With strict confinement, snaps started as root (eg, under sudo) may either run as root or drop to the snap_daemon user (see System usernames), but not arbitrary users.
Yep, and we’re utilizing the snap-daemon user now. However, for this particular use case, Slurm will need to run as a different user which sounds like we will need to look into Classic mode for this scenario.
Before you convert your snap over, please see Process for reviewing classic confinement snaps and see if your snap fits into one of the supported or unsupported categories for classic. If it is neither, please respond back here and we can discuss further.
It does not look like Slurm fits into the supported or unsupported use cases listed in that post. Which isn’t surprising because Slurm is a somewhat unique beast but also ubiquitous in HPC circles which Snap doesn’t yet have a firm foothold in.
In UAT we discovered a number of legitimate use cases where running Slurm jobs as particular users is desired (accounting is a prime example of this). Another use case is running jobs from (and saving data to) a directory besides ~/snap or $SNAP_COMMON. This isn’t uncommon in automation scenarios which would require re-tooling to use (or be aware of) the new directories.
The Strict-mode Snap is still very much applicable but in order for the Slurm snap to service all possible use cases, a classic-mode must be offered.