Cannot install snapd on Amazon Linux 2

I am trying to install snapd per these instructions:

It appears my server is running CentOS 7 (it is an Amazon EC2 instance):

$ cat /etc/*release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)

$ cat /proc/version
Linux version 4.14.181-142.260.amzn2.x86_64 (mockbuild@ip-10-0-1-132) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-8) (GCC)) #1 SMP Wed Jun 24 19:07:39 UTC 2020

I have run the following:

$ sudo yum install epel-release
$ sudo yum install snapd

I then get this output from yum:

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
250 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd.x86_64 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: snap-confine(x86-64) = 2.45.3.1-1.el7 for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: snapd-selinux = 2.45.3.1-1.el7 for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: fuse for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: squashfs-tools for package: snapd-2.45.3.1-1.el7.x86_64
--> Processing Dependency: squashfuse for package: snapd-2.45.3.1-1.el7.x86_64
--> Running transaction check
---> Package fuse.x86_64 0:2.9.2-11.amzn2 will be installed
---> Package snap-confine.x86_64 0:2.45.3.1-1.el7 will be installed
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
---> Package squashfs-tools.x86_64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed
--> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.x86_64
---> Package squashfuse.x86_64 0:0.1.102-1.el7 will be installed
--> Processing Dependency: squashfuse-libs(x86-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.4)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.5)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.6)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2(FUSE_2.8)(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuse.so.2()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.x86_64
--> Running transaction check
---> Package fuse-libs.x86_64 0:2.9.2-11.amzn2 will be installed
---> Package libzstd.x86_64 0:1.3.3-1.amzn2.0.1 will be installed
---> Package lzo.x86_64 0:2.06-8.amzn2.0.3 will be installed
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
---> Package squashfuse-libs.x86_64 0:0.1.102-1.el7 will be installed
--> Finished Dependency Resolution
Error: Package: snapd-selinux-2.45.3.1-1.el7.noarch (epel)
           Requires: selinux-policy-base >= 3.13.1-266.el7
           Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (@amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

I also tried:

$ sudo yum install snapd-selinux
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
250 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd-selinux.noarch 0:2.45.3.1-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-266.el7 for package: snapd-selinux-2.45.3.1-1.el7.noarch
--> Finished Dependency Resolution
Error: Package: snapd-selinux-2.45.3.1-1.el7.noarch (epel)
           Requires: selinux-policy-base >= 3.13.1-266.el7
           Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (@amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

So far Googling for answers isn’t helping. Do I need to build snapd from source? If so… how?

Amazon Linux is NOT CentOS

Request Amazon to improve the situation.

Unfortunately it is what @Lin-Buo-Ren wrote. I would suggest to contact AMZN2 support and asking about the possibility of adding snapd to the extras repositories.

Amazon Linux 2 can install some packages from EPEL7, but not all of them. Snapd is EPEL is built with SELinux support, but AMZN2 does not ship the policy packages that the EPEL rpms are built with.

In the meantime, you can grab the source tarball from snap releases page right here: https://github.com/snapcore/snapd/releases/download/2.47.1/snapd_2.47.1.vendor.tar.xz Extract is somewhere, and the packaging/amzn-2/snapd.spec has all you need to build the RPMs yourself. You will need to copy the tarball to ~/rpmbuild/SOURCES (or set the _topdir accordingly).

3 Likes

Thank you @Lin-Buo-Ren & @mborzecki for your assistance. I was afraid the server was not actually a CentOS system.

I am trying to build the RPM from source but have some questions as I have never done this before:

1. Running rpmbuild -bs snapd.spec requires that I have 2 files in SOURCES:

  • snapd_2.47.1.no-vendor.tar.xz
  • snapd_2.47.1.only-vendor.tar.xz

The tarball from the repository link is named otherwise, so I copied it twice and renamed it. This is likely incorrect because…

2. After it builds I see the following output:

systemd_post: invalid option -- '-'
error: Unknown option - in systemd_post()
Wrote: /root/rpmbuild/SRPMS/snapd-2.47.1-0.amzn2.src.rpm

3. I then ran rpmlint to check the integrity of the binary and received:

> rpmlint snapd-2.47.1-0.amzn2.src.rpm 

snapd.src: W: no-version-in-last-changelog
snapd.src:87: E: hardcoded-library-path in %{_prefix}/lib/environment.d}
snapd.src:88: E: hardcoded-library-path in %{_prefix}/lib/systemd/system-generators}
snapd.src:89: E: hardcoded-library-path in %{_prefix}/lib/systemd/system-environment-generators}
snapd.src:279: W: unversioned-explicit-provides bundled(golang(github.com/snapcore/bolt))
snapd.src:280: W: unversioned-explicit-provides bundled(golang(github.com/coreos/go-systemd/activation))
snapd.src:281: W: unversioned-explicit-provides bundled(golang(github.com/godbus/dbus))
snapd.src:282: W: unversioned-explicit-provides bundled(golang(github.com/godbus/dbus/introspect))
snapd.src:283: W: unversioned-explicit-provides bundled(golang(github.com/gorilla/mux))
snapd.src:284: W: unversioned-explicit-provides bundled(golang(github.com/jessevdk/go-flags))
snapd.src:285: W: unversioned-explicit-provides bundled(golang(github.com/juju/ratelimit))
snapd.src:286: W: unversioned-explicit-provides bundled(golang(github.com/kr/pretty))
snapd.src:287: W: unversioned-explicit-provides bundled(golang(github.com/kr/text))
snapd.src:288: W: unversioned-explicit-provides bundled(golang(github.com/mvo5/goconfigparser))
snapd.src:289: W: unversioned-explicit-provides bundled(golang(github.com/mvo5/libseccomp-golang))
snapd.src:290: W: unversioned-explicit-provides bundled(golang(github.com/snapcore/go-gettext))
snapd.src:291: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/openpgp/armor))
snapd.src:292: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/openpgp/packet))
snapd.src:293: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/sha3))
snapd.src:294: W: unversioned-explicit-provides bundled(golang(golang.org/x/crypto/ssh/terminal))
snapd.src:295: W: unversioned-explicit-provides bundled(golang(golang.org/x/xerrors))
snapd.src:296: W: unversioned-explicit-provides bundled(golang(golang.org/x/xerrors/internal))
snapd.src:297: W: unversioned-explicit-provides bundled(golang(gopkg.in/check.v1))
snapd.src:298: W: unversioned-explicit-provides bundled(golang(gopkg.in/macaroon.v1))
snapd.src:299: W: unversioned-explicit-provides bundled(golang(gopkg.in/mgo.v2/bson))
snapd.src:300: W: unversioned-explicit-provides bundled(golang(gopkg.in/retry.v1))
snapd.src:301: W: unversioned-explicit-provides bundled(golang(gopkg.in/tomb.v2))
snapd.src:302: W: unversioned-explicit-provides bundled(golang(gopkg.in/yaml.v2))
snapd.src:3324: W: macro-in-%changelog %systemd_user_
snapd.src: E: specfile-error systemd_post: invalid option -- '-'
snapd.src: E: specfile-error error: Unknown option - in systemd_post()
1 packages and 0 specfiles checked; 5 errors, 26 warnings.

I assume the warnings are probably ok; but there are some errors as well. I haven’t gone further than this yet as I am not quite sure if I should try to install this RPM given the errors mentioned.

Many thanks in advance for any help you can provide.

