Classic confinement request: fce

jog · January 17, 2019, 7:57pm

I have a foundation cloud engine tooling snap (fce) used by the cpe team for Foundation Cloud Build deployments. It’s classic because we need to create and update .gitconfig and .local/share/juju/ in the users $HOME. BTW it was pushed by the oil-ci-bot@canonical.com user.

popey · January 17, 2019, 8:03pm

Ordinarily I’d +1 as having done the background checks, this looks sane.

Is the access limited to only ~/.gitconfig and ~/.local/share/juju or does the snap also need access to other directories and/or other external arbitrary binaries to function correctly?

If access requirements are indeed very limited, would it be possible for us to create a bespoke interface for the tool, rather than use classic? One for @jdstrand at least, in part.

jog · January 17, 2019, 8:09pm

Yes, it also needs to access other binaries on the system, that are not necessarily known or even available at the time the snap is build. This tooling is used in a very dynamic deployment environment, driven by the need and requirements of the site at which the cloud is being installed.

popey · January 18, 2019, 1:22pm

Thanks for explaining.
Ok, then +1 for classic confinement from me.

Wimpress · January 18, 2019, 1:25pm

I would ordinarily give this a +1 but I see that @jdstrand has added an interface to define discrete personal and/or system files that a snap can access. Perhaps classic is not required now and @jdstrand can confirm?

jog · January 21, 2019, 1:54pm

Can you provide more information on how to define a discrete file list and I’ll give it a try?

sparkiegeek · January 21, 2019, 1:56pm

jog · January 30, 2019, 12:26am

The fce snap provides tooling to drive installations using juju, which is a classic snap. So it seems I’m blocked at the point where the tooling calls juju. Classic confinement for bootstack-ops snap is a thread describing a similar issue but appears to have never been resolved.

We intend to use this snap internally to support the CPE field consultants and it will remain private. Would you please reconsider allowing classic confinement?

jog · January 30, 2019, 4:18pm

BTW, The proposed fce snap’s functionality could be categorized along with these existing snaps:
conjure-up
juju-crashdump
juju-wait
juju-lint
rally
fcbtest
openstackclients

In fact fce uses most of these snaps, which are all classic confinement.

jog · February 1, 2019, 3:36pm

@jdstrand are you the best person to make a decision on this?

jdstrand · February 1, 2019, 8:25pm

Not typically, but I understand the juju position and have vetted you. Granting use of classic. This is now live.