
Snap

The Ubuntu Snappy project is one of the major containerization technologies available in Hydra. Canonical Inc.'s Ubuntu Snappy project consists of a software packaging system called Snap, a runtime called snapd, a software market called Snap Store, and a build toolbox called snapcraft. Snap is compatible with a variety of Linux distributions, and the resultant packages are self-contained apps that operate in a sandbox with mediated access to the host system. Snap was initially designed for cloud apps, but it was eventually adapted to operate with IoT devices and desktop applications as well.

Snapd

Snapd is the runtime daemon of Ubuntu Snappy, responsible for managing snaps at runtime. It provides the means to control services and the lifecycle of Snap applications through a CLI and a REST API. We will use the CLI for build and deployment in Hydra, while the REST API is used in the Athena project for integration with other tools such as Kubernetes. The lack of native support for these integrations was a serious obstacle to developing Trirematics. Snapd also implements the confinement policies that isolate snaps from the base system and from each other, and it governs the interfaces that allow snaps to access specific system resources outside their confinement.

Snap Packages


Snaps are self-contained packages that may be installed on a variety of Linux systems. This is in contrast to typical Linux package management techniques, which need customized packages for each Linux distribution. The snap file format is a single compressed filesystem with the extension .snap that uses the SquashFS format. This filesystem includes the application, the libraries on which it depends, and declarative metadata. Snapd interprets this metadata to construct the secure sandbox for that application. The host operating system mounts the snap and decompresses its files on the fly as they are accessed. Although this has the advantage of using less disk space for snaps, it also means that some large programs start more slowly.

Snap differs from previous universal Linux packaging formats like Flatpak in that it supports any type of Linux program, including desktop applications, server tools, IoT apps, and even system services like the printer driver stack. Snap relies on systemd to achieve this, which lets a Snap run socket-activated system services. As a result, Snap works best on distributions that support that init mechanism.

Snap Store


Developers may distribute their applications straight to users through the Snap Store. Traditional Linux package management techniques, such as APT or YUM, package and distribute programs as part of the operating system. This causes a lag between application development and end-user deployment. Application developers, on the other hand, may publish their apps in the Snap Store and have them delivered straight to consumers without the need for distribution maintainers to intervene. All apps uploaded to the Snap Store undergo automatic testing, including a malware scan. However, Snap apps do not receive the same level of verification as software in the regular Ubuntu archives. Although the Snap sandbox reduces the impact of a malicious app, Canonical recommends that users only install Snaps from publishers they trust.

Snapd and Snap Sandbox

Applications in a Snap run in an application container with limited access to the host system. Using interfaces, users can give an application mediated access to additional features of the host such as recording audio, accessing USB devices, and recording video. These interfaces mediate regular Linux APIs so that applications can function in the sandbox without needing to be rewritten. Desktop applications can also use the XDG Desktop Portals, a standardized API originally created by the Flatpak project to give sandboxed desktop applications access to host resources. These portals often provide a better user experience than the native Linux APIs because they prompt the user for permission to access resources such as a webcam at the time the application uses them. The downside is that applications and toolkits need to be rewritten in order to use these newer APIs. The Snap sandbox also supports sharing data and Unix sockets between Snaps. This is often used to share common libraries and application frameworks between Snaps, reducing their size by avoiding duplication.

The Snap sandbox primarily relies on the upstream Linux kernel's AppArmor Linux Security Module (LSM). Because only one main LSM may be active at any given time, the Snap sandbox becomes much less safe when another major LSM is activated. As a result, on systems like Fedora that enable SELinux by default, the Snap sandbox suffers greatly. Although Canonical is collaborating with many other developers and organizations to enable several LSMs to operate concurrently, this solution is still a long way off.

Automatic and Atomic Updates

Multiple times a day, snapd checks for available updates of all Snaps and installs them in the background as an atomic operation. Updates can be reverted and use delta encoding to reduce their download size. Publishers can release and update multiple versions of their software in parallel using channels. Each channel has a specific track and risk, which indicate the version and stability of the software released on that channel. When installing an application, Snap defaults to the latest/stable channel, which will automatically update to new major releases of the software when they become available. Publishers can create additional channels to give users the possibility to stick to specific major releases of their software.
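As an added example (not code from the Hydra project or the original page) tying together the sandbox, interface and channel concepts of the two sections above: a POSIX shell audit that parses `snap list` and `snap connections` output to report snaps running outside strict confinement (classic or devmode), snaps that will auto-refresh from a non-stable risk level, and the interfaces currently connected to a snap. The sample outputs and snap names are constructed; only the column layouts are those of the two snap commands.

```shell
#!/bin/sh
# Constructed sample of `snap list` output (not captured from a real host).
SAMPLE_SNAP_LIST='Name     Version   Rev   Tracking       Publisher  Notes
core22   20240111  1122  latest/stable  canonical  base
browser  121.0-2   3626  latest/stable  vendor     -
editor   1.85.2    147   latest/stable  vendor     classic
myapp    0.4.1     12    1.x/edge       -          devmode'

# Constructed sample of `snap connections myapp` output.
SAMPLE_CONNECTIONS='Interface     Plug                Slot      Notes
audio-record  myapp:audio-record  -         -
camera        myapp:camera        :camera   manual
home          myapp:home          :home     -
network       myapp:network       :network  -
raw-usb       myapp:raw-usb       -         -'

# Print "<name> <mode>" for every snap whose Notes column marks it as
# classic or devmode: those run without the strict AppArmor sandbox.
unconfined_snaps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /classic|devmode/ { print $1, $6 }'
}

# Print "<name> <track> <risk>" for every snap whose Tracking column is not
# a stable risk level, i.e. snapd will auto-refresh it from candidate/beta/edge
# (snaps that track no channel at all are reported as untracked).
non_stable_channels() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        if ($4 == "-") { print $1, "untracked", "untracked"; next }
        n = split($4, ch, "/")
        if (n < 2 || ch[2] != "stable") print $1, ch[1], ch[2]
    }'
}

# Print "<interface> <notes>" for every plug whose Slot column shows it is
# connected: this is exactly the extra host access the sandbox currently grants.
connected_plugs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 != "-" { print $1, $4 }'
}

# Combined report. On a real host replace the samples with:
#   audit_snap_host "$(snap list)" "$(snap connections myapp)"
audit_snap_host() {
    echo "== snaps running outside strict confinement =="
    unconfined_snaps "$1"
    echo "== snaps auto-refreshing from non-stable channels =="
    non_stable_channels "$1"
    echo "== interfaces currently connected =="
    connected_plugs "$2"
}
audit_snap_host "$SAMPLE_SNAP_LIST" "$SAMPLE_CONNECTIONS"
```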

Snapcraft


Snapcraft is the build toolkit for Snaps, written in Python and licensed under the GNU General Public License, version 3.0. Snapcraft produces packages inside a virtual machine (using Multipass) or a Linux container (using LXD) to ensure that the end product is the same regardless of the distribution or operating system on which it is built. Snapcraft is compatible with a wide range of build tools and programming languages, including Go, Java, JavaScript, Python, C/C++, and Rust. It also supports importing application metadata from a variety of sources, including AppStream, git, shell scripts, and setup.py files.

Compatibility

Snap initially supported only the all-Snap Ubuntu Core distribution, but in June 2016 it was ported to a wide range of Linux distributions to become a universal Linux packaging format. A number of Linux distributions support Snap out of the box, such as Ubuntu (and its flavours, e.g. Kubuntu and Xubuntu), Manjaro, Zorin OS, KDE Neon, Solus, and Li-f-e. Snap is also available for many other distributions such as CentOS, Debian, Elementary OS, Fedora, GalliumOS, Kali Linux, Linux Mint, OpenEmbedded, Parrot Security OS, Pop!_OS, Raspbian, Red Hat Enterprise Linux, and openSUSE.

References

Wikipedia