=== benfrancis6 is now known as benfrancis
=== benfrancis0 is now known as benfrancis
mborzecki | morning | 06:22 |
mup | PR snapd#11845 closed: tests/main/nfs-support: be robust against umount failures <Simple 😃> <Test Robustness> <Created by mardy> <Merged by mardy> <https://github.com/snapcore/snapd/pull/11845> | 06:57 |
mup | PR snapd#11834 closed: o/snapstate: exclude services from refresh app awareness hard running check <Bug> <refresh app awareness> <Created by stolowski> <Merged by stolowski> <https://github.com/snapcore/snapd/pull/11834> | 08:17 |
mup | PR snapd#11847 opened: tests/main/interfaces-browser-support: verify jupyter notebooks access <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11847> | 09:18 |
mup | PR snapd#11178 closed: tests: increase the memory on test minimal-smoke with secboot disabled <Simple 😃> <Run nested> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11178> | 11:23 |
mup | PR snapd#11848 opened: tests: revert lxd change to support nested lxd launch <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11848> | 11:28 |
mup | PR snapd#11824 closed: interfaces/browser-support: allow editing of Jupyter notebooks in browsers <Created by nteodosio> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11824> | 13:13 |
mup | PR snapd#11847 closed: tests/main/interfaces-browser-support: verify jupyter notebooks access <Simple 😃> <Created by bboozzoo> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11847> | 13:13 |
mup | PR snapcraft#3777 closed: parts: fix metadata extraction dirs <Created by cmatsuoka> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3777> | 14:33 |
tacomaster | I have a question about snaps. I have found online that snaps are immutable, but is there any protection for the rest of the machine? The reason I ask is I am trying to run a server service on Ubuntu Server and trying to see if it would be better to use a container or a snap for security reasons? | 17:33 |
tacomaster | or would it be best to write an apparmor profile for that service? | 17:34 |
mardy | tacomaster: hi! When you launch a snap, a container is created: not only does AppArmor confine the process, but we also use seccomp, cgroups, and mount namespaces to isolate the snap from the rest of the machine | 20:40 |
mardy | tacomaster: the more interfaces you connect in the snap, the more "holes" we drill in the container | 20:41 |
ogra | tacomaster, adding to what mardy said, every single snap undergoes an automatic review during upload. There are interfaces that are harmless (like "audio-playback") when your snap connects them, and there are more privileged ones (e.g. "network-setup-control") ... snaps that use the higher privileged ones need to pass a manual review by the security team ... if you look at the "store-requests" category at forum.snapcraft.io you can find them all ... | 21:13 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!