Snap integration in Qubes OS templates

# Introduction

The snap package format is interesting. While it used to have a bad reputation, I wanted to form my own opinion about it. After reading its design and usage documentation, I find it quite good, and I have had a good experience using some programs installed with snap.

Snapcraft official website (store / documentation)

Snap programs can be packaged as either "strict" or "classic". A strict snap runs under confinement, which can be inspected on an installed snap using `snap connections $appname`, while a "classic" snap has no sandboxing at all. Snap programs are completely decoupled from the host operating system where snap is running, so you can have old or new versions of a snap-packaged program without having to handle shared library versions.
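To see which snaps installed in a template run outside strict confinement, the following added example (not part of the original post) parses the output of `snap list` and reports every snap whose Notes column contains `classic`. It also flags `devmode`, another snap mode that is not strictly confined and that the post does not cover. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed snaps that are not strictly confined.
# The parser reads `snap list` output on stdin, so it can be checked offline.

# Print "name<TAB>mode" for each snap whose Notes column (the last field)
# contains "classic" or "devmode". Returns 1 if any such snap was found.
unconfined_snaps() {
    awk 'NR > 1 {
        # Notes can hold several comma-separated flags, e.g. "classic,held"
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++)
            if (notes[i] == "classic" || notes[i] == "devmode") {
                printf "%s\t%s\n", $1, notes[i]
                found = 1
            }
    } END { exit (found ? 1 : 0) }'
}

# Constructed sample of `snap list` output (all values are made up).
# "held" is what the Notes column shows for snaps under a refresh hold.
sample_snap_list() {
    cat <<'EOF'
Name        Version   Rev    Tracking       Publisher    Notes
core22      20240111  1122   latest/stable  canonical**  base,held
snap-store  41.3      959    latest/stable  canonical**  held
code        1.86.0    151    latest/stable  vscode**     classic,held
snapd       2.61.1    20671  latest/stable  canonical**  snapd
EOF
}

# On a template where snapd is installed, audit the real list.
if command -v snap >/dev/null 2>&1; then
    snap list | unconfined_snaps ||
        echo "the snaps listed above run without strict confinement" >&2
fi
```

For a flagged snap, `snap connections $appname` will not describe its sandbox, because a classic snap has none.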

The following setup explains how to install snap programs in a template to run them from AppVMs, not how to install snap programs in AppVMs as a user. If you need the latter, please use the Qubes OS guide linked below.

The Qubes OS documentation explains how to set up snap in a template, but with a helper to allow AppVMs to install snap programs in the user directory.

Qubes OS official documentation: install snap packages in AppVMs

In a previous blog post, I explained how to configure a Qubes OS template to install flatpak programs in it, and how to integrate it into the template.

Previous blog post: Installing flatpak programs in a Qubes OS template

Setup on Fedora

All commands are meant to be run as root.

Snap installation

Snapcraft official documentation: Installing snap on Fedora

Installing snap is easy, run the following command:

dnf install snapd

To allow "classic" snaps to work, you need to run the following command:

sudo ln -s /var/lib/snapd/snap /snap

Proxy configuration

Now configure snap to use the HTTP proxy in the template. These commands can take some time, because snap tries to use the network when invoked and has to time out first.

snap set system proxy.http="http://127.0.0.1:8082/"
snap set system proxy.https="http://127.0.0.1:8082/"

Run updates on template update

You need to prevent snap from searching for updates on its own as you will run updates when the template is updated:

snap refresh --hold

To automatically update snap programs when the template is updating (or doing any dnf operation), create the file `/etc/qubes/post-install.d/05-snap-update.sh` with the following content and make it executable:

#!/bin/sh

if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    snap refresh
fi

Qube settings menu integration

To add the menu entry of each snap program in the qube settings when you install/remove snaps, create the file `/usr/local/sbin/sync-snap.sh` with the following content and make it executable:

#!/bin/sh

# when a desktop file is created/removed
# - links snap .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0

inotifywait -m -r \
-e create,delete,close_write \
/var/lib/snapd/desktop/applications/ |
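while IFS=':' read -r event
do
    # link every snap desktop entry; -f avoids errors when the link already exists
    find /var/lib/snapd/desktop/applications/ -type l -name "*.desktop" | while read -r line
    do
        ln -sf "$line" /usr/share/applications/
    done
    # drop dangling links left behind by removed snaps
    find /usr/share/applications/ -xtype l -delete
    # regenerate the application list that is sent to dom0
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done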

Install the package `inotify-tools` so the script above works, and add this to `/rw/config/rc.local` to run it at boot:

/usr/local/sbin/sync-snap.sh &

You can run the script now with `/usr/local/sbin/sync-snap.sh &` if you plan to install snap programs.

Snap store GUI

If you want to browse and install snap programs using a nice interface, you can install the snap store.

snap install snap-store

You can run the store with `snap run snap-store` or configure your template settings to add the snap store into the applications list, and run it from your Qubes OS menu.

Debian

The setup on Debian is pretty similar: you can reuse the Fedora guide, replacing `dnf` with `apt`.

Snapcraft official documentation: Installing snap on Debian

Conclusion

More options to install programs are always good, especially when they come with features like quota or sandboxing. Qubes OS gives you the flexibility to use multiple templates in parallel, so a new source of packages can be useful for some users.