We would like to make a request for “classic” confinement for the STACKIT CLI.
This CLI can be used to manage STACKIT Cloud resources, and use cases can include reading and writing arbitrary files (JSON request payloads, user set configurations, etc.), accessing the OS keychain to store credentials, using the network, etc.
STACKIT is a cloud provider, so we believe our CLI falls under the supported “public cloud agents” category.
Thank you in advance!
I’m not fully convinced that the CLI falls under the “public cloud agents” category. It looks to me like something more intended to run in cloud instances to perform the required instance management/maintenance tasks. However, maybe someone with a bit more context than me from when the supported categories were defined can comment here.
Anyway, afaik there are other public cloud CLIs running in strict mode with no issues. Regarding your snap requirements:
- Reading/writing arbitrary files
  - JSON request payloads: I would expect to find them in home directory (it may also be a restriction of the snap that should not harm the usability a lot). You can get access to it via
  - user set configurations: they would be placed in a predefined directory. You can ask for access to this directory via `system-files` interfaces depending on the concrete location.
- accessing the OS keychain to store credentials: you may access it via portals as discussed here
- using the network: you can easily access the network by plugging the
The STACKIT CLI can be used to manage STACKIT Cloud resources. It is comparable to Google’s `gcloud` CLI (for Google Cloud) or Microsoft’s `az` CLI (for Azure). Both of these were granted “classic” confinement in the Snap store.
In this previous forum post regarding the STACKIT CLI, @sergiusens also compared it to `aws-cli` and @ogra suggested the “public cloud agent” category.
Since this snap has a requirement to access arbitrary resources from the host, and it fits within the supported category for classic confinement of public cloud agents, the requirements for classic confinement are understood.
To grant this, we need to perform publisher vetting - @Philipp I wonder if you would be interested in considering pursuing the Verified Accounts process for STACKIT as a publisher in the snap store?
Hi @alexmurray, thank you for your response. We would like to become a verified account and will create a new post regarding this matter.
What are the next steps for the classic confinement of our CLI? Can this be done in parallel, or is the verification part of the process?
@joaopalet thanks for providing the information and taking care about the proper confinement for STACKIT CLI. Did you have the time to analyze the questions/recommendations @jslarraz provided? It’s true that STACKIT CLI can fit into one of our supported categories and is comparable to other classic snaps. But if you can solve the issues you describe while staying under strict confinement, STACKIT CLI users will benefit from the stable and secure runtime environment the strictly confined snaps have.
The next step for classic confinement is to verify the publisher - and the process for Verified Accounts is more complete and user visible (since the publisher is designated with a in the store etc) - otherwise we can do a more lightweight process here. Both can be done in parallel.