Interface management


#1

When a snap needs to access a resource outside of its own confinement, it uses an interface. Interfaces enable resources from one snap to be shared with another.

Interfaces are commonly used to enable a snap to access OpenGL acceleration, sound playback or recording, your network and your $HOME directory. But which interfaces a snap requires, and provides, is very much dependent on the type of snap and its own requirements.

Most users don’t need to worry about interfaces. Snaps are designed for strong application isolation and safe interface connections are made automatically.

To see which interfaces a snap is using, type snap connections <snapname>:

$ snap connections vlc
Interface            Plug                  Slot               Notes
camera               vlc:camera            -                  - 
desktop              vlc:desktop           :desktop           -
desktop-legacy       vlc:desktop-legacy    :desktop-legacy    -
home                 vlc:home              :home              -
mount-observe        vlc:mount-observe     -                  -
mpris                -                     vlc:mpris          -
pulseaudio           vlc:pulseaudio        :pulseaudio        -
(...)

In the above output, you can see that VLC isn’t using the camera interface because its slot is empty, and that the home interface is connected to the system $HOME directory (denoted by the :home slot name).

See Supported interfaces for a comprehensive list of interfaces supported by snap.

Slots and plugs

An interface consists of a connection between a slot and a plug. The slot is the provider of the interface while the plug is the consumer, and a slot can support multiple plug connections.

interfaces_plugs-slots

In the output to snap connections vlc (see above), every interface used by VLC is listed in the first column. The Plug and Slot columns then describe how each interface is connected. For instance, the pulseaudio interface connects VLC’s PulseAudio plug to the system’s PulseAudio slot, shown as pulseaudio vlc:pulseaudio :pulseaudio -.

You can see which other snaps are using an interface with the interface command:

$  snap interface pulseaudio
name:    pulseaudio
summary: allows operating as or interacting with the pulseaudio service
plugs:
  - spotify
  - vlc
slots:
  - core

In the above output, you can see that both VLC and Spotify snaps are connected to the Core PulseAudio slot. Core and system are synonymous.

Manual connections

An interface may be automatically connected when the snap is installed, or manually connected at some point after installation.

To list all currently registered interfaces for your system, along with their slots, plugs and current connections, use the snap connections command with no further arguments:

$ snap connections
Interface       Plug                    Slot                    Notes
home            vlc:home                :home                   -
network         vlc:network             :network                -
network         wormhole:network        :network                -
pulseaudio      vlc:pulseaudio          :pulseaudio             -
(...)

Interfaces provided by the system begin with the : (colon) symbol and are implemented by the Core snap, such as with :pulseaudio in the above output. For a slot to be visible, and connectable, its corresponding snap needs to be installed.

To view which snaps provide connectable slots and plugs, use the snap interface <interface name> command (not the connections command we used earlier):

$ snap interface pulseaudio
snap interface pulseaudio
name:    pulseaudio
summary: allows operating as or interacting with the pulseaudio service
plugs:
  - vlc
slots:
  - core

To make a connection, use the following syntax:

$ snap connect <snap>:<plug interface> <snap>:<slot interface>

A slot and a plug can only be connected if they have the same interface name. For example, to connect FFmpeg’s PulseAudio plug to the system’s PulseAudio slot, you’d enter the following:

$ sudo snap connect ffmpeg:pulseaudio :pulseaudio

To disconnect an interface, use snap disconnect:

$ snap disconnect <snap>:<plug interface> <snap>:<slot interface>

Following our previous example, you could would disconnect ffmpeg:pulseaudio with the following command:

$ sudo snap disconnect ffmpeg:pulseaudio :pulseaudio

ⓘ A successful connection grants any necessary permissions that may be required by the interface to function.


Supported interfaces
Home folder folder permissions
Adding OpenGL/GPU support to a snap
Security policy and sandboxing
Command line utility needs read access to file in current dir
Classic request for Godot
Secret key has missing trust [sic] in Thunderbird
Snapcraft overview
Snap confinement
The device-buttons interface
Supported snap hooks
Snapcraft app and service metadata
Interface hooks
Access to NAS drive
Access to NAS drive
The accounts-service interface
The upower-observe interface
The unity8-contacts interface
The unity8-calendar interface
The unity8 interface
The uhid interface
The udisks2 interface
The ubuntu-download-manager interface
The tpm interface
The timezone-control interface
The timeserver-control interface
The time-control interface
The thumbnailer-service interface
The system-trace interface
The system-observe interface
The storage-framework-service interface
The ssh-public-keys interface
The ssh-keys interface
The spi interface
The snapd-control interface
The shutdown interface
The serial-port interface
The screen-inhibit-control interface
The removable-media interface
The raw-usb interface
The pulseaudio interface
Getting started
The process-control interface
The ppp interface
The physical-memory-observe interface
The physical-memory-control interface
The password-manager-service interface
The optical-drive interface
The openvswitch-support interface
The openvswitch interface
The opengl interface
The online-accounts-service interface
The ofono interface
The network-status interface
The network-setup-observe interface
The network-setup-control interface
The network-observe interface
The network-manager interface
The network-control interface
The network-bind interface
The network interface
The netlink-connector interface
The netlink-audit interface
The mpris interface
The mount-observe interface
The modem-manager interface
The mir interface
The media-hub interface
The maliit interface
The lxd-support interface
The lxd interface
The log-observe interface
The location-observe interface
The location-control interface
The locale-control interface
The libvirt interface
The kvm interface
The kubernetes-support interface
The kernel-module-control interface
The juju-client-observe interface
The joystick interface
The io-ports-control interface
The iio interface
The i2c interface
The hostname-control interface
The home interface
The hidraw interface
The hardware-random-observe interface
The hardware-random-control interface
The hardware-observe interface
The gsettings interface
The greengrass-support interface
The gpio-memory-control interface
The gpio interface
The gpg-public-keys interface
The gpg-keys interface
The fwupd interface
The fuse-support interface
The framebuffer interface
The firewall-control interface
The dvb interface
The dummy interface
The docker-support interface
The can-bus interface
The calendar-service interface
The bool-file interface
The docker interface
The unity7 interface
The x11 interface
The wayland interface
Supported interfaces
The dbus interface
The desktop interface
The desktop-legacy interface
The dcdbas-control interface
The cpu-control interface
The cups-control interface
The core-support interface
The classic-support interface
The camera interface
The browser-support interface
The broadcom-asic-control interface
The bluez interface
The bluetooth-control interface
The avahi-observe interface
The avahi-control interface
The autopilot-introspection interface
The alsa interface
Snap Documentation
The content interface
The account-control interface
Snapcraft checklist
Permission denied when trying to access user files
Manual Review Requested - hub (classic confinement)
Snapcraft.yaml reference
Gtk-Message: Failed to load module "appmenu-gtk-module"
Minecraft launcher crashed in Debian
Home folder folder permissions
Using in-development features in `snapcraft.yaml`
Pulseaudio recording
Parallel Installs
Developing hotplug interfaces
Hotplug support
The intel-mei interface
The daemon-notify interface
The display-control interface
The u2f-devices interface
The block-devices interface
The adb-support interface
The kernel-module-observe interface
The system-files interface
The personal-files interface
#2

Is it correct that for a Snap to operate in confined mode through an interface, that the app must somehow code against that interface? For example, if I have an X11 app would I code it against the Snap X11 wrapper, or just start using the X11 API directly?


#3

It is important to note that ‘interface’ here is a snapd term, not to be confused with Application Programming Interfaces (APIs), Application Binary Interfaces (ABIs), DBus interfaces, etc. Your snapcraft.yaml/snap.yaml declares the snapd interfaces that your snap needs to use relevant programming interfaces for the resource. In your case, you declare ‘plugs: [x11]’ and then you are allowed to talk to the X server using the raw X protocol or any other higher level abstractions (eg, windowing toolkits like gtk, qt, etc).


#4

Ok interesting, that is a little different than what I had expected. Doesn’t that leave the Snaps in the position of needing knowledge of the systems they’re deploying to? For example if I have a Snap that is requesting :network-setup-control don’t I need to know what network manager is installed?

Also, are there any good resources on writing against Snap interfaces for developers? This is pretty much the only link I can find and it’s hard to understand what exactly is being opened up when an app is connected to an interface.


#5

Interfaces can be thought of as contracts between the slot side (the provider, sometimes its a service) and the plug side (the consumer). On an all-snaps system like Ubuntu Core, the snap executes in a predictable runtime where snapd exposes so-called ‘implicit slots’. Other slots are provided by app snaps (eg, a network-manager snap). In this manner, you only have to know what the slot implementation provides. It would be considered a bug in a providing snap to drop APIs, etc or otherwise break consuming snaps.

For so-called classic distributions where snaps are installed alongside debs/rpms, the above mostly holds true for strict and devmode snaps, though, yes, it is true that Fedora and Ubuntu might ship different network-managers as part of the system. Typically there isn’t a tight coupling between the client libraries and services (indeed, libraries like Qt have abstractions you program to and they figure out which network-manager DBus APIs are available), but where there is a tight coupling, the snap would have to account for that.

For ‘classic snaps’ which have no confinement and can access anything on the system directly, it is up to the snap publisher to account for any difference across distributions (which is made is by using libraries like the aforementioned Qt with network-manager).


/usr/bin/fold got permission denied but /usr/bin/fmt is working fine. What's happened?
#6

I’ll defer to the snap advocacy team here (@evan, @Wimpress and @popey) but can say you can look at the snapd source code for the latest on what is allowed: https://github.com/snapcore/snapd/tree/master/interfaces/builtin


#7

Ah ok actually that source is very helpful. So for the network_setup_control interface, it’s actually operated by files using netplan. And I guess network_bind operates by allowing system calls to accept/bind/listen? That seems doable.

https://netplan.io/

Our current installation script uses authbind though. So much to learn. I’ll save it all for another thread though. It looks like the source is the place to go for good dev details on interfaces now.


#8

Is it possible for a launcher (preferably, a shell script) to detect whether a certain interface is connected to a snap without detecting AppArmor denials?


#9

You could try:

#!/bin/sh

usage() {
    echo "Usage: check-plug <snap name> <interface name>"
    exit
}

if [ -z "$1" -o -z "$2" ]; then
    usage
fi

SNAPNAME="$1"
INTERFACE="$2"

if snap interface "$INTERFACE" | sed -e '1,/plugs:/d' | sed -e '/slots:/,$d' | awk '{print $2}' | grep "^$SNAPNAME\$" >/dev/null; then
    echo connected
else
    echo not connected
fi

Edit: Just spotted that you want this inside the snap. I don’t know if that data is exposed to the application in a snap… I just checked snapctl, which doesn’t appear to expose the info, so you cannot do it through that.


#10

Thanks for the info.


#11

indeed you dont really need to “detect denials” but just check if you have the expected access to a file, device or whatever the interface normally provides.

#! /bin/sh

[ -r "/var/log/syslog" ] || echo "please connect log-observe !!"

#12

I would like to found out how to assert plugs/slots and plugs & slots with attributes in this topic.


#13

This topic used to have all the undocumented and new interfaces which are not yet updated in https://docs.snapcraft.io/reference/interfaces . I see they are no longer available here as well. Could you please add a link where we can find the updated interfaces list ?


#14

We’re currently working on the Interfaces pages and we’ll definitely be adding the interface list back (likely today), along with a reference to each interface. Sorry this isn’t clear - when something like this affects the docs again, I’ll leave a ‘Work in progress’ note with an explanation.


#15

The interface section is still not available. When can we expect it to be back ?


#16

Have you seen Supported interfaces? It should include all the details there were previously in this topic, but let me know if there’s something missing.


#17

Still broken here (18.04 LTS). The above steps do not resolve it.

The snap was ‘postman’ and my home folder is /home/local/SOMETHING/myname


#18

So this page doesn’t seem to teach you how to add interfaces to your snapcraft file, and neither does:
https://docs.snapcraft.io/supported-interfaces/7744

The latter tells you what interfaces are supported, but neither of these docs seem to be linking me towards, as an author, how to do a strict mode snap and have it request interfaces.

The Go examples are both “devmode” snaps, and thus don’t do confinement (AFAICT).

Some of that seems to be described in:
https://docs.snapcraft.io/the-snap-format/698

but if you just start with “Creating a Snap” it seems to direct you immediately to the language-specific details, which at least for the Go ones, doesn’t direct you back.


#19

We’re missing a huge chunk of the snapcraft lifecycle, including installation (in a central place), command syntax, confinement, adding interfaces, using plugins, tracking down dependencies, build override examples, scriptlets, troubleshooting and publishing.

All of the above are high priority (and what I’m currently working on), so we’ll have something published on here soon.


#20

As a snap package creator, I am interested in what precisely a particular interface provides, in technical terms. Some interfaces are pretty intuitive, like ‘home’. Some others are rather obscure: for example, what precisely does plugging into ‘avahi-control’ enable? How exactly does it affect my C program which uses the avahi-client library? And If I want to provide a slot for an interface, what precisely must I do in my snap?

I assume it ultimately all comes down to the basic Linux kernel and IPC interfaces: files, system calls, etc. It would be helpful if the interfaces were described in terms of those primitives. Given that there is just a few of those basic primitives, I also wonder why there are very specific interfaces such as ‘avahi-control’? Why is something related to an application like Avahi part of the basic snap system? Would it make sense for any snap other than ‘avahi’ to provide the avahi-related slots? What happens if multiple snaps provide this slot? As another example, the ‘docker’ interface begs the same questions.

Furthermore, if the interfaces are intended to be so application specific, then it seems essential for a snap application developer or an embedded system developer to also be able to implement their own interfaces, without hacking the snap system itself. Is that possible or is it part of the vision?