'Classic Request' - Request 'Classic' confinement permission for BaSHELL

Zoralab · May 24, 2018, 2:53am

Hi everyone,

I’m requesting a ‘classic’ confinement for my first application ‘BaSHELL’ due to its needs to write into conventional file system. The details are summarized as follows:

What Application
BaSHELL - https://snapcraft.io/bashell, https://launchpad.net/~zoralab/+archive/ubuntu/bashell

App Purpose

To provide a test framework for bash scripts
To provide a test framework for automation at bash/shell level instead of using any language specific library/package.

Reason
BaSHELL has the ability to create and delete files and directories for a git repository. It can create/delete the test folder, test script and bashell-friendly bash script.

BaSHELL normal test run does not requires the ‘write/delete’ permission and it can run off the shelf. Currently, BaSHELL is released as strict confinement.

Development Repository
https://gitlab.com/ZORALab/BaSHELL - next branch

App License

Open-source: Apache 2.0

Pricing

Free

Bug Report Location

GitLab - https://gitlab.com/ZORALab/BaSHELL/issues

Maintainers

(Holloway) Chew, Kean Ho - http://sites.google.com/view/chewkeanho

lucyllewy · May 27, 2018, 3:27pm

As your snap is currently strictly confined, I think you will need to explain further why classic mode is required. Specifically, what does the snap need to write into “the conventional filesystem”? Why are the interfaces provided in the strict confinement system insufficient to allow the access your snap requires?

Zoralab · May 28, 2018, 4:50am

Apologies for the missing details. The existing strict confinement is suitable for running bashell framework but it broke the existing “developer mode” functions for our users, (as in, develop test scripts or setup).

The following are the functions when user wants to develop test script or install bashell framework into his/her git repository:

Installation Function — $ bashell -i
BaSHELL has the ability to install itself locally (bashell.sh) into a git repository. This requires directory write and file write. By using the command “bashell -i”, it creates the following file structure:

repo/scripts/bashell.sh
repo/tests/scripts/.gitkeep
repo/tests/temp/.gitkeep
$HOME/.bashell.sh # cache bashell.sh since snap is a binary.

This allows developer (our users) to run bashell.sh locally in their respective git repository for situation where the test machine doesn’t need further configurations.

Create function — $ bashell -c
BaSHELL caters 2 types of creation: the bashell friendly bash script and the test script. Their commands are

$ bashell -c bash “path/to/the/file/with/filename.bash”
$ bashell -c script “test_suite/test_title”

Both creates their bash script respectively.

The test script, with the extension .test is parked under:

repo/tests/scripts/test_suite/test_title.test

Delete function — $ bashell -d

This works in the opposite of create and install.

$ bashell -d framework

This is the opposite of install. It will delete the entire repo/tests folder, clearing all bashell traces inside a git repo.

$ bashell -d script FILEPATH

This deletes the existing test script, with filepath pointing to the test script.

In execute test however, the command is as simple as:

$ bashell
$ # OR
$ bashell -r

This run function doesn’t need the --classic confinement privileges. It is working off the strict confinement. Hence, it is suitable for test machine with the developed bashell test framework.

In a separate thread https://forum.snapcraft.io/t/is-snap-install-classic-flag-on-user-side-meant-to-override-the-default-published-strict-confinement-or-is-it-a-bug/5531/6, I received feedback that bashell can have bigger audience if it remains in “strict” confinement, such as Ubuntu Core market due to its run capability on test machine (which doesn’t need development capability).

However, it broke the “develop” mode. I’m currently using the app description and documentation to instruct the users to install bashell using the “–classic” flag for “development”.

Between delivering broken functionalities vs. larger audience, the former has higher priority. Please advise.

Zoralab · June 13, 2018, 11:48am

@lucyllewy, anything else needed for review?

popey · June 19, 2018, 11:16am

Thanks for the request. you have this in your store description:-

If you need to use bashell to develop test scripts, or delete,
you must install through terminal and append the "--classic" flag
when you install it. Example:

$ sudo snap install bashell --classic

Your snap is not currently classic confined, so this instruction is erroneous. Please do not encourage people to install non-classic snaps as classic, as they will likely break in interesting and unpredictable ways. the --classic flag is not designed to be an ‘override’ for non-classic snaps, it’s a flag to indicate acceptance of risk. The developer has a classic snap, and the user is accepting that this snap may read from and write to arbitrary locations.

Have you considered just using the home interface?

Wimpress · June 19, 2018, 11:20am

Hi @Zoralab - I’ve taken a look at your script and rationale for requesting classic confinement. I think you can achieve what you require with a strictly confined snap that uses the home interface. Here is a modified snapcraft.yaml for bashell.

name: bashell
version: '1.2.0'
summary: A simple BASH script for unit-testing all your BASH scripts
description: |
        bashell is a high level shell program designed to test bash script
        and handling high level test from system level. It itself is a bash
        script too so it doesn't need any external libraries, packages or
        gems just to run a software testing framework.
type: app
architectures:
        - all
grade: stable
confinement: strict

parts:
  bashell:
    source: https://gitlab.com/ZORALab/BaSHELL
    source-type: git
    plugin: nil
    install: |
      mkdir $SNAPCRAFT_PART_INSTALL/bin
      cp bashell.sh $SNAPCRAFT_PART_INSTALL/bin/bashell

apps:
  bashell:
    command: bin/bashell
    plugs:
      - home

All the interface are documented here:

https://github.com/snapcore/snapd/wiki/Interfaces

Zoralab · June 27, 2018, 3:44pm

@popey and @Wimpress, thanks for the feedback! I’ve tested your guidance and this is exactly what I’m looking for: stay in strict confinement, serving both read and write access.

I didn’t know that the command plugs includes home interface. I already released a minor version based on the feedback and removed the --classic instruction flag.

In this case, we can close this request. I want bashell to remain upstream with the latest technologies so we don’t have to proceed with classic confinement.

Additional read-up for future reader: