New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
interfaces/greengrass-support: add support for Amazon Greengrass as a snap #3467
Conversation
@didrocks - if you want to test this, simply create a devmode snap and use 'plugs: [network-bind, greengrass-support]'. Then do:
You can of course also try it in strict mode like I did :) |
Codecov Report
@@ Coverage Diff @@
## master #3467 +/- ##
==========================================
+ Coverage 77.16% 77.16% +<.01%
==========================================
Files 373 374 +1
Lines 25793 25803 +10
==========================================
+ Hits 19903 19912 +9
Misses 4133 4133
- Partials 1757 1758 +1
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Name seems fine, code seems fine, permissions seem extremely rich. Trusting you on the latter.
@niemeyer - indeed it is rather permissive. This interface can be thought of in the same general category as docker-support, lxd-support and kubernetes-support which is why it has a restrictive installation constraint in the base declaration. |
Sorry to bother you all, but could you please point me to where I can install this snap, and ideally an example of it in use? Thank you very much! |
Amazon Greengrass (https://aws.amazon.com/greengrass) consists of several parts: remote AWS, greengrassd and so-called 'lambda functions'. greengrassd communicates with AWS and launches lambda functions within a sandbox. This interface allows greengrassd to launch lambda functions within the Greengrass sandbox. The Greengrass sandbox is proprietary software and not designed to work with snappy confinement. The Greengrass sandbox for lambda functions consists of (only as it pertains to interactions with the snappy sandbox):
As such, the greengrass-support interface provides a lot of privilege to the connected snap and like other interfaces of this kind, it requires a snap declaration for installation.
Due to how Greengrass is designed, lambda functions have the same snappy permissions as greengrassd and their confinement primarily comes from the Greengrass sandbox. Various ideas were explored for snappy security policy to make lambda function confinement stricter (eg, having a separate strict profile for lambda functions that the snappy sandbox would enforce when executing lambda functions). Because of greengrassd's use of NO_NEW_PRIVS, the only way to achieve this was to use AppArmor policy stacking, but there are various kernel and userspace bugs that prevent pursuing this at this time. Once these bugs are addressed, a future update to this interface may implement policy stacking to further restrict lambda functions.
Lastly, this interface was developed using a partially functional snap from @didrocks and I expect some iterating and profile additions once the fully functionally snap is available (@didrocks and Amazon are working together on this). As is, the interface is able to launch greengrassd which then launches several processes as sandboxed lambda functions, so the interface should be pretty close to being finalized as is (and is therefore IMO ok to commit to snapd now).