packaging: add strict snapcraft packaging for Netdata on Ubuntu Core #21785
Half-Silver wants to merge 16 commits into netdata:master from
Conversation
3 issues found across 4 files
Confidence score: 3/5
- `snapcraft.yaml` enables debugfs.plugin under strict confinement without an interface, so it will be denied at runtime and functionality relying on it may fail.
- `.snapcraftignore` excludes the SNMP metadata overrides directory, which can cause SNMP overrides to be missing at runtime.
- The issues are user-impacting for strict snaps, which raises regression risk despite no other major concerns noted.
- Pay close attention to `snapcraft.yaml` and `.snapcraftignore`: confinement and runtime data access behavior.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".snapcraftignore">
<violation number="1" location=".snapcraftignore:14">
P2: The snapcraft ignore list excludes the SNMP metadata overrides directory, but the SNMP utilities load YAML overrides from this path at runtime. Removing it from the snap will cause SNMP overrides to be missing, degrading SNMP profile detection/normalization.</violation>
</file>
<file name="snapcraft.yaml">
<violation number="1" location="snapcraft.yaml:60">
P2: debugfs.plugin is enabled under strict confinement without any interface granting access to /sys/kernel/debug, which the plugin requires; it will be denied at runtime. Disable the plugin or add an appropriate interface.</violation>
</file>
<file name="packaging/snap/README.md">
<violation number="1" location="packaging/snap/README.md:67">
P2: Smoke-test instructions use `--devmode`, which disables strict confinement and can hide missing interface/permission issues for a strict snap. This undermines the purpose of testing strict confinement.</violation>
</file>
Architecture diagram
```mermaid
sequenceDiagram
    participant Builder as Build Env (LXD/CI)
    participant Git as External Repos
    participant snapd as Ubuntu Core (snapd)
    participant Wrapper as bin/run-netdata
    participant Daemon as Netdata Daemon
    participant Sys as System (Kernel/debugfs)
    Note over Builder,Git: NEW: Managed Build Flow (core24)
    Builder->>Builder: override-pull: Read packaging/version
    opt Submodules Missing
        Builder->>Git: NEW: Fetch pinned aclk-schemas
        Builder->>Git: NEW: Fetch pinned lm-sensors
    end
    Builder->>Builder: CMake: Enable apps.plugin & debugfs.plugin
    Builder-->>snapd: Produce .snap (Strict Confinement)
    Note over snapd,Sys: NEW: Runtime Control Flow
    snapd->>Wrapper: Start Service (daemon)
    rect rgb(23, 37, 84)
        Note right of Wrapper: Environment Initialization
        Wrapper->>Wrapper: Set writable paths ($SNAP_DATA, $SNAP_COMMON)
        Wrapper->>Wrapper: NEW: Initialize sensors.conf for thermal support
        Wrapper->>Wrapper: Set PATH to include snap binaries
    end
    Wrapper->>Daemon: NEW: exec with -W path overrides
    rect rgb(5, 46, 22)
        Note right of Daemon: Strict Monitoring (Interface Plugs)
        Daemon->>Sys: NEW: system-observe (Process monitoring)
        Daemon->>Sys: NEW: hardware-observe (Thermal/debugfs)
        Daemon->>Sys: network-observe (TCP/UDP sockets)
    end
    alt Data Request
        Sys-->>Daemon: Return metrics (thermal, app cpu, etc.)
        Daemon-->>Daemon: Aggregate metrics
    else Unauthorized Access
        Sys-->>Daemon: Blocked by Strict Confinement
    end
    Note over Daemon: Listener: 19999
```
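The runtime flow the diagram above lays out for `bin/run-netdata` (writable paths taken from `$SNAP_DATA` and `$SNAP_COMMON`, a sensors.conf seeded for the thermal collector, `PATH` extended to the snap's binaries, then `exec` of the daemon with `-W` overrides) together with its "Blocked by Strict Confinement" branch, as an added example that is not the PR's wrapper and not Netdata project code: a POSIX sh launcher that performs those steps and, before the `exec`, probes the kernel paths the enabled plugins read so that a strict-mode (not `--devmode`) smoke test shows in `snap logs` which paths confinement denied. The `[directories]` option names passed through `-W set`, the binary and web/stock-config locations under `$SNAP`, and the comment-only sensors.conf are assumptions; the probe list pairs each path with the plug the diagram names for it.

```bash
#!/bin/sh
# Added example (not the PR's bin/run-netdata): a strict-confinement
# launcher in the shape the review diagram describes. Assumptions are
# marked inline; nothing here is taken from the project's packaging.
set -eu

# Seed a sensors.conf in the snap's writable data area the first time the
# service starts, so the lm-sensors based thermal collector has a config
# it can read without touching the read-only /etc. Prints "seeded" or
# "kept" so a caller (or a test) can see what happened.
# Assumption: a comment-only libsensors config is an acceptable start.
ensure_sensors_conf() {
    dir="$1"
    conf="$dir/sensors.conf"
    if [ -f "$conf" ]; then
        printf 'kept\n'
        return 0
    fi
    mkdir -p "$dir"
    printf '# libsensors config seeded on first start; add chip overrides here\n' > "$conf"
    printf 'seeded\n'
}

# Check from inside the sandbox whether a kernel path a plugin reads is
# actually accessible. Under strict confinement a missing interface shows
# up here as "denied" instead of as a collector that silently produces no
# charts. Returns 1 on denial so a smoke test can fail fast.
probe_path() {
    path="$1"
    if [ -r "$path" ] && ls "$path" >/dev/null 2>&1; then
        printf 'ok %s\n' "$path"
        return 0
    fi
    printf 'denied %s\n' "$path"
    return 1
}

# Create the writable directory layout; safe to call on every start.
prepare_dirs() {
    mkdir -p "$1/config" "$2/cache" "$2/lib" "$2/log"
}

# Start the daemon. Called only when snapd has set $SNAP, so sourcing or
# testing this file outside a snap does nothing.
launch() {
    data="$SNAP_DATA"
    common="$SNAP_COMMON"
    prepare_dirs "$data" "$common"
    ensure_sensors_conf "$data" >/dev/null
    export PATH="$SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/bin:$PATH"

    # Report, without aborting, what confinement lets us read: /proc/stat
    # for process accounting (system-observe), /sys/class/thermal for the
    # thermal zones (hardware-observe), /sys/kernel/debug for debugfs.plugin,
    # which none of the plugs in the diagram names.
    for p in /proc/stat /sys/class/thermal /sys/kernel/debug; do
        probe_path "$p" || true
    done

    # Assumption: option names under the [directories] section of
    # netdata.conf, overridden on the command line with "-W set".
    exec "$SNAP/usr/sbin/netdata" -D \
        -W set directories config "$data/config" \
        -W set directories cache "$common/cache" \
        -W set directories lib "$common/lib" \
        -W set directories log "$common/log" \
        -W set directories "stock config" "$SNAP/usr/lib/netdata/conf.d" \
        -W set directories web "$SNAP/usr/share/netdata/web"
}

if [ -n "${SNAP:-}" ]; then
    launch
fi
```

The probe loop is deliberately non-fatal: the daemon still starts with whatever collectors can read, but `sudo snap logs netdata` shows a `denied /sys/kernel/debug` line the moment the snap is installed with `--dangerous` alone, which is exactly the signal `--devmode` would hide.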
| # Exclude large Go collector docs and test fixtures not needed for release builds. | ||
| src/go/plugin/go.d/collector/*/integrations/ | ||
| src/go/plugin/go.d/collector/*/testdata/ | ||
| src/go/plugin/go.d/config/go.d/snmp.profiles/metadata/ |
P2: The snapcraft ignore list excludes the SNMP metadata overrides directory, but the SNMP utilities load YAML overrides from this path at runtime. Removing it from the snap will cause SNMP overrides to be missing, degrading SNMP profile detection/normalization.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .snapcraftignore, line 14:
<comment>The snapcraft ignore list excludes the SNMP metadata overrides directory, but the SNMP utilities load YAML overrides from this path at runtime. Removing it from the snap will cause SNMP overrides to be missing, degrading SNMP profile detection/normalization.</comment>
<file context>
@@ -0,0 +1,15 @@
+# Exclude large Go collector docs and test fixtures not needed for release builds.
+src/go/plugin/go.d/collector/*/integrations/
+src/go/plugin/go.d/collector/*/testdata/
+src/go/plugin/go.d/config/go.d/snmp.profiles/metadata/
+src/go/plugin/ibm.d/samples.d/
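Review bot: the header comment says this list excludes "docs and test fixtures not needed for release builds", but the last two entries, `src/go/plugin/go.d/config/go.d/snmp.profiles/metadata/` and `src/go/plugin/ibm.d/samples.d/`, sit under config and samples trees rather than integrations or testdata, and nothing in the hunk says whether they are read at runtime. Either confirm that no shipped code loads YAML from those paths and extend the comment to say so, or drop the two entries. Note also that the build flags in snapcraft.yaml pass `-DENABLE_PLUGIN_GO=OFF`, so go.d.plugin and its SNMP collector are not built into this snap at all; if that stays, the go.d ignore entries are pure source-tree trimming with no runtime effect, and the comment should describe them that way instead of implying a release-content decision.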
</file context>
| - -DENABLE_DBENGINE=ON | ||
| - -DENABLE_PLUGIN_APPS=ON | ||
| - -DENABLE_PLUGIN_GO=OFF | ||
| - -DENABLE_PLUGIN_DEBUGFS=ON |
P2: debugfs.plugin is enabled under strict confinement without any interface granting access to /sys/kernel/debug, which the plugin requires; it will be denied at runtime. Disable the plugin or add an appropriate interface.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At snapcraft.yaml, line 60:
<comment>debugfs.plugin is enabled under strict confinement without any interface granting access to /sys/kernel/debug, which the plugin requires; it will be denied at runtime. Disable the plugin or add an appropriate interface.</comment>
<file context>
@@ -0,0 +1,107 @@
+ - -DENABLE_DBENGINE=ON
+ - -DENABLE_PLUGIN_APPS=ON
+ - -DENABLE_PLUGIN_GO=OFF
+ - -DENABLE_PLUGIN_DEBUGFS=ON
+ - -DENABLE_LIBBACKTRACE=OFF
+ - -DENABLE_BUNDLED_PROTOBUF=OFF
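Review bot: `-DENABLE_PLUGIN_DEBUGFS=ON` builds a plugin whose only data source is /sys/kernel/debug, and the plug set listed in the review diagram (system-observe, hardware-observe, network-observe) contains nothing that grants debugfs; hardware-observe covers hardware information under /sys/devices, /sys/class and udev, not /sys/kernel/debug, so under strict confinement the plugin will start and fail on its first read. Either set `-DENABLE_PLUGIN_DEBUGFS=OFF` here, or keep it on and add a check to the README that runs inside the sandbox before the plugin is relied on, for example `sudo snap run --shell netdata.netdata -c 'ls /sys/kernel/debug'` followed by `sudo journalctl -k | grep DENIED` to see whether AppArmor blocked it. Separately, `-DENABLE_PLUGIN_GO=OFF` drops go.d.plugin entirely, which is a large functional difference from other Netdata packages and should be stated in the README rather than left to be discovered from this flag.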
</file context>
| ## Install and smoke test (optional, admin) | ||
|
|
||
| ```bash | ||
| sudo snap install --dangerous --devmode ./netdata_*.snap |
P2: Smoke-test instructions use --devmode, which disables strict confinement and can hide missing interface/permission issues for a strict snap. This undermines the purpose of testing strict confinement.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packaging/snap/README.md, line 67:
<comment>Smoke-test instructions use `--devmode`, which disables strict confinement and can hide missing interface/permission issues for a strict snap. This undermines the purpose of testing strict confinement.</comment>
<file context>
@@ -0,0 +1,73 @@
+## Install and smoke test (optional, admin)
+
+```bash
+sudo snap install --dangerous --devmode ./netdata_*.snap
+sudo snap start netdata.netdata
+snap services netdata
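Review bot: `--devmode` on the install line puts the snap in complain mode, so every AppArmor denial becomes a log entry instead of an error and this smoke test cannot tell whether the declared plugs are sufficient. Install with `--dangerous` alone, then connect the plugs the snap declares, since system-observe, hardware-observe and network-observe are not auto-connected for a locally installed snap without a store assertion: `sudo snap connect netdata:system-observe`, `sudo snap connect netdata:hardware-observe`, `sudo snap connect netdata:network-observe`. After `snap services netdata`, add `sudo snap logs netdata` and `sudo journalctl -k | grep apparmor=.DENIED` to the steps so a missing interface shows up as a failed collector rather than a green run; `snap connections netdata` is the quickest way to confirm what is actually connected.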
</file context>
Summary by cubic
Adds strict Snapcraft packaging for Netdata on Ubuntu Core (core24), with thermal sensors and apps.plugin enabled. Builds use versioning from packaging/version and recover if submodules are missing.
Written for commit 980667e. Summary will update on new commits.