Introduces immutability to OCI image by running everything as non-root user _daemon_; Updated README to include runtime flags for data persistence and USB printer access

Author: rudra-iitm

README.md

@@ -266,12 +266,20 @@ To pull the image from the GitHub Container Registry, run the following command:
   sudo docker pull ghcr.io/openprinting/hplip-printer-app:latest
 ```
 
+Create a Docker volume:
+```sh
+  sudo docker volume create hplip-printer-app
+```
+
 To run the container after pulling the image from the GitHub Container Registry, use:
 ```sh
   sudo docker run -d \
       --name hplip-printer-app \
       --network host \
       -e PORT=<port> \
+      -v hplip-printer-app:/var/lib/hplip-printer-app \
+      -v /dev/bus/usb:/dev/bus/usb:ro \
+      --device-cgroup-rule='c 189:* rmw' \
       ghcr.io/openprinting/hplip-printer-app:latest
 ```
 
@@ -281,18 +289,30 @@ Alternatively, you can pull the image from Docker Hub, by running:
   sudo docker pull openprinting/hplip-printer-app
 ```
 
+Create a Docker volume:
+```sh
+  sudo docker volume create hplip-printer-app
+```
+
 To run the container after pulling the image from Docker Hub, use:
 ```sh
   sudo docker run -d \
       --name hplip-printer-app \
       --network host \
       -e PORT=<port> \
+      -v hplip-printer-app:/var/lib/hplip-printer-app \
+      -v /dev/bus/usb:/dev/bus/usb:ro \
+      --device-cgroup-rule='c 189:* rmw' \
       openprinting/hplip-printer-app:latest
 ```
 
 - `PORT` is an optional environment variable used to start the printer-app on a specified port. If not provided, it will start on the default port 8000 or, if port 8000 is busy, on 8001 and so on.
 - **The container must be started in `--network host` mode** to allow the Printer-Application instance inside the container to access and discover printers available in the local network where the host system is in.
 - Alternatively using the internal network of the Docker instance (`-p <port>:8000` instead of `--network host -e PORT=<port>`) only gives access to local printers running on the host system itself.
+- `-v hplip-printer-app:/var/lib/hplip-printer-app` maps a volume for persistent storage.
+- The following volume and device settings are crucial for USB printer access:
+  - `-v /dev/bus/usb:/dev/bus/usb:ro` mounts the host's USB device directory read-only inside the container for USB printer access.
+  - `--device-cgroup-rule='c 189:* rmw'` allows the container to read, write, and mknod to USB devices.
 
 ### Setting Up and Running hplip-printer-app locally
 
@@ -330,18 +350,30 @@ Once the rock is built, you need to compile docker image from it.
   sudo rockcraft.skopeo --insecure-policy copy oci-archive:<rock_image> docker-daemon:hplip-printer-app:latest
 ```
 
+Create a Docker volume:
+```sh
+  sudo docker volume create hplip-printer-app
+```
+
 **Run the hplip-printer-app Docker Container**
 
