~mvo/snapd/+git/snapd-mvo:release-2.37.1

Last commit made on 2019-01-29
Get this branch:
git clone -b release-2.37.1 https://git.launchpad.net/~mvo/snapd/+git/snapd-mvo

Branch merges

Branch information

Name:
release-2.37.1
Repository:
lp:~mvo/snapd/+git/snapd-mvo

Recent commits

47e4280... by Michael Vogt

Merge remote-tracking branch 'upstream/master' into release-2.37.1

1a7dda8... by Michael Vogt

debian: add placeholder 2.37.1 changelog

bec0d1c... by Zygmunt Krynicki

Merge pull request #6446 from zyga/feature/home-for-jenkins

cmd/snap-confine: add special case for Jenkins

57694e9... by Michael Vogt

Merge pull request #6448 from mvo5/fix-x-builddeb-harder

snapcraft.yaml: fix XBuildDeb PATH for go-1.10

4a0dbb5... by Michael Vogt

releasing package snapd version 2.37.1

631666c... by Zygmunt Krynicki

Merge branch 'master' into feature/home-for-jenkins

f56545c... by Zygmunt Krynicki

cmd/snap-confine: add special case for Jenkins

The 2.37 release has dropped the "quirk" system responsible for the
special layout of /var/lib. The /var/lib directory was a tmpfs, with
empty directories and bind mount re-creating the original contents of
/var/lib from the base snap. This feature made it possible to mkdir
/var/lib/lxd, which was *not* present in the core snap, and bind mount
it to /var/lib/lxd from the host.

This used to be a part of a backwards compatibility fix for the time
when LXD was installed as a classic package on the host. LXD has since
moved over to a snap and that directory lost any relevance, culminating
with the removal of the quirk system in the 2.37 development cycle.

The removal of the quirk system also removed permissions that
snap-confine used to have, that gave it wide access to /var/lib.
The Jenkins system is often packaged using classic packages. The classic
package adds a "jenkins" user and sets its home directory to
/var/lib/jenkins. A system using Jenkins CI that internally uses snap
commands would invoke snap applications from the context of that user.

This brings us to the problem: snapd doesn't fully support users with
their home directories outside of /home. Due to complexity of the mount
namespace handling and the apparmor based sandbox with path-based
permissions, adding support for arbitrary home directories is
challenging. It was also untested in the snapd CI system.

In 2.36 and earlier, using snaps from the Jenkins user and its home
directory of /var/lib/jenkins only worked by accident, because the quirk
system granted relevant permissions to snap-confine, enabling it to
create $SNAP_USER_DATA directories. With the release of 2.37 we started
observing users reporting that their Jenkins CI systems can no longer
use snap applications.

While support for arbitrary home directories is desirable, it it needs
much more code to enable properly. An isolated special-case for Jenkins
is manageable and allows us to buy more time to explore proper support
for more cases in subsequent releases.

Signed-off-by: Zygmunt Krynicki <email address hidden>

79bceb5... by Michael Vogt

Merge pull request #6449 from mvo5/feature/home-for-jenkins-just-fix

cmd/snap-confine: add special case for Jenkins

b42f728... by Zygmunt Krynicki

cmd/snap-confine: explain SNAP_USER_DATA for jenkins

Signed-off-by: Zygmunt Krynicki <email address hidden>

f4bd293... by Zygmunt Krynicki

tests: make more this pass

Signed-off-by: Zygmunt Krynicki <email address hidden>