Request for classic confinement for sos

Hi,

I would like to package sos [1] as a snap [2]. The sos command collects various log files and system information. Given the nature of this task the snap needs to be classically confined. The snap is not registered with the store yet as I am waiting for upstream to approve my PR.

Thanks,

Nick

[1] https://github.com/sosreport/sos
[2] https://github.com/sosreport/sos/pull/2233

Access to this information is not a supported use-case for classic confinement. I believe most of what sos should require access to would already be provided by various interfaces but without knowing more of what exactly sos tries to capture it is hard to be specific.
Can you give more details on what needs to be collected? For logs there is already the log-observe interface, or you can also use the system-backup interface to access most files from the host environment. Finally, there are the system-observe, hardware-observe and network-observe interfaces, which allow access to various pieces of system information.

As such I feel sos should be able to operate under strict confinement.
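For reference, the strict-confinement setup suggested in the reply above could be declared as in the following `snapcraft.yaml` fragment. This is an added example, not the file from the sos pull request; the base, version, summary, description and command path are assumptions, and the `parts:` section is left out.

```yaml
# Added illustration: metadata and app declaration only, build parts omitted.
name: sos                      # assumed name; the thread says it is not registered yet
base: core20                   # assumed base
version: '0.0-example'         # constructed placeholder
summary: Collect log files and system information   # constructed text
description: |
  Constructed description for this example.
grade: devel

# The original request was for "confinement: classic".
# The reviewer's proposal is strict confinement plus the interfaces below.
confinement: strict

apps:
  sos:
    command: bin/sos           # assumed path inside the snap
    plugs:
      - log-observe            # logs
      - system-backup          # most files from the host environment
      - system-observe         # system information
      - hardware-observe       # hardware information
      - network-observe        # network information
```

After installing a build of this, `snap connections sos` lists each plug and whether it is connected; any plug shown as unconnected can be connected with `sudo snap connect sos:<plug>` before testing what sos is still denied.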

Hi Alex,

Thanks for the hints! I will modify the snap and add those interfaces and check whether those are sufficient. Could we leave my request open for now until I can confirm whether the supported interfaces are sufficient?

Thanks!

Nick

Hey @nicolasbock,

Please feel free to leave this request open until you confirm sos works under strict confinement. You can use snappy-debug to get suggestions/understand missing interfaces and denials. If you run into problems, post the snappy-debug output here along with your questions and we are happy to help.

Please remember classic snaps are not installable on Ubuntu Core devices and also run in the global mount namespace, which means great care must be taken for the snap to work reliably across distributions. If you can make sos work under strict confinement, you will enjoy all the benefits of a stable runtime environment.