NOTE: this has been superseded by a new plan, see below for details
To support applying netplan configuration from inside a snap, we have a 2-phase plan, with the eventual goal of “it just works” transparently by calling netplan apply inside snaps. The reason we can’t just give netplan access to apply configuration directly is that the necessary accesses were judged to be effectively full control of, and access to, systemctl/systemd (see discussion on https://github.com/snapcore/snapd/pull/5915).
We will implement a hidden command to snapctl: snapctl netplan-apply, which will simply have snapd run netplan apply on behalf of the snap outside of confinement if and only if the calling snap:
- has the netplan-apply attribute on the network-setup-control interface specified as true (this will require store approval)
This will enable a snap to call netplan apply by calling snapctl netplan-apply, but this is only provided as a temporary measure until Phase 2 is available.
See https://github.com/snapcore/snapd/pull/7107 for an open PR which is close to implementing it.
Note that the netplan-apply attribute is analogous to the allow-sandbox attribute for the browser-support interface, granting additional accesses to a store-vetted, trusted consumer of the
Once snapctl is able to proxy calls to netplan apply, then we will teach netplan itself to check if it is running inside a snap, and if so, netplan will call snapctl netplan-apply directly so that an application can use netplan apply inside a snap and it just works. This is how xdg-open currently works inside snap confinement.
Note that in this phase, we still have the hidden snapctl command, which will only be meant to be called by netplan itself.
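
The Phase 1 gate described above, sketched as an added example; this is not snapd's code or the code in the linked PR. The Plug type and both function names are hypothetical, and the strict boolean check and the fixed argv are assumptions about how such a gate would be written.

```go
package main

import (
	"errors"
	"fmt"
)

// Plug is a hypothetical, simplified model of one plug declared by a snap.
type Plug struct {
	Interface string
	Attrs     map[string]interface{}
}

var errNotAllowed = errors.New("snap is not allowed to run netplan apply")

// mayNetplanApply reports whether the snap has a network-setup-control plug
// whose netplan-apply attribute is the boolean true.
func mayNetplanApply(plugs []Plug) bool {
	for _, p := range plugs {
		if p.Interface != "network-setup-control" {
			continue // the attribute only counts on this interface
		}
		// Assumption: strict typing, so the string "true" or a number is rejected.
		if v, ok := p.Attrs["netplan-apply"].(bool); ok && v {
			return true
		}
	}
	return false
}

// handleNetplanApply models the privileged side of snapctl netplan-apply.
// It returns the fixed command to run outside confinement; nothing supplied
// by the calling snap ends up in the argv.
func handleNetplanApply(plugs []Plug) ([]string, error) {
	if !mayNetplanApply(plugs) {
		return nil, errNotAllowed
	}
	return []string{"netplan", "apply"}, nil
}

func main() {
	// Constructed sample plug declarations.
	vetted := []Plug{{"network-setup-control", map[string]interface{}{"netplan-apply": true}}}
	quoted := []Plug{{"network-setup-control", map[string]interface{}{"netplan-apply": "true"}}}
	fmt.Println(handleNetplanApply(vetted))
	fmt.Println(handleNetplanApply(quoted))
}
```

Keeping the decision on the privileged side means a snap without the store-approved attribute is refused before anything runs outside confinement.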