Snap Store Proxy Migration to enterprise store

mathervenrate · July 4, 2025, 3:54pm

I am currently migrating the snap proxy from snap-store-proxy to enterprise-store.

However its quite a mess. The documentation specified export commands work, except for the --export-yaml command. I needed to update the snap-store-proxy snap first for this command to work. So far so good.

The Offline Snap-store-proxy package created with store-admin --register --offline only contains the snap-store-proxy snap, not the enterprise store snap. Thus I needed to manually import the enterprise-store snap before proceeding.

After installation, I tried to import the store config again. This is where the issue started:

sudo enterprise-store config --import-yaml proxy-config-backup.txt;
error: [Errno 2] No such file or directory: 'proxy-config-backup.txt'
## its literally there. in the same directory. 
root@SnapStoreIn001:/opt/snapstore/installer/configBackup# ll
total 52
drwxr-x--- 2 root  root   4096 Jul  3 11:06 ./
drwxr-x--- 6 root root 4096 Jul  4 17:00 ../
-rw------- 1 root  root     61 Jul  3 11:06 proxy.auth.secret.txt
-rw------- 1 root  root  17419 Jul  4 16:25 proxy-config-backup.txt
-rw------- 1 root  root     61 Jul  3 11:06 proxy.device-auth.secret.txt
-rw------- 1 root  root   4325 Jul  3 11:06 proxy.key.private.txt
-rw------- 1 root  root   3243 Jul  3 11:06 proxy.tls.key.txt
-rw------- 1 root  root     70 Jul  3 11:05 README.md

I tried with different notations using proxy-config-backup.txt, ./proxy-config-backup.txt even using the full path “/opt/snapstore/installer/configBackup/proxy-config-backup.txt”.

None worked. I then decided to try piping it in:

cat proxy-config-backup.txt | enterprise-store config --import-yaml That worked, kind of. However it threw an error:

root@SnapStoreIn001:/opt/snapstore/installer/configBackup# cat proxy-config-backup.txt | enterprise-store config --import-yaml 
error: permission denied to alter role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "packagereview" may alter this role.

Now I have no idea if the import was completed and this is a neglegable error, or if something of the configuration failed to be imported.

The next two import commands worked.

sudo enterprise-store config proxy.device-auth.secret=$(cat proxy.device-auth.secret.txt);
sudo enterprise-store config proxy.auth.secret=$(cat proxy.auth.secret.txt);

Then the next issue popped up:

sudo enterprise-store config proxy.key.private=$(cat proxy.key.private.txt);
error: Can't set a private key without a public key # I suspect it shouldve been imported previously with the proxy-config-backup.txt but wasnt. 
# rerunning this command now brings the same database error: 
root@SnapStoreIn001:/opt/snapstore/installer/configBackup# sudo enterprise-store config proxy.key.private=$(cat proxy.key.private.txt);
error: permission denied to alter role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "packagereview" may alter this role.

sudo enterprise-store config proxy.tls.key=$(cat proxy.tls.key.txt);
usage: snap-proxy [-h] [-d] COMMAND ...
snap-proxy: error: unrecognized arguments: -----END RSA PRIVATE KEY-----
# This one is really wild. What exactly is happening here?

Manually checking the proxy.tls.key with diff and the file I was able to confirm that they match. Yet this is weird. Now I have no idea if the migration actually worked or not.

Will maybe expand on how this migration went later.

mathervenrate · July 7, 2025, 9:08am

I found the issue:

An older version of the snap store may have incorrectly created the postgresql role permissions. After manually updating them the store was up and running.

However, one of my systems got a weird new issue:

error: cannot refresh: cannot refresh snap-declarations for snaps:

       - enterprise-store: snap-declaration (lbMnNIJ5CLW0uFvTsvBFRQGc50tZmALN; series:16) not found

I hav no idea what ID this snap is and why it fails. This only appeared after the migration. And its certainly not easy to debug. Snap doesnt list the snap ids anywhere for lookup.

mathervenrate · July 7, 2025, 11:29am

Oh well. I tried the “snap refresh” on the same host the enterprise-store was installed.

But I didnt have the enterprise-store snap imported into itself yet.

Also, it seems as if store-admin is no longer needed, as enterprise-store can do the same.

# register with enterprise-store instead of store-admin register "domain" 
enterprise-store register --https --offline 
# copy created tar.gz file to offline host extract and run install.sh (follow documentation) 

enterprise-store fetch-snaps "[snap]"
# upload
curl -T snap.tar.gz https://server/path
# download on internal 
curl -O https://server/path
# copy into enterprisestore directory - otherwise enterprise-store cannot find them
cp snap.tar.gz /var/snap/enterprise-store/common/snaps-to-push/
#import 
enterprise-store push-snap snap.tar.gz

Anyway. Seems to work now. What an odyssee. Maybe it can help someone else.

ogra · July 7, 2025, 2:54pm

@degville, @suligap sounds like we have some room for improvement of the migration docs, the above might be some valuable input …

suligap · July 8, 2025, 6:24am

Thanks for the report. Passed this on internally.