Connect to snapd on remote side

Hello, Everybody
As far as I know, the snap command-line client interacts with the snapd service to manage and maintain snaps.
By default, when installing snapd, both of the above tools are installed together on the local machine.
I want to know if there is any way to connect to a remote snapd hosted on the remote side and manage the snaps in that way?
Something like Docker Engine and the docker command line, for example?

Thanks,
Ali

There is an API: https://snapcraft.io/docs/snapd-api


Communication between the snap command line utility and snapd is done via an HTTP protocol over a UNIX domain socket, with the intention that the same protocol could be used for remote access at some point in the future.

With that said, it likely won’t be as simple as just making snapd listen on a TCP socket. The API has grown since those early plans, and there would need to be a security review of what level of access makes sense for remote clients. The outcome might even be that the existing snapd API is the wrong level for remote management/administration.


Thank you guys. I have checked the API provided by @ogra.
@jamesh I have an IoT-first development in mind.
Do any concerns exist about the snapd API? If yes, where are these concerns located in the roadmap of snap and snapd?

As I said in the previous post, the API has expanded since those early days without a lot of thought directed at remote access. Originally there were effectively two levels of access:

  • open access: can be accessed by anyone, including unprivileged users.
  • authenticated access: must be root, or have an access token acquired via snap login.

Since then, a “root only access” mode was added for some new API endpoints that can’t be accessed by non-root users (even if they have an access token), and authenticated access also supports polkit authorisation (to allow non-root admin users to access the API without an access token).

Some obvious questions include:

  • Does the open access mode make sense for TCP access? The information considered safe to provide to a local user is different from the information considered safe to provide to unauthenticated remote clients.
  • How should the “root only” endpoints behave for remote clients? Is it okay if they are simply unavailable?
  • How would a client verify that it is talking to the snapd instance it thinks it is? With the UNIX domain socket, the client knows that non-root users would not be able to create the socket file and there is no need to worry about communications being snooped on or altered.

If all you’re trying to do is install an Ubuntu Core system and install/configure a few snaps on it, there might be other tools besides remote API access that satisfy your needs.

You can fairly easily build a custom image to flash onto the devices that includes your custom snaps. The process goes something like this:

  1. Write a model definition that specifies the kernel, gadget, boot base snap, and any extra snaps required by the device.
  2. Sign the definition to create a model assertion using snap sign and a key registered to your developer account.
  3. Use the ubuntu-image tool to build an image from the model assertion. This will download the referenced snaps from the store, or can use local copies of those snaps if appropriate.
  4. Flash the image to your devices and leave them to boot.

For simple cases, you can use the standard kernel and gadget snaps provided by Canonical. For more complicated cases you might need to create your own gadget snap, which lets you set initial snap set style configuration or connect up interface plugs/slots for the pre-loaded snaps that wouldn’t normally auto-connect.
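
Added example, not part of any post in this thread and not snapd's own code: a small Python client for the transport described earlier in the thread (HTTP over a UNIX domain socket) that first checks the socket-file ownership property raised in the question about how a client knows which snapd it is talking to. `/run/snapd.socket` and `/v2/system-info` are snapd's default socket path and a documented endpoint; `UnixHTTPConnection`, `socket_is_trusted` and `snapd_get` are hypothetical names.

```python
import http.client
import json
import os
import socket
import stat

SNAPD_SOCKET = "/run/snapd.socket"  # snapd's default API socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that runs over an AF_UNIX stream socket instead of TCP."""

    def __init__(self, path, timeout=5):
        super().__init__("localhost", timeout=timeout)  # only used for Host:
        self._path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self._path)


def socket_is_trusted(path, owner_uid=0):
    """Hypothetical helper: is `path` a socket that `owner_uid` created?"""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at `path`
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # The directory check narrows the check-then-connect race: another user
    # cannot swap the socket file without write access to its directory.
    return (stat.S_ISSOCK(st.st_mode)
            and st.st_uid == owner_uid
            and parent.st_uid == owner_uid
            and not parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def snapd_get(endpoint, path=SNAPD_SOCKET, owner_uid=0):
    """Hypothetical helper: GET `endpoint`, return (status, decoded JSON)."""
    if not socket_is_trusted(path, owner_uid):
        raise PermissionError(f"{path}: not a socket owned by uid {owner_uid}")
    conn = UnixHTTPConnection(path)
    try:
        conn.request("GET", endpoint)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    status, body = snapd_get("/v2/system-info")  # an open-access endpoint
    print(status, body["result"]["version"])
```

None of these filesystem checks has an equivalent on a TCP listener, which is the gap the thread's question about verifying the remote snapd instance points at.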