Cannot install snapd on Amazon Linux 2

I am trying to install snapd per these instructions:

It appears my server is running CentOS 7 (it is an Amazon EC2 instance):

$ cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

$ cat /proc/version
Linux version 4.14.181-142.260.amzn2.x86_64 (mockbuild@ip-10-0-1-132) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-8) (GCC)) #1 SMP Wed Jun 24 19:07:39 UTC 2020

I have run the following:

$ sudo yum install epel-release
$ sudo yum install snapd

I then get this output from yum:

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
250 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd.x86_64 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: snap-confine(x86-64) = 2.45.3.1-1.el7 for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: snapd-selinux = 2.45.3.1-1.el7 for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: fuse for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: squashfs-tools for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: squashfuse for package: snapd-2.45.3.1-1.el7.x86_64
--> Running transaction check
---> Package fuse.x86_64 0:2.9.2-11.amzn2 will be installed
---> Package snap-confine.x86_64 0:2.45.3.1-1.el7 will be installed
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
---> Package squashfs-tools.x86_64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed
--> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.x86_64
---> Package squashfuse.x86_64 0:0.1.102-1.el7 will be installed
--> Processing Dependency: squashfuse-libs(x86-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.4)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.5)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.6)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.8)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Running transaction check
---> Package fuse-libs.x86_64 0:2.9.2-11.amzn2 will be installed
---> Package libzstd.x86_64 0:1.3.3-1.amzn2.0.1 will be installed
---> Package lzo.x86_64 0:2.06-8.amzn2.0.3 will be installed
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
---> Package squashfuse-libs.x86_64 0:0.1.102-1.el7 will be installed
--> Finished Dependency Resolution
Error: Package: snapd-selinux-2.45.3.1-1.el7.noarch (epel)
           Requires: selinux-policy-base >= 3.13.1-266.el7
           Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (@amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

I also tried:

$ sudo yum install snapd-selinux
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
250 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
--> Finished Dependency Resolution
Error: Package: snapd-selinux-2.45.3.1-1.el7.noarch (epel)
           Requires: selinux-policy-base >= 3.13.1-266.el7
           Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (@amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

So far Googling for answers isn’t helping. Do I need to build snapd from source? If so… how?

Amazon Linux is NOT CentOS

Request Amazon to improve the situation.

Unfortunately it is what @Lin-Buo-Ren wrote. I would suggest to contact AMZN2 support and asking about the possibility of adding snapd to the extras repositories.

Amazon Linux 2 can install some packages from EPEL7, but not all of them. Snapd is EPEL is built with SELinux support, but AMZN2 does not ship the policy packages that the EPEL rpms are built with.

In the meantime, you can grab the source tarball from snap releases page right here: https://github.com/snapcore/snapd/releases/download/2.47.1/snapd_2.47.1.vendor.tar.xz Extract is somewhere, and the packaging/amzn-2/snapd.spec has all you need to build the RPMs yourself. You will need to copy the tarball to ~/rpmbuild/SOURCES (or set the _topdir accordingly).

Thank you @Lin-Buo-Ren & @mborzecki for your assistance. I was afraid the server was not actually a CentOS system.

I am trying to build the RPM from source but have some questions as I have never done this before:

1. Running rpmbuild -bs snapd.spec requires that I have 2 files in SOURCES:

• snapd_2.47.1.no-vendor.tar.xz
• snapd_2.47.1.only-vendor.tar.xz

The tarball from the repository link is named otherwise, so I copied it twice and renamed it. This is likely incorrect because…

2. After it builds I see the following output:

systemd_post: invalid option -- '-'
error: Unknown option - in systemd_post()
Wrote: /root/rpmbuild/SRPMS/snapd-2.47.1-0.amzn2.src.rpm

3. I then ran rpmlint to check the integrity of the binary and received:

> rpmlint snapd-2.47.1-0.amzn2.src.rpm 

snapd.src: W: no-version-in-last-changelog
snapd.src:87: E: hardcoded-library-path in %{_prefix}/lib/environment.d}
snapd.src:88: E: hardcoded-library-path in %{_prefix}/lib/systemd/system-generators}
snapd.src:89: E: hardcoded-library-path in %{_prefix}/lib/systemd/system-environment-generators}
snapd.src:279: W: unversioned-explicit-provides bundled(golang(github.com/snapcore/bolt))
snapd.src:280: W: unversioned-explicit-provides bundled(golang(github.com/coreos/go-systemd/activation))
snapd.src:281: W: unversioned-explicit-provides bundled(golang(github.com/godbus/dbus))
snapd.src:282: W: unversioned-explicit-provides bundled(golang(github.com/godbus/dbus/introspect))
snapd.src:283: W: unversioned-explicit-provides bundled(golang(github.com/gorilla/mux))
snapd.src:284: W: unversioned-explicit-provides bundled(golang(github.com/jessevdk/go-flags))
snapd.src:285: W: unversioned-explicit-provides bundled(golang(github.com/juju/ratelimit))
snapd.src:286: W: unversioned-explicit-provides bundled(golang(github.com/kr/pretty))
snapd.src:287: W: unversioned-explicit-provides bundled(golang(github.com/kr/text))
snapd.src:288: W: unversioned-explicit-provides bundled(golang(github.com/mvo5/goconfigparser))
snapd.src:289: W: unversioned-explicit-provides bundled(golang(github.com/mvo5/libseccomp-golang))
snapd.src:290: W: unversioned-explicit-provides bundled(golang(github.com/snapcore/go-gettext))
snapd.src:291: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/openpgp/armor))
snapd.src:292: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/openpgp/packet))
snapd.src:293: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/sha3))
snapd.src:294: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/ssh/terminal))
snapd.src:295: W: unversioned-explicit-provides bundled(golang(golang.org/x/xerrors))
snapd.src:296: W: unversioned-explicit-provides bundled(golang(golang.org/x/xerrors/internal))
snapd.src:297: W: unversioned-explicit-provides bundled(golang(gopkg.in/check.v1))
snapd.src:298: W: unversioned-explicit-provides bundled(golang(gopkg.in/macaroon.v1))
snapd.src:299: W: unversioned-explicit-provides bundled(golang(gopkg.in/mgo.v2/bson))
snapd.src:300: W: unversioned-explicit-provides bundled(golang(gopkg.in/retry.v1))
snapd.src:301: W: unversioned-explicit-provides bundled(golang(gopkg.in/tomb.v2))
snapd.src:302: W: unversioned-explicit-provides bundled(golang(gopkg.in/yaml.v2))
snapd.src:3324: W: macro-in-%changelog %systemd_user_
snapd.src: E: specfile-error systemd_post: invalid option -- '-'
snapd.src: E: specfile-error error: Unknown option - in systemd_post()
1 packages and 0 specfiles checked; 5 errors, 26 warnings.

