As title, I’d like to know what its purpose but can’t find the documentation, any pointers?
As part of the setup sequence for running a snap on a classic system, a new mount namespace is setup for the snap when it is first run (this also can be setup if it’s run again after the namespace has been discarded by
/usr/lib/snapd/snap-discard-ns). The first step is to mount the rootfs snap (currently the core snap, but could be any base snap) file as “/”, so that the snap’s rootfs shows up as the core snap (or the specified base snap). After setting this up, a pivot_root is executed to enter the new rootfs (this is similar to a chroot if you’re more familiar with that), and part of how pivot_root works is that when you go into a new root, pivot_root needs to put the oldroot somewhere, and so for snaps, the oldroot parameter gets set to
/var/lib/snapd/hostfs. This way files from the original filesystem don’t “disappear”. Then to prevent snaps from accessing all the host’s files through this path, access to
/var/lib/snapd/hostfs is mediated through AppArmor to prevent accessing those files (but in some cases access is allowed, i.e. for getting NVIDIA GPU drivers, but it’s very specific what’s allowed). However as a proof of concept, you can use a utility called
nsenter to peek at what the namespaces the snap is setup with and look at this
/var/lib/snapd/hostfs, but notably without any of the confinement of snapd. First start a process confined by
snap-confine and get it’s pid:
$ snap run --shell hello-world.hello-world To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. $ echo $BASHPID 15255
Now we enter the same mount namespace with
nsenter (note the
--all option doesn’t appear to exist on xenial):
$ sudo nsenter -t 15255 --all -bash: /usr/bin/locale-check: No such file or directory # ls /meta/snap.yaml /meta/snap.yaml # cat /meta/snap.yaml name: core version: 16-2.35.2 summary: snapd runtime environment description: The core runtime environment for snapd type: os architectures: - amd64 confinement: strict grade: stable # ls /var/lib/snapd/hostfs/ bin dev home lib libx32 mnt root snap sys var boot etc initrd.img lib32 lost+found opt run srv tmp vmlinuz cdrom initrd.img.old lib64 media proc sbin swapfile usr vmlinuz.old # ls / bin dev home lib64 meta opt root sbin srv tmp var boot etc lib media mnt proc run snap sys usr writable
Also see the README on snap-confine’s mount namespaces here
Thanks for the explanation! Fully appreciated!
While Ians explanation is really excellent, I really don’t think such deep technical implementation details belong in the documentation though.
/var/lib/snapd/hostfs is nothing you should ever touch directly from a snap neither as user nor as developer, it is an implementation detail of snap namespace handling and confinement.
Actually, @zyga-snapd’s explanation here is the best version of this : Snapd 2.36, snap-confine logic walkthrough