** Description changed:

- A snap, connected to the 'network-setup-control' interface can edit
- files in /etc/netplan/ but it is not able to execute 'netplan generate'
- command successfully.
+ [Impact]
+ This netplan SRU contains a backport of the io.netplan.Netplan.Generate() DBus API, introduced in netplan.io 0.103, that allows calling 'netplan generate' from within a snap without being blocked by the apparmor strict-confinement.
+
+ [Test Plan]
+ The following development and SRU process was followed:
+ https://wiki.ubuntu.com/NetplanUpdates
+
+ Netplan contains an extensive integration test suite that is ran using
+ the SRU package for each release. This test suite's results are available here:
+ http://autopkgtest.ubuntu.com/packages/n/netplan.io
+
+ A successful run is required before the proposed netplan.io package
+ can be let into -updates.
+
+ In addition to the autopkgtests, we want to make sure that a YAML config
+ is (re-)generated when calling the io.netplan.Netplan.Generate() DBus
+ API.
+
+ root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
+ root@bb:~# vim /etc/netplan/50-cloud-init.yaml # modify something
+ root@bb:~# busctl call io.netplan.Netplan /io/netplan/Netplan io.netplan.Netplan Generate
+ b true
+ root@bb:~# cat /run/systemd/network/10-netplan-eth0.network # verify the change was generated
+
+ The netplan team will be in charge of attaching the artifacts and console
+ output of the appropriate run to the bug. Netplan team members will not
+ mark ‘verification-done’ until this has happened.
+
+ [Where problems could occur]
+ This SRU is only adding auxiliary functionality and not modifying the netplan core at all, so the impact is expected to be pretty small – if at all.
+ Netplan being a core package it could impact the whole networking stack of the operating system up to the point where servers would not be reachable anymore after a reboot, due to broken network config being generated by netplan at bootup. In order to mitigate the regression potential, the results of the aforementioned integration tests are attached to this bug:
+
+ PPA pre-testing:
+ https://autopkgtest.ubuntu.com/results/autopkgtest-bionic-slyon-netplan/bionic/amd64/n/netplan.io/20210907_145243_9bb46@/log.gz
+
+ Bionic:
+ TBD bionic_amd64.log
+ TBD bionic_i386.log
+ TBD bionic_arm64.log
+ TBD bionic_armhf.log
+ TBD bionic_ppc64el.log
+ TBD bionic_s390x.log
+
+ [Other Info]
+ The integration test logs will be attached to this bug, once the package has been accepted into -proposed and the tests have been executed on the real infrastructure.
+ This change will land in Hirsute and Focal via the netplan.io 0.103 upgrade SRU (LP: #1938920)
+
+ [Changelog]
+ * d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
+   Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
+   'generate' from within a snap (LP: #1926442)
+ * Update debian/gbp.conf
+
+ === Original description ===
+
  A snap, connected to the 'network-setup-control' interface can edit files in /etc/netplan/ but it is not able to execute 'netplan generate' command successfully.

  A call to '/usr/sbin/netplan generate' fails with apparmor errors like this:

  [ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

  Apr 28 12:13:55 foobar network-manager.networkmanager[2280]: PermissionError: [Errno 13] Permission denied: '/lib/netplan/generate

  It looks like the Python wrapper for netplan (in /usr/sbin/netplan) is whitelisted, but the actual netplan generator (in /usr/lib/netplan/generate) is not.
-- 
https://bugs.launchpad.net/bugs/1926442

Title:
  [SRU] cannot execute 'netplan generate' from within a snap
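The AppArmor denial quoted in the original description can be triaged mechanically. The following is an added example, not part of the bug report or of netplan: it parses kernel audit lines of that shape and lists, per confined profile, the binaries the profile was refused permission to execute. The function names and the second and third sample lines are constructed for illustration; the first sample line is the one from the report.

```python
import re
from collections import defaultdict

# key=value pairs as printed in the audit record; a value is either a
# double-quoted string or a bare token (e.g. pid=15227).
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_denial(line):
    """Return the record's fields as a dict if it is an AppArmor denial, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def denied_execs_by_profile(lines):
    """Map each AppArmor profile to the set of paths it was denied exec on."""
    result = defaultdict(set)
    for line in lines:
        rec = parse_apparmor_denial(line)
        if rec is None:
            continue
        # An exec denial is operation="exec" with 'x' in the denied mask.
        if rec.get("operation") == "exec" and "x" in rec.get("denied_mask", ""):
            result[rec.get("profile", "<unknown>")].add(rec.get("name", "<unknown>"))
    return dict(result)


SAMPLE_LINES = [
    # Line quoted in the bug report.
    '[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" '
    'operation="exec" profile="snap.network-manager.networkmanager" '
    'name="/usr/lib/netplan/generate" pid=15227 comm="netplan" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    # Constructed: a read denial in a hypothetical profile, which must be ignored.
    '[ 530.000000] audit: type=1400 audit(1619611887.000:703): apparmor="DENIED" '
    'operation="open" profile="snap.example.app" name="/etc/example.conf" '
    'pid=4242 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Constructed: unrelated log noise.
    'Apr 28 12:13:55 foobar systemd[1]: Started example unit.',
]

if __name__ == "__main__":
    for profile, paths in denied_execs_by_profile(SAMPLE_LINES).items():
        print(profile, "->", sorted(paths))
```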