 ```sh
   sudo docker run -d \
       --name hplip-printer-app \
       --network host \
       -e PORT=<port> \
+      -v hplip-printer-app:/var/lib/hplip-printer-app \
+      -v /dev/bus/usb:/dev/bus/usb:ro \
+      --device-cgroup-rule='c 189:* rmw' \
       hplip-printer-app:latest
 ```
 - `PORT` is an optional environment variable used to start the printer-app on a specified port. If not provided, it will start on the default port 8000 or, if port 8000 is busy, on 8001 and so on.
 - **The container must be started in `--network host` mode** to allow the Printer-Application instance inside the container to access and discover printers available in the local network where the host system is in.
 - Alternatively using the internal network of the Docker instance (`-p <port>:8000` instead of `--network host -e PORT=<port>`) only gives access to local printers running on the host system itself.
+- `-v hplip-printer-app:/var/lib/hplip-printer-app` maps a volume for persistent storage.
+- The following volume and device settings are crucial for USB printer access:
+  - `-v /dev/bus/usb:/dev/bus/usb:ro` mounts the host's USB device directory read-only inside the container for USB printer access.
+  - `--device-cgroup-rule='c 189:* rmw'` allows the container to read, write, and mknod to USB devices.
 
 #### Setting up
 

rockcraft.yaml

@@ -19,19 +19,21 @@ platforms:
 environment:
   MIBDIRS: /hplip-printer-app/current/usr/share/snmp/mibs:/hplip-printer-app/current/usr/share/snmp/mibs/iana:/hplip-printer-app/current/usr/share/snmp/mibs/ietf
 
+run-user: _daemon_
+
 services:
-  dbus:
-    command: /scripts/run-dbus.sh
+  avahi-daemon:
+    command: /scripts/run-avahi.sh
     override: replace
     on-failure: restart
     startup: enabled
 
-  hplip-printer-app:
+  ps-printer-app:
     command: /scripts/start-server.sh
     override: replace
     on-failure: shutdown
     startup: enabled
-    after: [dbus]
+    after: [avahi-daemon]
 
 parts:
   pappl:
@@ -305,7 +307,7 @@ parts:
       # hplip parts to avoid any file clashes.
       - libavahi-common3
       - libavahi-client3
-      - avahi-utils
+      # - avahi-utils
     prime:
       - -etc/fonts
       - -var
@@ -814,28 +816,175 @@ parts:
       - -usr/share/man
       # Reported unused by snapcraft linter
       - -usr/lib/*/libgssapi.*
+    after: [avahi, pappl-retrofit, pappl, cups, libcupsfilters, libppd, hplip]
+
+  avahi:
+    plugin: autotools
+    source: https://github.com/avahi/avahi.git
+    source-type: git
+    autotools-configure-parameters:
+      - --prefix=/usr
+      - --disable-qt3
+      - --disable-qt4
+      - --disable-qt5
+      - --disable-gtk
+      - --disable-gtk3
+      - --disable-gdbm
+      - --disable-python
+      - --disable-pygtk
+      - --disable-python-dbus
+      - --disable-mono
+      - --disable-monodoc
+      - --disable-manpages
+      - --disable-xmltoman
+      - --with-avahi-user=_daemon_
+      - --with-avahi-group=_daemon_
+      # - --with-avahi-priv-access-group=netdev
+      # - --with-distro=debian
+      - --disable-gobject
+      - --datadir=/usr/share
+      - --libdir=/usr/lib/${CRAFT_ARCH_TRIPLET_BUILD_FOR}
+      - --with-systemdsystemunitdir=/usr/lib/systemd/system
+      - --localstatedir=/var
+      - --sysconfdir=/etc
+    build-packages:
+      - g++
+      - gcc
+      - gettext
+      - intltool
+      - libdaemon-dev
+      - libdbus-1-dev
+      - libevent-dev
+      - libexpat1-dev
+      - libglib2.0-dev
+      - libsystemd-dev
+      - xmltoman
+    override-build: |
+        craftctl default
+        # for reference sort systemd service files
+        sed -i \
+            -e 's|\(.*\)avahi-daemon -s.*|\1avahi-daemon -s --no-drop-root|g' \
+            -e 's|\(.*\)avahi-daemon -r.*|\1avahi-daemon -r --no-drop-root|g' \
+            ${CRAFT_PART_INSTALL}/usr/lib/systemd/system/avahi-daemon.service
+        mkdir -p \
+            ${CRAFT_PART_INSTALL}/usr/lib/systemd/system/multi-user.target.wants
+        ln -sf \
+            ../avahi-daemon.service \
+            ${CRAFT_PART_INSTALL}/usr/lib/systemd/system/multi-user.target.wants/avahi-daemon.service
+    build-environment:
+      - LD_LIBRARY_PATH: "${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$CRAFT_STAGE/usr/lib"
+    override-prime: |
+      set -eux
+      craftctl default
+      sed -i 's/use-ipv6=yes/use-ipv6=no/' ${CRAFT_PRIME}/etc/avahi/avahi-daemon.conf
+      sed -i 's|<user>messagebus</user>|<user>_daemon_</user>|; /<policy user="root">/,/<\/policy>/d' $CRAFT_PRIME/usr/share/dbus-1/system.conf
+      sed -i 's/<policy group="netdev">/<policy group="_daemon_">/g; s/<policy user="root">/<policy user="_daemon_">/g' $CRAFT_PRIME/usr/share/dbus-1/system.d/avahi-dbus.conf
+    stage-packages:
+      - libdaemon0
+      - libevent-2.1-7
+      - avahi-utils
