interfaces: add lxd-support interface #1720
jdstrand
added some commits
Aug 22, 2016

Looks good to me, LGTM

Ok, so as part of this, can someone from the snappy team do the initial upload of lxd on the canonical account and request for the lxd and lxc snap names to be moved to the canonical account too? My understanding is that I can't really do any of those myself but once that's done, I can get the store team to set things up so we can manage that snap with our normal SSO accounts (we'll need @tych0, myself and a bot account for automatic uploads).

I can upload a lxd snap and give you access to it.

@mvo5 Cool, that'd be nice. Let's just upload whatever we currently have in the edge channel under my account for now, I'll upload something a bit more up to date later :) I pushed a copy from the store to https://dl.stgraber.org/J60k4JY0HppjwOjW8dZdYc8obXKxujRu_21.snap if that helps you. Also it'd be great if you could add: To the uploaders, that'd be great. That way we can have Tycho iterate his packaging there in the edge channel and once that's done, we can have our existing bot account (managing PPAs and backports) to deal with the uploads whenever upstream changes (for edge, the rest will be manual).

I've just logged into myapps from that bot account (ubuntu-lxc-bot@stgraber.org) so it should have a myapps account now. I'll have Tycho do the same.

Please send a mail to canonical-snapcraft with detailed coverage of how this bot account is used. This shared account will be able to upload not only lxd, which holds an interface that can do absolutely anything on the system, but also replace ubuntu-core itself, so an arbitrary bot owning credentials there is not okay.
niemeyer
reviewed
Aug 24, 2016
| +func (iface *LxdSupportInterface) SanitizePlug(plug *interfaces.Plug) error { | ||
| + snapName := plug.Snap.Name() | ||
| + devName := plug.Snap.Developer | ||
| + if snapName != "lxd" { |
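Review bot: in SanitizePlug, plug.Snap.Name() and plug.Snap.Developer are read without a visible check that plug.Snap is set, so if plug.Snap can be nil this fails before the snapName != "lxd" test instead of returning an error; a guard that returns an error ahead of these two reads would keep every rejection on the same path. A short comment above the snapName test noting that name and developer are compared as plain strings as a transitional measure would also help the next reader.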
niemeyer
Aug 24, 2016
Contributor
Can we please merge both of those errors on a single message:
"lxd-support interface is reserved for the upstream LXD project"
niemeyer
reviewed
Aug 24, 2016
| @@ -296,6 +296,14 @@ Can read system logs and set kernel log rate-limiting. | ||
| * Auto-Connect: no | ||
| +### lxd-support | ||
| +Can access all resources and syscalls on the device for LXD to mediate access | ||
| +for its containers. This interface currently may only be used by the lxd snap |
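Review bot: the added lxd-support entry says the interface "Can access all resources and syscalls on the device" but does not describe it as transitional or effectively unconfined, which is the first thing a reader deciding whether to connect it needs to know; consider opening the entry with that statement. The sentence beginning "This interface currently may only be used by the lxd snap" should also name the developer requirement, if the rest of the sentence does not already, so the documentation stays in step with the SanitizePlug check.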
niemeyer
Aug 24, 2016
Contributor
This interface currently may only be established with the upstream LXD project.

Code LGTM assuming the suggested messaging changes go in.

This looks good to me! I applied the review feedback into #1733 and merged that so that it can be part of the SRU of today. @stgraber Unfortunately if the snap is already in the store I can not help. I can only upload new snaps. To transfer snaps from one account to the other you will have to talk to the store team, Nessita is the best person probably.

jdstrand commented Aug 22, 2016
As discussed in #1699, implement a transitional (essentially unconfined) lxd-support interface such that the plugging snap must be named 'lxd' and be from the 'canonical' developer. This also means that the interface will not connect if the snap is sideloaded. LXD developers should add 'plugs: [ lxd-support ]' to the snap and test by uploading to the store in a non-stable channel and 'snap install lxd --channel=...'. When assertions are fully in place for interface connections, we may consider changing this.
The check is implemented in SanitizePlug and it does not panic(). Instead the error is logged in syslog like so: