** Description changed:

  [Impact]
  This netplan SRU contains a backport of the io.netplan.Netplan.Generate() DBus API, introduced in netplan.io 0.103, that allows calling 'netplan generate' from within a snap without being blocked by the apparmor strict-confinement.

  [Test Plan]
  The following development and SRU process was followed:
  https://wiki.ubuntu.com/NetplanUpdates

  Netplan contains an extensive integration test suite that is run using the SRU package for each release. This test suite's results are available here:
  http://autopkgtest.ubuntu.com/packages/n/netplan.io

  A successful run is required before the proposed netplan.io package can be let into -updates.

  In addition to the autopkgtests, we want to make sure that a YAML config is (re-)generated when calling the io.netplan.Netplan.Generate() DBus API.

  root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
  root@bb:~# vim /etc/netplan/50-cloud-init.yaml # modify something
  root@bb:~# busctl call io.netplan.Netplan /io/netplan/Netplan io.netplan.Netplan Generate
  b true
  root@bb:~# cat /run/systemd/network/10-netplan-eth0.network # verify the change was generated

  The netplan team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. Netplan team members will not mark ‘verification-done’ until this has happened.

  [Where problems could occur]
  This SRU is only adding auxiliary functionality and not modifying the netplan core at all, so the impact is expected to be pretty small – if at all.

  Netplan being a core package it could impact the whole networking stack of the operating system up to the point where servers would not be reachable anymore after a reboot, due to broken network config being generated by netplan at bootup.

  In order to mitigate the regression potential, the results of the aforementioned integration tests are attached to this bug:

  PPA pre-testing:
- https://autopkgtest.ubuntu.com/results/autopkgtest-bionic-slyon-netplan/bionic/amd64/n/netplan.io/20210907_145243_9bb46@/log.gz
+ https://autopkgtest.ubuntu.com/results/autopkgtest-bionic-slyon-netplan/?format=plain

  Bionic:
  TBD bionic_amd64.log
  TBD bionic_i386.log
  TBD bionic_arm64.log
  TBD bionic_armhf.log
  TBD bionic_ppc64el.log
  TBD bionic_s390x.log

  [Other Info]
  The integration test logs will be attached to this bug, once the package has been accepted into -proposed and the tests have been executed on the real infrastructure.

  This change will land in Hirsute and Focal via the netplan.io 0.103 upgrade SRU (LP: #1938920)

  [Changelog]
  * d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
- Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
- 'generate' from within a snap (LP: #1926442)
+ Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
+ 'generate' from within a snap (LP: #1926442)
  * Update debian/gbp.conf

  === Original description ===

  A snap, connected to the 'network-setup-control' interface can edit files in /etc/netplan/ but it is not able to execute 'netplan generate' command successfully.

  A call to '/usr/sbin/netplan generate' fails with apparmor errors like this:

  [ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  Apr 28 12:13:55 foobar network-manager.networkmanager[2280]: PermissionError: [Errno 13] Permission denied: '/lib/netplan/generate

  It looks like the Python wrapper for netplan (in /usr/sbin/netplan) is whitelisted, but the actual netplan generator (in /usr/lib/netplan/generate) is not.

-- 
https://bugs.launchpad.net/bugs/1926442

Title:
  [SRU] cannot execute 'netplan generate' from within a snap
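
Added example, not part of the bug report or of netplan/snapd: a small parser that pulls AppArmor exec denials for snap profiles out of kernel audit lines, which is how the failure described above shows up on an affected system. The first sample line is the denial quoted in the report; the other two lines and all function names are constructed for illustration, and the "snap." profile prefix is taken from the profile name in that denial.

```python
import re

# Sample kernel audit lines. The first is the denial quoted in the bug report;
# the second and third are constructed for this example.
SAMPLE_LOG = '''\
[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 530.000000] audit: type=1400 audit(1619611887.000:703): apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/etc/netplan/50-cloud-init.yaml" pid=15300 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 531.000000] audit: type=1400 audit(1619611888.000:704): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/shadow" pid=15301 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    # Quoted values lose their quotes; bare values (pid=15227, fsuid=0)
    # are kept exactly as written.
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def denials(log):
    """All records in which AppArmor blocked the operation."""
    records = (parse_audit_line(line) for line in log.splitlines())
    return [r for r in records if r and r.get("apparmor") == "DENIED"]


def snap_exec_denials(log):
    """(profile, target, comm) for each exec that a snap profile was denied."""
    return [(r["profile"], r["name"], r.get("comm"))
            for r in denials(log)
            if r.get("operation") == "exec"
            and r.get("profile", "").startswith("snap.")
            and "x" in r.get("denied_mask", "")
            and "name" in r]


if __name__ == "__main__":
    for profile, target, comm in snap_exec_denials(SAMPLE_LOG):
        print(f"{profile}: exec of {target} denied (called via {comm})")
```

After the Generate() DBus API is in place, a snap that uses it instead of executing the generator directly should no longer produce records matched by snap_exec_denials for /usr/lib/netplan/generate.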
