skills and migration-skill in particular needs more documentation

Bug #1543220 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Snappy | Won't Fix | Critical | Unassigned |

Bug Description

With the recent changes to snap.yaml, the security directives (caps, security-template, security-override and security-policy) have moved under the migration-skill. docs/meta.md was updated for this, but it lacks examples and is altogether too terse. This may be intentional since AIUI the skills work is still in flux but IMO the migration-skill in particular needs to be adequately documented for people moving from 15.04 to 16.04.

As an example, if 15.04 package.yaml has:

services:
- name: foo
  caps:
  - network-client
  ...
- name: bar
  caps:
  - network-client
  - snapd
  ...
- name: baz
  security-template: unconfined
  ...
- name: norf
  security-policy:
    apparmor: meta/norf.aa
    seccomp: meta/norf.sc
- name: quux
  security-override:
    apparmor: meta/quux-aa.override
    seccomp: meta/quuz-sc.override

then your 16.04 yaml should have something like (very casual naming for the mapping to illustrate these map names can be anything):

apps:
  foo:
    ...
    uses:
    - my-networking-stuff
  bar:
    ...
    uses:
    - my-networking-stuff
    - my-snapd-stuff
  baz:
    ...
    uses:
    - my-unconfined
  norf:
    ...
    uses:
    - my-custom
  quux:
    ...
    uses:
    - my-caps-with-overrides

uses:
  my-networking-stuff:
    type: migration-skill
    caps:
    - network-client
  my-snapd-stuff:
    type: migration-skill
    caps:
    - snap-management
  my-unconfined:
    type: migration-skill
    security-template: unconfined
  my-custom:
    type: migration-skill
    security-policy:
      apparmor: custom.aa
      seccomp: custom.sc
  my-caps-with-overrides:
    type: migration-skill
    caps:
    - network-client
    security-override:
      read-paths:
      - /etc/motd
      write-paths:
      - /run/quux.pid
      syscalls:
      - yyy
      - zzz

AIUI, the security yaml was moved under a migration skill so that snap.yaml could land without the now obsoleted security yaml and that the non-migration security skills will land once other skills details are worked out. Also note that the available 'caps' on 16.04 are different than on 15.04 since they are migrating to skills. You can see the current list with 'sudo snappy install snappy-debug && snappy-debug.security list -i', but be warned this list is subject to change as the skills work evolves.

Tags: snap-docs
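
The mapping described in the report, as an added Python example (not part of the bug report and not Snappy's own code). It works on the already-parsed 15.04 `services` list; the function name, the generated `uses` names and the decision to copy security-policy paths unchanged are assumptions, and the only cap rename it knows is the one visible in the report's example.

```python
SECURITY_KEYS = ("caps", "security-template", "security-policy", "security-override")
# The one cap rename visible in the report's example; others are unknown here.
CAP_RENAMES = {"snapd": "snap-management"}


def migrate(services):
    """Map parsed 15.04 'services' to 16.04-style (apps, uses, review)."""
    apps, uses, review = {}, {}, []
    for svc in services:
        name = svc["name"]
        # Non-security keys stay on the app entry unchanged.
        app = {k: v for k, v in svc.items()
               if k != "name" and k not in SECURITY_KEYS}
        app["uses"] = []
        # One shared migration-skill per cap, so apps with the same cap
        # reference the same entry (like my-networking-stuff in the report).
        for cap in svc.get("caps", []):
            cap = CAP_RENAMES.get(cap, cap)
            skill = "cap-" + cap  # hypothetical naming scheme
            uses[skill] = {"type": "migration-skill", "caps": [cap]}
            app["uses"].append(skill)
        # Template and policy are per-app, so they get a per-app entry.
        own = {k: svc[k] for k in ("security-template", "security-policy")
               if k in svc}
        if own:
            skill = name + "-security"  # hypothetical naming scheme
            uses[skill] = {"type": "migration-skill", **own}
            app["uses"].append(skill)
        # 15.04 overrides point at files; the 16.04 example lists paths and
        # syscalls inline, so they are reported for manual translation
        # instead of being copied or silently dropped.
        if "security-override" in svc:
            review.append((name, "security-override needs manual translation"))
        if svc.get("security-template") == "unconfined":
            review.append((name, "runs unconfined"))
        apps[name] = app
    return apps, uses, review


# Constructed input: the report's 15.04 services, already parsed from YAML.
SERVICES = [
    {"name": "foo", "caps": ["network-client"]},
    {"name": "bar", "caps": ["network-client", "snapd"]},
    {"name": "baz", "security-template": "unconfined"},
    {"name": "norf", "security-policy": {"apparmor": "meta/norf.aa",
                                         "seccomp": "meta/norf.sc"}},
    {"name": "quux", "security-override": {"apparmor": "meta/quux-aa.override",
                                           "seccomp": "meta/quuz-sc.override"}},
]
```

The `review` list is the part to read before shipping the converted yaml: it names the apps whose confinement the script could not carry over mechanically and the ones that run unconfined.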
Changed in snappy:
importance: Undecided → Critical
description: updated
Michael Vogt (mvo) wrote :

There is no "migration-skill" (or "old-security") anymore. We do have documentation for the interfaces system in docs/interfaces.md. Is there anything missing here or can we close this bug?

Changed in snappy:
status: New → Incomplete
tags: added: snap-docs
Jamie Strandboge (jdstrand) wrote :

migration-skill is gone. Closing.

Changed in snappy:
status: Incomplete → Won't Fix