Snap layouts

There’s no “because” reason. It’s just a limitation of the current implementation.

As a side-effect of investigation into the issue with nested mimics we discussed an idea where Assumptions type could carry information about the base snap and content snaps enough so that we can know that a mimic needs to be created while computing the plan of operation. This would allow us to replace existing filesystem entries with other entries reliably.

Right now we cannot do that because of how the code is laid out:

  • we process entries one by one
  • as we process them we can discover that a place is read-only and we cannot create a directory/file/symlink
    • if that happens we construct a mimic

If we knew about the filesystem via the Assumptions type we could:

  • simulate creation of each element
  • gather and reorder all mimics we would create
  • sort them so that outermost mimic is created first (this avoids nesting)

This would also allow us to see the kind of object present at a given path and create a mimic so that we can replace it (remove / recreate).

1 Like

is there a “best practice” advice of when to use bind-file or bind vs symlink? i.e. when would we prefer to use a symlink over binding and vice versa?

Symlink is generally more light-weight and unlike a bind mount, can be removed by the application when used in locations such as $SNAP_DATA. Applications more commonly identify symlinks-vs-regular-files than they do with bind mounts so you may need to use a bind mount to convince a picky application to use something but in general symbolic links should be preferred simply because they are cheaper.


Hello @zyga-snapd, what i understand is Layout will bind the “$SNAP_DATA/etc/foo.conf” file with the host “/etc/foo.conf” path, maybe you can correct my understanding here.

My question is how i can place foo.conf file in $“SNAP_DATA/etc/foo.conf” path ?

For now, what I am doing is, I wrote a cp command which will copy the foo.conf file from “$SNAP/etc/config.conf” to “$SNAP_DATA/etc/foo.conf” in configure file of hooks dir that will be executed while installing the snap.

Does Layout will do the above task?

You cannot put the file in $SNAP_DATA/anything before the snap gets a chance to execute but on the upside the layout will actually create the file for you. All hooks, even install and configure run after the snap layout has been constructed.

EDIT: so to make it clear, you can just write to the file that was placed there by the layout system.

A post was split to a new topic: Python3 application with external module

12 posts were split to a new topic: Building with snapcraft in docker

It would be nice if it were documented that layouts were not supported in classic containment.


Thanks for bringing this up, and you’re absolutely right. We should have made it completely clear that layouts won’t currently work with classic. I’ve changed the first line to hopefully make it clearer and I’ve added a caveat to the limitations section.

1 Like

Using snapd-glib to configure core watchdog I need to talk to snapd using /run/snapd.socket. When I did that, Snappy debug complains about DENIAL for using /run/snapd.socket and suggested to make use of layouts

= AppArmor =
    Time: Apr 25 14:00:10
    Log: apparmor="DENIED" operation="connect" profile="snap.plt.wtdog.runner" name="/run/snapd.socket" pid=1605 comm="setpet" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
    File: /run/snapd.socket (write)
    * adjust program to use $SNAP_DATA
    * adjust program to use /run/shm/snap.$SNAP_NAME.*
    * adjust program to use /run/snap.$SNAP_NAME.*
    * adjust snap to use snap layouts (    

But the post here mentions /run path cannot be used. I tried it anyway using:
layout: /run/snapd.socket: bind-file: $SNAP_DATA/snapdsocket

But, get an error:
layout "/run/snapd.socket" in an off-limits area

So, what is the way out?

fixig snappy-debug to not suggest layouts for /run paths …

1 Like

To talk to the snapd.socket use the appropriate interface (snapd-control). Using layouts for that is a mistake and snappy debug should not be suggesting that.


Well, snappy-debug is trying to make suggestions based on what it sees, it has no idea what the snap is trying to do. A layout is a valid suggestion for many /run paths. It is not for /run/snapd.socket though, and I’ll adjust it for that.

(As an aside, snappy-debug typically does not recommend plugging super-privileged interfaces which is why snapd-control was not suggested).


Early on:

“With layouts, you can make elements in $SNAP, $SNAP_DATA, $SNAP_COMMON accessible from locations such as /usr, /var and /etc.”

But later on page:

" <source-path> must refer to either $SNAP, $SNAP_DATA or $SNAP_USER_DATA."

That seems contradictory.

i’d rather say redundant :slight_smile: what is contradictory about it ? it just re-states the same thing in different words …

The directory names differ.

hah, blind me … sorry :slight_smile:

Very good spot, thanks. I checked the original code and tests and it seems $SNAP_USER_DATA is a mistake. I’ve replaced it with $SNAP_COMMON. Thanks!

1 Like

Can this page show a legitimate example for symlink:?

During some investigation we’ve discovered that this doc is out of date. Specifically, there are some additional paths which are verboten: /lib/firmware and /lib/modules. See the code block here.

What’s interesting about this is that you can trivially work around it; if you modify your layout from being /lib/{firmware,modules}/foo to /usr/lib/{firmware,modules}/foo, you can distribute this snap just fine (not certain if it works, but snapcraft will no longer complain when building the snap).

What I think is even more interesting is that you can probably do what this layout restriction is trying to guard against (namely, replacing all of /lib/firmware or /lib/modules with some arbitrary directory/file) anyways by simply prepending /usr to your layout as above, which I think is a bug (considering /lib -> usr/lib).