Snap layouts

lucyllewy · November 25, 2019, 11:36pm

is there a “best practice” advice of when to use bind-file or bind vs symlink? i.e. when would we prefer to use a symlink over binding and vice versa?

zyga-snapd · November 26, 2019, 12:52pm

Symlink is generally more light-weight and unlike a bind mount, can be removed by the application when used in locations such as $SNAP_DATA. Applications more commonly identify symlinks-vs-regular-files than they do with bind mounts so you may need to use a bind mount to convince a picky application to use something but in general symbolic links should be preferred simply because they are cheaper.

Shubham_Pushpkar · November 27, 2019, 11:32am

Hello @zyga-snapd, what i understand is Layout will bind the “$SNAP_DATA/etc/foo.conf” file with the host “/etc/foo.conf” path, maybe you can correct my understanding here.

My question is how i can place foo.conf file in $“SNAP_DATA/etc/foo.conf” path ?

For now, what I am doing is, I wrote a cp command which will copy the foo.conf file from “$SNAP/etc/config.conf” to “$SNAP_DATA/etc/foo.conf” in configure file of hooks dir that will be executed while installing the snap.

Does Layout will do the above task?

zyga-snapd · November 27, 2019, 2:09pm

You cannot put the file in $SNAP_DATA/anything before the snap gets a chance to execute but on the upside the layout will actually create the file for you. All hooks, even install and configure run after the snap layout has been constructed.

EDIT: so to make it clear, you can just write to the file that was placed there by the layout system.

chipaca · November 27, 2019, 3:27pm

A post was split to a new topic: Python3 application with external module

chipaca · January 7, 2020, 9:17am

12 posts were split to a new topic: Building with snapcraft in docker

TravisEz13 · March 6, 2020, 12:25am

It would be nice if it were documented that layouts were not supported in classic containment.

degville · March 9, 2020, 11:47am

Thanks for bringing this up, and you’re absolutely right. We should have made it completely clear that layouts won’t currently work with classic. I’ve changed the first line to hopefully make it clearer and I’ve added a caveat to the limitations section.

busybox · April 25, 2020, 4:54pm

Using snapd-glib to configure core watchdog I need to talk to snapd using /run/snapd.socket. When I did that, Snappy debug complains about DENIAL for using /run/snapd.socket and suggested to make use of layouts

= AppArmor =
    Time: Apr 25 14:00:10
    Log: apparmor="DENIED" operation="connect" profile="snap.plt.wtdog.runner" name="/run/snapd.socket" pid=1605 comm="setpet" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
    File: /run/snapd.socket (write)
    Suggestions:
    * adjust program to use $SNAP_DATA
    * adjust program to use /run/shm/snap.$SNAP_NAME.*
    * adjust program to use /run/snap.$SNAP_NAME.*
    * adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

But the post here mentions /run path cannot be used. I tried it anyway using:
layout: /run/snapd.socket: bind-file: $SNAP_DATA/snapdsocket

But, get an error:
layout "/run/snapd.socket" in an off-limits area

So, what is the way out?

ogra · April 25, 2020, 5:17pm

fixig snappy-debug to not suggest layouts for /run paths …

zyga-snapd · April 27, 2020, 7:33am

To talk to the snapd.socket use the appropriate interface (snapd-control). Using layouts for that is a mistake and snappy debug should not be suggesting that.

jdstrand · April 28, 2020, 6:42pm

Well, snappy-debug is trying to make suggestions based on what it sees, it has no idea what the snap is trying to do. A layout is a valid suggestion for many /run paths. It is not for /run/snapd.socket though, and I’ll adjust it for that.

(As an aside, snappy-debug typically does not recommend plugging super-privileged interfaces which is why snapd-control was not suggested).

rpjday · February 15, 2022, 10:01am

Early on:

“With layouts, you can make elements in $SNAP, $SNAP_DATA, $SNAP_COMMON accessible from locations such as /usr, /var and /etc.”

But later on page:

" <source-path> must refer to either $SNAP, $SNAP_DATA or $SNAP_USER_DATA."

That seems contradictory.

ogra · February 15, 2022, 10:27am

i’d rather say redundant what is contradictory about it ? it just re-states the same thing in different words …

rpjday · February 15, 2022, 10:29am

The directory names differ.

ogra · February 15, 2022, 10:30am

hah, blind me … sorry

degville · February 15, 2022, 12:17pm

Very good spot, thanks. I checked the original code and tests and it seems $SNAP_USER_DATA is a mistake. I’ve replaced it with $SNAP_COMMON. Thanks!

rpjday · February 15, 2022, 2:29pm

Can this page show a legitimate example for symlink:?

dilyn · March 15, 2023, 5:37pm

During some investigation we’ve discovered that this doc is out of date. Specifically, there are some additional paths which are verboten: /lib/firmware and /lib/modules. See the code block here.

What’s interesting about this is that you can trivially work around it; if you modify your layout from being /lib/{firmware,modules}/foo to /usr/lib/{firmware,modules}/foo, you can distribute this snap just fine (not certain if it works, but snapcraft will no longer complain when building the snap).

What I think is even more interesting is that you can probably do what this layout restriction is trying to guard against (namely, replacing all of /lib/firmware or /lib/modules with some arbitrary directory/file) anyways by simply prepending /usr to your layout as above, which I think is a bug (considering /lib -> usr/lib).

degville · March 20, 2023, 5:33pm

Thanks for letting us know, and for the detailed comment. I’ll take a look over this doc and update it.