From 05001ec249e07c45ff17ebe9a032d356668bafd4 Mon Sep 17 00:00:00 2001
From: Corey Bryant
Date: Tue, 13 Jun 2017 14:55:02 +0000
Subject: [PATCH] Switch back to strict confinement
The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Switch back to running apps under root
Change-Id: I4704cac75230df5514ce42cdd6cde2b7ad9ed9b3
---
README.md | 11 +++--------
snap/snap-openstack.yaml | 15 ---------------
snapcraft.yaml | 41 +++++++++++-----------------------------
3 files changed, 14 insertions(+), 53 deletions(-)
diff --git a/README.md b/README.md
index 09218e9..31c8a51 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ service, Glance.
 The glance snap can be installed directly from the snap store:
- sudo snap install --edge --classic glance
+ sudo snap install --edge glance
 The glance snap is working towards publication across tracks for OpenStack releases. The edge channel for each track will contain the tip
@@ -17,8 +17,8 @@ will be published progressively to beta, then candidate, and then stable once CI validation completes for the channel. This should result in an experience such as:
- sudo snap install --classic --channel=ocata/stable glance
- sudo snap install --classic --channel=pike/edge glance
+ sudo snap install --channel=ocata/stable glance
+ sudo snap install --channel=pike/edge glance
 ## Configuring glance
@@ -64,11 +64,6 @@ The services for the glance snap will log to its $SNAP_COMMON writable area:
 ## Managing glance
-The glance snap will drop privileges to run daemons and commands under
-a regular user named snap-glance. Additionally, permissions and ownership
-of files and directories in /var/snap/glance/common/ are modified to
-restrict access from other users.
-
 The glance snap has alias support that enables use of the well-known glance-manage command. To enable the alias, run the following prior to using the command:
diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
index 37b1c6e..bfc82de 100644
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@@ -1,20 +1,11 @@
 setup:
- users:
- snap-glance: [snap-glance]
- default-owner: "root:snap-glance"
 dirs:
- - "{snap_common}/etc"
 - "{snap_common}/etc/glance/glance.conf.d"
- - "{snap_common}/lib"
 - "{snap_common}/lib/images"
 - "{snap_common}/lock"
 - "{snap_common}/log"
 templates:
 glance-snap.conf.j2: "{snap_common}/etc/glance/glance.conf.d/glance-snap.conf"
- rchown:
- "{snap_common}/lib": "snap-glance:snap-glance"
- "{snap_common}/lock": "snap-glance:snap-glance"
- "{snap_common}/log": "snap-glance:snap-glance"
 entry_points:
 glance-manage:
 binary: "{snap}/bin/glance-manage"
@@ -24,8 +15,6 @@ entry_points:
 - "{snap_common}/etc/glance/glance-manage.conf"
 config-dirs:
 - "{snap_common}/etc/glance/glance.conf.d"
- run-as:
- snap-glance: [snap-glance]
 glance-registry:
 binary: "{snap}/bin/glance-registry"
 config-files:
@@ -35,8 +24,6 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/glance/glance.conf.d"
 log-file: "{snap_common}/log/glance-registry.log"
- run-as:
- snap-glance: [snap-glance]
 glance-api:
 binary: "{snap}/bin/glance-api"
 config-files:
@@ -46,5 +33,3 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/glance/glance.conf.d"
 log-file: "{snap_common}/log/glance-api.log"
- run-as:
- snap-glance: [snap-glance]
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 2085449..9b6feff 100644
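Review bot: With `users`, `default-owner` and `rchown` gone from `setup`, nothing left in the `dirs`/`templates` stanza constrains the ownership or mode of what is created under `{snap_common}`, so `etc/glance/glance.conf.d` (where the rendered `glance-snap.conf` lands, presumably carrying backend credentials) and `lib/images` get whatever the root-run setup's umask produces. Strict confinement limits what the snap's own processes may touch; it does not restrict which host users can read `/var/snap/glance/common/`, which is the protection the removed `rchown` block and the deleted README paragraph provided. I would confirm whether snap-openstack's `setup` exposes a mode/permission key and, if so, pin those two directories to an owner-only mode there; otherwise a `chmod` step in the `config` part's install scriptlet is the fallback. The three `run-as` removals in the following hunks follow from the same decision and need no separate change.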
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -6,30 +6,30 @@ description: |
 to store, browse, share, distribute and manage bootable disk images, other data closely associated with initializing compute resources, and metadata definitions.
-confinement: classic
+confinement: strict
 grade: devel
 apps:
 api:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-api
+ command: snap-openstack glance-api
 daemon: simple
+ plugs:
+ - network-bind
 registry:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-registry
+ command: snap-openstack glance-registry
 daemon: simple
+ plugs:
+ - network
+ - network-bind
 manage:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-manage
+ command: snap-openstack glance-manage
 aliases:
 - glance-manage
+ plugs:
+ - network
 parts:
 glance:
- after: [python]
 plugin: python
 python-version: python2
 source: http://tarballs.openstack.org/glance/glance-stable-ocata.tar.gz
@@ -50,11 +50,6 @@ parts:
 - libssl-dev
 - libxml2-dev
 - libxslt1-dev
- stage:
- - -usr/bin/2to3
- - -usr/bin/pydoc
- - -usr/bin/python2.7
- - -usr/lib/python2.7
 install: |
 touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
 touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@@ -65,7 +60,6 @@ parts:
 after: [glance]
 plugin: dump
 source: snap
- # TODO: replace below with scriplets once implemented in snapcraft
 config:
 after: [glance]
 plugin: dump
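Review bot: The `api` app declares only `network-bind` while `registry` declares both `network` and `network-bind`, yet glance-api also opens outbound connections (to the registry service it is paired with here, and to its backing store); if `network-bind` does not by itself grant client connectivity under strict confinement the api daemon will be blocked at runtime, and if it does, the `network` entry on `registry` is redundant. Either way the two daemons should declare the same set, and adding `- network` under `api`'s `plugs` is the safer of the two fixes, since an extra declared plug costs nothing while a missing one fails only once the snap is installed strictly. A one-line comment above `apps:` such as `# strict confinement: every daemon must list the interfaces it needs` would help the next person keep the three lists in step. The `glance` part continues past the end of this hunk.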
@@ -81,16 +75,3 @@ parts:
 - etc/glance/*.json
 stage: [$etc]
 prime: [$etc]
- python:
- source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
- plugin: autotools
- configflags:
- - --prefix=/usr
- - --enable-shared
- - --enable-unicode=ucs4
- build-packages:
- - libssl-dev
- prime:
- - -usr/include
- install:
- $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip