I am working on publishing the Vicegerent devops tool as a snap. One essential part of the app is access to the host machine’s $PATH variable and the ability to start arbitrary programs.
@jamesh told me in this post that this is only possible with the classic confinement. Thus I would request permission for that.
I have registered the vicegerent name and got the snap working on my local machine.
I have read the linked discussion, but I would encourage you to first explore other alternatives that iiuc could work in your scenario while keeping your snap under strict confinement. From your GitHub documentation, I see the app “helps you to run predefined sets of commands in the server”: have you tried shipping the tools you need (e.g. via stage-packages) in your snap?
I also see you might need to run docker, so you could install the docker snap and then make use of the docker interface. This topic can be of help for further understanding Request for "classic" confinement for package Wilfred.
FYI, if you take a look at our process for reviewing classic confinement snaps, the need to launch arbitrary applications is not generally considered a supported use-case for classic confinement.
So I suggest you turn the snap back to strict confinement and try some of the options provided. You can use snappy-debug to alert you of any denials; snappy-debug will recommend interfaces based on the behavior it observes in your snap. Instructions on how to do so can be found here: https://snapcraft.io/docs/debugging-building-snaps#heading--identifying-missing-interfaces
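For readers wondering what the strictly-confined alternative suggested in this reply looks like in practice, here is a sketch of a snapcraft.yaml. It is an added example, not taken from the thread or from the Vicegerent project; the part and app names, the source location, the interface list and the staged packages are all assumptions.

```yaml
# Added example (not the project's own packaging): strict confinement with
# the tools the command sets need shipped inside the snap, plus the docker
# interface instead of reaching the host's docker binary via $PATH.
name: vicegerent
base: core22
version: git
summary: Run predefined sets of commands on a server, invoked by an HTTP call
description: |
  Hypothetical strictly-confined packaging of the Vicegerent Go application.
  Tools the predefined command sets call are staged into the snap, so they
  resolve inside the snap's own $PATH rather than on the host's.
grade: stable
confinement: strict          # the alternative to "classic" discussed above

apps:
  vicegerent:
    command: bin/vicegerent
    daemon: simple
    plugs:
      - network-bind          # accept the incoming HTTP calls
      - network               # outbound connections made by the command sets
      - docker                # talk to the docker snap's daemon (not auto-connected)

parts:
  vicegerent:
    plugin: go
    source: .                 # assumption: built from the project checkout
    build-snaps:
      - go
    # Assumed list: whatever the predefined command sets actually invoke.
    stage-packages:
      - curl
      - coreutils
```

The docker plug has to be connected by the administrator after installation, and running snappy-debug while exercising the command sets reveals which further interfaces the confined snap is still denied.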
Thank you for your suggestions!
I do not think that shipping the needed tools in the snap would solve the problem. A real-world use case in a CI/CD pipeline might look like this:
- run some general system updates
- check that there is enough disk space available
- install the new version of the software
- run some checks to verify that the installation process was successful
Thus it would not be possible to foresee all the commands which might be needed by the end user. I am afraid that if only a restricted subset of commands is available, the application is not usable in practical scenarios any more.
Would there be an option to publish with classic confinement to only
I have also considered just publishing the snap with GitHub releases and asking the users to install it manually, but this way there is no good way to handle updates.
@eeriksp the requirements for classic confinement in regards to vicegerent are understood, as it would appear it cannot function as expected (i.e. launching arbitrary binaries etc.) without that permission.
Also, from the description on the GitHub project page:
“Vicegerent is a small Go application which helps you to run predefined sets of commands in the server invoked by an HTTP call.”
This would appear to potentially fit within the existing category for classic confinement of “HPC or orchestration agents/software for running workloads on systems without traditional users where the systems are otherwise managed outside of the agent”. This is a bit of a grey area (hence @emitorino’s discussion above, as this is not entirely cut-and-dried), but given this is more of a specialist tool I am inclined to look at it more through this lens and so would support the use of classic confinement in this case.
As such, the requirements for classic confinement are understood.
@advocacy could you please perform publisher vetting?
@eeriksp Is there an official domain/page for Vicegerent by any chance?
@Igor Right now the GitHub repository page serves that purpose. However, in the future, as the documentation grows in size, we are planning to publish a dedicated webpage.
@Igor: For now I believe we can use the vicegerent GitHub repository as the official app page. @eeriksp please let us know as soon as you publish a dedicated webpage for it. Thanks!
Yes, let’s use the GitHub page for now and I will let you know as soon as a dedicated page has been published.
@igor can we please proceed with vetting for this snap?
Based on the available criteria, +1 from me.
Thanks @igor, classic confinement granted, this is now live. Subsequent uploads of vicegerent should pass automated review.
Excellent, thank you!
Vicegerent v1.1 is now out and published as a snap.