Using Snap Packages in Gentoo » serra.me

Using Snap Packages in Gentoo

One of the main advantages of snap packages is the possibility to use them not only on one Linux distribution like ‘traditional’ packages, but on a wide variety of distributions without having to modify or rebuild them. Many distributions provide the necessary snapd daemon in their repositories.

It is entirely possible to use snap packages with Gentoo too, even though we need to meet some specific prerequisites and do some tinkering. On the other hand, even building new snap packages with snapcraft and multipass or LXD will be possible afterwards. Since snapd is not available in Gentoo’s official portage tree, we use the overlay maintained by Jesse “zigford” Harris.

Prerequisites

First and foremost: systemd is a mandatory requirement since snapd is not compatible with OpenRC. Since snapcraft requires elevated privileges, sudo should be installed and properly configured too.

To acquire the necessary resources and permissions on the host system, snapd uses the AppArmor framework. If you are using your own kernel, it might be necessary to manually enable AppArmor support in its configuration. The relatively new binary packages have AppArmor support already enabled.

I won’t cover the migration of a Gentoo based system to systemd at this point. Since this topic is so extensive, I’ll publish a separate article at a later point in time.

AppArmor and systemd

We need to compile systemd with the USE flags policykit and apparmor enabled, and libseccomp with the USE flag static-libs. Therefore we’ll add the following entries to the /etc/portage/package.use file:

sys-apps/systemd policykit apparmor
sys-libs/libseccomp static-libs

The apparmor ebuild is masked by default, so we unmask it in the /etc/portage/package.accept_keywords file where we also unmask the snapd ebuild so we always get the latest (non-stable) version.

sys-libs/libapparmor ~amd64
sys-apps/apparmor ~amd64
app-emulation/snapd ~amd64

In the next step, we (re-) build systemd and AppArmor.

emerge sys-apps/systemd
emerge sys-apps/apparmor

In order to make AppArmor available right after the system is booted up, it’s necessary to modify the bootloader configuration. We need to add the following line to /etc/default/grub or modify it accordingly:

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 security=apparmor"

Afterwards, the GRUB configuration gets rewritten with the command

grub-mkconfig -o /boot/grub/grub.cfg

and we can reboot the system.
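
After the reboot it is worth confirming that the parameters actually reached the kernel and that AppArmor is active. The following script is an added example, not part of the original article; the function names are made up for it, and it assumes the standard locations /etc/default/grub, /proc/cmdline and /sys/kernel/security/lsm.

```shell
#!/bin/sh
# Added example (not from the original article): check that the AppArmor
# boot parameters were written correctly and took effect after the reboot.
# Function names are made up here; each takes a file path so it can also
# be run against saved copies.

# Succeeds if FILE sets GRUB_CMDLINE_LINUX_DEFAULT (exact spelling) with both
# parameters. /etc/default/grub is sourced as shell, so a misspelled variable
# name is accepted without error and simply never reaches the kernel.
grub_default_ok() {
    f=${1:-/etc/default/grub}
    line=$(grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=' "$f" | tail -n 1)
    case $line in *apparmor=1*) ;; *) return 1 ;; esac
    case $line in *security=apparmor*) ;; *) return 1 ;; esac
}

# Succeeds if the running kernel's command line carries both parameters
# as whole words (apparmor=10 or apparmor=0 do not match).
cmdline_has_apparmor() {
    f=${1:-/proc/cmdline}
    tr ' ' '\n' < "$f" | grep -qx 'apparmor=1' &&
        tr ' ' '\n' < "$f" | grep -qx 'security=apparmor'
}

# Succeeds if apparmor appears in the kernel's comma-separated list of
# active LSMs (requires securityfs mounted at /sys/kernel/security).
lsm_active() {
    f=${1:-/sys/kernel/security/lsm}
    [ -r "$f" ] || return 1
    case ",$(cat "$f")," in
        *,apparmor,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all three checks, prints one line per failure, returns non-zero
# if any check failed.
apparmor_boot_check() {
    rc=0
    grub_default_ok "${1:-/etc/default/grub}" || { echo "FAIL: GRUB_CMDLINE_LINUX_DEFAULT"; rc=1; }
    cmdline_has_apparmor "${2:-/proc/cmdline}" || { echo "FAIL: kernel command line"; rc=1; }
    lsm_active "${3:-/sys/kernel/security/lsm}" || { echo "FAIL: apparmor not an active LSM"; rc=1; }
    return "$rc"
}

# Check the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then apparmor_boot_check; fi
```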

Installing snapd itself

I recommend using layman for including the overlay. Using the following commands, we install layman, include the snapd overlay and install snapd itself:

emerge app-portage/layman
layman -L
layman -a snapd
emerge --sync
emerge --ask app-emulation/snapd

For finalizing the installation, we enable and start the necessary systemd units:

systemctl enable --now snapd
systemctl enable --now snapd.socket
systemctl enable --now snapd.apparmor

The installation of snapd is now complete and snap packages can be used.

Additional permissions for snapcraft

In case we want to allow unprivileged user accounts to create new snaps with snapcraft, we need to add them to the groups adm or lxd. The adm group is necessary if you want to use multipass for providing the build VM, lxd if you want to use LXD instead.

gpasswd --add username adm
gpasswd --add username lxd
