Juju-bmc request to use personal files

Hi,

related to https://dashboard.snapcraft.io/snaps/juju-bmc/revisions/2/

I just pushed a new version of juju-bmc with changes to support confinement: strict

about juju-bmc:

summary: juju plugin that adds a command to access a server out band management
description: |
  This snap installs a juju plugin, to add the “bmc” command to juju. This
  command takes advantage of juju and maas to obtain the relevant credentials
  and establishes a connection to the BMC console of a bare metal server.

direct link to snapcraft.yaml => https://git.launchpad.net/juju-bmc/tree/snap/snapcraft.yaml

The personal-files interface is needed to access the pre-existing credentials for juju/maas (juju-bmc is just a plugin, makes no sense to configure maas/juju separately).

I did try to have only “read” permissions for maascli.db, which makes sense as we don’t intend to modify them. However, the maas cli connects to it in “append” mode so the write permissions seem to be needed. Juju access works correctly with just read permissions.

Also, it would be ideal if this can auto-connect (as well as ssh-keys…), but I understand if not possible and will add docs for end-users to connect manually as required.

Thanks,

JG

personal-files instances should be named descriptively so that users can have some understanding of what they grant access to - in this case config-files is too generic. Also write access implies read so there is no need for listing read for $HOME/.maascli.db as you already have write for this.

Can this please be split into 2 separate personal-files plugs as follows:

plugs:
  dot-maascli-db:
    interface: personal-files
    write:
      - $HOME/.maascli.db
  dot-local-share-juju:
    interface: personal-files
    read:
      - $HOME/.local/share/juju

+1 from me for auto-connect to dot-maascli-db and dot-local-share-juju via personal-files as above.

Thanks @alexmurray changes implemented in the following:

commit: https://code.launchpad.net/~canonical-is-cre/juju-bmc/+git/juju-bmc/+merge/385444
new snap upload: https://dashboard.snapcraft.io/snaps/juju-bmc/revisions/3/

Any chance somebody can complete the approval of the snap? As mentioned above the changes requested by @alexmurray have already been implemented…

+1 for use of personal-files for read-only access to $HOME/.local/share/juju with the interface reference ‘dot-local-share-juju’. While the snap is not the clear owner of this directory, it clearly needs access to it.

+1 for use of personal-files for write access to ‘dot-maascli-db’ (though, please file a bug against maas, it should be able to support read-only access) with the interface reference ‘dot-maascli-db’. While juju-bmc is not the clear owner of the maas-db, the nature of the maas cli requires it be read/write and the description of the snap makes it clear it works with maas.

The request was not clear on if auto-connection was requested, but I believe from all the details given that is implied, so +1 for auto-connection for both.

As for ssh-keys, -1. This interface is very sensitive and the snap can easily use ‘snapctl is-connected ssh-keys’ to guide the user on what to do if it isn’t connected.

Granting use of and auto-connection for ‘dot-local-share-juju’ and ‘dot-maascli-db’ as described above. This is now live.

Note, while the snap declaration has been granted, there is a corresponding change to the review-tools that has been made that is not yet in production and new revisions will not pass automated review until it is. In the meantime, you can request manual reviews for new revisions and a reviewer can manually approve.
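
The review above suggests using ‘snapctl is-connected ssh-keys’ to guide the user when an interface is not connected. As an added example (not part of the original thread and not juju-bmc's own code), here is one way a command-chain style wrapper could do that. The function names, `SNAP_LABEL`, `REQUIRED_PLUGS` and the choice to treat all three plugs as required are assumptions.

```shell
#!/bin/sh
# Added example (not juju-bmc's own code): command-chain style wrapper that
# checks the snap's plugs with `snapctl is-connected` before running the app.
# Assumption: the plug names are the ones discussed in this thread and the
# snap treats all three as required.

# snapd sets SNAP_INSTANCE_NAME inside a snap; fall back to the name on this page.
SNAP_LABEL="${SNAP_INSTANCE_NAME:-juju-bmc}"
REQUIRED_PLUGS="dot-maascli-db dot-local-share-juju ssh-keys"

# Print, one per line, every plug in "$@" that is not connected.
# `snapctl is-connected` exits 0 when connected and non-zero otherwise.
missing_plugs() {
    for plug in "$@"; do
        if ! snapctl is-connected "$plug" >/dev/null 2>&1; then
            printf '%s\n' "$plug"
        fi
    done
    return 0
}

# Print the command a user runs to connect one plug manually.
connect_hint() {
    printf 'sudo snap connect %s:%s\n' "$SNAP_LABEL" "$1"
}

# Return 0 if every required plug is connected; otherwise explain on stderr
# what to run and return 1.
check_interfaces() {
    missing=$(missing_plugs $REQUIRED_PLUGS)
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "$SNAP_LABEL: required interfaces are not connected. Run:" >&2
    for plug in $missing; do
        echo "  $(connect_hint "$plug")" >&2
    done
    return 1
}

# Only act when running inside a snap (snapd sets $SNAP) and given a command.
if [ -n "${SNAP:-}" ] && [ "$#" -gt 0 ]; then
    check_interfaces || exit 1
    exec "$@"
fi
```

Since ssh-keys was not granted auto-connection, a fresh install would print the `snap connect` hint for that plug until the user connects it.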