Commit d2dfdb5

fix(snap): isolate CLI XDG paths from host environment
The Ubuntu Snap release canary is failing because GitHub-hosted runners set `XDG_CONFIG_HOME=/home/runner/.config`, and the strict OpenShell snap currently honors that host path. As a result, `openshell gateway add` tries to persist gateway metadata under `/home/runner/.config/openshell/...` instead of the snap-owned user directory, and strict snap confinement blocks the write.

The snap should set its user-facing app XDG paths explicitly to snap-owned locations under `$SNAP_USER_COMMON`, so host-defined `XDG_*` variables cannot redirect CLI or TUI state outside the snap sandbox.

The docs update also removes stale `--classic` Snap install examples, since the OpenShell snap is strict-confined rather than classic-confined.

Signed-off-by: Kris Hicks <khicks@nvidia.com>

1 parent 62b03f0 commit d2dfdb5

3 files changed

Lines changed: 38 additions & 2 deletions

docs/about/installation.mdx

Lines changed: 8 additions & 2 deletions
@@ -80,7 +80,7 @@ sudo loginctl enable-linger $USER
8080
Install the OpenShell snap from the Snap Store:
8181

8282
```shell
83-
sudo snap install openshell --classic
83+
sudo snap install openshell
8484
```
8585

8686
The snap defines two apps: the `openshell` CLI and the `openshell.gateway`
@@ -89,6 +89,12 @@ stores its database at `$SNAP_COMMON/gateway.db` (typically
8989
`/var/snap/openshell/common/gateway.db`). Create `$SNAP_COMMON/gateway.toml`
9090
when you need to override gateway settings.
9191

92+
The snap CLI stores per-user config, data, and state under
93+
`$SNAP_USER_COMMON/xdg-*`, typically `~/snap/openshell/common/xdg-*`.
94+
Gateway registrations live under
95+
`$SNAP_USER_COMMON/xdg-config/openshell/gateways/` instead of
96+
`~/.config/openshell/gateways/`.
97+
9298
### Snap store installs
9399

94100
When installing from the Snap Store, snapd automatically connects the `home`,
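
Review bot: The added paragraph says gateway registrations now live under `$SNAP_USER_COMMON/xdg-config/openshell/gateways/` "instead of" `~/.config/openshell/gateways/`, but it does not say what happens to registrations a user already has at the old path. Add one sentence stating whether they are picked up, migrated, or must be re-added with `openshell gateway add`. It would also help to spell out the three directories (`xdg-config`, `xdg-data`, `xdg-state`) rather than `xdg-*`, so readers know exactly which ones exist.
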
@@ -108,7 +114,7 @@ manually.
108114
When installing a locally built `.snap` file, no plugs are connected by default:
109115

110116
```shell
111-
sudo snap install ./openshell_*.snap --dangerous --classic
117+
sudo snap install ./openshell_*.snap --dangerous
112118
sudo snap connect openshell:home
113119
sudo snap connect openshell:network
114120
sudo snap connect openshell:network-bind

snapcraft.yaml

Lines changed: 8 additions & 0 deletions
@@ -62,6 +62,10 @@ platforms:
6262
apps:
6363
openshell:
6464
command: bin/openshell
65+
environment:
66+
XDG_CONFIG_HOME: "$SNAP_USER_COMMON/xdg-config"
67+
XDG_DATA_HOME: "$SNAP_USER_COMMON/xdg-data"
68+
XDG_STATE_HOME: "$SNAP_USER_COMMON/xdg-state"
6569
plugs:
6670
- home
6771
- network
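
Review bot: The `environment:` block under `openshell` pins `XDG_CONFIG_HOME`, `XDG_DATA_HOME` and `XDG_STATE_HOME` but leaves `XDG_CACHE_HOME` to whatever the host exports, which falls short of the commit message's goal that host-defined `XDG_*` variables cannot redirect CLI state outside the snap. If the CLI ever writes cache files, pin that variable to a directory under `$SNAP_USER_COMMON` as well; if it never does, a short YAML comment explaining why only these three are set would save the next reader the question.
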
@@ -70,6 +74,10 @@ apps:
7074
term:
7175
command: bin/openshell term
7276
desktop: meta/gui/term.desktop
77+
environment:
78+
XDG_CONFIG_HOME: "$SNAP_USER_COMMON/xdg-config"
79+
XDG_DATA_HOME: "$SNAP_USER_COMMON/xdg-data"
80+
XDG_STATE_HOME: "$SNAP_USER_COMMON/xdg-state"
7381
plugs:
7482
- home
7583
- network
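
Review bot: The `environment:` block under `term` is a line-for-line copy of the one under `openshell`, so the two can drift apart when only one is edited. Consider defining the mapping once with a YAML anchor and aliasing it from both apps. Note that the exact-string checks added in `tasks/scripts/test-packaging-assets.sh` expect two literal copies and would need to change with it.
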

tasks/scripts/test-packaging-assets.sh

Lines changed: 22 additions & 0 deletions
@@ -28,6 +28,21 @@ assert_not_contains() {
2828
fi
2929
}
3030

31+
assert_occurrences() {
32+
local file=$1
33+
local expected=$2
34+
local count=$3
35+
local actual
36+
37+
actual=$(grep -F "$expected" "$file" | wc -l | tr -d '[:space:]')
38+
if [[ "$actual" != "$count" ]]; then
39+
echo "FAIL: ${file} expected ${count} occurrences of:" >&2
40+
echo " ${expected}" >&2
41+
echo "found ${actual}" >&2
42+
exit 1
43+
fi
44+
}
45+
3146
assert_file_exists() {
3247
local file=$1
3348

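
Review bot: In `assert_occurrences`, `grep -F "$expected" "$file" | wc -l` counts matching lines, not occurrences, and passes the pattern without a `--` separator, so an expected string beginning with `-` would be parsed as a grep option. `grep -cF -- "$expected" "$file"` produces the same count without the `wc` and `tr` stages; because grep exits 1 when nothing matches, guard it with `|| true` if the script runs under `set -e`, so the FAIL message is still printed. Either rename the helper to say it counts lines or note that in a comment above it.
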
@@ -39,9 +54,11 @@ assert_file_exists() {
3954

4055
service="${ROOT}/deploy/deb/openshell-gateway.service"
4156
spec="${ROOT}/openshell.spec"
57+
snapcraft="${ROOT}/snapcraft.yaml"
4258

4359
assert_file_exists "$service"
4460
assert_file_exists "$spec"
61+
assert_file_exists "$snapcraft"
4562

4663
assert_contains \
4764
"$service" \
@@ -59,4 +76,9 @@ assert_contains \
5976
'ExecStartPre=/usr/bin/openshell-gateway generate-certs --output-dir ${OPENSHELL_LOCAL_TLS_DIR} --server-san host.openshell.internal'
6077
assert_not_contains "$spec" '%%S/openshell/tls'
6178

79+
assert_contains "$snapcraft" 'confinement: strict'
80+
assert_occurrences "$snapcraft" 'XDG_CONFIG_HOME: "$SNAP_USER_COMMON/xdg-config"' 2
81+
assert_occurrences "$snapcraft" 'XDG_DATA_HOME: "$SNAP_USER_COMMON/xdg-data"' 2
82+
assert_occurrences "$snapcraft" 'XDG_STATE_HOME: "$SNAP_USER_COMMON/xdg-state"' 2
83+
6284
echo "packaging asset tests passed"
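
Review bot: The three `assert_occurrences ... 2` checks count matches across the whole of `snapcraft.yaml`, so they do not tie either copy to the `openshell` or `term` app and would still pass if both copies ended up under one app while the other lost its `environment:` block. Consider asserting per app, for example by extracting each app's section before matching, so the test fails when one of the two user-facing apps is no longer isolated. The hard-coded count of 2 will also fail for a legitimate change such as adding a third app with the same block, so a comment explaining what the number stands for would help.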
