-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add snapcraft packaging #597
Conversation
Hey @devec0, thanks for the pull request. I'm a bit relunctant to store external packaging files in the repo ( |
Hi @devec0,
James, if I understand you correctly, Snapcraft works a little bit differently and expects the packaging machinery to be maintained within upstream sources. It is obviously not mandatory, but it is expected. Now if I follow you the pros would be that snaps would be created automatically instead of requiring human intervention. Human intervention looks like a bottleneck in the Snapcraft process, which would explain why the openfortivpn snap remains stuck at 1.3.0. Is that correct? I rather agree with @adrienverge as was already the case in #138. On the other hand if it's the price to pay to have up-to-date packages of openfortivpn perhaps we should consider an exception. Can you please help us a little bit by expanding on these questions?
|
A more technical question: Note that openfortivpn 1.13.0 not only execs See also #590. |
Finally in these times of lockdown, @m33m33 has created a |
@DimitriPapadopoulos to answer this question:
Snapcraft seems to be owned by Canonical, the company behind Ubuntu (see for example the footer of the snapcraft web pages) |
The current snap package is managed by Canonical, they host pretty much everything and gives a lot of ressources to the community. I tried to contact the package manager, to update his package, with no response yet: I guess this is not a good time anyway, perfectly understandable. So I was forced to create my own snap package receipe. The openfortivpn projet should reclaim the snap package ownership at some point, and integrate it to the release process on github. |
James Hedden (@devec0) seems to be the maintainer of the snap for openfortivpn at Canonical. He has opened this pull request here |
Haha, I hadn't noticed oO |
We would rather avoid adding Canonical's On the other hand we do appreciate the universal nature of snaps and acknowledge user demand. For example we have seen strong demand from @m33m33. @devec0 @m33m33 As a first step, may I suggest one of the following:
|
@devec0 I have created this repo on GitHub: Also I have a Snapcraft developer account (already had an Ubuntu One account): I am willing to maintain the openfortivpn snap. Since the name "openfortivpn" is already registered, I would need your help to have access to it - if you're OK with this solution of course. |
@DimitriPapadopoulos great, you should be able to integrate the snap build to travis ( https://docs.travis-ci.com/user/deployment/snaps/ ) What yaml file look best for a start ? Need help on this ? Sent with GitHawk |
@m33m33 I could integrate the snap build to Travis CI but isn't the goal to integrate directly to Snapcraft? |
Well, to my understanding: you have to build a snap package and upload it to snapcraft.io depot. Travis can do both it says " Travis CI can automatically upload and release your app to the Snap Store after a successful build. " |
@m33m33 I'll try that, but then isn't this pull request missing the necessary Travis CI integration in |
I'll try this: |
I've tried but it fails ("built but failed to release" whatever that means): No error messages. The whole process is rather complicated. Don't know whether I will have time to finalize in the near future. |
OK, changed
to:
and it works now ('Built and released'). |
There's a problem though. Script
This is OK on Fedora but not what we want on Ubuntu. I might be missing something here (please enlighten me) but it looks like the concept of "snaps" doesn't really apply to software tightly coupled to vendor-specific mechanisms like modifying DNS parameters. Options are configured at build-time and depend on the Linux vendor. Snaps on the other hand are built once for all vendors. The only solution would be to support |
@m33m33 Would you be willing to test the Note that |
Then we need to add a "stable" channel with version 1.13.2 in addition to the current "edge" channel. |
Wow, OK - so this certainly started some conversation. Firstly, I figure I should state my intention and my intended outcome here, and then will try to address questions. I wrote a snapcraft package for openfortivpn some time ago for a specific requirement, that didn't materialise. So, I am not using this snap myself in production - but based on metrics, roughly 2000 people around the world are using it - so I've had it on my TODO list to get it up to date and merged upstream for some time, especially given I occasionally get emails and various other requests to do so. So this isn't a 'Canonical' snap, and should not be used as an example of how well (or how poorly!) snaps are maintained by Canonical. I am also in a position to, and totally happy to, transfer the openfortivpn snap namespace to whomever would like to maintain it, especially now that I have provided updated packaging sources I can do so with a clean conscience :) Now, with that said, I do work for Canonical and do use Snaps and Snapcraft a lot in my work, so hopefully I can address a few of the questions raised -
|
@devec0 Hi James, thank you very much for the thorough answers! I have created an openfortivpn-test snap based on your I would be interested in taking over the maintenance of the snap if that's OK with you. Before this happens:
|
Signed-off-by: James Hebden <[email protected]>
Tested on an ubuntu derivative:
I guess the version should be set with an adopt-info directive in https://github.com/DimitriPapadopoulos/snapcraft_openfortivpn/blob/master/snap/snapcraft.yaml like in https://github.com/m33m33/snapcraft_openfortivpn/blob/master/snap/snapcraft.yaml so the package shows what is pulled from git at build time. You will follow the "releases" versions right ? |
@m33m33 I have been inferring the openfortivpn version a little bit differently, based on Git tags and commits: There are a couple other issues:
|
@devec0 Hi James, I think the snap for openfortivpn 1.13.3 is ready. The snap sources are here: The snap is currently available from: I'll wait a few days before I promote I think I am ready to take over maintenance, if you're still OK with that. I'll move the snap from: |
Hey @DimitriPapadopoulos - I've invited you as a collaborator on the openfortivpn snap, which should give you access to push to the snap on the store. There's no option to totally transfer ownership without engaging the snapcraft team, and I think this level of access will work perfectly. Please be mindful that the current snap has been installed by roughly 2,000 users, so any push to the stable channel on this snap will be rolled out automatically, so it would be good to promote through edge and beta first. I'd be very glad to have you take over maintenance, as I honestly don't have the spare cycles to look after this snap properly - so thank you! |
given the fact that the current production snap is on 1.3.0 I'd consider it a good thing, that Possible other changes that might break so-far working snaps:
|
@DimitriPapadopoulos - the currently publish snapped is based on the sources here The one I have provided has been re-done to enable proper git versioning, and to use the new bases keyword to be compatible with newer snapcraft. There's not huge functional differences. Regarding confinement, classic confinement is not recommended, and requires an exception to be granted for the snap, if required it function. The snapcraft forums would be the right place to request that if needed, but I can't think of a reason that openfortivpn would need it - even considering the above new changes since the 1.3 release. You might want to look at snap layouts if anything you need for the above is not already being made available inside the snap. (you could, for example, use a layout to bind-mount the resolconf directory into the snap filesystem for this snap, I believe). Strict confinement however is the better of the two options from a security and user UX perspective. You're less likely to interfere with things on the host system, the openfortivpn process is better contained in its own namespaces, and you don't require any special flags on install or store exceptions to publish and push updates to the snap. |
Oh, and for using the host pppd - you'd want to add the More information on plugs and interfaces: https://snapcraft.io/docs/supported-interfaces |
About confinement: openfortivpn works out-of-the-box even without the |
Ah, it's not because of
I'll add more plugs like |
Even the current 1.3.0 snap fails with:
I'll add the |
Mmmh... The
but this doesn't :
Hardly what we want... I can remove |
@devec0 I'm starting to doubt it is possible to create a snap of openfortivpn: openfortivpn needs to modify DNS parameters and IP routing and it forks pppd which should itself be able to change DNS parameters. It is interacting too closely with the system.
|
Well, I'm no expert in snap packages (yet ;) but it works pretty well here https://github.com/m33m33/snapcraft_openfortivpn/blob/master/snap/snapcraft.yaml with classic confinment and a local installation (this package is not published on snapcraft.io, it may be the big difference ?) |
@m33m33 I may be wrong but I understand snap executables live in and should be run from
Instead you have to be directly running the openfortivpn executable bundled in the snap's internal directory which is not a snap but a simple executable. On Ubuntu 18.04 it would be here:
It works of course, but then you're misusing the snap. The snap itself doesn't work and had probably never worked. openfortivpn is so closely knit with the system that it probably doesn't make sense to deploy it as a snap. |
I'm building the snap locally now, much easier to experiment than on Snapcraft. I can even use More on pppd:
I'm not certain about this |
Looks like a good direction. To me the whole point of a snap vs a simple deb is to guarantee that it works no matter what. So including dependices like pppd or whatever library needed is just fine. |
The
|
Then there's this strange build issue (at least when building locally):
|
The
Googling these error messages does not bring anything useful. I am at a loss how to fix this. |
@m33m33 - installing locally would require --devmode, which disables all confinement, so you will not have any issues accessing any part of the host machine in that scenario, and the classic confinement will not present you any issues either, because that too is ignored in devmode. @DimitriPapadopoulos my understanding is that the ppp plug should be giving you access to host PPP kernel modules, so regardless of where pppd is running, you should be setting up interfaces on the host. This leaves DNS, which I believe you can do with a layout, if it doesn't work already. I've mentioned before that I don't use this snap myself, that I am just providing it given there are a number of people using it at the published 1.3 version (presumably without issue) and that one was not classic confined. Regarding the ppp plug, did you connect it on the host? Remember that ppp is not auto-connected, so you would need to do The openfortivpn binary placed in |
@devec0 Ah indeed
|
Do you get the same if you don't run it with sudo? Or is sudo generally required by openfortivpn? |
Unfortunately Perhaps it would be worth revisiting this |
Got an answer on the forum An additional plug is need: I think we now have something that is equivalent to the existing snap. I'll move from my test snap to channel latest/beta of the definitive production snap soon. |
@devec0 James, I cannot find a way to plug my Git repo to your snap so as to automate this process: I had to file a "dispute" and ask for help on how to achieve that. The only other alternative I can think of is maintaining the snap in your existing Git repo and following this process: Unless you have a clue, I'll wait for for feedback from Snapcraft on how to best achieve the transition. |
Until you have a response on transitioning the name, you should simply be able to use the snapcraft cli to push releases to the openfortivpn snap. Pointing it at the Git repo is only required for automatic builds. I think maintaining the snap sources here, rather than out of my launchpad account makes it easier for existing developers and maintainers to commit changes to and manage changes to the snap. The current launchpad git repo is not actually registered with the snapcraft store at all. |
@devec0 I've tried to follow Making your snaps available to the store using snapcraft:
So it does look like something needs to be modified on the Store. Other than using the Launchpad Git repo is fine with me. Will you be able to give me write access to https://git.launchpad.net/~ec0/+git/snap-openfortivpn? |
An snap of openfortivpn 1.13.3 is available from the latest/edge channel: |
I have moved the repository to openfortivpn/snap. |
For what it's worth: Maybe a Flatpak package would be useful. |
Flathub is for graphical applications only:
|
Adds snapcraft packaging for openfortivpn.
I currently have an older snap published on the snapcraft store.
I have updated this snap to use the new core18 base, and have made it build directly from the git repository so it can use annotated tags as version information for the snap automatically.
If this is merged, it will also be possible to register this repo with the snap store (would require someone with access to this repo directly to register it) to enable automatic builds based on repository pushes, if there is desire for that. Otherwise, I can push a new version manually as requested.
Signed-off-by: James Hebden [email protected]