+      - mdns-scan
+      # - libavahi-client3
+      # - libavahi-common3
+    stage:
+      - etc/avahi
+      - usr
+      - -usr/lib/**/libavahi-client.so*
+      - -usr/lib/**/libavahi-common.so*
+      - -usr/lib/**/*.acd
+      - -usr/lib/**/*.la
+      - -usr/lib/**/avahi
+      - -usr/lib/**/libavahi-glib*
+      - -usr/lib/**/libavahi-libevent*
+      - -usr/lib/**/libevent-*
+      # - -usr/lib/**/libnss_mdns*
+      - -usr/lib/**/pkgconfig
+      - -usr/include
+      - -usr/share/doc
+      - -usr/share/man
+      - -usr/share/locale
     after: [pappl-retrofit, pappl, cups, libcupsfilters, libppd, hplip]
 
-  avahi-daemon:
+  utils:
     plugin: nil
     overlay-packages:
-      - avahi-daemon
-      - avahi-utils
-      - libnss-mdns
-      - mdns-scan
-      - dbus
       - python3
+      - dbus
+      - libnss-mdns
+    override-prime: |
+      set -eux
+      craftctl default
+
+      # Set up Avahi Daemon runtime directory
+      mkdir -p "$CRAFT_PRIME/var/run/avahi-daemon"
+      chown 584792:584792 "$CRAFT_PRIME/var/run/avahi-daemon"
+      chmod 777 "$CRAFT_PRIME/var/run/avahi-daemon"
+
+      # Set up D-Bus runtime directory
+      mkdir -p "$CRAFT_PRIME/var/run/dbus"
+      chown 584792:584792 "$CRAFT_PRIME/var/run/dbus"
+      chmod 777 "$CRAFT_PRIME/var/run/dbus"
+
+      # Set up the CUPS SSL server root directory
+      CUPS_SERVERROOT="$CRAFT_PRIME/etc/cups/ssl"
+      mkdir -p "$CUPS_SERVERROOT"
+      chown 584792:584792 "$CUPS_SERVERROOT"
+      chmod 770 "$CUPS_SERVERROOT"
+
+      # Set up the state directory and file for the printer app
+      STATE_DIR="$CRAFT_PRIME/var/lib/hplip-printer-app/"
+      mkdir -p "$STATE_DIR"
+      chown 584792:584792 "$STATE_DIR"
+      chmod 770 "$STATE_DIR"
+
+      # Create a state file inside the state directory
+      STATE_FILE="$STATE_DIR/hplip-printer-app.state"
+      touch "$STATE_FILE"
+      chown 584792:584792 "$STATE_FILE"
+      chmod 644 "$STATE_FILE"
+
+      # Set up the hp state directory and file for the printer app
+      HP_STATE_DIR="$CRAFT_PRIME/var/lib/hp"
+      mkdir -p "$HP_STATE_DIR"
+      chown 584792:584792 "$HP_STATE_DIR"
+      chmod 770 "$HP_STATE_DIR"
+
+      # Create a hp state file inside the state directory
+      HP_STATE_FILE="$HP_STATE_DIR/hplip.state"
+      touch "$HP_STATE_FILE"
+      chown 584792:584792 "$HP_STATE_FILE"
+      chmod 644 "$HP_STATE_FILE"
+
+      # Ensure the spool directory is owned properly
+      SPOOL_DIR="$CRAFT_PRIME/var/spool/hplip-printer-app"
+      mkdir -p "$SPOOL_DIR"
+      chown 584792:584792 "$SPOOL_DIR"
+      chmod 770 "$SPOOL_DIR"
+
+      # Create and set permissions for the application log file
+      touch $CRAFT_PRIME/hplip-printer-app.log
+      chown 584792:584792 $CRAFT_PRIME/hplip-printer-app.log
+      chmod 644 $CRAFT_PRIME/hplip-printer-app.log
+
+      # Setting up permissions to USB backend
+      USB_BACKEND="$CRAFT_PRIME/usr/lib/hplip-printer-app/backend/usb"
+      chmod u+s "$USB_BACKEND"
+    after: [avahi, pappl-retrofit, pappl, cups, libcupsfilters, libppd, hplip]
 
   scripts:
     plugin: dump
     source: .
     organize:
-      # "HP" discovery-only CUPS backendto discover
+      # "HP" discovery-only CUPS backend to discover
       # network printers using the hp-probe utility, as
       # HPLIP's "hp" backend only discovers USB printers
       HP: usr/lib/hplip-printer-app/backend/HP
     stage-packages:
       - udev
+    override-prime: |
+      set -eux
+      craftctl default
+      chmod +x $CRAFT_PRIME/scripts/*
     prime:
       - -etc
       - bin
@@ -845,21 +994,3 @@ parts:
       - usr/lib/hplip-printer-app/backend/
       - -usr/lib/tmpfiles.d
     after: [hplip-printer-app]
-
-  dbus-scripts:
-    plugin: dump
-    source: scripts/
-    organize:
-      run-dbus.sh: /scripts/run-dbus.sh
-      start-server.sh: /scripts/start-server.sh
-    override-prime: |
-      set -eux
-      craftctl default
-      # Ensure the run-dbus.sh script has executable permissions
-      if [ -f "$CRAFT_PRIME/scripts/run-dbus.sh" ]; then
-        chmod +x "$CRAFT_PRIME/scripts/run-dbus.sh"
-      fi
-      # Ensure the start-server.sh script has executable permissions
-      if [ -f "$CRAFT_PRIME/scripts/start-server.sh" ]; then
-        chmod +x "$CRAFT_PRIME/scripts/start-server.sh"
-      fi

scripts/run-avahi.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eux
+
+# Start dbus-daemon in the background
+/usr/bin/dbus-daemon --system --nofork &
+
+# Wait for the D-Bus system bus to be ready
+while [ ! -e /var/run/dbus/system_bus_socket ]; do
+  echo "Waiting for dbus-daemon to initialize..."
+  sleep 1
+done
+
+# Start avahi-daemon after dbus-daemon is ready
+/usr/sbin/avahi-daemon -f /etc/avahi/avahi-daemon.conf --no-drop-root --debug
+
+# Keep the container running
+exec tail -f /dev/null