Publish Vicegerent snap with classic confinement

I am working on publishing the Vicegerent devops tool as a snap. One essential part of the app is access to the host machine’s $PATH variable and the ability to start arbitrary programs.

@jamesh told me in this post that this is only possible with the classic confinement. Thus I would request the permission for that.

I have registered the vicegerent name and got the snap working on my local machine.

Hey @eeriksp,

I have read the linked discussion but I would encourage you to first explore other alternatives that iiuc could work in your scenario while keeping your snap under strict confinement. From your GitHub documentation, I see the app “helps you to run predefined sets of commands in the server”: have you tried shipping the tools you need (e.g. stage-package) in your snap?

I also see you might need to run docker, so you could install the docker snap and then make use of the docker interface. This topic can be of help for further understanding: Request for "classic" confinement for package Wilfred.

FYI, if you take a look at our process for reviewing classic confinement snaps, the need to launch arbitrary applications is not generally considered a supported use-case for classic confinement.
So I suggest you turn the snap to strict confinement again and try some of the options provided. You can use snappy-debug to alert you of any denials. snappy-debug will recommend interfaces based on the behavior it observes in your snap. Instructions on how to do so can be found here https://snapcraft.io/docs/debugging-building-snaps#heading--identifying-missing-interfaces
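
To make the denial-review step above concrete, here is an added example that is not part of the thread or of any project's code: a Python script that summarizes AppArmor denial lines for one snap, the kind of record snappy-debug reports on. The log lines, the profile name `snap.vicegerent.vicegerent` and all paths are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's AppArmor audit format. The profile
# name snap.vicegerent.vicegerent and all paths are assumptions.
SAMPLE_LOG = '''\
audit: type=1400 audit(1610280001.100:201): apparmor="DENIED" operation="exec" profile="snap.vicegerent.vicegerent" name="/var/lib/snapd/hostfs/usr/bin/apt-get" pid=4100 comm="vicegerent" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1610280002.100:202): apparmor="DENIED" operation="open" profile="snap.vicegerent.vicegerent" name="/etc/fstab" pid=4100 comm="vicegerent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1610280003.100:203): apparmor="DENIED" operation="exec" profile="snap.vicegerent.vicegerent" name="/var/lib/snapd/hostfs/usr/bin/apt-get" pid=4101 comm="vicegerent" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1610280004.100:204): apparmor="DENIED" operation="exec" profile="snap.othersnap.app" name="/usr/bin/df" pid=4200 comm="app" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1610280005.100:205): apparmor="ALLOWED" operation="open" profile="snap.vicegerent.vicegerent" name="/proc/meminfo" pid=4100 comm="vicegerent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key=value pairs; values are either double-quoted or bare tokens.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text, snap_name):
    """Return one dict per AppArmor DENIED record from the snap's profiles."""
    prefix = f"snap.{snap_name}."
    records = []
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in _FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        if not fields.get("profile", "").startswith(prefix):
            continue
        records.append(fields)
    return records


def summarize(records):
    """Count denials per (operation, path, denied_mask), most frequent first."""
    keys = ("operation", "name", "denied_mask")
    return Counter(tuple(r.get(k, "?") for k in keys) for r in records).most_common()


def denied_execs(records):
    """Sorted, de-duplicated paths the snap tried to execute and was refused."""
    return sorted({r["name"] for r in records
                   if r.get("operation") == "exec" and "name" in r})


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_LOG, "vicegerent")
    for (op, path, mask), n in summarize(recs):
        print(f"{n}x {op:5} mask={mask} {path}")
    print("blocked executables:", denied_execs(recs))
```

Repeated `exec` denials on host paths are the signature of the "launch arbitrary programs" requirement discussed in this thread; `open` denials are more often resolved by connecting an interface.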

Hey @emitorino,

Thank you for your suggestions!

I do not think that shipping the needed tools in the snap would solve the problem. A real-world use case in a CI/CD pipeline might look like this:

  • run some general system updates
  • check that there is enough disk space available
  • install the new version of the software
  • run some checks to verify that the installation process was successful

Thus it would not be possible to foresee all the commands which might be needed for the end user. I am afraid that if only a restricted subset of commands is available, the application is not usable in practical scenarios any more.

Would there be an option to publish with classic confinement to only edge or beta channels?

I have also considered just publishing the snap with GitHub releases and asking the users to install it manually, but this way there is no good way to handle updates.