As I said in the previous post, the API has expanded since those early days without a lot of thought directed at remote access. Originally there were effectively two levels of access:
- open access: can be accessed by anyone, including unprivileged users.
- authenticated access: must be root, or have an access token acquired via
Since then, a “root only access” mode was added for some new API endpoints that won’t allow access by non-root users (even if they have an access token), and authenticated access also supports polkit authorisation (to allow non-root admin users to access the API without an access token).
Some obvious questions include:
- Does the open access mode make sense for TCP access? The information considered safe to provide to a local user is different from information considered safe to provide to unauthenticated remote clients.
- How should the “root only” endpoints behave for remote clients? Is it okay if they are simply unavailable?
- How would a client verify that it is talking to the snapd instance it thinks it is? With the UNIX domain socket, the client knows that non-root users would not be able to create the socket file and there is no need to worry about communications being snooped on or altered.
If all you’re trying to do is install an Ubuntu Core system and install/configure a few snaps on it, there might be other tools besides remote API access that satisfy your needs.
You can fairly easily build a custom image to flash onto the devices that includes your custom snaps. The process goes something like this:
- Write a model definition that specifies the kernel, gadget, boot base snap, and any extra snaps required by the device.
- Sign the definition to create a model assertion using `snap sign` and a key registered to your developer account.
- Use the `ubuntu-image` tool to build an image from the model assertion. This will download the referenced snaps from the store, or can use local copies of those snaps if appropriate.
- Flash the image to your devices and leave them to boot.
For simple cases, you can use the standard kernel and gadget snaps provided by Canonical. For more complicated cases you might need to create your own gadget snap, which lets you set initial `snap set` style configuration or connect up interface plugs/slots for the pre-loaded snaps that wouldn’t normally auto-connect.
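
The image-building steps listed in the post, sketched as a shell script. This is an added example, not part of the original post: it assumes Ubuntu Core 18 style model headers, and the account id, key name, model name and `my-app` snap are placeholders. It also adds a pre-signing check that `authority-id` and `brand-id` match, since snapd expects a model assertion to be signed by the brand itself.

```shell
#!/bin/sh
# Added example. BRAND_ID, KEY_NAME, "my-device" and "my-app" are placeholders.
BRAND_ID="${BRAND_ID:-<your-developer-account-id>}"
KEY_NAME="${KEY_NAME:-my-model-key}"

# Step 1: model definition (Ubuntu Core 18 style headers, assumed here).
write_model() {   # $1 = output path
    cat > "$1" <<EOF
{
  "type": "model",
  "series": "16",
  "authority-id": "$BRAND_ID",
  "brand-id": "$BRAND_ID",
  "model": "my-device",
  "architecture": "amd64",
  "base": "core18",
  "gadget": "pc=18",
  "kernel": "pc-kernel=18",
  "required-snaps": ["my-app"],
  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}
EOF
}

# Print the value of a string header ($2) from the JSON file ($1).
field() { sed -n "s/^ *\"$2\": *\"\(.*\)\",\{0,1\}\$/\1/p" "$1"; }

# Pre-signing check: the signer must be the brand, and the placeholder
# account id must have been replaced with a real one.
check_model() {
    a=$(field "$1" authority-id)
    b=$(field "$1" brand-id)
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    case "$a" in *'<'*) return 1 ;; esac
    return 0
}

# Steps 2 and 3: sign the definition, then build the image from the assertion.
build_image() {
    write_model model.json
    check_model model.json || { echo "model.json failed checks" >&2; return 1; }
    snap sign -k "$KEY_NAME" < model.json > my.model
    ubuntu-image snap my.model
}

# Run as "sh build.sh build" (hypothetical file name) to do the real work.
if [ "${1:-}" = "build" ]; then build_image; fi
```

Flashing the resulting image (the last step) is left to whatever tool suits the device.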