Snap install modes

A snap can be installed with the following optional arguments, typically used to help test a snap under development, troubleshoot interface issues, or debug application crashes:

  • --classic: classic confinement for full system access
  • --dangerous: dangerous mode for testing local unsigned snaps
  • --devmode: developer mode for testing and viewing log output
  • --jailmode: forces a snap to be installed with strict confinement

In addition to the above, --transaction can be used to install a set of snaps as a single transaction. See Transactional updates for more details.

See Check snap install mode for how to check the install mode status of any installed snaps.


Classic confinement

Without further command line arguments, a default snap installation will attempt to install a snap as strictly confined.

Strict confinement is used by the majority of snaps, enabling them to run their applications and services in complete isolation with a minimal access level that’s always deemed safe.

Certain snaps, however, require unfettered access to the system, and these are packaged as classic snaps. Installing a snap that requires classic access will prompt the user to use the additional --classic argument:

$ sudo snap install snapcraft --classic

Only classic snaps can be installed with the --classic argument. However, while the argument is silently accepted when installing a strict snap, it won’t make any difference to its confinement. The snap will still be strictly confined.

See Snap confinement for more details on confinement levels.

Dangerous mode

The --dangerous argument will install a local snap without validating or checking its assertions or signatures. These signatures are used to link a snap to its publisher and store, and to ensure that a snap remains unchanged during delivery and storage.

This option is useful when testing snaps shared through a trusted channel, and for testing snaps built locally, before eventually being published to the store.

Developer mode

This mode is intended to help snap developers identify the interfaces an application needs.

Adding the --devmode argument to the snap installation command will permit full access to system resources but will also report each access when no appropriate interface has been specified. This report is sent to the system log.

This feature allows developers to iterate over their snap, selectively adding interfaces to their application before switching to strict mode after all necessary interfaces have been specified.

The validity of a snap’s signed assertions will also be checked, linking a snap to its developer and store, but the installation will progress even when the validity cannot be verified. In this case, the devmode snap is additionally equivalent to being installed with --dangerous (see above).

A strictly confined snap running in devmode will generate log and AppArmor profile output associated with the snap, helping snap developers and testers understand access issues and other confinement problems.

The devmode argument is also a requirement if a snap has been built and published with confinement: devmode in its snapcraft.yaml. These snaps are built for testing and cannot be released to their respective stable channels. See Choosing a security model for further details.

Additionally, snaps running in development mode will not be updated. This is because it’s assumed the snap developer wishes to test, and continue testing, a specific release. To update a snap, it will first need to be removed and reinstalled without --devmode.

Jail mode

Installing a snap with --jailmode will install the snap into a strictly confined environment.

Only non-classic snaps can be installed with jailmode. This can be useful when testing how a snap published with devmode (see above) will behave when strictly confined, and is usually a precursor to a snap being published as confined and stable after a period of testing.

Check snap install mode

The snap list command will include the install mode status in the Notes column for each respective snap:

Name        Version            Rev    Tracking        Publisher     Notes
liquidctl   1.7.1-11-g6295354  1      latest/stable   morrisong     devmode
snapcraft   5.0                6751   latest/stable   canonical✓    classic

“jailmode: forces a snap to be installed with strict[ly] confinement”

$ sudo snap install snapcraft --classic. (trailing period)

Finally, this seems confusing:

" Developer mode Adding the --devmode argument to the snap installation command will install the snap as a strictly confined snap with full access to system resources, effectively disabling security confinement."

Within the space of a single sentence, you read that the snap will be installed “as a strictly confined snap”, yet “with full access to system resources.” I’m not sure how to interpret that.

Thanks for the fixes and for mentioning devmode.

I’ve added that devmode will also log access when there’s no appropriate interface, which is useful when working out which snap an interface needs. I’d also like to come back to this and add a specific example with log output, working out which interface is required and adding it.