Request for classic confinement in cri-o snap

kjackal · September 19, 2023, 1:55pm

Hi,

We would like to ship a cri-o snap that is classic. The reason for this is that cri-o is a container runtime that needs to integrate with components in the host system and spawn unconfined processes. We would appreciate if you could approve the review of it in https://dashboard.snapcraft.io/snaps/cri-o/

Thank you, Konstantinos

dclane · September 22, 2023, 10:53am

hi @kjackal

Thanks for putting the request up. We typically require classic requests to fit into one of the categories listed in the process for revewing classic confinement snaps. This might be something that an exception can be made for, but I also note that (with snapd support) LXD is able to operate as a strictly confined snap for instance, (and docker is also). A couple of quick ideas come to mind: would the docker-support or lxd-support interfaces help at all, and does snappy-debug make any interface suggestions?

kjackal · October 2, 2023, 2:05pm

Hi @dclane

LXD is not a good example of strict snap because as you see in [1] it essentially drops the confinement when it starts.

Strictly confining container runtimes imposes many challenges to the underlying workloads. For example there is no obvious way to predict all possible workloads the user will need to run and therefore there is no way to predict what interfaces should be used. This is our experience with the MicroK8s snap for which we had to ship two versions a classic and a strict one.

I appreciate your understanding.

Thanks, Konstantinos

[1] https://github.com/canonical/lxd-pkg-snap/blob/latest-edge/snapcraft/commands/daemon.start#L4

dclane · October 11, 2023, 10:36am

@pedronis would you be able to comment here? I am inclined to think that cri-o is a candidate for classic, despite not fitting directly into an existing supported category.

kjackal · October 23, 2023, 10:40am

Is there any update on this?

dclane · October 24, 2023, 1:46am

I spoke with @pedronis last week, he is expecting to learn more about the broader requirement this week.

alexmurray · November 10, 2023, 7:47am

@pedronis - do you have any further updates which you can share regarding the general request for container runtimes to be granted classic confinement, or some other way forward for the cri-o snap? Thanks.

emitorino · November 30, 2023, 1:43pm

@kjackal hey, apologize for the late response.

Is your team still willing to ship cri-o as a classic confined snap?

Thanks!