Possibility of SSH access from Snap

Hello, I have created a snap with strict confinement. Now one of the requirements is that whenever the end user installs the snap, it automatically provides us SSH access to their machine for our product support. Ideally it should do the following:

  1. Install SSH server.
  2. Add our organisation level public key.
  3. Start SSH server.

Is it possible to implement this with snap? Will I get SSH access only within the snap confinement environment, or to the whole system?

Hi Rohit!

Distributing and running system services in snaps is definitely possible, and documented here. So, you could add the SSH server inside your snap and declare it as a service.

However SSH is a very special service, which requires permissions to change user and execute arbitrary commands. You might be able to tweak the SSH server so that it would continue executing under the snap_daemon user, and you might want to ship inside your snap the binaries that the shell user is going to run.

I'm assuming that you are asking this in order to let remote support operate the snap on behalf of the user, and that you don't need full SSH access to the system; because, in that case, SSH access should already be provided by the core system, and there's no need to add it to your snap as well.

But please let me know if I misunderstood the situation.

Do not forget that the snap environment and the host system are separate systems running on the same hardware … if the host already runs an SSH daemon, port 22 will be taken already, so you should definitely consider using a different port for your snapped sshd (or add some scripting that checks whether there is already an sshd on the host and automatically switches to a different port).

PS: and indeed your snapped sshd only has as much system access as your snap has; you will effectively do the same as snap run --shell <yoursnap.command>, just remotely …

Hello, thanks for the pointers. I have a few queries.

  1. When we run a command using snap run --shell <yoursnap.command> it is automatically considered root within the confinement. Following the same logic, when we install the sshd service, can we manipulate (R/W/X) any files present within the snap confinement remotely via SSH?
  2. Why do we need to tweak the SSH server, since any snap service automatically runs under the snap_daemon user at the underlying system level?
  3. The thing is, we don't know the underlying distro of our users. Some come with an SSH server preinstalled, some don't. Even if the SSH server is provided by the underlying core system, there's no way of knowing it from our snap's perspective.
  1. -> it will have access to /var/snap/<yoursnap>/current and /var/snap/<yoursnap>/common and all other directories/files allowed by any additional interfaces you connect.
  2. by default every snap service runs as root; making something run under snap_daemon usually means some packaging effort …
  3. add net-tools to your stage-packages, enable the network-control interface (perhaps network-observe might be enough here though) and you should be able to use something like:
# match only a listener on port 22 itself (IPv4 or IPv6 wildcard), not 2200, 2222, ...
if netstat -tln | grep -qE '(0\.0\.0\.0|:::):22[[:space:]]'; then
    echo "ssh up"
fi
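The three steps from the original question (install sshd, add the organisation key, start sshd) plus the port check suggested in the replies above, worked through as one service wrapper. This is an added example and not code from the thread or from snapcraft; it assumes the snap plugs network-observe so that /proc/net/tcp is readable, stages openssh-server (so sshd and ssh-keygen are under $SNAP), and that ORG_PUBKEY is a placeholder rather than a real key. The function names (port_listening, pick_sshd_port, write_sshd_config) and the sample socket table are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper a snapped sshd service could use to
# (1) find a free port, avoiding a host sshd on 22, (2) render sshd_config plus the
# organisation's authorized key into $SNAP_DATA, and (3) exec sshd.
# Assumptions: network-observe is connected (/proc/net/tcp readable), openssh-server is
# staged (sshd, ssh-keygen), and ORG_PUBKEY is a placeholder, not a real key.

# Constructed sample of /proc/net/tcp (format per proc(5)): field 2 is HEXIP:HEXPORT,
# field 4 is the socket state, 0A = LISTEN. Here 22 (0016) and 2222 (08AE) are listening;
# the third row is an established connection to 22 and must not count as a listener.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0'

# Placeholder organisation key (assumption): replace with the real public key at build time.
ORG_PUBKEY='ssh-ed25519 AAAA...PLACEHOLDER... support@example.org'

# port_listening PORT [TABLE]: exit 0 if PORT is in LISTEN state in TABLE.
# TABLE defaults to the live IPv4+IPv6 tables; the port is compared as 4 hex digits,
# so 22 cannot match 2200 or 2222 the way a plain substring grep would.
port_listening() {
    port=$1
    table=${2:-"$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)"}
    hexport=$(printf '%04X' "$port")
    printf '%s\n' "$table" | awk -v p="$hexport" \
        'split($2, a, ":") == 2 && a[2] == p && $4 == "0A" { found = 1 } END { exit !found }'
}

# pick_sshd_port [TABLE]: print 22 if free, else the first free port in 2222..2299; exit 1 if none.
pick_sshd_port() {
    table=${1:-"$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)"}
    if ! port_listening 22 "$table"; then echo 22; return 0; fi
    p=2222
    while [ "$p" -le 2299 ]; do
        if ! port_listening "$p" "$table"; then echo "$p"; return 0; fi
        p=$((p + 1))
    done
    return 1
}

# write_sshd_config PORT DIR: render a key-only sshd_config under DIR (intended: $SNAP_DATA,
# the snap's writable area) and install ORG_PUBKEY as the only authorized key.
write_sshd_config() {
    port=$1
    dir=$2
    mkdir -p "$dir/etc/keys"
    cat > "$dir/etc/sshd_config" <<EOF
Port $port
HostKey $dir/etc/keys/ssh_host_ed25519_key
AuthorizedKeysFile $dir/etc/authorized_keys
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PidFile $dir/sshd.pid
EOF
    printf '%s\n' "$ORG_PUBKEY" > "$dir/etc/authorized_keys"
    chmod 600 "$dir/etc/authorized_keys"
}

# Service entry point: runs only when started by snapd (SNAP_DATA is set) with "start".
if [ -n "${SNAP_DATA:-}" ] && [ "${1:-}" = "start" ]; then
    PORT=$(pick_sshd_port) || { echo "no free port for sshd" >&2; exit 1; }
    write_sshd_config "$PORT" "$SNAP_DATA"
    # Host key is generated once on first start and kept across refreshes in $SNAP_DATA.
    [ -f "$SNAP_DATA/etc/keys/ssh_host_ed25519_key" ] || \
        ssh-keygen -q -t ed25519 -N '' -f "$SNAP_DATA/etc/keys/ssh_host_ed25519_key"
    echo "starting snapped sshd on port $PORT" >&2
    exec "$SNAP/usr/sbin/sshd" -D -e -f "$SNAP_DATA/etc/sshd_config"
fi
```

The wrapper would be the app's command (for example command: bin/sshd-wrapper start with daemon: simple, plus network, network-bind and network-observe plugs; assumed layout). Two caveats a practitioner should check before shipping: sshd insists on its privilege-separation directory (/run/sshd on Debian-derived builds) and on absolute, root-owned paths for its host key, both of which must be satisfiable inside the confinement; and because the snapped sshd runs as root inside the snap, whoever holds the organisation's private key gets root-within-the-snap on every install, so that key needs the same protection as any other fleet-wide credential.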
  1. Regarding point 1, how can I access the log produced by another service of the same snap using SSH? I want to get the same behaviour as that of sudo snap logs mysnap.myservice, but in 'strict' confinement I am not able to access any kind of service log. If I redirect the service logs to a file in /var/snap/<yoursnap>/common/mylogs and host it using a fluentbit snap service, is this possible?
  2. To get full system health information, can we run htop via SSH inside the snap confinement?

the log-observe interface gives you access to the system journals … you could then just ship journalctl in your snap and call something like:

journalctl -u snap.<snapname>.<servicename>

you can definitely use htop inside a snap (in fact there is an htop snap you could use via stage-snaps to include it in your snap) … just make sure you use the interface plugs the htop snap uses to gain access to all the info on the host you need …

I think journalctl comes prepackaged with systemd. Is it possible to install systemd as part of 'stage-packages'?

I don't see why not … I'd use a separate part for this though and then use a stage: or prime: directive to only ship /bin/journalctl (and the libs it needs to run) …

I just want to add that the snap itself is read-only! If your snap does not work on the target computer due to issues in the read-only snap filesystem (e.g. missing config files, certificates, symbolic links, etc.), you need to fix the issue, rebuild the snap and update the snap.


That's alright. I have an Elixir app built with Distillery which cannot run on a read-only filesystem. Since then I have copied the source files to the "SNAP_DATA" folder and start my service from there.