some trick that would allow me to use these tools without modifying my snap? This is how I do it on the fly (there was a session at the sprint for this to be easier)... ``` snapcraft prime snap try prime --devmode cp /usr/bin/strace prime snap shell --shell (sudo) ./strace ... ``` -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Problems trying to create a snap package for bioinformatics tools
On Mon, Oct 24, 2016 at 8:54 AM, Didier Roche wrote: > > Also, I don't see any reason why we are preventing underscores in app > name (nothing in yaml prevents key to be underscores). I don't link such > command name in general, but I don't see any good reasons for this. > Gustavo, is that deliberate? > > fwiw, here's a link to the bug: https://bugs.launchpad.net/snappy/+bug/1616507 -- ¡paz y baile! http://www.ubuntu.com -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Host tools in snap shell
On Tue, Oct 25, 2016 at 2:37 PM, Sergio Schvezov < sergio.schve...@canonical.com> wrote: > This is how I do it on the fly (there was a session at the sprint for this > to be easier)... > > ``` > snapcraft prime > snap try prime --devmode > cp /usr/bin/strace prime > snap shell --shell > This is $ snap run --shell (shell => run, and order of --shell also matters) (sudo) ./strace ... > ``` gustavo @ http://niemeyer.net -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: Host tools in snap shell
On 25/10/2016 21:42, Gustavo Niemeyer wrote: > On Tue, Oct 25, 2016 at 2:37 PM, Sergio Schvezov > mailto:sergio.schve...@canonical.com>> > wrote: > > This is how I do it on the fly (there was a session at the sprint > for this to be easier)... [...] Thanks guys! :-) Ciao, Alberto -- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
