Mongodb Classic Confinement

Hello! I would like to publish mongodb as a classically confined snap. The snap needs to be able to read and write to the host filesystem at a user-defined path. Many of the db components in various charms need to be able to all write to the same directory that is defined by the user, and the system-files interface does not allow for a dynamically configured path.

Is this an acceptable reason to publish this snap classically?


about what is allowed and what is not …

@ogra I have looked over that, but thank you for the link.

I’m actually not convinced that this should be a classic snap, to be honest. I think we should be striving for strict snaps for our databases. There will be some edge cases around storage, but I suspect with existing interfaces such as removable-media, system-files, system-backup and others, we’ll be able to get to a working solution.

well, what i meant to say is that you need to point out in the request above which of the “allowed” categories from that page you think your request fits in, else you will not be able to get approval.

What if I expose /data/db using the system files interface and require the use of a symlink at /data/db to point to another directory? This would allow a user to define a directory path. Is that technically possible or does the confinement interfere with that?

apparmor will refuse to follow any symlink outside of the permitted confinement …

(you can always use bind mounts, but then you can as well just bind it into /var/snap/mongodb/common/db or some such without needing system-files)

1 Like

+1 on this comment. In the global store we already have several db snaps published under strict confinement.