Ubuntu Core 技术详解
3 likes1,382 views
This document introduces Ubuntu Snap technology. It discusses that Snap is a new software package format that provides transactional updates, self-containment, and application confinement through security mechanisms. Snap packages can contain services, command line tools, or graphical applications and provide writable spaces for data and common areas between versions. The document also overviewed Snapcraft for developing Snaps and Ubuntu Core which uses all Snaps for an minimal and secure IoT focused Ubuntu distribution.
Ubuntu Core 技术详解
- 1. Ubuntu Snap 技术介绍 Rex Tsai Technical Architect rex.tsai@canoincal.com 29 August 2017
- 2. Ubuntu 简介
- 3. Canonical We are the company behind Ubuntu
- 4. Ubuntu is the #1 Choice for Innovators 3 million + developers
- 6. Ubuntu is powering smart IoT Smart drone controllers Advanced robotics Home gateways Industrial gateways Digital Signage
- 7. Source: Eclipse Foundation + StackOverflow survey Mint Fedor a Debi an Oth er Ubunt u Ubuntu is the #1 Choice for Innovators & developers 2% 2% 3% 6% 17%
- 10. 六、七月特色软件
- 11. 特色软件 - 微信客户端 Electronic WeChat is a unofficial WeChat client. A better WeChat on Linux. Built with Electron. By DawnDIY https://uappexplorer.com/snap/ubuntu/electronic-wechat
- 12. 特色软件 - 豆瓣FM An unofficial client of Douban FM. You can select the channels you like to play songs and share it to Sina Weibo. By DawnDIY https://uappexplorer.com/snap/ubuntu/douban-fm
- 13. Snap 技术架构
- 14. snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI ● A squashFS filesystem containing your app runtime and a snap.yaml file with specific metadata. It has a read-only file-system and, once installed, a writable area ● Self-contained. It bundles most of the libraries and runtimes it needs and can be updated and reverted without affecting the rest of the system ● Confined from the OS and other apps through security mechanisms, but can exchange content and functions with other snaps according to fine-grained policies controlled by the user and the OS defaults What is a Snap?
- 15. snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI ● As squashFS filesystem based architecture, the snap is capable of providing: ■ Transactional updates ■ Integrity of the content ■ Compression (⅓ of unpacked size) ■ Read Only Snap Package Architecture
- 16. ● A snap package ships: ■ One or more services ■ CLI apps ■ GUI apps ■ They are not limited to one process. snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI Snap Package Architecture
- 17. ● It has its own writable space (services and users) & (versioned and unversioned) Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI Snap Package Architecture
- 18. ● Process Isolation (/tmp per process and app process) Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI /tmp /tmp Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Snap Package Architecture
- 19. ● MAC to other resources (Paths (/home), Devices /dev, etc) mediated with interfaces Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP ServiceService CLI GUI /tmp /tmp Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Snap Package Architecture
- 20. Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Snap Package Architecture: Snappy FHS ● SNAP: installation directory (read-only) ● SNAP_DATA: per-revision application data directory (writable) ● SNAP_COMMON: application data directory common to all revisions (writable) ● SNAP_USER_DATA: per-revision, per-user application data directory (writable) ● SNAP_USER_COMMON: per-user application data directory common to all revisions (writable) ● SNAP_ARCH: architecture of the system (eg, amd64, arm64, armhf, i386, etc) ● SNAP_LIBRARY_PATH: library paths added to LD_LIBRARY_PATH ● SNAP_NAME: package name ● SNAP_REVISION: store revision for this snap ● SNAP_VERSION: package version ● TMPDIR: temporary directory (writable) ● XDG_RUNTIME_DIR: set to /run/user//snap.$SNAP_NAME (writable) $SNAP
- 21. The snapd system ● snapd, a management environment that handles installing and updating snaps using the transactional system, as well as garbage collection of old versions of snaps ● snapd-confine, an execution environment for the applications and services delivered in snap packages ● Interface, snaps interact with each other using interface
- 24. Ubuntu Core
- 25. A minimal, secure, transactional Ubuntu designed for IoT
- 26. What is Ubuntu Core? A minimal version with the same bits as today’s Ubuntu Ubuntu Core with transactional updates Applications confined by technologies lead by Canonical Safe, reliable, worry free updates with tests and rollback Amazing developer experience with snapcraft Easily extensible Easily create app stores for all your devices
- 27. All Snap Architecture In a snappy system, all software beyond the bootloader is distributed as a snap in this same format. ● The OS snap contains the core operating system. ● The kernel snap contains the kernel and hardware-specific drivers. ● The gadget snap is device specific and is used to configure a particular model of device. Ubuntu Core Kernel 4.4 Confined applications packages as a snap with dependencies Minimal OS packaged as snap Clearly defined Kernel and device packaged as snap
- 28. OS IMAGE SIZE Ubuntu Core 350 MB 829 MB Ubuntu Server Minimal footprint
