Allow LXD plug for ams-node-controller

morphis · July 25, 2022, 6:51am

Hey all,

the Anbox Cloud team at Canonical develops a small service called ams-node-controller which is running side by side with each LXD instance on a machine inside a LXD cluster. It connects to LXD over it’s Unix domain socket at /var/snap/lxd/common/lxd/unix.socket to perform additional operations when Anbox containers are started, like adjusting firewall rules or similar. It only connects to the socket to receive lifecycle events from LXD and does not perform any active operations on the LXD API.

We would like to ask to get the lxd plug allowed for the ams-node-controller snap so we can publish and release it through the snap store proper.

Please let me know if there are any further questions.

cc @stgraber

Thanks!

alexmurray · July 26, 2022, 4:25am

It is a shame there is not a lxd-observe or similar interface that would allow a less-privileged / more constrained way to interact with lxd as a snap as this snap would seem to be a great use-case for such an interface.

However, given this does not exist, and the ams-node-controller snap requires to interact with lxd then the lxd interface is the only possible solution. @morphis you have not specified whether you are requesting auto-connect for this interface - so for now I will assume this is just requesting use-of the lxd interface for publishing to the store and that the interface is expected to be manually connected.

Given that the lxd interface is super-privileged, granting use-of this interface requires publisher vetting - but in this case the snap is published by Canonical so this is assumed.

As such, +1 from me for use-of lxd for ams-node-controller.

morphis · July 26, 2022, 6:33am

@alexmurray Thanks for reminding me of the auto-connect question. We will not need auto-connect as ams-node-controller will be usually deployed by a charm which can take care of that on the target machine. There is some additional configuration necessary anyway for the snap to be of any use.

Being allowed to publish the snap to the store and allowed to use the lxd interface is all we need at this point.

Thanks!

pfsmorigo · August 5, 2022, 9:28pm

+1 from me too. +2 votes for, 0 votes against, granting use of lxd for ams-node-controller. This is now live.

morphis · August 8, 2022, 7:41am

Thanks @pfsmorigo!

Verified that new snaps pushed to the store are now passing automatic review.