DEV Community

DevOps Fundamentals profile image DevOps Fundamental
DevOps Fundamental for DevOps Fundamentals

Posted on

Ubuntu Fundamentals: snapcraft

#ubuntu #system #administration #snapcraft

Snapcraft: A Production Deep Dive for Ubuntu Systems

Introduction

Maintaining consistent application environments across a fleet of Ubuntu servers, particularly in a cloud-native context, presents a significant challenge. Traditional package management (APT) can lead to dependency conflicts, versioning issues, and difficulties in rolling back changes. We’ve seen this firsthand managing a large-scale, multi-tenant SaaS platform running on Ubuntu 22.04 LTS VMs in AWS. The need for reproducible builds, isolated application environments, and atomic updates drove us to deeply investigate and adopt snapcraft. Mastering snapcraft isn’t just about packaging applications; it’s about understanding a fundamental shift in how software is deployed and managed on modern Ubuntu systems, impacting everything from security posture to operational efficiency. This post details a production-level understanding of snapcraft, focusing on practical application and troubleshooting.

What is "snapcraft" in Ubuntu/Linux context?

snapcraft is a command-line tool and ecosystem for building, packaging, and distributing applications as Snaps. Snaps are self-contained application packages that include all dependencies required to run, eliminating dependency hell. Unlike traditional .deb packages managed by APT, Snaps are containerized using squashfs for the application itself and overlayfs for writable data. This isolation provides a higher degree of security and reproducibility.

Ubuntu has heavily invested in Snaps, making them the default packaging format for core system components like corectl, snapd, and increasingly, critical applications like Firefox. While snapcraft is primarily associated with Ubuntu, it's also usable on other Debian-based distributions, though the level of integration and support varies.

Key system tools and configuration involved:

  • snapd: The background service responsible for managing Snaps. Controlled via systemctl manage snapd.
  • snapcraft: The command-line tool for building Snaps.
  • snap: The command-line tool for installing, managing, and interacting with Snaps.
  • AppArmor: Used extensively for Snap confinement. Profiles are located in /var/lib/snapd/apparmor/profiles/.
  • snap-confine: A tool used by snapd to run Snaps in a confined environment.

Use Cases and Scenarios

  1. Microservice Deployment: Packaging individual microservices as Snaps ensures consistent runtime environments across development, staging, and production, simplifying deployment pipelines.
  2. Secure Application Distribution: Snaps’ confinement features are crucial for distributing applications with sensitive data or requiring strict security boundaries. We use this for internal tooling.
  3. Cloud Image Customization: Creating custom Ubuntu cloud images with pre-installed Snaps streamlines VM provisioning and reduces boot times.
  4. Edge Computing: Snaps are ideal for deploying applications to edge devices with limited resources and varying network connectivity.
  5. Application Rollbacks: Atomic updates and rollback capabilities of Snaps minimize downtime and risk during application upgrades.

Command-Line Deep Dive

Here are some practical commands:

  • Building a Snap: snapcraft --output myapp (creates a myapp.snap file).
  • Installing a Snap: sudo snap install myapp
  • Listing Installed Snaps: snap list
  • Viewing Snap Logs: snap logs myapp (accesses logs managed by journald).
  • Debugging a Snap: snap run --shell myapp (provides a shell inside the Snap's environment).
  • Checking Snap Confinement: snap connections myapp (shows which system resources the Snap has access to).
  • Refreshing a Snap: sudo snap refresh myapp
  • Reverting a Snap: sudo snap revert myapp

Example snap logs output (truncated):

2024-01-26T14:30:00Z [INFO] myapp: Starting application
2024-01-26T14:30:01Z [ERROR] myapp: Failed to connect to database: Connection refused
2024-01-26T14:30:01Z [WARN] myapp: Retrying connection in 5 seconds...
Enter fullscreen mode Exit fullscreen mode

Example AppArmor profile snippet (from /var/lib/snapd/apparmor/profiles/myapp):

#include <abstractions/base>
#include <abstractions/ubuntu-browsers.d/firefox>

network inet tcp,
network inet udp,
Enter fullscreen mode Exit fullscreen mode

System Architecture 

graph LR
    A[User] --> B(snap command);
    B --> C{snapd};
    C --> D[squashfs (App)];
    C --> E[overlayfs (Data)];
    C --> F[AppArmor];
    F --> G[Kernel];
    C --> H[systemd];
    H --> I[journald];
    B --> I;
    style A fill:#f9f,stroke:#333,stroke-width:2px
    style C fill:#ccf,stroke:#333,stroke-width:2px
Enter fullscreen mode Exit fullscreen mode

Snaps leverage several core system components. snapd acts as the central manager, interacting with the kernel through AppArmor for confinement. The application itself is stored in a read-only squashfs filesystem, while user data and writable files are stored in an overlayfs layer. systemd manages the Snap's services, and journald collects logs. The networking stack is accessed through AppArmor-defined profiles.

