Can a confined Snap run as a different uid and/or guid?

With Slurm, there are use cases when a job is created using a specific uid or guid like so:

sudo slurm.srun --uid 1000 -N1 -l hostname

In this case, we are creating a job that will run the hostname command using uid 1000.

Needless to say, this user switcheroo fails with an expected error: Unable to assume uid=1000

This should be possible with classic confinement, however, we’d prefer not to go that route.

With regular strict confinement, is it possible to run commands as users outside confinement?

With strict confinement, snaps started as root (e.g., under sudo) may either run as root or drop to the snap_daemon user (see System usernames), but not arbitrary users.

Yep, and we’re utilizing the snap-daemon user now. However, for this particular use case, Slurm will need to run as a different user, which sounds like we will need to look into Classic mode for this scenario.

Before you convert your snap over, please see Process for reviewing classic confinement snaps and see if your snap fits into one of the supported or unsupported categories for classic. If it is neither, please respond back here and we can discuss further.


It does not look like Slurm fits into the supported or unsupported use cases listed in that post, which isn’t surprising because Slurm is a somewhat unique beast, but also ubiquitous in HPC circles, which Snap doesn’t yet have a firm foothold in.

In UAT we discovered a number of legitimate use cases where running Slurm jobs as particular users is desired (accounting is a prime example of this). Another use case is running jobs from (and saving data to) a directory besides ~/snap or $SNAP_COMMON. This isn’t uncommon in automation scenarios which would require re-tooling to use (or be aware of) the new directories.

The Strict-mode Snap is still very much applicable, but in order for the Slurm snap to service all possible use cases, a classic mode must be offered.

Pinging @jdstrand in case this thread got lost in your notifications :smiley: