How I use snapcraft as a package manager

As far as we know, snapcraft only allows approved software maintainers to have “classic” confinement. So today I will share how I use this restriction for my system and package management in a cluster of a thousand Ubuntu servers.

  1. Register the snap name.
  2. Build your snap with strict confinement.
  3. Snapcraft push your private app.
  4. Install your app using the snap command.
  5. Jailbreak the confinement with "sudo ln -s /snap/myapp/current/bin/mybinary /usr/local/sbin/mybinary".

With this solution, I’m able to publish the latest app to all my servers while allowing the app to have “classic” privileges :smiley:
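The five steps above, carried out end to end as an added example (this is not code from the thread, from snapcraft or from snapd). It assumes the snap is called myapp and the app mybinary, writes the strict-confinement snapcraft.yaml that step 2 needs for a single static binary, and then does the step-5 symlink under a throwaway directory so the script runs offline. The store and snapd commands (register, build, upload, install) only execute when DRY_RUN=0 because they need a store login and a host running snapd; the .snap filename in the upload step is also an assumption. The last function is the check a cluster operator would want: it lists every symlink in the given directories that points straight into /snap/<name>/<rev>/..., i.e. a binary that PATH lookups will start without snap-confine and without its snap.<name>.<app> AppArmor profile.

```shell
#!/bin/sh
# Added example, not code from the forum thread, snapcraft or snapd.
# Assumed names: snap "myapp", app "mybinary". Store/snapd commands are
# echoed unless DRY_RUN=0; the symlink and audit use a temporary tree.
set -eu

SNAP_NAME="${SNAP_NAME:-myapp}"
BIN_NAME="${BIN_NAME:-mybinary}"
DRY_RUN="${DRY_RUN:-1}"

# Echo or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Step 2: a minimal strict-confinement snapcraft.yaml for one static binary
# (the Go/Rust single-binary case). Writes $1/snap/snapcraft.yaml and
# prints its path. The "dump" plugin copies build/ into the snap as-is.
write_snapcraft_yaml() {
    mkdir -p "$1/snap"
    cat > "$1/snap/snapcraft.yaml" <<EOF
name: $SNAP_NAME
base: core22
version: '0.1'
summary: Internal cluster tool
description: Single static binary shipped through the snap store.
confinement: strict
grade: stable
apps:
  $BIN_NAME:
    command: bin/$BIN_NAME
parts:
  $BIN_NAME:
    plugin: dump
    source: build/
EOF
    echo "$1/snap/snapcraft.yaml"
}

# Steps 1, 3 and 4: register, build, upload, install. "snapcraft upload" is
# the current name of "snapcraft push". The .snap filename is an assumption.
publish_and_install() {
    run snapcraft register "$SNAP_NAME"
    run snapcraft
    run snapcraft upload --release=stable "${SNAP_NAME}_0.1_amd64.snap"
    run sudo snap install "$SNAP_NAME"
}

# Step 5, the symlink, laid out under fake root $1 so it runs without snapd.
# Mirrors what snapd creates on a real host: /snap/<name>/<rev>, the
# "current" symlink, and the /snap/bin launcher that points at /usr/bin/snap.
link_binary_out_of_snap() {
    root="$1"
    mkdir -p "$root/snap/$SNAP_NAME/x1/bin" "$root/snap/bin" "$root/usr/local/sbin"
    printf '#!/bin/sh\necho hello\n' > "$root/snap/$SNAP_NAME/x1/bin/$BIN_NAME"
    chmod 755 "$root/snap/$SNAP_NAME/x1/bin/$BIN_NAME"
    ln -sf x1 "$root/snap/$SNAP_NAME/current"
    ln -sf /usr/bin/snap "$root/snap/bin/$BIN_NAME"
    # The bypass: a PATH lookup now reaches the binary directly, skipping
    # snap-confine and the snap.<name>.<app> AppArmor profile.
    ln -sf "/snap/$SNAP_NAME/current/bin/$BIN_NAME" "$root/usr/local/sbin/$BIN_NAME"
}

# Audit: print "link -> target" for every symlink in the given directories
# whose target points into /snap/<name>/<rev-or-current>/..., i.e. a binary
# that will run outside snap-confine. Links to /snap/bin/* are snapd's own
# launcher and are skipped. Returns 0 when nothing was found, 1 otherwise.
find_confinement_bypasses() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for link in "$dir"/*; do
            [ -L "$link" ] || continue
            target=$(readlink "$link")
            case "$target" in
                /snap/bin/*) ;;
                /snap/*/*/*) echo "$link -> $target"; found=1 ;;
            esac
        done
    done
    return "$found"
}

# Stand-alone demo against a temporary tree.
demo() {
    tmp=$(mktemp -d)
    write_snapcraft_yaml "$tmp/src" >/dev/null
    publish_and_install
    link_binary_out_of_snap "$tmp/root"
    find_confinement_bypasses "$tmp/root/usr/local/sbin" "$tmp/root/snap/bin" \
        || echo "confinement bypass found"
    rm -rf "$tmp"
}
demo
```

On a real host, point the audit at the directories that are actually on PATH, for example find_confinement_bypasses /usr/local/bin /usr/local/sbin, and run the publishing steps with DRY_RUN=0 on a machine that has snapcraft, a store login and snapd. To see the difference the symlink makes, compare cat /proc/self/attr/current inside snap run --shell myapp.mybinary (the AppArmor profile snap.myapp.mybinary in enforce mode) with the same command run from the /usr/local/sbin link, which reports the caller's own, unconfined, label.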

I’d much rather you didn’t, and there is no promise that this will carry on working down the road, but, sure, today it’ll work.

Also, if you do this, and expose a vulnerability through your now unconfined app, and your cluster of thousands of Ubuntu servers gets compromised as a consequence, don’t come crying to us.


Also, your app dependency libraries won’t be found within the snap. Instead they’ll be searched for within your host system, which means that you are likely to encounter incompatibilities and breakage.

Along with all that has been said already, doesn’t this setup mean that everyone installing your snap from the store will get a completely broken package (until she does the linking etc.)? Assuming you don’t test it in the actual confined use case …


The app is written in Go/Rust and distributed as a single binary. Even if the user installs the app, it will work in strict confinement but miss the features the classic binary has.

The whole idea is that we don’t have to deal with a deb repo or wait for servers to run apt update and upgrade. Snapd will update the release to the latest version.

You can set the app to private-only if you want to control who can install your application.

Maybe in the future I will submit my app for classic confinement review. We’ll see…

An unconfined app is still restricted by local POSIX restrictions like file permissions etc. The app still requires sudo if it requires system access. AppArmor on the system is used to prevent this. The whole idea is how we use snapd to distribute the binary and make sure the system always uses the latest binary.