Blockers to strict confinement of juju snap?

It’s generally preferable to avoid --classic for better cross-distro portability of a snap, and of course better security for users. What are the blockers to strict confinement of this snap? I can appreciate that useful bundles etc might not be in the home directory, but there are ways to let users selectively grant access to files outside of the home tree.

In general, the Juju client isn’t doing anything that I can think of which would require --classic. What’s the rationale?

At the time that we put together the juju snap there were several interfaces that didn’t exist (IIRC, being able to access a user’s SSH host key was one of them). I believe they exist now, we just haven’t had the time to reevaluate what it would take to go strictly confined.

Some of my challenging use-cases:

  • NFSv3 homes.
  • NFSv4 homes kerberized.
  • … the above in a multiuser environment.

@erik-lonroth I would imagine it would always be possible to install without confinement if you want. Do snaps break in the above scenarios with --devmode?

@jameinel could we at least progress the quick wins, i.e. take a look and see if there are standard interfaces that cover the things we need, and publish a list of things that are blockers if there are any?

@sabdfl not sure atm, but also now that I remember it, CentOS uses SELinux, which has some challenges with snap.

We discovered many of these things deploying and developing our HPC stack with MAAS, Juju and Slurm.

I would be happy to share experiences on that at some time.