Installation request for landscape-client: /writable system-files

store-requests privileged-interfaces
1

Hello,

We’ve recently added a new system-files interface to the landscape-client snap to provide Landscape scripts with a writable directory on Ubuntu Core devices. I’d like to request we allow-installation of the snap.

Thanks!

CC: @kenvandine @mikecw @mitchburton

2

This request has been added to the queue for review by the @reviewers team.

3

Hello @st3v3nmw. Your request makes sense to me so +1(#voteFor).

What do other @reviewers think?

1 Like
4

Not a reviewer, but I have to deal with customers using it all day and this will give any user of the snap the ability to work around all snap security, confinement and measurements through random landscape scripts, pretty much making the whole snap concept moot, we are working since years to get rid of cloud-init on the devices because it allows exactly the same (and is used for this).

I have seen plenty of setups where people started altering things like generated systemd snap units, manipulate random files that should not be accessible at all etc through cloud-init which ended up having machines mis-behave or completely break to the point where they could only be factory-reset in production to recover them …

Why does landscape need full write access to the full rootfs ? This is pretty much the exact opposite of what we try to achieve with UbuntuCore…

Has this been discussed with the architects ? @pedronis @niemeyer ?

1 Like
5

Thanks @ogra … I’ll let @kenvandine respond since he proposed the code changes.

6

… though the change is limited to /writable not / unless I’m missing something.

7

Yes and /writable is in fact your rootfs on core (with the respective core snap reversely bind mounted into it by the initrd to become / )

8

Ah okay, thanks for the explanation.

9

This allows landscape-client, which is intended to be able to manage devices at scale, able to write to paths that the producer of the core image have specified as writable. These paths are typically specified as writable because they are used for configuration. Not everything in the ubuntu ecosystem has a well-defined API for configuration. The landscape-client provides a script mechanism for administrators to use to handle these types of cases and with system-files access to /writable that can be utilized for paths were pre-determined to be necessary. It also requires the producer of the snap to provide a gadget snap to connect it.

Use case:

Fleet of core based systems with firefox in an environment that requires organizational configuration. If /etc/firefox is specified in the core image as a writable path, landscape’s script feature can be used to deploy necessary changes at scale to effective lock-down the browser as needed.

There could be other ways to handle cases like this, but without support like this the script feature is pretty limited in landscape and we should make that clear to customers. These configuration situations would then need to be solved by customers for each thing they need to configure and it would need to be made clear that script support is quite limited. Right now it’s documented as a means to effectively do anything not already well defined.

10

After more discussion with @ogra, I’m going to -1 this myself. I think this needs to really be solved as a documentation effort in landscape to provide examples of how customers can deploy configuration snaps that use proper snap settings for everything that’s expected to be configured.

3 Likes
11

The change will be reverted in the codebase, thanks all.

1 Like
12

I was about to answer along the lines of what @ogra said. Thanks for exploring other solutions

2 Likes
13

Thanks a lot @ogra @pedronis for your inputs and thanks @st3v3nmw @kenvandine for looking for a better alternative :slight_smile:

I’m removing this topic from the review queue

1 Like