Snap integration in Qubes OS templates

Written by Solène, on 16 October 2024.
Tags: #snap #qubesos #linux

1. Introduction

The Snap package format is interesting; while it used to have a bad reputation, I wanted to form my own opinion about it. After reading its design and usage documentation, I find it quite good, and I have a good experience using some programs installed with snap.

Snapcraft official website (store / documentation)

Snap programs can be packaged as either "strict" or "classic". A strict snap has some confinement at work, which can be inspected on an installed snap using snap connections $appname, while a "classic" snap has no sandboxing at all. Snap programs are completely decoupled from the host operating system where snap is running, so you can have old or new versions of a snap packaged program without having to handle shared library versions.
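Once snaps are installed in a template, the Notes column of snap list shows which of them run without enforced confinement. The script below is an added example, not part of the original post: the function names sample_snap_list and unconfined_snaps are introduced here, and the sample listing is constructed for illustration.

```shell
#!/bin/sh
# Added example: report snaps that are not strictly confined.

# Constructed sample in the column layout printed by `snap list`
# (illustrative values, not real output).
sample_snap_list() {
cat <<'EOF'
Name     Version   Rev    Tracking       Publisher    Notes
core22   20240904  1621   latest/stable  canonical**  base
firefox  131.0     5091   latest/stable  mozilla**    -
code     1.94.2    172    latest/stable  vscode**     classic
snapd    2.63      21759  latest/stable  canonical**  snapd
mytool   0.1       x1     -              -            devmode,held
EOF
}

# Read `snap list` output on stdin and print "name<TAB>mode" for every snap
# whose Notes column (the last one) contains "classic" or "devmode".
# classic: no sandbox at all; devmode: violations are logged, not blocked.
unconfined_snaps() {
    awk 'NR > 1 {
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++)
            if (notes[i] == "classic" || notes[i] == "devmode")
                printf "%s\t%s\n", $1, notes[i]
    }'
}

# Use the live list when snap is installed, otherwise the constructed sample.
if command -v snap >/dev/null 2>&1; then
    snap list | unconfined_snaps
else
    sample_snap_list | unconfined_snaps
fi
```

Every snap it prints runs unconfined in each AppVM based on the template, so those are the ones to review with snap connections $appname or to keep in a dedicated template.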

The following setup explains how to install snap programs in a template so they can be run from AppVMs. It does not cover installing snap programs in AppVMs as a user; if you need that, please use the Qubes OS guide linked below.

The Qubes OS documentation explains how to set up snap in a template, but with a helper that allows AppVMs to install snap programs in the user directory.

Qubes OS official documentation: install snap packages in AppVMs

In a previous blog post, I explained how to configure a Qubes OS template to install flatpak programs in it, and how to integrate it into the template.

Previous blog post: Installing flatpak programs in a Qubes OS template

2. Setup on Fedora

All commands are meant to be run as root.

2.1. Snap installation

Snapcraft official documentation: Installing snap on Fedora

Installing snap is easy; run the following command:

dnf install snapd

To allow "classic" snaps to work, you need to run the following command:

sudo ln -s /var/lib/snapd/snap /snap

2.2. Proxy configuration

Now, you have to configure snap to use the HTTP proxy in the template. These commands can take some time, because snap tries to use the network when invoked and has to time out first.

snap set system proxy.http="http://127.0.0.1:8082/"
snap set system proxy.https="http://127.0.0.1:8082/"

2.3. Run updates on template update

You need to prevent snap from searching for updates on its own, as you will run updates when the template is updated:

snap refresh --hold

To automatically update snap programs when the template is updating (or doing any dnf operation), create the file /etc/qubes/post-install.d/05-snap-update.sh with the following content and make it executable:

#!/bin/sh

if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    snap refresh
fi

2.4. Qube settings menu integration

To add the menu entry of each snap program in the qube settings when you install/remove snaps, create the file /usr/local/sbin/sync-snap.sh with the following content and make it executable:

#!/bin/sh

# when a desktop file is created/removed
# - links snap .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0

inotifywait -m -r \
-e create,delete,close_write \
/var/lib/snapd/desktop/applications/ |
while IFS= read -r event
do
    find /var/lib/snapd/desktop/applications/ -type l -name "*.desktop" | while IFS= read -r line
    do
        # -f replaces a link that already exists instead of failing on it
        ln -sf "$line" /usr/share/applications/
    done
    # delete links whose target no longer exists (snap was removed)
    find /usr/share/applications/ -xtype l -delete
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done

Install the package inotify-tools for the script above to work, and add this to /rw/config/rc.local to run it at boot:

/usr/local/sbin/sync-snap.sh &

You can run the script now with /usr/local/sbin/sync-snap.sh & if you plan to install snap programs.

2.5. Snap store GUI

If you want to browse and install snap programs using a nice interface, you can install the snap store.

snap install snap-store

You can run the store with snap run snap-store or configure your template settings to add the snap store into the applications list, and run it from your Qubes OS menu.

3. Debian

The setup on Debian is pretty similar: you can reuse the Fedora guide, except that you need to replace dnf with apt.

Snapcraft official documentation: Installing snap on Debian

4. Conclusion

Having more options to install programs is always good, especially when they come with features like quota or sandboxing. Qubes OS gives you the flexibility to use multiple templates in parallel, so a new source of packages can be useful for some users.