This is the talk I gave at the Ubuntu release party at Shenzhen University. It is an introduction to the new snap packaging format and its companion build tool, snapcraft, and the snapcraft.io store.
Snap - the universal packaging format for linux distros
1. Snap: the universal packaging format for Linux distros
Anthony Wong Engineering Manager, Canonical
Shenzhen University, 2 June 2018
2. Why a new packaging format?
As a user
● I want applications that are easy to install, keep up-to-date and secure.
As a developer/publisher
● I want an easy and fast way to distribute my software for different Linux distributions.
5. Snap Features
● Better security
  ● By default, snaps are confined: no network access, limited filesystem access, etc.
  ● Interact with the system and other snaps through fine-grained interfaces.
  ● Kernel sandbox features have matured over the years
    ● cgroups, namespaces, seccomp, AppArmor
  ● But a snap is not quite like a container
  ● Provides strict, devmode and classic policies
● Self-contained
  ● All libraries are bundled
6. Snap Features
● Immutable: a snap is a mounted read-only squashfs
● Multiple versions are kept on the filesystem, so you can easily roll back to the previous version
● Auto-update by default
● Smaller size
  ● Squashfs is compressed and is mounted, not decompressed.
● Co-exists with existing packaging systems (deb, RPM, etc.)
7. Snap Store
● Centralized software store
  ● No need to install third-party repositories or PPAs
● Tracks
  ● different versions can co-exist in the store
  ● each track has its own risk channels (edge, beta, candidate, stable)
● Enterprise features such as update control (paid service)
9. Snap Architecture
● Let's look at the hello-world snap
$ tree /snap/hello-world/current/
/snap/hello-world/current/
├── bin
│   ├── echo
│   ├── env
│   ├── evil
│   └── sh
└── meta
    ├── gui
    │   └── icon.png
    └── snap.yaml
● The important file that snapd cares about is meta/snap.yaml
10. Snap Architecture
$ cat /snap/hello-world/current/meta/snap.yaml
name: hello-world
version: 6.3
architectures: [ all ]
summary: The 'hello-world' of snaps
description: |
  This is a simple snap example that includes a few interesting binaries
  to demonstrate snaps and their confinement.
  * hello-world.env - dump the env of commands run inside app sandbox
  * hello-world.evil - show how snappy sandboxes binaries
  * hello-world.sh - enter interactive shell that runs in app sandbox
  * hello-world - simply output text
apps:
  env:
    command: bin/env
  evil:
    command: bin/evil
  sh:
    command: bin/sh
  hello-world:
    command: bin/echo
11. Sandbox
● Every snap is sandboxed by snapd
● A snap can only see its own private mount namespace, like a chroot
● Certain syscalls are blocked by seccomp, e.g. networking
● Processes are isolated, e.g. you cannot send signals to other processes owned by the same user
● Every snap has its own /tmp
● Access to sensitive devices is blocked, e.g. /dev/video*, /dev/kmsg
● There are common and per-user writeable areas to store data
● snapd interfaces allow a snap to get more privileges.
12. snapd Interface
● If your snap needs to do something outside of confinement, you need to use an interface.
● An interface consists of a plug and a slot
● The slot is the provider, the plug is the consumer
● Example slots are home, gsettings, network, x11, wayland, pulseaudio. Many are offered by the core snap.
● Run snap interface to find out more
14. Advantages for Publishers
● Build once, runs everywhere
● Gives control back to publishers, not the distro vendor
● No middle man to distribute your software; quick feedback loop
● Publishers decide when to update and when to promote from beta to stable.
15. Snapcraft for App Publishers
● snapcraft provides a super easy way to package any kind of application
$ snapcraft plugins
ament dotnet jhbuild nodejs rust
ant dump kbuild plainbox-provider scons
autotools go kernel python tar-content
catkin godeps make python2 waf
catkin-tools gradle maven python3
cmake gulp meson qmake
copy jdk nil ruby
● snapcraft cleanbuild: builds within an LXD container
16. Sample snapcraft.yaml
name: hello
version: "2.10"
summary: GNU Hello, the "hello world" snap
description: |
  GNU hello prints a friendly greeting.
  This is part of the snapcraft tour at https://snapcraft.io/create/
confinement: strict
apps:
  hello:
    command: hello
parts:
  gnu-hello:
    plugin: autotools
    source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz
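To tie the sandbox and interface slides to the sample above, here is an added snapcraft.yaml (my own example, not from the talk or the snapcraft tour) for the same GNU Hello snap, strictly confined, with the two interfaces it is allowed to use declared as plugs; the plug list and comments are mine, and the home and network interfaces are the ones named on the interface slide.

```yaml
# Added example: GNU Hello with strict confinement and explicit plugs.
# Everything not listed under plugs stays blocked by the sandbox
# (no network, no access to the user's files, private /tmp, etc.).
name: hello
version: "2.10"
summary: GNU Hello, the "hello world" snap
description: |
  GNU hello prints a friendly greeting.
  Strictly confined; the plugs below are the only holes in the sandbox.
# strict enforces the sandbox; devmode only logs violations and classic
# turns confinement off entirely, so keep strict for published snaps.
confinement: strict

apps:
  hello:
    command: hello
    # Each plug names an interface whose slot is provided by the core snap.
    # home    - read/write the invoking user's non-hidden files under $HOME
    # network - allow network access, which the sandbox otherwise blocks
    plugs:
      - home
      - network

parts:
  gnu-hello:
    plugin: autotools
    source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz
```

After installing the built snap, snap interfaces hello lists which of these plugs are actually connected to a slot, so a reviewer can confirm the snap holds no more privileges than the two declared here.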