Snap

Snap is a software deployment and package management system. The packages are called 'snaps' and the tool for using them is 'snapd', which works across a range of Linux distributions and allows, therefore, distribution-agnostic upstream software deployment. Canonical, the developer of Snap, manages the Snap Store service through which snaps are deployed.

snapd is a REST API daemon for managing snap packages. Users can interact with it by using the snap client, which is part of the same package.

Snaps can be confined using AppArmor which is now enabled in the default kernel. Consult relevant wiki pages to find steps for enabling AppArmor in your system.

Installation

Install the snapd^AUR package.

snapd supports the AppArmor security model if it is enabled on your system, to install it follow AppArmor#Installation.

If you are using AppArmor, enable and start both apparmor.service and snapd.apparmor.service.

Configuration

To launch the snapd daemon when snap tries to use it, enable/start snapd.socket.

Usage

The snap tool is used to manage the snaps.

Finding

To find snaps to install, you can query the Ubuntu Store with:

$ snap find searchterm

Installing

Once you found the snap you are looking for you can install it with:

# snap install snapname

This requires root privileges. Per user installation of snaps is not possible, yet. This will download the snap into /var/lib/snapd/snaps and mount it to /var/lib/snapd/snap/snapname to make it available to the system.

It will also create mount units for each snap and add them to /etc/systemd/system/multi-user.target.wants/ as symlinks to make all snaps available when the system is booted. Once that is done you should find it in the list of installed snaps together with its version number, revision and developer using:

$ snap list

You can also sideload snaps from your local hard drive with:

# snap install --dangerous /path/to/snap

Updating

To update your snaps manually use:

# snap refresh

Snaps are refreshed automatically according to snap refresh.timer setting.

To view the next/last refresh times use:

# snap refresh --time

To set a different refresh time, eg. twice a day:

# snap set core refresh.timer=0:00~24:00/2

See system options documentation page for details on customizing the refresh time.

Removing

Snaps can be removed by executing:

# snap remove snapname

Tips and tricks

Classic snaps

Some snaps (e.g. Julia and Pycharm) use classic confinement. However, classic confinement requires the /snap directory, which is not FHS-compliant. The snapd package does not ship this directory, however the user can manually create a symbolic link between /var/lib/snapd/snap and /snap to allow the installation of classic snaps:

# ln -s /var/lib/snapd/snap /snap

Confinement

When using AppArmor, snapd will generate the same profiles for snaps as on Ubuntu. The AppArmor parser is smart enough to drop the rules that are not yet supported by the mainline kernel.

To verify that basic confinement is working, install hello-world snap. Then run the following:

$ hello-world.evil

Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
/snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied

The denial was caused by AppArmor and should have been logged:

# dmesg

...
[  +0.000003] audit: type=1327 audit(1540469583.966:257): proctitle=2F62696E2F7368002F736E61702F68656C6C6F2D776F726C642F32372F62696E2F6576696C
[ +12.268939] audit: type=1400 audit(1540469596.236:258): apparmor="DENIED" operation="open" profile="snap.hello-world.evil" name="/var/tmp/myevil.txt" pid=10835 comm="evil" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
[  +0.000006] audit: type=1300 audit(1540469596.236:258): arch=c000003e syscall=2 success=no exit=-13 a0=55d991ba6bc8 a1=241 a2=1b6 a3=55d991ba6be0 items=0 ppid=31349 pid=10835 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=3 comm="evil" exe="/bin/dash" subj==snap.hello-world.evil (enforce)
...

If you do not see the denial, verify that the profiles were loaded:

# aa-status | grep snap.hello-world

   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh

Also, you can check what sandbox features are available in the system according to snapd:

$ snap debug sandbox-features

apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
confinement-options:  devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap

Hide the snap folder

See XDG Base Directory#Hiding unwanted directories to hide the snap folder.

Sudo

With secure_path being enabled in sudo by default, the /var/lib/snapd/snap/bin directory is no longer present in the default $PATH environment variable of the process started by sudo. Commands such as sudo lxc list will fail, as the lxc symbolic link can no longer be found by the shell process.

This can be addressed on per user basis by adding the following snippet to /etc/sudoers.d/90_snap:

# Add snap binaries installation dir to PATH
Defaults:<your-user-name> secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin:/var/lib/snapd/snap/bin"

Where <your-user-name> must be replaced with the desired $USER.

Troubleshooting

Text unreadable

If you are seeing squares instead of readable characters, you need to clear the font cache:

# rm -f /var/cache/fontconfig/*
$ rm -f ~/.cache/fontconfig/*
# fc-cache -r -v

Snapctl also stores internal caches for each individual snap, which need to be cleared seperately. First, find them by running:

$ find ~/snap/ -wholename '*/.cache/fontconfig'

... /home/darth_vader/snap/mailspring/common/.cache/fontconfig
... /home/darth_vader/snap/authy/common/.cache/fontconfig
... /home/darth_vader/snap/icedrive/common/.cache/fontconfig
... /home/darth_vader/snap/discord/common/.cache/fontconfig
... /home/darth_vader/snap/bitwarden/common/.cache/fontconfig

Then either remove them individually or use this simple loop.

Finally, Restart your session.

Error: cannot mount squashfs

Snap packages use the SquashFS file system. In the event of an error similar to the following:

error: system does not fully support snapd: cannot mount squashfs image using "squashfs"

you may verify that the SquashFS kernel module is loaded with

$ lsmod

Module                  Size  Used by
squashfs               xxxxx  x
...

Error: /user.slice/user-1000.slice/session-1.scope is not a snap cgroup

You need to set your DBUS_SESSION_BUS_ADDRESS environment variable like so:

export DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus"

To make this change permanent and also available in your GUI session, consider adding this line to your ~/.xprofile file.

For more information and full discussion about this issue, please read here

Graphical management

Both Gnome Software Center and KDE Discover can provide native snap support. For KDE Discover install discover-snap^AUR package.

The Snap Store can be installed via snap

# snap install snap-store

Support

Arch Linux related mailing lists and other official Arch Linux support channels are not an appropriate place to request help with snaps on Arch Linux. An appropriate place to ask for support is the Snapcraft forum.

See also

• Official site
• GitHub repository
• ArsTechnica article (2016-06) about Ubuntu snaps becoming available for Arch and other distributions