Classic confinement request for google-cloud-sdk

@wimpress

Request to set google-cloud-sdk confinement to classic.

google-cloud-sdk’s gcloud requires execute access to

/usr/bin/git
/usr/bin/scp
/usr/bin/ssh
/usr/bin/ssh-keygen

for a subset of gcloud commands to work.

I can confirm Will Faris works for Google on the Google Cloud SDK team. I met with him yesterday to discuss the creation of the google-cloud-sdk snap.

@willfaris When we spoke yesterday you described the requirement for classic as more than just access to some binaries, after all openssh-client and git could be staged in the snap. For the benefit of the other reviewers please can you elaborate on the interactions these tools have with other software, such as Docker, that make a better case for why classic confinement is required at this time.

Also for the benefit of the other reviewers, creating a classic snap is a first step with the target of confinement longer term.

Ah good point about staging openssh-client and git with the google-cloud-sdk snap.

gcloud wraps docker commands (documentation here https://cloud.google.com/sdk/gcloud/reference/docker) but only on systems where gcloud detects that “docker.io” is installed. Not all users (in fact most do not) use the gcloud docker commands.

Agreed, the classic snap is a first step. We will be working on the best solution for our users to move google-cloud-sdk to confinement mode (as well as making 1 or more other snaps that connect to each other) to provide the full set of software that a gcloud installation could provide via its components subsystem, as well as cases like docker (which gcloud exposes if it detects docker is installed).

Is there any other information I should put in this request?

Granting the request based on @Wimpress’ comment. This is now live.

@willfaris - note that there are interfaces for ssh (eg, plugs: [ssh-keys]) and docker (eg, plugs: [docker]). Based on the feedback given here, it sounds like it could move to strict right away.

@willfaris - note that revision 10 passed review, but you’ll need to publish it to a channel. Your next upload should pass automated review.

Confirmed this is working today. Thanks!
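
The strict-confinement route raised in the thread (staging openssh-client and git inside the snap, and using the ssh-keys and docker plugs instead of classic) could look like the sketch below. This is an added example, not the published google-cloud-sdk snapcraft.yaml; the base, version, part name, source path and command path are assumptions or placeholders.

```yaml
# Hypothetical snapcraft.yaml sketch for a strictly confined gcloud snap.
# Not the project's own packaging; values marked "assumed" or "placeholder"
# are illustrative only.
name: google-cloud-sdk
base: core22                  # assumed base
version: "0.0.0"              # placeholder
summary: Google Cloud SDK (illustrative strict layout)
description: |
  Illustrative packaging that replaces classic confinement with
  strict confinement plus the narrowest interfaces gcloud needs.
grade: devel
confinement: strict           # instead of: confinement: classic

apps:
  gcloud:
    command: bin/gcloud       # assumed path inside the snap
    plugs:
      - network               # API calls to Google Cloud
      - ssh-keys              # access to the user's SSH configuration and keys
      - docker                # talk to the host Docker daemon for "gcloud docker"

parts:
  sdk:                        # assumed part name
    plugin: dump
    source: ./google-cloud-sdk   # placeholder for the SDK payload
    stage-packages:
      # Ship these inside the snap rather than executing the host's
      # /usr/bin/git, /usr/bin/ssh, /usr/bin/scp and /usr/bin/ssh-keygen.
      - git
      - openssh-client
```

Interfaces that are not auto-connected have to be connected with `snap connect` before the app can use them; `snap connections google-cloud-sdk` shows the current state.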