Classic confinement request for fortd

ffoysal · January 29, 2021, 7:28pm

In the code kubectl has been used as a binary. Since kubectl is a classic confinement, thats why need to make fortd classic as well.

alexmurray · February 9, 2021, 5:32am

@ffoysal Can you please elaborate more on what the purpose of fortd is? Also how is it using kubectl? Please provide more information so we can properly evaluate this request.

ffoysal · February 9, 2021, 7:36pm

it is very custom service, that download kubernetes manifests from our own repo and deploy them in kubernetes cluster. In order to deploy them in microk8s cluster we use kubectl after downloading kubernetes manifests files.

emitorino · February 16, 2021, 3:42pm

Hey @ffoysal,

Have you explored shipping kubectl within fortd? Doing that + plugging some interfaces depending on where fortd needs to download the kubernetes manifests (such as home, removable-media, personal-files or even system-files), you could remain under strict confinement.

Thanks,

alexmurray · March 1, 2021, 3:55am

@ffoysal I notice the description for the fortd snap now says ‘this snap comes with it’s own kubectl’ - so it looks like you have already followed the advice from @emitorino above and hence it looks like fortd does not require classic confinement anymore. As such I am removing this request from our queue - if you think you still require this however, please let me know and we can re-add it again to follow-up.

ffoysal · March 1, 2021, 4:18pm

Hello @alexmurray, we tried the solution provided by @emitorino. It works. But as our snap evolving,
fortd not only accesses kubernetes but is a collector. It needs the ability to run troubleshooting diagnostics on the system and access files on the “classic” file system to to do so. It also has configuration function that requires access to mounts on the root file system.

ffoysal · March 4, 2021, 4:09pm

as described in the previous post, so we actually need classic confinement.

emitorino · March 9, 2021, 8:24pm

@ffoysal have you checked the mount-observe interface?

Also, there are several other interfaces that could be of help to access the file system while remaining under strict confinement: home, removable-media, personal-files and system-files. Do you think plugging them could be an option for fortd?

emitorino · March 17, 2021, 5:28pm

@ffoysal ping, can you please provide the requested information?

ffoysal · March 18, 2021, 2:41pm

we havent tried that. But for now we may continue to be strict. Thanks.

emitorino · March 19, 2021, 8:32pm

@ffoysal thanks.

Since you mentioned you fortd might continue under strict confinement, we are removing this request from our review queue. Whenever needed, simply write here again and we can add the request back to the queue. Thanks