Human review for docker plug in aws-iot-greengrass snap

While pushing the aws-iot-greengrass snap to a branch, it got flagged for human review.

human review required due to ‘allow-installation’ constraint (bool) declaration-snap-v2_plugs_installation (greengrassd, docker)

Could I get approval to use docker? Is there any info I need to post?

It’s been 4 days without a reply. Out of urgency, I’m going to strip this plug for now. However, we’d still like permission for this.

Hello Jose, can you explain why aws-iot-greengrass access to docker is required?

We need it for supporting the docker connector. https://docs.aws.amazon.com/greengrass/latest/developerguide/docker-app-connector.html

In a non-snap environment, users can use that Greengrass feature to manage Docker containers.

The greengrass snap already uses the greengrass-support interface for container workloads. Are you saying this is a new workload for greengrass or is this a bug in the greengrass-support interface? @ijohnson - do you have any context?

The greengrass-support interface (before incoming PR https://github.com/snapcore/snapd/pull/9595) provides support for Greengrass’s containerized lambdas. These are just serverless functions that run on a device instead of the cloud. They only expect certain runtimes to be available (e.g. java, python, node, etc.).

Docker containers give customers access to more complicated applications with dependencies that the Greengrass snap doesn’t have. Non-snap Greengrass offers a “docker connector” which basically lets customers drive Docker containers from the Greengrass Core.

Furthermore, we’re moving towards only supporting non-containerized lambdas, so we don’t want to use any of the container support that the greengrass-support interface offers today for security reasons.

Ah! I wasn’t sure if you were using the docker-support interface (which is quite lenient) in an effort to work around a deficiency in the greengrass-support interface. You actually want to run docker containers. Thanks for clearing this up.

While docker-support is superprivileged, so is greengrass-support (which this snap uses) and this snap now needs to drive docker containers. +1 to allow use of the docker-support interface (i.e., installation constraint).

I suspect that we’ll just need the docker plug, not the docker-support plug, right? From my reading of the docs (and some examples on GitHub), docker should be enough to use docker. Correct me if I’m wrong.

@zjoseal - the docker interface allows access to the docker socket as provided by another snap, the docker-support interface allows running dockerd. Based on your last comment, it sounds like you aren’t planning on shipping dockerd. Is that correct?

Yeah, we plan to simply connect to the docker snap through its content interface. We hope to not ship docker inside of our snap.

Based on my updated understanding, I am rescinding my vote for docker-support.

While docker is superprivileged, so is greengrass-support (which this snap uses) and this snap now needs to drive docker containers via the docker plug. +1 to allow use of the docker interface (i.e., installation constraint).


+1 for use of docker, as it was stated that it’s needed to connect to the docker snap.

2+ votes for, 0 votes against. Granting the requested use of docker to aws-iot-greengrass. This is now live.
