Info about SNAP lxd-support interface needed


Why does Snapcraft provide the lxd-support interface, and what added functionality/access does it give on top of LXD itself? The reason I am asking this is that I see the LXD snap itself plugs into the slot “lxd-support”. Bit confused here because my basic understanding is that interfaces enable access to services provided by other applications/snaps or others via slots.

I could understand that LXD needs other services such as network, network-bind and system-observe for it to work, and that it exposes the lxd interface for other applications to connect to! But why would it need to connect to lxd-support? Sorry if it sounds basic, but I couldn’t get the hang of this interface requirement.

gokul@srv1:~$ snap connections lxd
Interface Plug Slot Notes
lxd - lxd:lxd -
lxd-support lxd:lxd-support :lxd-support -
network lxd:network :network -
network-bind lxd:network-bind :network-bind -
system-observe lxd:system-observe :system-observe -

Snap interfaces grant additional permissions to the snap. In this case, the lxd-support interface is an interface that was designed to provide LXD with what it needs to interact with the system.

That interface will effectively only ever be used by the lxd snap itself and will never be granted for use by another snap. Snaps that wish to interact with LXD should use the lxd interface instead, which will grant them access to the LXD socket.

Thanks @stgraber for the reply. Is it possible to give one or two example permissions that lxd-support provides? I mean, for example, the “network” interface gives access to the network on the host; what access does lxd-support provide?

lxd-support provides pretty much unlimited access to the kernel and filesystem as LXD needs the ability to define containers and virtual machines, including security profiles (apparmor, seccomp, …) and the ability to have processes persist across snap restarts/updates.

@stgraber, do you have any suggestion for the below:
I want to remotely manage the LXD cluster, including which LXD snap version the hosts can have; also, I can’t access the LXD REST API directly on a host for environment setup reasons. I was thinking of placing gRPC code to access and execute operations on the LXD unix socket. My impression was that it would be much more straightforward if I had my own snap which has a stage-snaps dependency on the LXD snap (including a specific version) and used the LXD binaries & libs to execute in my snap environment (isolated from any existing LXD environment). Am I allowed to do this?

Hmm, maybe. I’m not sure how well including the LXD snap as a stage-snap will work in general, but if that does work and your snap contains all the bits needed to start your own LXD daemon from the bits pulled in through the stage-snap, that may work.

You’d then either need to install the snap in devmode, which turns off all confinement and will let it work, or you’ll indeed need to have the lxd-support interface added.
In either case, such a snap will never be allowed in the store, so you’ll end up having to always sideload it with snap install whatever.snap --dangerous.
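Since lxd-support grants near-unlimited kernel and filesystem access and only the lxd snap itself should ever hold it, a host audit can flag any other snap whose lxd-support plug is connected (for instance a sideloaded --dangerous snap). The helper below is an added example, not code from the thread or from LXD/snapd; it parses the `snap connections` table format shown above, and the sample output is constructed from that listing plus two assumed snap names, mylxdctl and other.

```shell
#!/bin/sh
# Added audit helper (not part of the thread): find snaps with a connected
# lxd-support plug. Input is the text printed by `snap connections`.

# Sample input constructed from the thread's `snap connections lxd` listing,
# plus two assumed snaps: "mylxdctl" (connected) and "other" (slot "-", i.e.
# its plug is not connected).
SAMPLE_CONNECTIONS='Interface Plug Slot Notes
lxd - lxd:lxd -
lxd-support lxd:lxd-support :lxd-support -
network lxd:network :network -
network-bind lxd:network-bind :network-bind -
system-observe lxd:system-observe :system-observe -
lxd-support mylxdctl:lxd-support :lxd-support -
lxd-support other:lxd-support - -'

# lxd_support_holders: read `snap connections` output on stdin and print the
# snap name of every connected lxd-support plug, one per line.
# Columns are: Interface Plug Slot Notes. The Plug column is "snap:plug";
# a Slot of "-" means the plug is present but not connected.
lxd_support_holders() {
    awk 'NR > 1 && $1 == "lxd-support" && $3 != "-" {
            split($2, p, ":"); print p[1]
         }'
}

# unexpected_lxd_support: as above, but drop the lxd snap itself, which is the
# only snap the store will ever allow on this interface. Anything left over
# was almost certainly sideloaded with --dangerous or installed in devmode
# and deserves a look.
unexpected_lxd_support() {
    lxd_support_holders | grep -v '^lxd$' || true
}

# Usage on a live host:  snap connections | unexpected_lxd_support
```

An empty result from unexpected_lxd_support is the expected state on a host that only runs the store-published lxd snap.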

Thanks @stgraber, I think I got the answer I was looking for.