Generic Snap questions

Kyle Fazzari kyle.fazzari at canonical.com
Fri Feb 3 19:11:56 UTC 2017


On 02/03/2017 04:06 AM, Andrew Mason wrote:
> Hi All,
> I have been listening to Alan Pope plugging snaps for a while now on the LUP 
> podcast and decided to try it out by installing a popular snap on a remote VM.

Hey, thanks for giving it a shot!

> 1. This particular snap used a combination of Apache httpd
> + MySQL and a few other utilities. 
> 
> I presume that if I wanted to use something like nginx instead of Apache and 
> MariaDB instead of MySQL I would need to rebuild the snap myself? Are the 
> source / build instructions (.yml file?) available in some form that I can 
> access?

Yeah, this really depends on the snap. Indeed, if the snap in question
embeds these things, unless the snap itself supports swapping things out
somehow, your best path may be to rebuild the snap yourself using the
components you desire. Whether or not you can do this also depends on
the snap, e.g. it may not be open source. Figuring that out and/or
finding the snap sources is a bit of a challenge right now since nothing
shows you that information[1].

> 2. This snap in particular seemed to be configured to listen on the IP address 
> of the machine it was running on. As this was deployed in Azure the VM is deployed 
> with a private 10.x IP address and sits behind a foobarqux.cloudapp.net so it 
> was not possible to visit the IP address directly; I ended up using an SSH 
> tunnel to address this, but conceptually if I wanted to change a configuration 
> element like this, what is the correct way to do so?

That would also be up to the snap in question. snapd supports a
configure hook[2] that the snap can implement to support such things,
but implementing that hook (and what exactly can be changed with it) is
still up to the snap. The snap could also expose such functionality with
its own app, if the developer chose to do so.

> 3. Say a bunch of people want their own instance of this snappified service. 
> How are / should additional instances be handled from an installation 
> perspective?
> 
> Also how would multiple instances be configured with regards to TCP port 
> access?

I'm not 100% sure I understand this question. Snaps aren't per-user
(they're installed system-wide), so if you're asking how multiple users
on the same machine would install this snap, the answer is "they
wouldn't" I suppose. Please clarify this question if I didn't answer it.

> 4. There was some attempt by the package to install a Let's Encrypt 
> certificate however that failed due (possibly) to the aforementioned IP 
> address issue. 
> 
> Is there any provision to be able to execute certain parts of the post-install 
> / pre-install scripts like there is with a Debian package? i.e. -reconfigure 
> 
> Assuming I am able to get a certificate manually... e.g. I have an EV cert for 
> the domain; how would I go about installing the certificate into my new snap? 
> 
> I understand they are mounted images but from my understanding these are read 
> only. Do I just mount -o remount,rw?

I'm afraid not. They're not only mounted read-only, they're squashfs
images which by definition ARE read-only. You cannot write to them.
However, if the snap in question is fetching certs from Let's Encrypt,
it's not writing to the snap either-- it must be placing those in a
writable area (e.g. /var/snap/<snapname>/current/). I see no reason why
you can't do the same with your certs, but again: the snap in question
must support this. For example, the Nextcloud snap in stable only
supports generating self-signed certificates or fetching certificates
from Let's Encrypt, but the one in candidate has support for adding
custom ones.

> 5. Prior to the installation of the aforementioned snap, I used UFW to add a 
> firewall restricting access to all but the SSH port.
> 
> After installing this snap it did not seem to automatically open a port. Is 
> this the correct behaviour? If I am building a snap of my own application how 
> would I go about informing the user that this additional task is necessary? 
> Can I prompt them to perform this action?

Unless the snap has firewall access (available as an interface), it
won't have permission to touch it. So no, in most cases, the snap will
not automatically open a port in your firewall. This is a good thing, in
my opinion! If you're building a snap of your own application, I assume
this would be in its documentation (either online or available as a
--help option).

> If you have made it this far I really appreciate that you have taken the time 
> to consider the questions and any answers would be greatly valued.

Thanks for reaching out! I hope I helped-- please ask for clarification
where that isn't the case.

[1]: https://bugs.launchpad.net/snappy/+bug/1624829
[2]: https://github.com/snapcore/snapd/wiki/hooks#configure

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at canonical.com
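
A configure hook of the kind mentioned in the answer to question 2, as an added example that is not part of the original message or of any particular snap: it validates a listen address and port set with `snap set` and writes them to the snap's writable data directory. The option names `listen-address` and `port`, the file name `listen.conf`, the unprivileged-port restriction and the helper functions are assumptions made for illustration; `snapctl get` and `$SNAP_DATA` are what snapd provides inside a hook.

```shell
#!/bin/sh
# Hypothetical meta/hooks/configure, run by snapd on e.g.
#   snap set <snapname> listen-address=127.0.0.1 port=8443
# A non-zero exit makes snapd reject the change.

# Accept only a dotted-quad IPv4 address, octets 0..255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only an unprivileged TCP port (assumption: 1024..65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Emit the config file the (hypothetical) service reads at start-up.
render_config() {
    printf 'listen_address=%s\nport=%s\n' "$1" "$2"
}

# Hook body: only runs inside a snap, where snapd sets $SNAP_DATA.
if [ -n "${SNAP_DATA:-}" ] && command -v snapctl >/dev/null 2>&1; then
    addr=$(snapctl get listen-address); addr=${addr:-127.0.0.1}
    port=$(snapctl get port);           port=${port:-8443}
    valid_ipv4 "$addr" || { echo "invalid listen-address: $addr" >&2; exit 1; }
    valid_port "$port" || { echo "invalid port: $port" >&2; exit 1; }
    umask 077
    render_config "$addr" "$port" > "$SNAP_DATA/listen.conf.tmp"
    mv "$SNAP_DATA/listen.conf.tmp" "$SNAP_DATA/listen.conf"
fi
```

The hook writes only under `$SNAP_DATA` (the directory `/var/snap/<snapname>/current/` points to) and does not touch the host firewall, so opening the port in UFW remains a separate step for the administrator.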

More information about the Snapcraft mailing list