Classic confinement for "pebble"

Hi @emitorino, thanks for the reply.

Have you tried using system-files instead to access the default $PEBBLE and $PEBBLE_SOCKET dirs in /var/lib?

Yes, without success (but I didn’t dig any further to be able to say whether it was my fault it wasn’t working). However, even if that worked, I don’t think it would be enough, since pebble needs to support running arbitrary commands in the system. For example, the user can do pebble exec ls /etc or pebble add new-label /path/to/some/file, and more…meaning that access to any part of the filesystem is expected.

Although this category is supported for running workloads on systems without traditional users, I see we have granted classic for similar situations in the past. Still, we are seeing snaps like juju moving to strict confinement, so I wonder if you could explore alternatives to make pebble a strictly confined snap instead. @pedronis can you weigh in?

afaik, Juju is a bit different, since it is meant to operate “external” infrastructures. Pebble, otoh, is more like systemd, supervisord, s6, s6-overlay…it’s a process control manager - Pebble will literally launch a local server to run user-defined processes.