Hey,
we, the Anbox team at Canonical, maintain a snap named anbox-cloud-appliance which we are currently moving from classic to strict confinement. Anbox Cloud is only available through the Ubuntu Pro offering from Canonical and requires access to credentials to access the official image server hosted at https://images.anbox-cloud.io. These credentials are placed by the pro client when the anbox-cloud service is enabled in a file at /var/lib/ubuntu-advantage/private/anbox-cloud-credentials (see ubuntu-pro-client/uaclient/entitlements/anbox.py at next-v34 · canonical/ubuntu-pro-client · GitHub for the responsible code in the Ubuntu Pro client). The anbox-cloud-credentials file has permissions set to 0600 and is owned by root:root.
These credentials are specific to Anbox Cloud and in order to provide users access to the image server through the setup experience of the anbox-cloud-appliance snap we would like to have read-only access to this specific file via the system-files interface.
Auto connection is not strictly needed as we can always ask the user through the interactive setup to connect the interface but would be preferred.
The plug configuration will look as follows
plugs:
var-lib-ubuntu-advantage-private-anbox-cloud-credentials:
interface: system-files
read:
- /var/lib/ubuntu-advantage/private/anbox-cloud-credentials
The intended flow for usage of the anbox-cloud-appliance snap is
# User attaches to his Ubuntu Pro subscription
$ sudo pro attach xxx
# The "anbox-cloud" service is enabled which will make the pro client install the `anbox-cloud-appliance` snap
$ sudo pro enable anbox-cloud
# The user runs the initialization process of the Anbox Cloud Appliance which will load and configure the credentials as necessary
$ sudo anbox-cloud-appliance init
This is what is supported with the classic confined anbox-cloud-appliance snap today, see the official documentation.
Alternatively we can ask the user to manually provide the necessary credentials from the file at initialization time but would like to avoid that.
Thanks!
1 Like
Hey @morphis
This request looks legit to me. It should not be very surprising for anyone that anbox-cloud-appliance snap requires of anbox-cloud-credentials to access the anbox-cloud.
Thus, +1 from me for granting anbox-cloud-appliance read access to /var/lib/ubuntu-advantage/private/anbox-cloud-credentials via auto-connection of system-files interface
Thanks
Thanks @jslarraz !
@review-team anyone else who can take a look? 
+1 from me too for the same reasoning as @jslarraz above 
Thanks @alexmurray !
@review-team any further comments/votes necessary or can we get this in place? Thanks
+2 for, 0 against, granting anbox-cloud-appliance read access to /var/lib/ubuntu-advantage/private/anbox-cloud-credentials via auto-connection to a system-files interface named var-lib-ubuntu-advantage-private-anbox-cloud-credentials. The publisher is vetted. This is now live.
Please let me know if everything works as expected
1 Like
Thanks @jslarraz!
Publishing a new snap with the plug and auto-connection works fine.
However we seem to have misunderstood how the system files interface works. As with the current configuration it allows us access to the /var/lib/ubuntu-advantage/private/anbox-cloud-credentials path through the AppArmor rules but the file isn’t mapped from the hostfs to the snap execution environment. So it looks like the actual path we need access to from within the snap environment is /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/private/anbox-cloud-credentials rather than /var/lib/ubuntu-advantage/private/anbox-cloud-credentials. Is this understanding correct?
If yes, can we update the allowed plug definition to the following:
plugs:
hostfs-var-lib-ubuntu-advantage-private-anbox-cloud-credentials:
interface: system-files
read:
- /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/private/anbox-cloud-credentials
I’ve prefixed the plug here with hostfs- to not make the plug name much longer.
1 Like
Thanks @morphis - that sounds fine. I have updated the snap declaration on the store to match this change via hostfs.
1 Like
Many thanks @alexmurray !
I can confirm that with the updated plug and snap declaration now everything works as expected.