- 29. Legacy Ubuntu Core Kernel Kernel Confined applications packages as a snap with dependencies Minimal OS packaged as snap Clearly defined Kernel and device packaged as snap OS packageApplication B Shared library Device driverApplicatio n A Legend: Modular and simple architecture
- 30. Transactional updates: Apps, OS and kernel Original data Writable area Original snap Upgrade Modified data during upgrade Writable area Updated snap Original data Writable area Original data is kept on device Original snap Original data Writable area Original snap Rollback on failure
- 31. Automatically confines applications kernel os appapp writable areawritable area Snaps are confined and isolated app writable area app writable area
- 32. Security and apps confinement
- 33. Apps confinement: Trust model The trust model of snappy Ubuntu Core is different from traditional Ubuntu Software is either: ● Part of the base system OS ● Pre-installed via OEM/gadget snaps (apps and frameworks installed during provisioning) ● Snaps installed from a store
- 34. Apps confinement: Trust model By default the application snaps are untrusted by the OS and: ● cannot access other applications' data ● cannot access non-app-specific user data ● cannot access privileged portions of the OS VSTrusted by the OS Untrusted by the OS
- 35. Several technologies are used by snappy Ubuntu Core to: ● Implement the security sandboxing ● Implement the application isolation These technologies are mainly: ● AppArmor: A Mandatory Access Control system to confine programs and processes to a limited set of resources. (Application Isolation) ● Seccomp: A secure computing mode that provides an application sandboxing mechanism (wiki) ● Device cgroups: are a kernel mechanism for grouping, tracking, and limiting the resource usage of tasks Apps confinement: Technologies example https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
- 36. Snap locations after installation data from app with root can be written to var/lib/apps/<app-name>/<version>/ However, if an app does not have root privs, the best place for dumping data is
- 37. Snapcraft
- 38. Developers from multiple Linux distributions and companies collaborate on the “snap” universal Linux package format, enabling a single binary package to work perfectly and securely on any Linux desktop, server, cloud or device. snapcraft.io
- 39. Snapcraft lets developers assemble their snap from existing projects, leveraging different technologies. ... Project A (Part A) Project B (Part B) Project C (Part C) snapcraft.io
- 40. For developers: ● snap your app once and it will run on any snappy device ● can leverage existing part library ('stand on the shoulder of giants') ● complete control of their entire software stack Snapcraft benefits
- 41. Snapcraft 组合机制 Snapcraft lets developers assemble their snap from existing projects.
- 42. ● A central aspect of a snapcraft recipe is a "part". A part is a piece of software or data that the snap package requires to work or to build other parts. ● Each part is managed by a snapcraft plugin that encapsulates the logic of the underlying technology parts: cam: plugin: go source: git://github.com/mikix/golang-static-http stage-packages: - fswebcam glue: plugin: copy files: webcam-webui: bin/webcam-webui snapcraft.io
- 43. Snapcraft plugins $ snapcraft list-plugins ant cmake gradle kbuild maven plainbox-provider qmake autotools copy gulp kernel nil python2 scons catkin go jdk make nodejs python3 tar-content Write your own plugins: - https://developer.ubuntu.com/en/snappy/build-apps/plugins/ Custom plugin examples: - https://github.com/ubuntu/snappy-playpen
- 44. Live tour of snapcraft build commands (clean, stage, prime…) Snapcraft upload/update/release commands Snap usage
- 45. 创建软件包
- 46. 创见你的第一个 snap... ● 手把手教学 ○ https://tutorials.ubuntu.com/tutorial/create-your-first-snap ○ https://tutorials.ubuntu.com/tutorial/snap-a-python-application ● 动手做一个服务器 ○ https://tutorials.ubuntu.com/tutorial/build-a-nodejs-service ● 看看别人的代码… ○ https://github.com/search?utf8=%E2%9C%93&q=filename %3Asnapcraft.yaml&type=Code
- 48. build.snapcraft.io Create an update Auto build and publish Auto update and rollback
- 50. How to build your app for all architectures? ● Develop your application for one architecture and test it successfully, let’s say amd64 ● Create a project on launchpad and make use of the services there ○ https://kyrofa.com/posts/building-your-snap-on-device-there-s-a-better-way ○ Click on the “Create snap package” button
- 51. 近期活动
- 55. 其他英文资源 ● Ask a question on Ask Ubuntu ○ If you’re stuck on a problem, someone else has probably encountered it too and they can help you. Take a look at the "ubuntu-core" tag on Ask Ubuntu or ask a question. ● Join our real time chat (#snappy on freenode.net) ○ Share your projects and ask other developers for support. This high-bandwidth IRC channel is a good place when you are looking for a quick answer to a single question. ● For app developers ○ Reach out to other snap developers by using the"snapcraft" tag on Ask Ubuntu, join the snapcraft mailing list and make sure to join the Ubuntu App Developers Google+ community. ● Snapcraft.io forums ○ This is the place where snap users, contributors and developers get together. We are a multi-distribution team of enthusiasts and professionals that want to improve the way software is distributed and used in Linux systems. https://forum.snapcraft.io/