Refreshing snapd in openSUSE

If you came here for the update and were using the system:snappy repository then you don’t need to do anything new unless you are using Tumbleweed. The regular package update will take care of everything.

On a Tumbleweed system you must issue one more command:

sudo systemctl enable snapd.apparmor.service

This service loads snap-specific apparmor profiles on boot.

Pre-release update thread

I am working on a refresh of snapd 2.33 in openSUSE Leap 42.3, Leap 15 and Tumbleweed inside the system:snappy repository.

I have synchronised the packaging in the repository with the one used in snapd master. I noticed that Leap 42.3 cannot parse our snap-confine apparmor profile so I will need to figure out why this didn’t happen in testing and, obviously, to fix it.

I will update this thread as I go.

Update 1

I have sent preliminary packages to my home branch:

Those are untested and mostly based on the packaging in snapd tree (in sync with 2.33).

Update 2

I have iterated on the packages slightly and have tested them in practice on three environments (Leap 42.3, Leap 15 and Tumbleweed). There’s still one more todo: I had to increase the badness override for snap-confine because it lost its position-independent build flags.

I will be sending PRs for master soon and in the end a sync request to system:snappy.

Update 3

I’ve started pushing out the fixes to master. I also backported apparmor support from master so that on Tumbleweed (but only there) there will be more confinement than before. I have sent most of my changes back as the following PRs. There will be a small tweak to apparmor on top of one of those (that would otherwise conflict) that I will add as well.

Update 4

I put this work on hold as landing the PRs is impossible due to issues in CI. Those issues should be resolved in a few hours and then I can propose the final packaging update to system:snappy.

Update 5

All of the support PRs have landed in snapd master. I will work on refreshing that packaging and will open a call-for-testing ahead of the sync back to system:snappy.

This release will differentiate Leap and Tumbleweed where the former will be just as before but the latter will now use strict apparmor confinement! I will update this thread once the test repository is ready.

Update 6

I have some builds ready in

If you have an openSUSE machine, please test them. Please post the feedback below. I will be sending a sync request to system:snappy tomorrow.

Update 7

I sent a tweet with, hopefully, some re-tweet power among openSUSE users :)

If you are here for the testing then please head to this link, grab a package and start playing. When reporting feedback please provide the output of snap version as this will help me a lot.

On openSUSE Tumbleweed (yay) there is experimental support for apparmor. This may break applications but this is (also) the best place to enable it. If you can, please test rebooting your system. Snap applications should work after rebooting.

To install the repository please do:

sudo zypper addrepo --refresh snappy
sudo zypper install snapd

Replace Leap_42.3 with either Leap_15.0 or Tumbleweed, as appropriate.

If you are on Tumbleweed please run this command as well:

sudo systemctl enable --now snapd.apparmor.service

Update 8

I’ve done a round of testing on my machines and found (and fixed) a number of smaller issues.

Update 9

I have sent a sync request back to system:snappy

I am looking at how to file bugs for the security team to lower our badness score (polkit mainly).

Update 10

The release is live!

If you want to get back to the regular repository (system:snappy) after using the pre-release please do this:

sudo zypper rr snappy
sudo zypper addrepo --refresh snappy

Replace Tumbleweed with Leap_15.0 or Leap_42.3 as appropriate.

You will be prompted to confirm the vendor switch (to system:snappy); please confirm this.

Enjoy using snapd!

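
A post-reboot check for the Tumbleweed apparmor support described in the post above, as an added example that is not part of the original post or of snapd: it summarises the kernel's list of loaded AppArmor profiles and reports whether snap-confine and at least one snap application profile are in enforce mode. The function names and the sample profile list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of snapd. The kernel lists loaded AppArmor profiles
# one per line as "<profile name> (<mode>)"; on a live system, run as root with
# /sys/kernel/security/apparmor/profiles as the first argument.

# Constructed sample input; profile and snap names are made up for illustration.
constructed_sample() {
    cat <<'EOF'
/usr/lib/snapd/snap-confine (enforce)
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
snap-update-ns.hello-world (enforce)
snap.hello-world.hello-world (enforce)
snap.demo.tool (complain)
/usr/sbin/ntpd (enforce)
EOF
}

# Count snap-related profiles on stdin by mode; unrelated profiles are skipped.
snap_profile_summary() {
    awk '
        {
            mode = $NF; gsub(/[()]/, "", mode)
            name = $0;  sub(/ \([a-z]+\)$/, "", name)
            if (name !~ /^snap\./ && name !~ /^snap-update-ns\./ &&
                name !~ /snap-confine/) next
            if (mode == "enforce") e++
            else if (mode == "complain") c++
            else o++
        }
        END { printf "enforce=%d complain=%d other=%d\n", e, c, o }
    '
}

# Succeed only if snap-confine and at least one snap.* profile are enforced.
snap_confinement_ok() {
    awk '
        / \(enforce\)$/ && /snap-confine/ { sc = 1 }
        / \(enforce\)$/ && /^snap\./      { app = 1 }
        END { exit !(sc && app) }
    '
}

# Use the file given as $1, or fall back to the constructed sample.
if [ -n "${1:-}" ]; then
    snap_profile_summary < "$1"
else
    constructed_sample | snap_profile_summary
fi
```

A result with no enforced snap profiles after a reboot on Tumbleweed suggests snapd.apparmor.service was not enabled or did not load the profiles.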