The nova-hypervisor snap for OpenStack uses a number of privileged interfaces:
system-trace, hardware-observe, system-observe, process-control, openvswitch, libvirt, network-observe, network-control, firewall-control
Hi jdstrand, sorry just verifying this and ran across some other issues that I need to handle to verify completely. It looks like we don’t need system-trace. I think this was added for ovs tracing but I’m not sure it’s necessary. I’ll get back to you soon for sure though.
Why is account-control needed? I’d not expect nova to be managing accounts in the machine. And similar question for kernel-module-control. Those two interfaces mean the snap can do pretty much anything at all.
@niemeyer, I think we can drop kernel-module-control as well. While we get the denial below (looks like iproute2 is calling into iptables which does some modprobing), my basic mainline testing seems to be ok without that interface so let’s not include kernel-module-control for now.
Wrt kernel-module-control, most applications do not need to be able to load arbitrary modules on the system, which is what kernel-module-control gives. Instead, they want specific modules loaded and are very happy if the module is already loaded into the kernel. As a result, there is a ‘kmod’ backend in the interfaces code that can be used to tell snapd to load modules that are needed by the interface on behalf of the application. E.g., we load several firewall modules when something plugs firewall-control.
What module is ip trying to load? If you actually need the module, perhaps it can simply be added to an existing interface or a new interface?
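The review points raised in this thread (which plugs give a snap near-root power, and whether a module the snap wants is already loaded so no module-loading privilege is needed) can be turned into a quick pre-review check. The script below is an added example for this post, not snapd code and not part of the nova-hypervisor snap; the snapcraft.yaml fragment, the `/proc/modules` text and the set of interfaces flagged as "super-privileged" are all constructed from the interfaces discussed above, and the minimal YAML scan only understands the `plugs:` list form shown.

```python
"""Audit a snap's requested plugs and check whether needed kernel modules are
already loaded.  Added example for the thread above; not snapd's own code.
Both inputs below are constructed for the demonstration."""
import re

# Interfaces the thread singles out as letting a snap do "pretty much anything"
# (constructed set; reasons paraphrased from the discussion).
SUPER_PRIVILEGED = {
    "kernel-module-control": "load arbitrary kernel modules",
    "account-control": "manage user accounts on the host",
    "system-trace": "trace arbitrary processes on the host",
}

# Constructed snapcraft.yaml fragment: the plugs listed in the first post plus
# the two interfaces queried by niemeyer.
SNAPCRAFT_YAML = """\
name: nova-hypervisor
apps:
  nova-compute:
    plugs:
      - system-trace
      - hardware-observe
      - system-observe
      - process-control
      - openvswitch
      - libvirt
      - network-observe
      - network-control
      - firewall-control
      - kernel-module-control
      - account-control
"""

# Constructed /proc/modules excerpt (fields: name size refcount deps state addr).
PROC_MODULES = """\
ip_tables 28672 2 iptable_filter,iptable_nat, Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000
openvswitch 147456 0 - Live 0x0000000000000000
"""


def parse_plugs(yaml_text):
    """Collect '- name' items that sit under a 'plugs:' key (list form only)."""
    plugs, in_plugs, plugs_indent = [], False, 0
    for line in yaml_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "plugs:":
            in_plugs, plugs_indent = True, indent
            continue
        if in_plugs:
            item = re.match(r"^\s*-\s+([\w-]+)\s*$", line)
            if item and indent > plugs_indent:
                plugs.append(item.group(1))
            else:
                in_plugs = False  # list ended; a later plugs: block restarts it
    return plugs


def audit_plugs(plugs, privileged=SUPER_PRIVILEGED):
    """Return {plug: reason} for every requested plug that is super-privileged."""
    return {p: privileged[p] for p in plugs if p in privileged}


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules-style text (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def missing_modules(needed, proc_modules_text):
    """Modules from `needed` that are not already loaded.  An empty result means
    the snap does not need any module-loading privilege at all for this set."""
    loaded = loaded_modules(proc_modules_text)
    # Module names in /proc/modules use underscores; accept dashed spellings too.
    return [m for m in needed if m.replace("-", "_") not in loaded]


if __name__ == "__main__":
    requested = parse_plugs(SNAPCRAFT_YAML)
    for plug, reason in audit_plugs(requested).items():
        print(f"review: {plug} lets the snap {reason}")
    # Constructed "wanted" list: one module already present, one not.
    for mod in missing_modules(["ip_tables", "br_netfilter"], PROC_MODULES):
        print(f"not loaded: {mod} (candidate for an interface's kmod backend)")
```

On a real host the `PROC_MODULES` constant would be replaced by reading `/proc/modules`, and the `needed` list would come from the modules the snap's denials actually name; the audit itself is deliberately strict, since a flagged plug is exactly the kind of thing a reviewer asks about before a snap is published.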