Classic confinement request for probelius snap

Hello,

The probelius app is a debugging tool developed to probe a juju-deployed environment performing checks, validations and collecting information for the purpose of assisting in diagnosing issues such as OpenStack, Ceph and Juju issues. It also installs and runs hotsos (a very similar debugging tool focused on a single node, also a classic snap) in several nodes such as nova-compute, neutron-api, rabbitmq-server and ceph.

The main reason it needs to be a classic snap is because of juju. Juju is a classic snap and juju commands cannot be successfully invoked through a non-classic snap due to several permission issues, documented in [1]. There is a workaround listed in the comments but I couldn’t get it to work. Using snappy-debug lists apparmor issues towards a @/var/lib/juju namespace which is hardcoded in juju [2].

The alternative use of python-juju lib has some disadvantages, as the API result is different than what is expected from the Juju CLI (even when converting both to json), and the python lib API compatibility is not kept up-to-date with the latest Juju versions.

I have discussed [1] with several different people within the Snap and Juju teams and eventually gave up trying to make the workaround work. If anyone wants to give it a try and is successful I would be more than happy to make this a strict confined snap (which I actually prefer instead of classic).

Looking forward to hearing back from the review team. Thanks in advance!

[1] https://bugs.launchpad.net/snapd/+bug/1604967

[2] https://github.com/juju/mutex/blob/master/legacy_mutex_linux.go#L15

@emitorino ping (forgot to tag you in the original post)

I note the juju snap is moving towards strict confinement (Auto connect requests for juju) - in this case would probelius be able to work better with it?

However, since probelius is a debugging tool and it needs to execute arbitrary commands (hotsos etc) then it does meet the requirements for classic confinement as outlined in Process for reviewing classic confinement snaps.

I am happy to grant classic confinement but would like to hear your thoughts re the strict juju snap above first. Thanks.

Hi Alex!

The juju snap is going to be strict confined? That is awesome news!! I do believe that a strict confined probelius will be able to work with it then!

However, do you have a timeframe for when that is expected (juju snap strict confinement)? I wouldn’t be happy to wait long until that happens without a probelius classic release as it is a useful tool for our daily work.

I’m assuming it is fine to have a classic release and then change it to strict confined? I suppose there might be problems with automatic snap upgrade (probably would need to have it removed and reinstalled to switch to strict confinement?) but even if so it is not a big problem and easy to address where it is going to be used.

So one strictly confined snap cannot call another strictly confined snap - but you could use stage-snaps to include the juju snap within probelius perhaps if you need to directly call juju. Alternatively, the juju snap could perhaps provide a content-interface which allows other snaps to communicate with it once it is strictly confined. @wallyworld can you give any guidance here?

Finally snapd will automatically upgrade from a classic to a strictly confined snap as this does not lessen the security confinement (however if a snap moves from strict to classic then snapd will not automatically update to the classic version).

Thanks @alexmurray for addressing my questions.

While juju isn’t strict confined are we in good shape to move forward with classic release of probelius?

Hey @ganso there is an ongoing discussion/request about the juju snap moving to strict confinement which you can read at Auto connect requests for juju.

Maybe @wallyworld can provide a time frame for this so we can determine how to proceed with this request?

Thanks!

Hello! any update regarding the classic approval of probelius?

I see in the other thread “Auto connect requests for juju” that it is stated that it is now live, however, when doing “snap info juju” it is still classic, so, what is the timeframe?

@emitorino @alexmurray

That would be a question for the juju team - from the snap store side everything is in place as far as I know but they likely have their own timeframes for publishing the strict mode snap to stable etc.

@ganso it looks like the strictly confined juju snap is now available for testing - https://discourse.charmhub.io/t/strictly-confined-juju-snap-available-for-testing/5866

@ganso did you have a chance to check the strictly confined juju snap?

Thanks!

@ganso - ping, this request cannot proceed without the requested information?

@alexmurray @emitorino I’m very sorry for the delay! I forgot to respond since the previous ping.

Unfortunately Juju snap no longer being classic only applies to version 3.0 which is still in beta, so given this is a tool that we need to run on production environments, right now it is not time-sensitive to test this as even if it worked we cannot release it (because the juju snap is not released), so testing it has drastically dropped in my priority list compared to other more pressing tasks and bug-fixes for the tool.

Right now the tool is being serviced through cloning the git-repo or copying a tarball of it, which is certainly far from ideal, but it is the best we’ve been able to do right now given the constraints.

Hi @ganso - no problems, we’ll remove this request from our review queue for now. When you have more time to test/respond, simply do so here and we can add the request back to the queue. Thanks.