Request classic confinement for tf-wrapper

dex4er · January 7, 2025, 6:23pm

name: tf-wrapper
description: Less verbose and more shell-friendly Terraform
snapcraft: tf/.goreleaser.yaml at main · dex4er/tf · GitHub
upstream: GitHub - dex4er/tf: Less verbose and more shell friendly Terraform
upstream-relation: author
supported-category: tools for local, non-root user driven configuration of/switching to development workspaces/environments
reasoning: access to $HOME/.terraform directory; running other commands (terraform binary and its plugins)

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces.

Running strict confinement ends with errors like:

Error: exec: “tofu”: executable file not found in $PATH

jslarraz · January 9, 2025, 9:15am

Hi @dex4er

Strict confinement is always preferred over classic. Can you try:

access to $HOME/.terraform directory

Use personal-files interface

running other commands (terraform binary and its plugins)

Use stage-packages to ship the required binaries with your snap

Thanks

dex4er · January 12, 2025, 10:26pm

Hi @jslarraz

I checked the wrapper with strict confinement and it is useless. The wrapper should be able to run any version of Terraform and actually any other commands too as Terraform can run anything using local-exec.

De facto the wrapper + Terraform are kind of shell and this is legit excuse to use classic confinement.

If you won’t agree then I’m going to remove this wrapper from Snapcraft.io as it will become useless as standalone tool without access to the other commands.

jslarraz · January 22, 2025, 10:58am

The two reason you provided, are explicitly listed as unsupported in the Process for reviewing classic confinement snaps

dependent software only available on host (ship in instead snap (eg, stage-packages, build from source))
access to dot files in $HOME (use $HOME instead of getent*, personal-files)

So honestly, I don’t this this snap is subject for classic confinement

dex4er · January 22, 2025, 2:48pm

Ok, no problem. I see that Snap package is not the best option for such wrapper that runs any other command from the host then I’m removing this package from the store.

ogra · January 23, 2025, 11:50am

Well, terraform is in fact a classic snap itself (not sure if that makes this request more valid, but it actually used a different category and different reasoning) Guidance on classic vs auto-connect for Terraform

dex4er · January 23, 2025, 12:05pm

This is exactly reason why I can’t use non-classic confinement yet: I can’t embed Terraform as it is not yet with strict confinement. So maybe later.

jslarraz · January 23, 2025, 1:11pm

Let me bring this discussion the next reviewers alignment meeting. I’ll come back to you