Snap - the universal packaging format for linux distros
0 likes316 views
Snap is a universal packaging format for Linux that simplifies application installation and updates while enhancing security through sandboxing. It allows developers to distribute software across various Linux distributions with a self-contained system that includes all necessary libraries. Snap features a centralized store for easy version management and compatibility with existing packaging systems, enabling publishers to maintain control over updates without intermediary processes.
![Snap Architecture
$ cat /snap/hello-world/current/meta/snap.yaml
name: hello-world
version: 6.3
architectures: [ all ]
summary: The 'hello-world' of snaps
description: |
This is a simple snap example that includes a few interesting binaries
to demonstrate snaps and their confinement.
* hello-world.env - dump the env of commands run inside app sandbox
* hello-world.evil - show how snappy sandboxes binaries
* hello-world.sh - enter interactive shell that runs in app sandbox
* hello-world - simply output text
apps:
env:
command: bin/env
evil:
command: bin/evil
sh:
command: bin/sh
hello-world:
command: bin/echo](https://image.slidesharecdn.com/snap-theuniversalpackagingformatforlinuxdistros-180603103000/85/Snap-the-universal-packaging-format-for-linux-distros-10-320.jpg)
Snap - the universal packaging format for linux distros
- 1. Snap : the universal packaging format for Linux distros Anthony Wong Engineering Manager, Canonical Shenzhen University, 2 June 2018
- 2. Why a new packaging format? As a user ● I want applications that are easy to install, keep up-to-date and secure. As a developer/publisher ● I want an easy and fast way to distribute my software for different Linux distributions.
- 5. Snap Features ● Better security ● By default, snaps are confined. No network access, limited filesystem access, etc. ● Interact with system and other snaps through fine-grained interfaces. ● Kernel sandbox features has matured over the years ● cgroups, namespace, seccomp, Apparmor ● But snap is not quite like container ● Provides strict, devmode and classic policies ● Self-contained ● All libraries are bundled
- 6. Snap Features ● Immutable: snap is a mounted read-only squashfs ● Multiple versions are kept on filesystem, can easily roll back to previous version ● Auto-update by default ● Smaller size ● Squashfs is compressed and is mounted, not decompressed. ● Co-exist with existing packaging systems (deb, RPM, etc)
- 7. Snap Store ● Centralized software store ● No need to install third-party repository or PPA ● Tracks ● different versions can co-exist in the store ● each track has its own risk channels (edge, beta, candidate, stable) ● Enterprise features such as update control (paid service)
- 8. Snap Store
- 9. Snap Architecture ● Let's look at the hello-world snap $ tree /snap/hello-world/current/ /snap/hello-world/current/ ├── bin │ ├── echo │ ├── env │ ├── evil │ └── sh └── meta ├── gui │ └── icon.png └── snap.yaml ● The important file that snapd cares is meta/snap.yaml
- 10. Snap Architecture $ cat /snap/hello-world/current/meta/snap.yaml name: hello-world version: 6.3 architectures: [ all ] summary: The 'hello-world' of snaps description: | This is a simple snap example that includes a few interesting binaries to demonstrate snaps and their confinement. * hello-world.env - dump the env of commands run inside app sandbox * hello-world.evil - show how snappy sandboxes binaries * hello-world.sh - enter interactive shell that runs in app sandbox * hello-world - simply output text apps: env: command: bin/env evil: command: bin/evil sh: command: bin/sh hello-world: command: bin/echo
- 11. Sandbox ● Every snap is sandboxed by snapd ● Snap can only see its own private mount namespace, like chroot ● Certain syscalls are blocked by seccomp, e.g. networking ● Process is isolated, e.g. you cannot send signals to other processes owned by same user ● Every snap has its own /tmp ● Access to sensitive devices is blocked, e.g. /dev/video*, /dev/kmsg ● There are common and per-user writeable area to store data ● snapd interface allows snap to get more privileges.
- 12. snapd Interface ● If your snap needs to do something outside of confinement, you need to use interface. ● An interface consists of a plug and a slot ● Slot is the provider, plug is the consumer ● Example slots are home, gsettings, network, x11, wayland, pulseaudio. Many are offered by core snap. ● Run snap interface to find out more
- 13. snap.yaml of vlc name: vlc version: 3.0.3-1-3-gf09fd0d summary: Read, capture, broadcast your multimedia streams confinement: strict grade: stable apps: vlc: command: command-vlc.wrapper plugs: - unity7 - network - network-bind - home - opengl - pulseaudio - mount-observe - optical-drive - camera - removable-media - screen-inhibit-control - x11 - desktop - desktop-legacy slots: - mpris
- 14. Advantages for Publishers ● Build once runs everywhere ● Give control back to publishers, not distro vendor ● No middle man to distribute your software, quick feedback loop ● Publishers to decide when to update, when to promote from beta to stable.
- 15. Snapcraft for App publishers ● snapcraft provides a super easy way to package any kind of applications $ snapcraft plugins ament dotnet jhbuild nodejs rust ant dump kbuild plainbox-provider scons autotools go kernel python tar-content catkin godeps make python2 waf catkin-tools gradle maven python3 cmake gulp meson qmake copy jdk nil ruby ● snapcraft cleanbuild: build within LXD container
- 16. Sample snapcraft.yaml name: hello version: "2.10" summary: GNU Hello, the "hello world" snap description: GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/create/ confinement: strict apps: hello: command: hello parts: gnu-hello: plugin: autotools source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz
- 18. How snap is made
- 25. Beautiful Frontpage for Snaps https://snapcraft.io/<app_name>
- 26. Beautiful Frontpage for Snaps https://snapcraft.io/electronic-wechat
- 27. Private Metrics for Your Snap
- 28. Thanks! Anthony Wong Engineering manager, Canonical