Classic confinement for subutai snap

Overview

subutai (snap) is a tool to manage lxc containers with P2P technology packed in - peers collaborate and share resources to create secure virtual environments tying together the shared network and machine resources across peers - quoting the official Github repository.

Long Story

These bullet points may illustrate what is it and how it works

  • open source project backed by commercial company
  • trial to a new way of how containers are organized and connected to each other
  • container management based on lxc-tools APIs, not lxd/docker
  • openvswitch based internal networking
  • p2p network (as in BitTorrent) based secure tunnel for inter-peer container communications
  • opt-in ability to join a centralized bazaar to share network and machine resources
  • all functionalities mentioned above can be used through a web UI that’s shipped as management container

Why it qualifies classic confinement

  • user need to start using the software by preparing a fresh block device using the provision command shipped in the package, and it will generate a mount service and make it dedicate to this package
  • this lxc based container management implementation would need a standalone interface to make container part work, like lxd/docker, but the project is still moving fast and implementation details are not stable enough
  • containers are managed using lxc-tools API and they are confined in the lxc-tools style lxc profile configurations, thus making them not harmful to the host
  • some of the required services does not work with existing interfaces (rngd for example).

Links

Bump for edit of detailed information.

Bump, it’s already 10 days old, let’s don’t forget it.

Apologies for the delay on this. I’m +1 as @aron is upstream, and there are limitations in our interfaces which require classic for the snap to function currently.

+1 from me given the requirement for access to block devices.

To be clear, there is an lxd-support interface which grants access to the lxd socket. This is not sufficient for your needs? If not, why? (I’m trying to understand the requirements of your snap so it can perhaps move to strict mode some day).

@aron - can you answer this?

I’m sorry but the team has decided to move away from snap because there was so long time before getting comments. Anyways thanks for you help!

It would surely still be interesting to know why you could not use the lxd-support interface which was specifically designed for your use case, so lacking features can potentially be added (if they do not break the security model).