Hello, I have created a snap with strict confinement. Now one of the requirements is that whenever the end user installs the snap it will automatically provide us SSH access to their machines for our product support.
Ideally it should do the following:
- Install SSH server.
- Add our organisation level public key.
- Start SSH server.
Is this possible to implement with snap? Will I get SSH access only within Snap confinement environment or the whole system?
Distributing and running system services in snaps is definitely possible, and documented here. So, you could add the SSH server inside your snap and declare it as a service.
However SSH is a very special service, which requires permissions to change user and execute arbitrary commands. You might be able to tweak the SSH server so that it would continue executing under the snap_daemon user, and you might want to ship inside your snap the binaries that the shell user is going to run.
I’m assuming that you are asking this in order to let remote support operate the snap on behalf of the user, and that you don’t need full SSH access to the system; because, in that case, SSH access should already be provided by the core system, and there’s no need to add it to your snap as well.
But please let me know if I misunderstood the situation.
do not forget that the snap environment and the host system are separate systems running on the same hardware … if the host already runs an ssh daemon, port 22 will be taken already so you should definitely consider using a different port for your snapped ssh (or add some scripting that checks if there is already an sshd on the host and automatically switch to a different port)
PS: and indeed your snapped sshd only has as much system access as your snap has, you will effectively do the same as snap run --shell <yoursnap.command>, just remotely …
Hello, thanks for the pointers. I have a few queries.
- When we run a command using snap run --shell <yoursnap.command> it is automatically considered as root within the confinement. Following the same logic, when we install the sshd service, can we manipulate (R/W/X) any files present within Snap confinement remotely via SSH?
- Why do we need to tweak the SSH server since any snap service automatically runs under the snap_daemon user at the underlying system level?
- The thing is we don’t know the underlying distro of users. Some do come with SSH server preinstalled, some don’t. Even if SSH server is provided by underlying core system there’s no way of knowing it from our snap’s perspective.
- -> it will have access to /var/snap/<yoursnap>/common and all other directories/files allowed by any additional interfaces you connect.
- by default every snap service runs as root, making something run under snap_daemon means usually some packaging effort …
net-tools to your stage-packages, enable the network-control interface (perhaps network-observe might be enough here though) and you should be able to use something like:
if netstat -tln | grep -q 0.0.0.0:22; then
echo "ssh up"
fi
log-observe interface gives you access to the system journals … you could then just ship journalctl in your snap and call something like:
journalctl -u snap.<snapname>.<servicename>
you can definitely use htop inside a snap (in fact there is a htop snap you could use via stage-snaps to include it in your snap) … just make sure you use the interface plugs the htop snap uses to gain access to all info on the host you need …
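Putting the two replies above together (check whether the host already listens on 22 and fall back to another port, then start the snapped sshd with the organisation key from a writable directory), here is a service wrapper written as an added example; it is not code from the thread or from snapcraft. It assumes openssh-server and net-tools are staged in the snap, network-control is connected, and ORG_PUBKEY and the fallback port 2222 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): service wrapper for an sshd shipped
# inside a strict snap.  Assumes openssh-server and net-tools are in
# stage-packages and network-control is connected.  ORG_PUBKEY and the
# fallback port 2222 are placeholders.

# pick_ssh_port LISTING PREFERRED FALLBACK
# LISTING is the output of `netstat -tln`.  Prints FALLBACK when the host
# already listens on PREFERRED (IPv4 or IPv6), otherwise PREFERRED.
pick_ssh_port() {
    listing=$1 preferred=$2 fallback=$3
    # column 4 is the local address, e.g. 0.0.0.0:22 or :::22
    if printf '%s\n' "$listing" | awk '{print $4}' | grep -Eq ":${preferred}\$"; then
        echo "$fallback"
    else
        echo "$preferred"
    fi
}

# write_sshd_config DIR PORT PUBKEY
# Writes sshd_config and authorized_keys under DIR (a writable path such as
# $SNAP_DATA, since $SNAP itself is read-only).  Key-only authentication:
# the confined sshd cannot consult the host's password database anyway.
write_sshd_config() {
    dir=$1 port=$2 pubkey=$3
    mkdir -p "$dir"
    printf '%s\n' "$pubkey" > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    cat > "$dir/sshd_config" <<EOF
Port $port
HostKey $dir/ssh_host_ed25519_key
PidFile $dir/sshd.pid
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile $dir/authorized_keys
EOF
    echo "$dir/sshd_config"
}

# Entry point for the snap's daemon command: `sshd-wrapper.sh run`
main() {
    dir="${SNAP_DATA:?}/sshd"
    port=$(pick_ssh_port "$(netstat -tln)" 22 2222)
    cfg=$(write_sshd_config "$dir" "$port" "${ORG_PUBKEY:?org public key not set}")
    [ -f "$dir/ssh_host_ed25519_key" ] || ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    # sshd insists on an absolute path; this is where stage-packages puts it
    exec "${SNAP:?}/usr/sbin/sshd" -D -e -f "$cfg"
}

case "${1:-}" in run) main ;; esac
```

With `-e` sshd logs to stderr, so `journalctl -u snap.<snapname>.<servicename>` on the host shows its output as described below.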
I think journalctl comes prepackaged with systemd. Is it possible to install systemd as part of ‘stage-packages’?
I don't see why not … I'd use a separate part for this though and then use a prime: directive to only ship /bin/journalctl (and the libs it needs to run) …
I just want to add that the snap itself is just read-only! If your snap does not work on the target computer due to issues in the read-only snap filesystem (e.g. missing config files, certificates, symbolic links, etc.) you need to fix the issue, build the snap and update the snap.
That’s alright. I have an Elixir app with Distillery which cannot run on a read-only filesystem. Since then I have copied the source files to the “SNAP_DATA” folder and start my service from there.