
group.of.nepali.translators team mailing list archive

[Bug 1664638] Re: Need an interface for kubernetes

This bug was fixed in the package snapd - 2.25

---------------
snapd (2.25) xenial; urgency=medium

  * New upstream release, LP: #1686713
    - interfaces/default: allow mknod for regular files, pipes and
      sockets
    - many: use "SNAP.APP as ALIAS" instead of => when listing
      added/removed aliases
    - cmd/snap-confine: write current mount profile
    - cmd/snap-discard-ns: remove current profile when cleaning up
    - many: support debian in our CI
    - tests: tweak time for econnreset test a bit more
    - cmd/snap-confine: re-enable re-associate fix for CE
    - many: aliases v2 cleanups
    - cmd/snap-confine: don't use apparmor if it is disabled on boot
    - many: implement `snap prefer <snap>`  (aliases v2)
    - many: adjust /aliases and "snap aliases" to aliases v2, also some
      cleanup
    - snapstate: normalize gadget defaults
    - many: allow core refresh.schedule setting
    - many: show alias changes on snap alias/unalias (aliases v2)
    - client,cmd/snap: improve messaging on --devmode and --classic
    - many: implement `snap unalias <alias-or-snap>` (aliases v2)
    - store: retry on connection reset
    - interfaces/mount: add Change.Perform
    - tests: add openvswitch interface spread test
    - interfaces/i2c: allow modifying device-specific sysfs entries
    - interfaces: allow writing to /run/systemd/journal/stdout by
      default
    - tests: ensure travis fails early if static checks fail
    - store,daemon: make store interpret channel="" as stable in most
      cases
    - overlord/snapstate: make UpdateAliases idempotent, simplify the
      backend interface bits for aliases not used anymore (aliases v2)
    - many: implement snap alias <snap.app> <alias> (aliases v2)
    - snap-confine: add code to ensure that / or /snap is mounted
      "shared"
    - many: show available "tracks" in `snap info`
    - cmd/snap: make users Xauthority file available in snap environment
    - interfaces/mount: write current fstab files with mode 0644
    - overlord: switch to aliases v2 tasks for install/refresh etc ops
      plus transition
    - tests: parameterize gadget snap channel (#3117)
    - tests: copy .real profile as .real
    - tests: add empty initrd failover test
    - many: mount squashfs as read-only
    - cmd: make locking around namespaces explicit
    - tests: address review comments from #3186
    - tests: add dbus interface spread test
    - interfaces/mount: add ReadMountInfo and LoadMountInfo
    - snap: require snap name for 'revert'
    - overlord: maintain per-revision snapshots of snap configuration
    - tests: relax network-bind interface regexps
    - interfaces: re-add reverted ioctl and quotactl (revert 21bc6b9f)
    - store: retry once on hashsum mismatches in a Download()
    - interfaces/builtin: don't panic if content plug has nil attrs
    - interfaces/mount: pass mount.Profile to mount.NeededChanges
    - packaging: add `built-using` header for 16.04 packaging
    - interfaces: add media-hub interface
    - interfaces/builtin: allow full access to properties iface of the
      udisks service
    - tests: handle case when both .real and plain are present
    - interfaces/mount: add Change.String for readable output
    - tests: ensure we mock force dev mode as well to fix FTBFS in
      sbuild
    - store: add more logs around retry in download
    - interfaces/mount: add stub Change.{Needed,Perform}
    - tests: allow installing snapd from -proposed for SRU validation
    - interfaces/mount: parse mount options to map[string]string
    - snap: added tasks subcommand
    - tests: copy snap-confine apparmor profile into testbed
    - interfaces/mount: improve go identifier names of mountinfo, parse
      optional fields
    - Arch Linux wants to respect FHS
      (https://bugs.archlinux.org/task/53656),
    - daemon: do not set RemoveSnapPath flag when doing a try
    - debian: add maintscript helper to remove usr.lib.snapd.snap-
      confine in snap-confine
    - cmd/snap-confine: don't use plain "classic" term
    - cmd/snap-confine: set TMPDIR and TEMPDIR each time
    - many: fixes for `go vet` in go 1.7
    - tests: add kernel-module-control interface test
    - overlord/snapstate: introduce tasks for aliases v2 semantics with
      temporary names for now (aliases v2)
    - overlord/devicestate: switch to ssh-keygen for device key
      generation
    - snap: skip /dev/ram from auto-import assertions to make it less
      noisy (#3010)
    - interfaces: add kubernetes-support interface and adjust related
      interfaces (LP: #1664638)
    - tests: download previous snapd package from published versions
      instead of specific PPA
    - snap: run snap-confine from core if snap is also running from core
    - overlord/ifacestate: automatically rename connections on core snap
    - many: break the /aliases mutation API with a clean 400 (aliases
      v2)
    - interfaces/builtin: allow read-only access to /sys/module
    - tests: add extra test after the core transition for snap get/set
      core
    - store: misc cleanups in tests
    - interfaces/mount: add parser for mountinfo entries
    - store: tests for unexpected EOF
    - tests: fix unity test
    - interfaces,overlord: log interface auto-connection failures
    - cmd/snap-update-ns: add C preamble for setns
    - interfaces: validate plug/slot uniqueness

 -- Michael Vogt <michael.vogt@xxxxxxxxxx>  Fri, 28 Apr 2017 07:57:49 +0200

** Changed in: snapd (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1664638

Title:
  Need an interface for kubernetes

Status in snapd:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in snapd source package in Trusty:
  Fix Released
Status in snapd source package in Xenial:
  Fix Released
Status in snapd source package in Yakkety:
  Fix Released
Status in snapd source package in Zesty:
  Fix Released
Status in snapd source package in Artful:
  Fix Released

Bug description:
  Working on creating a confined snap for kubelet. We're seeing a lot of
  denials. At least the following is needed to make kubelet work with
  the attached script:

  1. adjust kubelet to 'plugs: [ log-observe, mount-observe ]'

  2. adjust kubelet to make /var/log/containers snap-specific

  3. modprobe llc stp bridge br_netfilter

  4. create a kubernetes-support interface that allows (at least):

  # what is this for?
  #include <abstractions/dbus-strict>

  capability sys_resource,

  @{PROC}/diskstats r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/cgroup r,
  /sys/fs/cgroup/{,**} r,

  /sys/kernel/mm/hugepages/ r,
  @{PROC}/sys/kernel/random/boot_id r, # fixed already

  @{PROC}/sys/kernel/panic_on_oops rw,
  @{PROC}/sys/kernel/panic rw,
  @{PROC}/sys/kernel/keys/root_maxbytes r,
  @{PROC}/sys/kernel/keys/root_maxkeys r,
  @{PROC}/sys/vm/panic_on_oom r,
  @{PROC}/sys/vm/overcommit_memory rw,
  @{PROC}/@{pid}/oom_score_adj rw,

  # modprobe llc, stp, bridge, br_netfilter
  /sys/module/llc/initstate r,
  /sys/module/stp/initstate r,
  /sys/module/bridge/initstate r,
  /sys/module/br_netfilter/initstate r,
  @{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
  # seccomp blocks module loading, this is for listing
  /sys/module/apparmor/parameters/enabled r,
  /bin/kmod ixr,
  /etc/modprobe.d/{,**} r,

  ptrace (read, trace) peer=docker-default,
  ptrace (read, trace) peer=unconfined, # hrmm
  ptrace (read, trace) peer=snap.docker.dockerd,

  /bin/journalctl ixr,

  # make snap-specific
  /var/log/containers/{,**} rw,

  I'll put up a preliminary PR that implements the apparmor and kernel
  module policy so that people can play with this. In the meantime,
  after updating the kubelet snap to plugs log-observe and mount-observe
  and connect them, people can:

  $ sudo modprobe llc stp bridge br_netfilter
  # add the above policy to /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet, then run:
  $ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet

  Locally at this point kubelet is spinning looking for the api service so
  I can't see what other accesses are required.

  = Original description =
  Working on creating a confined snap for kubelet. We're seeing a lot of errors trying to open files relating to cgroups:

  /proc/self/cgroup
  /sys/fs/cgroup/cpu,cpuacct/cpu.shares
  /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
  /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
  /sys/fs/cgroup/memory/memory.limit_in_bytes
  /sys/fs/cgroup/memory/memory.soft_limit_in_bytes
  /sys/fs/cgroup/blkio
  /sys/fs/cgroup/memory
  /sys/fs/cgroup/cpuset

  The last three result in a hard failure of kubelet. There may be other
  files as well.

  Based on snappy-debug output, it looks like it's opening these files
  with the "r" flag, but I imagine it may need write access to some of
  these as well. I'm not sure.

  For some context, kubelet is the main process that runs on each node
  in a Kubernetes cluster. Its main purpose is to orchestrate Docker
  containers, and it looks like it's using cgroups for tight control
  over the utilization of hardware resources.

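The report above was assembled by reading snappy-debug denials and turning each one into a rule. The following Python script is an added illustration of that workflow; it is not part of the bug, of snappy-debug or of snapd. It parses kernel audit lines in the AppArmor "DENIED" format, aggregates the denied masks per profile and path across events (so a path seen once with "r" and once with "w" becomes a single "rw" candidate), and prints candidate rules in the same notation the report uses (@{PROC}, @{pid}, `capability`, `ptrace (...) peer=`). The audit lines in SAMPLE_DENIALS are constructed samples, and the function names (parse_audit_line, normalize_path, canonical_perms, suggest_rules) are my own.

```python
import re
from collections import defaultdict

# Constructed sample of kernel audit lines in the AppArmor "DENIED" format
# (the kind snappy-debug reads). Values are illustrative, not taken from the bug.
SAMPLE_DENIALS = """\
audit: type=1400 audit(1487000000.101:301): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/self/cgroup" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.102:302): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.limit_in_bytes" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.103:303): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/sys/vm/overcommit_memory" pid=4242 comm="kubelet" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.104:304): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/sys/vm/overcommit_memory" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.105:305): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/4242/oom_score_adj" pid=4242 comm="kubelet" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.106:306): apparmor="DENIED" operation="capable" profile="snap.kubelet.kubelet" pid=4242 comm="kubelet" capability=24 capname="sys_resource"
audit: type=1400 audit(1487000000.107:307): apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=4242 comm="kubelet" requested_mask="read" denied_mask="read" peer="docker-default"
audit: type=1400 audit(1487000000.108:308): apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=4242 comm="kubelet" requested_mask="trace" denied_mask="trace" peer="docker-default"
audit: type=1400 audit(1487000000.109:309): apparmor="ALLOWED" operation="open" profile="snap.kubelet.kubelet" name="/etc/hosts" pid=4242 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.110:310): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/17/cmdline" pid=4300 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PERM_ORDER = "rwalkm"                              # canonical order for file permissions
PERM_ALIASES = {"c": "w", "d": "w"}                # create/delete are reported separately but granted by w


def parse_audit_line(line):
    """Return the key=value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def normalize_path(path):
    """Rewrite /proc paths the way snapd policy does: /proc -> @{PROC}, /proc/<pid> and /proc/self -> @{PROC}/@{pid}."""
    m = re.match(r"^/proc/(?:\d+|self)(?=/|$)(.*)$", path)
    if m:
        return "@{PROC}/@{pid}" + m.group(1)
    if path.startswith("/proc/"):
        return "@{PROC}/" + path[len("/proc/"):]
    return path


def canonical_perms(letters):
    """Collapse accumulated mask letters into one permission string for a file rule."""
    perms = {PERM_ALIASES.get(ch, ch) for ch in letters}
    if "w" in perms:
        perms.discard("a")          # w already covers append
    out = "".join(ch for ch in PERM_ORDER if ch in perms)
    if "x" in perms:
        out += "ix"                 # execute needs an explicit mode; ix is the conservative default to review
    return out


def suggest_rules(log_text):
    """Aggregate DENIED events into candidate AppArmor rules, keyed by profile name."""
    files, caps, ptraces = defaultdict(set), set(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue                # ALLOWED/AUDIT events need no new rule
        prof, op = ev.get("profile", "unknown"), ev.get("operation")
        if op == "capable" and "capname" in ev:
            caps.add((prof, ev["capname"]))
        elif op == "ptrace" and "peer" in ev:
            ptraces[(prof, ev["peer"])].add(ev.get("denied_mask") or ev.get("requested_mask", "read"))
        elif "name" in ev:
            # denied_mask is what is still missing; requested_mask may include already-allowed bits
            files[(prof, normalize_path(ev["name"]))].update(ev.get("denied_mask") or ev.get("requested_mask", ""))
    rules = defaultdict(list)
    for prof, cap in sorted(caps):
        rules[prof].append(f"capability {cap},")
    for (prof, peer), modes in sorted(ptraces.items()):
        rules[prof].append(f"ptrace ({', '.join(sorted(modes))}) peer={peer},")
    for (prof, path), letters in sorted(files.items()):
        rules[prof].append(f"{path} {canonical_perms(letters)},")
    return dict(rules)


if __name__ == "__main__":
    for prof, rs in suggest_rules(SAMPLE_DENIALS).items():
        print(f"# candidate rules for {prof}")
        print("\n".join("  " + r for r in rs))
```

The output is a starting point for a human review, not a drop-in policy: every candidate should be checked against what the program actually needs (a path denied with "r" today may be reported with "w" on the next run, which is why masks accumulate across events), and broad peers or wildcards should be narrowed before the rule lands in an interface.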