It builds fine here:

Processing files: snapd-debuginfo-2.47.1-0.amzn2.x86_64
Provides: snapd-debuginfo = 2.47.1-0.amzn2 snapd-debuginfo(x86-64) = 2.47.1-0.amzn2
Requires(rpmlib): rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/snapd-2.47.1-0.amzn2.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/snapd-2.47.1-0.amzn2.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/snap-confine-2.47.1-0.amzn2.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/noarch/snapd-devel-2.47.1-0.amzn2.noarch.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/snapd-debuginfo-2.47.1-0.amzn2.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.RvvLSr
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd snapd-2.47.1
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/snapd-2.47.1-0.amzn2.x86_64
+ exit 0

However, running rpmlint does indeed list an error, like so:

snapd.spec: E: specfile-error systemd_post: invalid option -- '-'
snapd.spec: E: specfile-error error: Unknown option - in systemd_post()

I did some more digging, and the error is triggered by this macro used in %post:

%systemd_user_post %{snappy_user_svcs}

Further investigation shows that the macro does not expand correctly:

$ rpmbuild -E '%systemd_user_post'
systemd_post: invalid option -- '-'
error: Unknown option - in systemd_post()

if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl preset  >/dev/null 2>&1 || : 
fi 

and that’s because the macro itself is buggy. It is defined as follows:

%systemd_user_post() %systemd_post --user --global %{?*}

but the fixed version should look at least like so (also see https://github.com/systemd/systemd/commit/e67ba783696f21782ad5c2ba00515d387016e785 for details):

%systemd_user_post() %{expand:%systemd_post \\--user \\--global %%{?*}}

This is fixed in the systemd package in RHEL7/CentOS7 (systemd-219-73.el7_8.9.x86_64 ). However, AMZN2 seems to include their own rebuild of the package (systemd-219-57.amzn2.0.12.x86_64) without fixes.

I suggest you file a bug with Amazon Linux 2 support and request the package to be updated or relevant fixed included.

1 Like

Thank you very much @mborzecki. As I am out of my depth here, I will likely setup another server instance instead where it’s a more familiar environment for me. I’m only trying to get a Let’s Encrypt certificate installed for a QA server.

In the meantime, I’ll open a support request with Amazon and will report back here with updates.

1 Like

For those following this thread, Amazon has opened an internal ticket on this issue and also provided a link to install Certbot on the server in its current state:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#install

3 Likes

@etipaced
Thanks for the link to the internal ticket. I ran into exactly the same problem when trying to secure my spring boot backend and the instruction is very helpful.
I have a question though, at step 6 of that link, what should I put as Common Name and Subject Alternative Name (SAN)? Now I only have a URL for my backend deployed in Elastic Beanstalk , something like “www.MY-BACKEND-env.eba-i4bmsusd.us-west-1.elasticbeanstalk.com”.
I do have purchased a domain name (say my-awesome-app.com), should I use “my-awesome-app,com” as the Common Name and “www.my-awesome-app,com” as SAN?

Really it’s up to you; but it sounds like you ultimately want to run your application at the my-awesome-app.com domain, so that would be the one to use in step 6. Otherwise if you use the auto-generated domain from AWS, that would be the domain you’d be installing the LE certificate against (which may or may not be what you want).

1 Like

Last update from Amazon:

November 5, 2020:

Good Day,
Thank you for your response; Tshepo here again.
I just received feedback from the internal ticket to the service team and have acknowledged the bug with selinux package in EPEL7 and are working hard to provide a fix. This fix is tracked internally and I cannot currently provide an ETA.

They since have closed the ticket due to inactivity on November 15, 2020.

1 Like

We are currently rebuilding the package and pushing them to a custom repository. You can grab the YUM repo file right here: https://people.canonical.com/~mvo/snapd/amazon-linux2/snapd-amzn2.repo

If EPEL is enabled in your system, you may need to be a bit more specific when installing snapd, so instead of

$ yum install snapd

you may need to run

$ yum install snapd-2.47.1-1.amzn2.1

The package is based on the EPEL one, with the main difference that SELinux is disabled (since it’s not supported by AMZN2 kernel anyway), and /snap -> /var/lib/snapd/snap symlink is avaialble out of the box.

We want to make the repository a bit more official and eventually host it at snapcraft.io.

You can also add this at the inside the /etc/yum.conf file to disable snapd packages from EPEL:

[main]
...
exclude=snapd-*.el7 snap-*.el7
2 Likes