~mvo/snapd/+git/snapd-mvo:feature/home-for-jenkins-just-fix

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

dd3c2f4... by Zygmunt Krynicki on 2019-01-29

cmd/snap-confine: add special case for Jenkins

The 2.37 release has dropped the "quirk" system responsible for the
special layout of /var/lib. The /var/lib directory was a tmpfs, with
empty directories and bind mount re-creating the original contents of
/var/lib from the base snap. This feature made it possible to mkdir
/var/lib/lxd, which was *not* present in the core snap, and bind mount
it to /var/lib/lxd from the host.

This used to be a part of a backwards compatibility fix for the time
when LXD was installed as a classic package on the host. LXD has since
moved over to a snap and that directory lost any relevance, culminating
with the removal of the quirk system in the 2.37 development cycle.

The removal of the quirk system also removed permissions that
snap-confine used to have, that gave it wide access to /var/lib.
The Jenkins system is often packaged using classic packages. The classic
package adds a "jenkins" user and sets its home directory to
/var/lib/jenkins. A system using Jenkins CI that internally uses snap
commands would invoke snap applications from the context of that user.

This brings us to the problem: snapd doesn't fully support users with
their home directories outside of /home. Due to complexity of the mount
namespace handling and the apparmor based sandbox with path-based
permissions, adding support for arbitrary home directories is
challenging. It was also untested in the snapd CI system.

In 2.36 and earlier, using snaps from the Jenkins user and its home
directory of /var/lib/jenkins only worked by accident, because the quirk
system granted relevant permissions to snap-confine, enabling it to
create $SNAP_USER_DATA directories. With the release of 2.37 we started
observing users reporting that their Jenkins CI systems can no longer
use snap applications.

While support for arbitrary home directories is desirable, it it needs
much more code to enable properly. An isolated special-case for Jenkins
is manageable and allows us to buy more time to explore proper support
for more cases in subsequent releases.

Signed-off-by: Zygmunt Krynicki <email address hidden>

2ada43e... by Maciej Borzecki on 2019-01-29

Merge pull request #6394 from sergiocazzolato/tests-fix-logs-daemon-notify

tests: iterate getting journal logs to support delay on boards on daemon-notify test

9fb9a17... by Paweł Stołowski on 2019-01-29

Merge pull request #6440 from sparkiegeek/patch-1

cmd/snap: fix typo in cmd_wait.go

5027f64... by Maciej Borzecki on 2019-01-29

Merge pull request #6437 from bboozzoo/bboozzoo/improve-channel-parsing

snap/channel: improve channel parsing

cecb02a... by Maciej Borzecki on 2019-01-29

Merge remote-tracking branch 'origin/master' into pull/6440

6a05658... by "John R. Lenton" <email address hidden> on 2019-01-29

Merge pull request #6443 from chipaca/pids-are-signed

daemon, polkit: pid_t is signed

e9e9c05... by Maciej Borzecki on 2019-01-29

Merge pull request #6333 from bboozzoo/bboozzoo/snap-connections-api-endpoint

daemon: introduce /v2/connections snapd API endpoint

a819ae7... by John Lenton on 2019-01-28

daemon, polkit: pid_t is signed

We were using uint32 for pids in daemon and polkit, when they're
actually signed. This would be mostly transparent to snapd, but could
lead to spurious denials from polkit in some situations.

740eec8... by Michael Vogt on 2019-01-29

Merge pull request #6389 from chipaca/snap-info-refactor-1

cmd/snap: small refactor of cmd_info's channel handling

f5fa0ca... by Michael Vogt on 2019-01-29

Merge pull request #6400 from chipaca/store-unresponsive

overlord/snapstate: use an ad-hoc error when no results