Request classic confinment for Tigris CLI tool

Along with regular database client functionality, our CLI provides a way to easily spin up local-development database instance, using: tigris local up / tigris local down commands. Those commands require docker image pull, run and stop permission.

In order to publish the CLI on snap we would need classic confinement permission, or strict confinement with plugs.docker permission. Moreover, we only need permission to pull, run and stop very specific tigrisdata/tigris-local image.

Please consider the request.

We are 100% open-source:

@firsov as you have described, tigris can stay under strict confinement and plug docker instead. If tigris properly work this way, this is preferred. Could you please update the post title to reflect this is not a classic confinement request anymore?

+1 from me for use of docker to tigris since based on what I see in the Makefile, docker compose commands are needed to start/stop the server and other basic functionalities. Can other @reviewers please vote?

It seems that auto-connection could be desirable but this will require publisher vetting since docker is a privileged interface.

Thanks for your reply, @emitorino!

What would be my next steps?

I’ve changed the confinement to strict, added docker plug and requested manual review here:

Here is my snapcraft.yaml:

Is that right?

+1 from me for use-of docker by tigris as this is part of its standard functionality.

+2 votes for, 0 votes against. Granting auto-connect for plugging docker to tigris, this is now live.

@firsov could you please upload a new revision or request a manual review so the changes take effect?

Thank you, for granting the permission.

I’ve uploaded new version and it works.

$ sudo tigris local up
[sudo] password for firs: 
latest: Pulling from tigrisdata/tigris-local 
Digest: sha256:c380a586b4f850cdf8a95faf2e453b593485ce1a2e0b1cc6a373528ffabc3a24
Status: Image is up to date for tigrisdata/tigris-local:latest
Tigris is running at localhost:8081
$ tigris create database db1
$ tigris list databases
$ sudo tigris local down
Tigris stopped

However, I have couple of questions:

  1. system docker cannot be used and docker need to be installed from snap: sudo snap install docker. Is there a way to explicitly define docker dependency for Tigris snap, so that it’s installed automatically?
  2. Docker commands require super privileges sudo tigris local up, while with the system I can run it with the current user priveleges tigris local up, is there a way to enable unprivileged Docker access for the snap?

Thanks again, besides two above concerns it works nicely!