Learning how to use Snapcraft and APT Repositories

Geekzy · August 24, 2023, 11:34am

I have started a project to create handy network sensor that can be deployed in locations where physical security may be lax/ non-existent. The goal is to design a device that uses Ubuntu Core for (disk encryption and general device hardening) as its base OS and install zeek on top using Snap packages to capture network traffic.

I understand that you can set up and install apt repositories using snap eg.

package-repositories: 
  - type: apt 
    key-id: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
    key-server: http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/
    url: http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/

However I am missing how I would go about installing the Zeek package and run it as part of the ‘parts’.

Does anyone know of any additional resources on designing snapcraft.yaml and apt repositories?

I have been going through the following resources (although they are lacking some completed examples): https://snapcraft.io/docs/package-repositories#heading--ppa-properties https://snapcraft.io/docs/snapcraft-overview

Any help or suggestions would be much appreciated.

mr_cal · August 24, 2023, 12:56pm

To use a package from that repo in a part, using stage-packages will ensure the package is available in the final artifact.

If you want to extract or manipulate the contents, you can use build-packages and override-build.

for example:

parts:
  zeek:
    plugin: nil
    stage-packages: zeek
    # or
    build-packages: zeek
    override-build:
      ...

Geekzy · August 24, 2023, 2:08pm

Thank you for the advise, but it looks as though I will not get that far I am experiencing an issue adding the GPG key for the repository: name: zeek base: core22 version: ‘0.1’ summary: Zeek sensor Snap description: | Zeek install for Mikrotik 2 interface appliances grade: devel confinement: strict

#apps:
#    zeek:
#      command: bin/zeekctl 
package-repositories: 
  - type: apt 
    key-id: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
    key-server: pgp.mit.edu
    url: http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/


parts:
   zeek-parts:
       source: .
       plugin: autotools
       build-packages:
           [zeek-lts]

I get the following error whilst running snapcraft --debug -v “Failed to install GPG Key:” but the error appears to be blank.

mr_cal · August 25, 2023, 12:43pm

That looks like a snapcraft bug where the gpg error is not captured.

Looking at your project, it looks like your key server is wrong (I believe opensuse stopped hosting their key server). Try keyserver.ubuntu.com or keys.openpgp.org.

Using that got further along in the build and raised a more useful error during apt update: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY

I’m not sure what the best solution is. Perhaps someone else on the forum can advise. The most common solution I see is adding the repository and calling apt-key adv in an override script, instead of using package-repositories (example).

Geekzy · August 29, 2023, 2:29pm

That looks to have done the trick, thank you for sending through the example I was able to take advantage of the override-build feature and it was able to install the required package using the following format:

parts:
   zeek-parts:
       plugin: nil
       override-build: |
           echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list
           curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
           apt update
           apt install zeek-lts