This is a request for auto-connect of the MicroStack snap's interfaces for strict confinement. These interfaces include (quite a few):
block-devices
hardware-observe
firewall-control
hugepages-control
kernel-module-observe
kvm
libvirt
log-observe
microstack-support
mount-observe
netlink-audit
network-control
openvswitch-support
process-control
raw-usb
system-observe
system-trace
As a quick summary, the MicroStack snap delivers an OpenStack cloud in a snap format. This involves lots of interactions with the host system in order to provide and orchestrate virtual infrastructure.
Many thanks in advance. @dmitriis and I are happy to answer any questions that you may have.
+1 from me too - whilst this grants a lot of privileges, I don’t think any of this is controversial given what the microstack snap requires. +2 votes for, 0 votes against.
Granting auto-connect of block-devices, hardware-observe, firewall-control, hugepages-control, kernel-module-observe, kvm, libvirt, log-observe, microstack-support, mount-observe, netlink-audit, network-control, openvswitch-support, process-control, raw-usb, system-observe, system-trace for microstack. This is now live.
However, I have one quick question - microstack currently has use of, but manual connection of, kernel-module-control - is this still required? Does microstack require auto-connection of kernel-module-control? Thanks.
In regards to the kernel-module-control, my understanding is that the necessary bits were rolled into the microstack-support interface. However, I’d need to reconfirm this and @dmitriis is likely to have more in-depth knowledge around this. If my understanding is correct, then it would make sense to move the kernel-module-control usage in the snap itself. Let me confirm and circle back.