[SRU] cannot execute 'netplan generate' from within a snap

Bug #1926442 reported by Lukas Märdian
Affects                 Status        Importance  Assigned to  Milestone
snapd                   Confirmed     Medium      Unassigned
netplan.io (Ubuntu)     Fix Released  Undecided   Unassigned
  Bionic                Fix Released  Undecided   Unassigned
  Focal                 Fix Released  Undecided   Unassigned
  Groovy                Won't Fix     Undecided   Unassigned
  Hirsute               Fix Released  Undecided   Unassigned
  Impish                Fix Released  Undecided   Unassigned

Bug Description

[Impact]
This netplan SRU contains a backport of the io.netplan.Netplan.Generate() DBus API, introduced in netplan.io 0.103, that allows calling 'netplan generate' from within a snap without being blocked by the apparmor strict-confinement.

[Test Plan]
The following development and SRU process was followed:
https://wiki.ubuntu.com/NetplanUpdates

Netplan contains an extensive integration test suite that is run using
the SRU package for each release. This test suite's results are available here:
http://autopkgtest.ubuntu.com/packages/n/netplan.io

A successful run is required before the proposed netplan.io package
can be let into -updates.

In addition to the autopkgtests, we want to make sure that a YAML config is (re-)generated when calling the io.netplan.Netplan.Generate() DBus API.

root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
root@bb:~# vim /etc/netplan/50-cloud-init.yaml # modify something
root@bb:~# busctl call io.netplan.Netplan /io/netplan/Netplan io.netplan.Netplan Generate
b true
root@bb:~# cat /run/systemd/network/10-netplan-eth0.network # verify the change was generated

The netplan team will be in charge of attaching the artifacts and console
output of the appropriate run to the bug. Netplan team members will not
mark ‘verification-done’ until this has happened.

[Where problems could occur]
This SRU is only adding auxiliary functionality and not modifying the netplan core at all, so the impact is expected to be pretty small – if at all.
Netplan being a core package, it could impact the whole networking stack of the operating system, up to the point where servers would not be reachable anymore after a reboot due to broken network config being generated by netplan at bootup. In order to mitigate the regression potential, the results of the aforementioned integration tests are attached to this bug:

PPA pre-testing:
https://autopkgtest.ubuntu.com/results/autopkgtest-bionic-slyon-netplan/?format=plain

Bionic:
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_amd64.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_i386.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_arm64.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_armhf.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_ppc64el.log
https://git.launchpad.net/~slyon/+git/files/diff/LP1926442/bionic_s390x.log

[Other Info]
The integration test logs will be attached to this bug, once the package has been accepted into -proposed and the tests have been executed on the real infrastructure.
This change will land in Hirsute and Focal via the netplan.io 0.103 upgrade SRU (LP: #1938920)

[Changelog]
* d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
  Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
  'generate' from within a snap (LP: #1926442)
* Update debian/gbp.conf

=== Original description ===
A snap, connected to the 'network-setup-control' interface can edit files in /etc/netplan/ but it is not able to execute 'netplan generate' command successfully.

A call to '/usr/sbin/netplan generate' fails with apparmor errors like this:
[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" operation="exec" profile="snap.network-manager.networkmanager" name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Apr 28 12:13:55 foobar network-manager.networkmanager[2280]: PermissionError: [Errno 13] Permission denied: '/lib/netplan/generate

It looks like the Python wrapper for netplan (in /usr/sbin/netplan) is whitelisted, but the actual netplan generator (in /usr/lib/netplan/generate) is not.
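As an added defender-side example (not code from this bug report, netplan or snapd), the following Python parses AppArmor audit records like the DENIED line quoted above and flags the specific pattern behind this bug: a `snap.*` profile being refused exec of the netplan generator binary. The first sample line is the one from the report; the remaining sample lines and the `snap.example-app.example` profile name are constructed for the example. Denials of this shape are the signal that a snap is shelling out to the generator directly instead of using the io.netplan.Netplan D-Bus API that the interface permits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One key=value or key="value" token of an AppArmor audit (type=1400) record.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generator paths named in the denial and in the PermissionError quoted in the report.
NETPLAN_GENERATOR_PATHS = ("/usr/lib/netplan/generate", "/lib/netplan/generate")

# Constructed sample batch: line 0 is the denial from the bug report, the rest are
# made up for this example (one unrelated read denial, one non-denial status line,
# one ordinary kernel message).
SAMPLE_LOG = [
    '[ 529.034756] audit: type=1400 audit(1619611886.273:702): apparmor="DENIED" '
    'operation="exec" profile="snap.network-manager.networkmanager" '
    'name="/usr/lib/netplan/generate" pid=15227 comm="netplan" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    '[ 530.000001] audit: type=1400 audit(1619611887.000:703): apparmor="DENIED" '
    'operation="open" profile="snap.example-app.example" '
    'name="/etc/netplan/00-constructed.yaml" pid=16000 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 531.000001] audit: type=1400 audit(1619611888.000:704): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="snap.example-app.example" '
    'pid=16100 comm="apparmor_parser"',
    '[ 532.000001] systemd[1]: Started Network Configuration.',
]


@dataclass
class AppArmorDenial:
    profile: str
    operation: str
    name: str
    requested_mask: str
    denied_mask: str
    comm: str
    pid: Optional[int]


def parse_apparmor_denial(line: str) -> Optional[AppArmorDenial]:
    """Return the parsed DENIED event in ``line``, or None if the line is not one."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        # group 2 is the quoted form, group 3 the bare form (pid=15227, fsuid=0, ...)
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    try:
        pid: Optional[int] = int(fields["pid"])
    except (KeyError, ValueError):
        pid = None
    return AppArmorDenial(
        profile=fields.get("profile", ""),
        operation=fields.get("operation", ""),
        name=fields.get("name", ""),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
        comm=fields.get("comm", ""),
        pid=pid,
    )


def is_snap_netplan_generate_denial(d: AppArmorDenial) -> bool:
    """True when a snap profile was refused exec of the netplan generator binary."""
    return (
        d.profile.startswith("snap.")
        and d.operation == "exec"
        and "x" in d.denied_mask
        and d.name in NETPLAN_GENERATOR_PATHS
    )


def triage(lines: List[str]) -> List[AppArmorDenial]:
    """Reduce a batch of log lines to the snap/netplan-generator exec denials."""
    hits: List[AppArmorDenial] = []
    for line in lines:
        d = parse_apparmor_denial(line)
        if d is not None and is_snap_netplan_generate_denial(d):
            hits.append(d)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.profile} (pid {hit.pid}, comm {hit.comm}) tried to exec {hit.name}")
```

The parser deliberately keys on `denied_mask` rather than `requested_mask`: a profile may request more than it is refused, and only the refused bits tell you what confinement actually blocked.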

Revision history for this message
Oliver Grawert (ogra) wrote :

there is no direct access to the command, only the dbus service is allowed for security reasons, you can call:

  dbus-send --system \
    --type=method_call \
    --print-reply \
    --dest=io.netplan.Netplan \
    /io/netplan/Netplan io.netplan.Netplan.Apply

when the network-setup-control interface is connected ...

https://github.com/ogra1/config-snap/blob/master/snap/hooks/connect-plug-network-setup-control

is a working example ...

Revision history for this message
Lukas Märdian (slyon) wrote :

Thanks for your reply.
Unfortunately, I need to run 'netplan generate' not 'netplan apply', which is a subset of the Apply() call (i.e. only validating the YAML configs and generating the corresponding NetworkManager / networkd / OVS / ... configs), but not restarting the systemd-networkd and/or NetworkManager services.

I saw that the Netplan.Apply() command contains some SNAP special handling, forwarding the command through multiple layers of DBus / busctl commands, finally ending up to call 'netplan apply' on the host/base system (which doesn't seem optimal – but works).
The same is not true for 'netplan generate', as there is no Netplan.Generate() DBus method and no special handling for running 'netplan generate' inside snaps.

We should consider whitelisting the relevant netplan binary, as it is executed anyways after calling several layers of DBus commands in between, but without all the special handling needed. I've prepared a PR for that:

https://github.com/snapcore/snapd/pull/10212

Revision history for this message
Oliver Grawert (ogra) wrote :

well, there is a clear reluctance from the security team to allowing direct calling of the netplan binary as it needs a lot of additional paths opened in the interface for all the different backend bits the apply call needs to execute ... there have been many discussions around this topic over the years and the permitting of the d-bus call was the outcome ...

https://forum.snapcraft.io/t/network-related-interfaces-dont-permit-to-execute-netplan/1079

https://forum.snapcraft.io/t/netplan-apply-inside-snaps/12411

Revision history for this message
Ian Johnson (anonymouse67) wrote :

What is the use case for running netplan generate from a strict snap? Probably if you need this and as commented in the PR you need access to /run/systemd/system, the way forward is to add a Generate D-Bus call to netplan and make netplan generate do the same trick that apply does, so that netplan generate in snapd policy is just allowed as a d-bus call to Generate() which just executes the real `netplan generate` outside of confinement

Changed in snappy:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Lukas Märdian (slyon) wrote :

The new io.netplan.Netplan.Generate() DBus API has been implemented in netplan upstream:
https://github.com/canonical/netplan/pull/208
https://github.com/canonical/netplan/pull/209

It needs to be released and SRUed down to Bionic for the snapd change to be accepted (https://github.com/snapcore/snapd/pull/10212)

Changed in netplan.io (Ubuntu):
status: New → In Progress
summary: - cannot execute 'netplan generate' from within a snap
+ [SRU] cannot execute 'netplan generate' from within a snap
tags: added: fr-1382
Lukas Märdian (slyon)
Changed in netplan.io (Ubuntu Groovy):
status: New → Won't Fix
Lukas Märdian (slyon)
Changed in netplan.io (Ubuntu Impish):
status: In Progress → Fix Released
Lukas Märdian (slyon)
description: updated
Lukas Märdian (slyon)
description: updated
Lukas Märdian (slyon)
Changed in netplan.io (Ubuntu Hirsute):
status: New → Fix Committed
Changed in netplan.io (Ubuntu Focal):
status: New → Fix Committed
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Lukas, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.99-0ubuntu3~18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Lukas Märdian (slyon)
Changed in netplan.io (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Changed in netplan.io (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (netplan.io/0.99-0ubuntu3~18.04.5)

All autopkgtests for the newly accepted netplan.io (0.99-0ubuntu3~18.04.5) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

netplan.io/0.99-0ubuntu3~18.04.5 (ppc64el, i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#netplan.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Lukas Märdian (slyon) wrote :

Hello Brian, thanks for accepting this SRU into bionic-proposed.

I've tested netplan.io 0.99-0ubuntu3~18.04.5
root@bb:~# dpkg -l | grep netplan
ii libnetplan0:amd64 0.99-0ubuntu3~18.04.5 amd64
ii netplan.io 0.99-0ubuntu3~18.04.5 amd64

The autopkgtests at https://autopkgtest.ubuntu.com/packages/netplan.io ran successfully (after a retry for i386 and ppc64el) and the logs are attached to the bug description.
Additionally, I tested the new io.netplan.Netplan.Generate() DBus API to be working as well:

root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
[Match]
Name=eth0

[Network]
DHCP=ipv4
LinkLocalAddressing=ipv6

[DHCP]
RouteMetric=100
UseMTU=true

root@bb:~# vim /etc/netplan/50-cloud-init.yaml # adding "dhcp6: true"
root@bb:~# busctl call io.netplan.Netplan /io/netplan/Netplan io.netplan.Netplan Generate
b true
root@bb:~# cat /run/systemd/network/10-netplan-eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
LinkLocalAddressing=ipv6

[DHCP]
RouteMetric=100
UseMTU=true

=> DHCP=ipv4 changed to DHCP=yes (i.e. IPv4 & IPv6)

description: updated
tags: added: verification-done-bionic
removed: verification-needed-bionic
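An added example, not code from this bug report or from the netplan project, that automates the check performed in the comment above: parse the generated networkd unit before and after the Generate() call and report exactly which keys changed, instead of eyeballing two `cat` outputs. The BEFORE/AFTER texts are copied from the comment; `generate_via_dbus()` wraps the same `busctl call` from the test plan and needs a host running the netplan D-Bus service, while the parsing and diff functions run anywhere. Treating a repeated section header as a merge into the first occurrence is a simplification of this example, not networkd semantics.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

Unit = Dict[str, Dict[str, str]]
Change = Tuple[str, str, Optional[str], Optional[str]]  # (section, key, old, new)

# networkd unit contents quoted in the verification comment: before and after
# adding "dhcp6: true" to /etc/netplan/50-cloud-init.yaml and calling Generate().
BEFORE = """\
[Match]
Name=eth0

[Network]
DHCP=ipv4
LinkLocalAddressing=ipv6

[DHCP]
RouteMetric=100
UseMTU=true
"""

AFTER = """\
[Match]
Name=eth0

[Network]
DHCP=yes
LinkLocalAddressing=ipv6

[DHCP]
RouteMetric=100
UseMTU=true
"""


def parse_networkd_unit(text: str) -> Unit:
    """Parse a systemd.network-style INI file into {section: {key: value}}.

    Simplification (assumption of this example): a repeated section header merges
    into the first occurrence instead of being kept as a separate block.
    """
    unit: Unit = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        unit[section][key.strip()] = value.strip()
    return unit


def diff_units(before: Unit, after: Unit) -> List[Change]:
    """List every (section, key) whose value differs; None marks a missing key."""
    changes: List[Change] = []
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append((section, key, b.get(key), a.get(key)))
    return changes


def parse_busctl_bool_reply(reply: str) -> bool:
    """busctl prints a boolean return value as 'b true' or 'b false'."""
    parts = reply.split()
    if len(parts) != 2 or parts[0] != "b" or parts[1] not in ("true", "false"):
        raise ValueError(f"unexpected busctl reply: {reply!r}")
    return parts[1] == "true"


def generate_via_dbus() -> bool:
    """Invoke io.netplan.Netplan.Generate() exactly as the test plan does.

    Only works on a host with the netplan D-Bus service; not used by the offline demo.
    """
    out = subprocess.run(
        ["busctl", "call", "io.netplan.Netplan", "/io/netplan/Netplan",
         "io.netplan.Netplan", "Generate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_busctl_bool_reply(out)


def verify_regeneration(path: str = "/run/systemd/network/10-netplan-eth0.network") -> List[Change]:
    """Snapshot the generated unit, call Generate(), and return what changed."""
    with open(path) as f:
        before = parse_networkd_unit(f.read())
    if not generate_via_dbus():
        raise RuntimeError("Generate() returned false")
    with open(path) as f:
        after = parse_networkd_unit(f.read())
    return diff_units(before, after)


if __name__ == "__main__":
    # Offline demonstration on the quoted before/after texts.
    for section, key, old, new in diff_units(parse_networkd_unit(BEFORE),
                                             parse_networkd_unit(AFTER)):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
```

Edit the YAML, then run `verify_regeneration()` on the target host; an empty change list after a real edit means Generate() did not rewrite the unit, which is the failure this SRU's test plan is meant to catch.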
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.99-0ubuntu3~18.04.5

---------------
netplan.io (0.99-0ubuntu3~18.04.5) bionic; urgency=medium

  * d/p/0006-dbus-cli-implement-io.netplan.Netplan.Generate-208.patch:
    Implement the io.netplan.Netplan.Generate() DBus API, to allow calling
    'generate' from within a snap (LP: #1926442)
  * Update debian/gbp.conf

 -- Lukas Märdian <email address hidden> Tue, 07 Sep 2021 17:19:37 +0200

Changed in netplan.io (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for netplan.io has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Michael Vogt (mvo)
affects: snappy → snapd