The nova-hypervisor snap for OpenStack uses a number of privileged interfaces:
system-trace, hardware-observe, system-observe, process-control, openvswitch, libvirt, network-observe, network-control, firewall-control
This is a lot of privilege being given to nova, but I know nova needs most of them. Can you comment on why nova needs system-trace? This is the only one I was surprised about.
Hi jdstrand, sorry, I'm just verifying this and ran across some other issues that I need to handle to verify completely. It looks like we don't need system-trace. I think this was added for ovs tracing but I'm not sure it's necessary. I'll get back to you soon for sure though.
@jdstrand, apologies for the delayed reply. I ran across a few more issues in testing system-trace and wanted to make sure we have everything covered in this request.
It turns out we do not need system-trace. I think it may have been added for openvswitch tracing but it’s not required for mainline execution, so let’s not add it for now.
We do, however, need to add account-control and kernel-module-control plugs to the list of auto-connected interfaces, in addition to those listed in the original request above.
Why is account-control needed? I'd not expect nova to be managing accounts on the machine. And a similar question for kernel-module-control. Those two interfaces mean the snap can do pretty much anything at all.
@niemeyer, I think we can drop kernel-module-control as well. While we get the denial below (looks like iproute2 is calling into iptables, which does some modprobing), my basic mainline testing seems to be ok without that interface, so let's not include kernel-module-control for now.
Wrt kernel-module-control, most applications do not need to be able to load arbitrary modules on the system, which is what kernel-module-control gives. Instead, they want specific modules loaded and are very happy if the module is already loaded into the kernel. As a result, there is a 'kmod' backend in the interfaces code that can be used to tell snapd to load modules that are needed by the interface on behalf of the application. E.g., we load several firewall modules when something plugs firewall-control.
What module is ip trying to load? If you actually need the module, perhaps it can simply be added to an existing interface or a new interface?
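One practical way to answer "what module is ip trying to load?" without granting kernel-module-control: run the tool under strace -f -e trace=execve (on an unconfined host, or wrapped around the command that produced the denial), pull out the module names it hands to modprobe, and compare them with what /proc/modules already lists. If every requested module is already loaded, the app is fine without any module-loading privilege; whatever is missing is the candidate for an existing interface's kmod list. This is an added example, not code from this thread, from snapd or from the nova-hypervisor snap. The strace output and /proc/modules content below are constructed samples, and the parser assumes the "modprobe -q -- <module>" argument shape that libxtables uses; other callers of modprobe may pass arguments differently.

```sh
#!/bin/sh
# Added example: which modules did a traced tool ask modprobe for, and which
# of those are not already loaded. Real usage would be:
#   strace -f -e trace=execve -o /tmp/ip.trace ip link show
#   requested_modules "$(cat /tmp/ip.trace)"
#   missing_modules "$(requested_modules "$(cat /tmp/ip.trace)")" "$(cat /proc/modules)"

# Constructed sample of strace -f -e trace=execve output (not captured from
# nova-hypervisor). Two modprobe calls use the libxtables shape
# "modprobe -q -- <module>"; one is a duplicate, one is an unrelated exec.
SAMPLE_STRACE='[pid  4242] execve("/sbin/modprobe", ["modprobe", "-q", "--", "ip_tables"], 0x7ffd1c0 /* 12 vars */) = 0
[pid  4243] execve("/sbin/modprobe", ["modprobe", "-q", "--", "iptable_filter"], 0x7ffd1c0 /* 12 vars */) = -1 EACCES (Permission denied)
[pid  4242] execve("/sbin/modprobe", ["modprobe", "-q", "--", "ip_tables"], 0x7ffd1c0 /* 12 vars */) = 0
[pid  4244] execve("/sbin/ip", ["ip", "link", "show"], 0x7ffd1c0 /* 12 vars */) = 0'

# Constructed sample in /proc/modules format:
# name size refcount users state address
SAMPLE_PROC_MODULES='ip_tables 32768 0 - Live 0x0000000000000000
x_tables 45056 1 ip_tables, Live 0x0000000000000000
openvswitch 155648 0 - Live 0x0000000000000000'

# Module names the traced process passed to modprobe, deduplicated, one per
# line. Assumption: the caller uses the "modprobe ... -- <name>" form.
requested_modules() {
    printf '%s\n' "$1" \
        | grep 'execve("[^"]*/modprobe"' \
        | sed -n 's/.*\["modprobe".*"--", "\([^"]*\)".*/\1/p' \
        | LC_ALL=C sort -u
}

# Of the requested modules (whitespace separated, $1), print those that do not
# appear as the first field of any line in the /proc/modules content ($2),
# i.e. the ones that are not already loaded into the kernel.
missing_modules() {
    loaded=$2
    for m in $1; do
        if ! printf '%s\n' "$loaded" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            echo "$m"
        fi
    done
}

# Demonstration on the constructed samples.
requested=$(requested_modules "$SAMPLE_STRACE")
printf 'requested by modprobe: %s\n' "$(printf '%s' "$requested" | xargs)"
printf 'not already loaded:    %s\n' "$(missing_modules "$requested" "$SAMPLE_PROC_MODULES" | xargs)"
```

On the constructed input the tool asked for ip_tables and iptable_filter, and only iptable_filter is not already loaded. That is the module to discuss for an interface's kmod list; plugging kernel-module-control would instead let the snap load anything at all.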