Classic confinement request for molecule snap

Molecule is a test framework used to test Ansible roles and playbooks by orchestrating virtualized test resources using local or cloud providers (docker, podman, libvirt, openstack, azure, ec2, gce, …).

Due to the nature of the tool, it cannot work with a normal confinement.

See https://github.com/ansible-community/molecule/pull/2608 for the latest changes proposed to the initial snap.

Molecule is a CLI tool that installs the molecule command, and the current recommended installation method is pip install from pypa inside a virtual environment.

@ssbarnea can you please be more specific on why this cannot work with strict confinement? What specific use-cases does molecule support which are not able to be achieved in strict confinement and what it is about strict confinement that is preventing this? Without this information it is hard to justify a request for classic confinement.

Molecule is using various backends for running virtualized hosts; some of them are local ones (docker, podman, libvirt, vagrant) and some of them are clouds (ec2, gce, azure, openstack, …). To talk with almost any of these it indirectly needs access to their credentials, which are stored in either environment variables (most common) or config files (like cloud.yml for openstack). For example, to work correctly with docker, the default backend, it would use the DOCKER_HOST variable.

In fact, in most cases it is not even molecule that accesses these; it is one of the vendor libraries that does this directly. docker-py is one such example.

If I understood correctly, accessing user-defined env-vars or files from the user profile is problematic for snaps.

Maybe the easiest way to understand what kind of runtime requirements molecule has is to understand that it is 90% ansible, the rest python. Clearly it does not need root on the machine it is run on.

The system-files and personal-files interfaces allow snaps to get access to various configuration files from either the system or the user's home directory respectively, so this should be used instead of classic for access to credentials etc. in well-known locations. If access to a local docker socket is needed, there is also the docker interface, so it sounds like molecule should not need classic unless I am missing something.
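As an added illustration of the strictly-confined alternative described in the reply above (not a snapcraft.yaml from the molecule project), this fragment declares a personal-files plug for the user's OpenStack config directory and the docker interface plug; the `$HOME/.config/openstack` path, the part name and the command path are assumptions for the example.

```yaml
# Example snapcraft.yaml fragment (constructed, not molecule's own).
# Strict confinement: only the named paths and the docker socket are
# reachable; everything else in $HOME stays inaccessible to the snap.
name: molecule
confinement: strict
base: core18

plugs:
  # personal-files grants read access only to the listed paths.
  # Assumed location of the OpenStack clouds config for this example.
  openstack-config:
    interface: personal-files
    read:
      - $HOME/.config/openstack

apps:
  molecule:
    command: bin/molecule        # assumed command path
    plugs:
      - home                     # role/playbook checkouts under $HOME
      - network
      - network-bind
      - docker                   # docker socket via the docker snap's slot
      - openstack-config

parts:
  molecule:
    plugin: python
    python-packages:
      - molecule                 # installed from pip, as the request states
```

Environment variables such as DOCKER_HOST pass into the confined process from the invoking shell, so credential-bearing variables still work; the personal-files and docker plugs are not auto-connected and need store approval or a manual `snap connect`, which is the least-privilege trade-off against classic.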

@ssbarnea - ping regarding the requested information.

@ssbarnea - ping, this request cannot proceed without the requested information.

@ssbarnea I am removing this request from our queue but will re-add it if you can provide the requested information.