Confine snap

[MonicaisHer]

This PR confines the OTBR snap by adding the necessary interfaces to each app:

otbr-setup requires:

• network, network-bind, network-control and firewall-control plugs to set up the network and firewall.
• system-observe and system-config-files plugs to access system information and config files in order to set up iproute (/etc/sysctl.* and /etc/iproute2).

otbr-agent requires:

• network, network-bind, `network-control plugs to set up the network.
• avahi-observe and avahi-control plugs to allow DNS-SD-based discovery.
• bluetooth-control and bluez plugs for device discovery over Bluetooth Low Energy (BLE).
• raw-usb to discover physically connected RCP.
• system-runtime-files to access system files (/run/openthread-wpan0.*) during runtime.

otbr-web requires:

• network, network-bind plugs to access and operate the network.
• system-runtime-files plug to access system files (/run/openthread-wpan0.*) during runtime.

ot-ctl requires:

• system-runtime-files plug to access system files (/run/openthread-wpan0.*) during runtime.

This PR also removes sudo from scripts during build time, to prevent file permission issues during runtime.

Testing

Build and setup:

snapcraft clean && snapcraft -v --debug

sudo snap remove --purge openthread-border-router
sudo snap install ./openthread-border-router_0.1_amd64.snap --dangerous

# set this if your infra interface is different from the default wlp3s0
sudo snap set openthread-border-router infra-if="eno1"

sudo snap connect openthread-border-router:system-etc-iproute
sudo snap connect openthread-border-router:system-etc-sysctl
sudo snap connect openthread-border-router:system-run
sudo snap connect openthread-border-router:system-run-openthread-wpan0

sudo snap connect openthread-border-router:avahi-control
sudo snap connect openthread-border-router:firewall-control
sudo snap connect openthread-border-router:raw-usb
sudo snap connect openthread-border-router:network-control
sudo snap connect openthread-border-router:bluetooth-control
sudo snap connect openthread-border-router:bluez

sudo snap connections openthread-border-router  

Start :

sudo snap start openthread-border-router

Following the steps here to form a Thread Network, then discover and pair the Thread lighting device into the OTBR network:

1. Connect the RCP dongle (A) to a USB port
2. Use the CTL tool to initialize the Thread network:

   sudo openthread-border-router.ot-ctl
   > dataset init new
   Done
   > dataset commit active
   Done
   > ifconfig up
   Done
   > thread start
   Done

3. Obtaining the OTBR operational dataset (OTBR network's credentials):

   sudo openthread-border-router.ot-ctl
   > dataset active -x
   0e08...f7f8
   Done

4. Discovering and pairing the Thread lighting device into the OTBR network over Bluetooth LE:

   sudo chip-tool pairing ble-thread 110 hex:0e08...f7f8 20202021 3840

[farshidtz]

Did another test, this time only using the GUI. I could form a network and see the status without an issue.

[MonicaisHer]

The testing of commissioning a Thread device into a Thread network, formed by this PR's confined OTBR snap, has encountered several issues.

First, the nRF52840 dongle stores pairing information from previous connections and disable BLE advertisement upon the first successful pairing. This makes the second pairing test impossible. Moreover, after a factory reset (pressing the reset button), the pairing info and disabled BLE advertisement are sometimes left behind, indicating that the factory reset might not be cleaning enough.

Another difficulty is when attempting to commission the Thread device into the Thread network using chip-tool with OTBR snap. The commissioning process can be performed successfully once with the unconfined OTBR snap, but never succeeds when using confined OTBR snap from this PR. This means that some interfaces might be missing for the confined OTBR snap.

Pressing the factory reset button on the nRF52840 dongle sometimes results in a clean factory reset, while other times it does not. This inconsistency makes it challenging to do efficient testing now. So it is best to hold this PR until the testing of commissioning the Thread device into the Thread network passes successfully.

Logs for the nRF52840 dongle after the factory reset and firmware reflash: https://pastebin.ubuntu.com/p/KZwd7PDwdj/

[farshidtz]

A factory reset of the dongle appears to clear the storage (but not the flash memory). Once done, the application is placed into discovery mode.

To do a factory reset, start the application by opening a serial console with minisim, then hold the large white button for more than 3 seconds after seeing "Release button within 3000ms to cancel" in the logs.

You would see the following in the logs:

...
[00:00:00.370,941] <inf> chip: [SVR]Fabric already commissioned. Disabling BLE advertisement
...
[00:32:53.126,739] <inf> app: Factory Reset Triggered. Release button within 3000ms to cancel.
...
[00:32:56.480,102] <inf> chip: [DL]Performing factory reset
[00:32:56.855,834] <inf> chip: [DL]Erasing Thread persistent info...
[00:00:12.625,488] <inf> app: Init CHIP stack
...
[00:00:01.172,149] <inf> chip: [DL]CHIP task running
[00:00:01.175,079] <inf> chip: [DL]CHIPoBLE advertising started
[00:00:01.176,849] <inf> chip: [DL]NFC Tag emulation started
[00:00:31.175,354] <inf> chip: [DL]CHIPoBLE advertising mode changed to slow

Discover from another device:

$ bluetoothctl scan le | grep Matter
[NEW] Device CA:5E:86:D1:47:92 MatterLight

[MonicaisHer]

@farshidtz, thanks for the solution to perform a clean factory reset of the nRF52840 dongle. I have successfully tested the confined OTBR snap to commission and control the Thread device. For details please see the testing section in this PR description.