Mongodb Classic Confinement

jardon · December 7, 2022, 1:45pm

Hello! I would like to publish mongodb as a classically confined snap. The snap needs to be able to read and write to the host filesystem at a user-defined path. Many of the db components in various charms need to be able to all write to the same directory that is defined by the user, and the system-files interface does not allow for a dynamically configured path.

Is this an acceptable reason to publish this snap classically?

ogra · December 7, 2022, 1:53pm

see

about what is allowed and what is not …

jardon · December 7, 2022, 2:14pm

@ogra I have looked over that, but thank you for the link.

jnsgruk · December 7, 2022, 5:04pm

I’m actually not convinced that this should be a classic snap, to be honest. I think we should be striving for strict snaps for our databases. There will be some edge cases around storage, but I suspect with existing interfaces such as removable-media, system-files, system-backup and others, we’ll be able to get to a working solution.

ogra · December 7, 2022, 5:12pm

well, what i meant to say is that you need to point out in the request above which of the “allowed” categories from that page you think your request fits in, else you will not be able to get approval.

jardon · December 7, 2022, 6:57pm

What if I expose /data/db using the system files interface and require the use of a symlink at /data/db to point to another directory? This would allow a user to define a directory path. Is that technically possible or does the confinement interfere with that?

ogra · December 7, 2022, 9:20pm

apparmor will refuse to follow any symlink outside of the permitted confinement …

(you can always use bind mounts, but then you can as well just bind it into /var/snap/mongodb/common/db or some such without needing system-files)

emitorino · January 24, 2023, 2:01pm

+1 on this comment. In the global store we already have several db snaps published under strict confinement.

alexmurray · February 22, 2023, 6:19am

@jardon are you still wanting classic confinement for this snap? If so you need to provide some justification as to why this is required, and to which of the supported categories listed at Process for reviewing classic confinement snaps you believe the mongodb snap fits within. As from what I can see it doesn’t really appear to fit within any of the existing categories, and I can’t see any great justification as to why this snap is not able to work under strict confinement.

jardon · February 22, 2023, 8:52pm

No. We are moving forward without it. Thank you!

alexmurray · February 22, 2023, 11:44pm

Thanks for letting us know - I will remove this request from our queue.