Request for classic confinement: oras and oras-test

The ORAS project provides a way to push and pull OCI Artifacts to and from OCI Registries. We have onboarded oras CLI v1.0.0 to Snapcraft so our Ubuntu users can easily install it. But to authenticate with OCI registries, the oras CLI needs to access the resources below, which are not in the snap sandbox:

  1. an external system-wide configuration file shared with docker and other container tools to store credentials.
  2. external helper tool binaries to save and load credentials securely.

Due to the above two use cases, the oras CLI needs to be installed in a classic way so both the configuration and external binaries installed on the Ubuntu host can be correctly found.

oras belongs to account (orasproject@gmail.com) and oras-test belongs to account (qweeah@gmail.com). We use oras to build and publish public snaps and oras-test to do PoC and validate our automated workflows.

Hello BillyZha,

Thanks for submitting this request. According to the process for reviewing classic snaps, we require that the request fit into one of the supported categories. Could you please identify if ORAS fits within any of those categories?

Have you considered if personal-files or system-files might be able to be used to satisfy this?

Would you be able to package those binaries into the snap using stage-packages?

Hey @BillyZha - ping, can you please provide the requested information that @dclane asked for? Thanks.

Could you please identify if ORAS fits within any of those categories?

Our use case fits into this one: kubernetes tools requiring arbitrary authentication agents. ORAS can be used to upload and download container images. Other K8S tools are expected to share the auth config and agents with ORAS.

Have you considered if personal-files or system-files might be able to be used to satisfy this?

Since the file path is user-specified, we need to enable the ORAS snap to access (read and write) files in every folder of $HOME, as well as every system file. I am not sure if it’s doable and it seems better not to sandbox those config files.

Would you be able to package those binaries into the snap using stage-packages?

No, we can’t. ORAS is expected to support any binaries compliant with the authentication mechanism, and it’s not possible to enumerate all the applications at build (snapcraft) time.

All in all, ORAS has the exact issue discussed in Personal-files request for kontena-lens - store-requests - snapcraft.io and Classic confinement for kontena-lens - store-requests - snapcraft.io. To me ORAS should not be sandboxed.

Thanks for your patience @BillyZha.

The requirements for classic are understood. @advocacy, can you please perform the vetting?

Looping @Igor in case the previous msg was missed

@BillyZha can you please point me to the official homepage for oras and oras test?

@Igor Official homepage for oras: https://oras.land/

oras-test is used to do PoC and validate our automated workflows and can be non-classic if it’s not applicable to be.

@BillyZha can you also please share (via DM if you like) the official email for oras?

@Igor You may use orasproject@gmail.com.

Hey @BillyZha, I am picking up the publisher vetting from here. Could you please get back to my DM that I just sent you? Thanks.

The publisher vetting for the oras snap is not complete. Thanks.

Classic confinement override granted to oras snap, this is now live.

@sahnaseredini Hi, I tried to release a classic snap but got the error below:

Publishing snap "oras_v1.2.0-rc.1_arm64.snap"...
/snap/bin/snapcraft upload oras_v1.2.0-rc.1_arm64.snap --release candidate
Uploading... (--->)
Uploading... (<---)
Status: processing
Status: processing
Status: processing
Status: error while processing
Issues while processing snap:
- confinement 'classic' not allowed with plugs/slots

Is there any way to check if the classic confinement is enforced?

Hi, could you please make sure you’ve removed the list of current plugs (home and network) from your snap, since you’re using classic confinement, and try again?
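
The change described in the reply above, as an added illustration that is not part of the original thread and is not the ORAS project's actual snapcraft.yaml. The `base` and `command` values are assumptions; only `confinement: classic` and the `home` and `network` plugs come from the thread.

```yaml
# Constructed snapcraft.yaml fragments (required keys such as version,
# summary, description and parts are omitted). A real snapcraft.yaml is
# a single document; the '---' below only separates the two variants.

# Variant 1: rejected by the store review with
#   "confinement 'classic' not allowed with plugs/slots"
name: oras
base: core22              # assumed base
confinement: classic
apps:
  oras:
    command: bin/oras     # assumed path inside the snap
    plugs:                # left over from the strictly confined build
      - home
      - network
---
# Variant 2: accepted. A classic snap runs outside the sandbox, so
# interface plugs have nothing to mediate and are removed entirely.
name: oras
base: core22              # assumed base
confinement: classic
apps:
  oras:
    command: bin/oras     # assumed path inside the snap
```

The same applies to a top-level `plugs:` or `slots:` key: none should remain once the snap declares classic confinement.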

Oh, I missed that. Got it, will try in the next release, thanks.

Tried and it works, thanks
