Hi,
i have different pressing questions regarding the docker-support interface.
-
Why is there a plug privileged defined in snapcraft.yaml (see below) and what is its purpose ?
-
There is a further plug “support” with the same interface “docker-support”. Why could this plug not be used for the attribute privileged-containers:true/false?
-
Does the privileged plug have any impact on the security of the snap host system?
-
Why can the docker containers could not be started any more (entry point: permission denied) if the plug privileged plug is removed?
-
What does the description in the docker support interface file mean? (see screenshot) Does this mean there is a possibility that one might break out of the snap sandbox? What dose “device ownership” mean in this context. (source https://github.com/snapcore/snapd/blob/master/interfaces/builtin/docker_support.go (row 618))
From original docker snap sources: https://git.launchpad.net/~docker/+git/snap/tree/snap/snapcraft.yaml:
plugs:
home:
read: all
removable-media:
support:
interface: docker-support
privileged:
interface: docker-support
privileged-containers: true
docker-cli:
interface: docker
…
dockerd:
command: dockerd-wrapper
daemon: simple
plugs:
- firewall-control
- home
- network-bind
- network-control
- privileged
- support
slots:
- docker-daemon
Thank you for your support.
Kind regards
Johannes
(the indendation is pretty essential) …