Performance Considerations

Snaps can introduce performance overhead compared to traditionally packaged applications due to the containerization and filesystem layers. I/O performance is a common bottleneck, especially with frequent writes to the overlayfs.

  • htop: Monitor CPU and memory usage of snapd and Snap processes.
  • iotop: Identify I/O-intensive Snap processes.
  • sysctl vm.swappiness: Adjust swappiness to optimize memory usage. Lower values reduce swapping.
  • perf record -g -p <snap_pid>: Profile Snap processes to identify performance hotspots.

We found that using SSD storage significantly mitigated I/O performance issues. Also, minimizing writes within the Snap's writable layer improves performance. Avoid frequent logging to disk within the Snap if possible.

Security and Hardening

Snaps offer enhanced security through confinement, but vulnerabilities can still exist.

  • ufw: Configure a firewall to restrict network access to Snaps.
  • AppArmor: Review and customize AppArmor profiles to limit Snap capabilities. Use aa-logprof to analyze AppArmor denials.
  • fail2ban: Monitor Snap logs for suspicious activity and automatically block malicious IPs.
  • auditd: Track system calls made by Snaps for security auditing.
  • Regular Snap Updates: Keep Snaps updated to patch security vulnerabilities.

Example ufw rule:

sudo ufw allow from 192.168.1.0/24 to any port 80
sudo ufw deny from any to any port 22 proto tcp
Enter fullscreen mode Exit fullscreen mode

Automation & Scripting

Ansible is ideal for automating Snap management:

- name: Install My App Snap
  community.general.snap:
    name: myapp
    state: present
    classic: false # Use classic confinement only if necessary

- name: Refresh My App Snap
  community.general.snap:
    name: myapp
    state: latest
Enter fullscreen mode Exit fullscreen mode

Cloud-init can be used to install Snaps during VM provisioning:

#cloud-config
package_update: true
package_upgrade: true
packages:
  - snapd
runcmd:
  - sudo snap install myapp
Enter fullscreen mode Exit fullscreen mode

Logs, Debugging, and Monitoring

  • journalctl -u snapd: View snapd service logs.
  • dmesg: Check for kernel-level errors related to Snaps.
  • netstat -tulnp: Monitor network connections established by Snaps.
  • strace -p <snap_pid>: Trace system calls made by a Snap process.
  • lsof -p <snap_pid>: List open files used by a Snap process.

Monitor Snap refresh status and errors using snap changes. Regularly review snap logs for application-specific issues.

Common Mistakes & Anti-Patterns

  1. Using Classic Confinement Unnecessarily: Classic confinement bypasses many security features. Avoid it unless absolutely required.
    • Incorrect: snap install --classic myapp
    • Correct: snap install myapp
  2. Ignoring AppArmor Denials: AppArmor denials indicate potential security issues or misconfigured profiles. Investigate and address them.
  3. Overly Broad AppArmor Profiles: Granting Snaps excessive permissions weakens security. Follow the principle of least privilege.
  4. Not Monitoring Snap Updates: Failing to update Snaps leaves systems vulnerable to known exploits.
  5. Excessive Logging Within Snaps: High logging volume can degrade performance. Optimize logging levels and consider using a centralized logging solution.

Best Practices Summary

  1. Prefer Strict Confinement: Always use strict confinement unless absolutely necessary to use classic.
  2. Regularly Update Snaps: Automate Snap updates to patch security vulnerabilities.
  3. Monitor AppArmor Denials: Proactively address AppArmor denials to maintain security.
  4. Optimize I/O Performance: Use SSD storage and minimize writes to the overlayfs.
  5. Use Ansible for Automation: Automate Snap management with Ansible for consistency and scalability.
  6. Centralized Logging: Integrate Snap logs with a centralized logging system for analysis and alerting.
  7. Review Snap Connections: Regularly audit Snap connections to ensure least privilege.
  8. Name Snaps Consistently: Use a standardized naming convention for Snaps.

Conclusion

snapcraft represents a significant evolution in application packaging and deployment on Ubuntu. While it introduces complexities, the benefits of isolation, reproducibility, and atomic updates are crucial for modern, scalable, and secure infrastructure. Mastering snapcraft requires a deep understanding of its underlying architecture and operational considerations. Actionable next steps include auditing existing Snap deployments, building automation scripts, monitoring Snap behavior, and documenting internal standards. Ignoring these practices risks compromising system reliability, security, and maintainability.

Top comments (0)