I assume the warnings are probably ok; but there are some errors as well. I haven’t gone further than this yet as I am not quite sure if I should try to install this RPM given the errors mentioned.

Many thanks in advance for any help you can provide.

It builds fine here:

Processing files: snapd-debuginfo-2.47.1-0.amzn2.x86_64
Provides: snapd-debuginfo = 2.47.1-0.amzn2 snapd-debuginfo(x86-64) = 2.47.1-0.amzn2
Requires(rpmlib): rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/snapd-2.47.1-0.amzn2.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/snapd-2.47.1-0.amzn2.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/snap-confine-2.47.1-0.amzn2.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/noarch/snapd-devel-2.47.1-0.amzn2.noarch.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/snapd-debuginfo-2.47.1-0.amzn2.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.RvvLSr
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd snapd-2.47.1
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/snapd-2.47.1-0.amzn2.x86_64
+ exit 0

However, running rpmlint does indeed list an error, like so:

snapd.spec: E: specfile-error systemd_post: invalid option -- '-'
snapd.spec: E: specfile-error error: Unknown option - in systemd_post()

I did some more digging, and the error is triggered by this macro used in %post:

%systemd_user_post %{snappy_user_svcs}

Further investigation shows that the macro does not expand correctly:

$ rpmbuild -E '%systemd_user_post'
systemd_post: invalid option -- '-'
error: Unknown option - in systemd_post()

if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl preset  >/dev/null 2>&1 || : 
fi 

and that’s because the macro itself is buggy. It is defined as follows:

%systemd_user_post() %systemd_post --user --global %{?*}

but the fixed version should look at least like so (also see https://github.com/systemd/systemd/commit/e67ba783696f21782ad5c2ba00515d387016e785 for details):

%systemd_user_post() %{expand:%systemd_post \\--user \\--global %%{?*}}

This is fixed in the systemd package in RHEL7/CentOS7 (systemd-219-73.el7_8.9.x86_64 ). However, AMZN2 seems to include their own rebuild of the package (systemd-219-57.amzn2.0.12.x86_64) without fixes.

I suggest you file a bug with Amazon Linux 2 support and request the package to be updated or relevant fixed included.

Thank you very much @mborzecki. As I am out of my depth here, I will likely setup another server instance instead where it’s a more familiar environment for me. I’m only trying to get a Let’s Encrypt certificate installed for a QA server.

In the meantime, I’ll open a support request with Amazon and will report back here with updates.

For those following this thread, Amazon has opened an internal ticket on this issue and also provided a link to install Certbot on the server in its current state:

@etipaced
Thanks for the link to the internal ticket. I ran into exactly the same problem when trying to secure my spring boot backend and the instruction is very helpful.
I have a question though, at step 6 of that link, what should I put as Common Name and Subject Alternative Name (SAN)? Now I only have a URL for my backend deployed in Elastic Beanstalk , something like “www.MY-BACKEND-env.eba-i4bmsusd.us-west-1.elasticbeanstalk.com”.
I do have purchased a domain name (say my-awesome-app.com), should I use “my-awesome-app,com” as the Common Name and “www.my-awesome-app,com” as SAN?

Really it’s up to you; but it sounds like you ultimately want to run your application at the my-awesome-app.com domain, so that would be the one to use in step 6. Otherwise if you use the auto-generated domain from AWS, that would be the domain you’d be installing the LE certificate against (which may or may not be what you want).

Last update from Amazon:

November 5, 2020:

Good Day, Thank you for your response; Tshepo here again. I just received feedback from the internal ticket to the service team and have acknowledged the bug with selinux package in EPEL7 and are working hard to provide a fix. This fix is tracked internally and I cannot currently provide an ETA.

They since have closed the ticket due to inactivity on November 15, 2020.

4 posts were split to a new topic: Unofficial snapd repository for Amazon Linux 2

Download the snap-confine and snapd packages from https://github.com/albuild/snap/releases/tag/v0.1.0 and Install the package using ``` sudo yum -y install snap-confine-2.36.3-0.amzn2.x86_64.rpm snapd-2.36.3-0.amzn2.x86_64.rpm ( make sure you open the terminal on the downloads directory) Once all that is done on the same terminal and directory , enable the snapd.socket using sudo systemctl enable --now snapd.socket Log out and login (You can simply reboot your instance from the lightsail homepage) Try installing anything from the snap store without using yum and it will work.

Thanks, but the project you linked to contains very outdated binaries (2.36 released back in 2018). We actually host an unofficial Amazon Linux on one of the project contributor’s account as described here: Unofficial snapd repository for Amazon Linux 2 which is mostly up to date with the packages available in EPEL.