Do core snaps come with bundled kernels?

kedstar991 · December 30, 2020, 1:46pm

Hello,

I was just wanting to expand my knowledge regarding snaps/linux and how they work. How does a snap which use core18/core20 work on say ubuntu 16.04?

Suppose the snap requires some specific kernel feature that is only available with a newer glibc/kernel. How potentially does a core20 kernel environment get loaded and bundled to run and execute on 16.04?

I notice on my 20.10 install that the core base snap comes with an initrd.img-core whilst core18/core20 do not. How does this get used and why isn’t is present in core18/core20? Also, when I run a shell environment in a snap, it seems to print out the kernel in use on my system rather than a specific core kernel.

In a previous discussion thread, there was a post about how kernels get bundled so I assume the above is true somehow. Ubuntu core 18? I was just curious specifically as to how this secondary kernel gets loaded and use. I assume with some kexec system call?

Thanks in advance for your clarification.

James-Carroll · December 30, 2020, 1:41pm

An important distinction between virtual machines and containers is that containers share their hosts kernel space, and virtual machines create new kernel spaces. So the simplest answer to how snap interacts with the kernel on classic systems is that it simply doesn’t, if your app absolutely required kernel functionality your kernel didn’t have in a classic system, snap can’t help you.

Ubuntu core 18 isn’t a classic system though and can make use of kernel snaps, but I’m not confident to say how the Core system works since I’ve never had reason to use it. https://snapcraft.io/docs/kernel-snap

Regarding specifically glibc, that’s a userspace component and the base snaps do ship it, so you can guarantee older systems have a version of glibc compatible with the code in your snap whereas a system like AppImage generally doesn’t make this guarantee (and heavily advises against it).

Edit: Thinking about the “core” base generally, it’s honestly just old and has a lot of inherent legacy behaviour about it. For example, it facilitates re-executing snapd to keep it on the latest version, something that core18 and core20 don’t do because they split off that functionality to the snapd snap instead. I’d imagine the initrd file makes sense when core16 was modern but not with modern designs.

ogra · December 30, 2020, 5:22pm

snaps are executed on top of their base snap … i.e. a snap with base: core18 uses core18 as its rootfs inside its confinement. so if you install a base: core18 snap on a 16.04 system, the executables will in fact run on top of a 18.04 userspace …

the kernel features snaps use are rather generic security features (seccomp, apparmor, namespaces, cgroups, …) that are available in all kernels since 4.x (4.4 i think). if snapd finds a kernel feature missing it is able to run the appliactions with degraded confinement (you can check this with the snap debug confinement and snap debug sandbox-features commands)

Ubuntu Core has a very specific boot process that is managed by initramfs scripts to assemble a rootfs of the various layers … i.e. on boot the “writable” partition gets mounted, the core(18,20) squashfs from the snap is searched and mounted as readonly filesystem, writable bits are established as bind mounts hooked into this readonly fs where required. once this mount assembly is done, the system switches to the assembled stack and it becomes your rootfs.

in core16 we were still building the initrd.img as a part of the core snap itself to make sure the binaries there match whats in the rootfs. when building a kernel snap the core snap is downloaded and the initrd.img from there is used (potential changes like adding kernel modules or firmware are achieved by unpacking/re-packing of the initrd.img file)
this setup was also used in core18 (simply re-using the initrd.img from the core(16) snap). with core20 there is now a pre-built initrd.img that is pulled from launchpad instead of pulling it ut of the core snap.

kernels are bundled with Ubuntu Core images (simply to boot from), but not for snap applications running on some classically installed distro, there is no direct connection between kernels (beyond, well requiring certain options to be set for full confinement) and snap packages.

the Ubuntu Core kernels are simply a “snapped version” of the kernels shipped with the respective release (i.e. UC16 -> 4.4, UC18 -> 4.15, UC20 -> 5.4)

tl;dr: kernels are only relevant for Ubuntu Core installations, nt for snap packages in general