I am developing a Juju charm writing framework published as the Lucky snap. It is still under heavy development and is not ready for stable publishing yet, but I wanted to get started on verifying whether or not I could get/need classic confinement for the snap.
The lucky binary serves three purposes:
lucky daemon that runs alongside the charm agent and runs charm scripts
lucky client that is run from the charm scripts to control aspects of the daemon
lucky charm which is used by the charm developer on their local workstation to create and build charms
I have a design document outlining the design.
The Lucky daemon will need full permission to the system because it needs to be able to run scripts that can modify the system in any way including installing kernel modules, other snaps, apt-packages etc. It will also be running Docker containers.
The Lucky charm tool that gets installed on the user's workstation does not necessarily need those permissions.
The Lucky client just needs permissions to talk over the daemon socket.