Confinement 'classic' for semaphore snap

fiftin · March 21, 2025, 1:34pm

name: semaphore
description: Modern UI for Ansible, Terraform
snapcraft: Install Semaphore UI on Linux | Snap Store
upstream: GitHub - semaphoreui/semaphore: Modern UI and powerful API for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools.
upstream-relation: I’m owner and maintainer of the project
supported-category: supported classic confinement category that the snap fits within. The list of supported categories can be found here
reasoning: Semaphore requires Ansible, Terraform, OpenTofu apps to work. Users want to use the version of the apps that they need, not the one that I can embed in the snap. I want to allow users to use the apps which installed in the system. This will greatly increase the value of the application.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap to work under strict confinement.

Note that snappy-debug can be used to identify possible required interfaces. See Debugging snaps | Snapcraft documentation for more information.

store-requests-bot · March 21, 2025, 1:35pm

This request has been added to the queue for review by the @reviewers team.

fiftin · March 26, 2025, 9:11pm

Hi @alexmurray,

How long does it take you to review the application?

As I mentioned, Semaphore require access to the system Ansible, Terraform, OpenTofu, etc.

Isolation does not allow full use of Semaphore because users want control version of Ansible/Terraform/OpenTofu.

ogra · March 26, 2025, 9:46pm

You didn’t pick a category above, this is a hard requirement (not a reviewer here, just pointing out your data is incomplete)…

fiftin · March 26, 2025, 10:52pm

Oh, yes. Thank you!

I can’t update the post, can I add it in comment?

Category: orchestration agents/software

fiftin · March 27, 2025, 8:14am

@alexmurray I have supported strict-mode for a long time, but now we have added support for a number of external tools. Users expect that they will work in Snap too.

The ability to remove the restriction is very important to us. Without it, we will not be able to develop our application.

jslarraz · March 28, 2025, 11:06am

Hey @fiftin

Usually access to external binaries is not a reason to get classic confinement, and those packages/snaps should be staged instead.

However, in this case, as some of those applications (at least Terraform) are already using classic I think it makes sense to grant semaphore classic, as discussed for Request classic confinement for tf-wrapper

Thus I’m happy to #approve this request after publisher vetting. I’ll contact you via DM to start the publisher vetting process.

Thanks

fiftin · March 28, 2025, 12:05pm

Hi @jslarraz Thanks a lot! I’m looking forward to it!

jslarraz · March 28, 2025, 5:02pm

Publisher is vetted. This is now live.

I noticed that automatic review shows an additional error due to interfaces are not allowed (or needed) with classic confinement. Your snap should passed automatic review after fixing it.

Thanks

fiftin · March 28, 2025, 5:39pm

Got it. Thank you very much!! I hope now snap will become the main way to install Semaphore!