Snap Store Proxy Migration to enterprise store

mathervenrate · July 4, 2025, 3:54pm

I am currently migrating the snap proxy from snap-store-proxy to enterprise-store.

However its quite a mess. The documentation specified export commands work, except for the --export-yaml command. I needed to update the snap-store-proxy snap first for this command to work. So far so good.

The Offline Snap-store-proxy package created with store-admin --register --offline only contains the snap-store-proxy snap, not the enterprise store snap. Thus I needed to manually import the enterprise-store snap before proceeding.

After installation, I tried to import the store config again. This is where the issue started:

sudo enterprise-store config --import-yaml proxy-config-backup.txt;
error: [Errno 2] No such file or directory: 'proxy-config-backup.txt'
## its literally there. in the same directory. 
root@SnapStoreIn001:/opt/snapstore/installer/configBackup# ll
total 52
drwxr-x--- 2 root  root   4096 Jul  3 11:06 ./
drwxr-x--- 6 root root 4096 Jul  4 17:00 ../
-rw------- 1 root  root     61 Jul  3 11:06 proxy.auth.secret.txt
-rw------- 1 root  root  17419 Jul  4 16:25 proxy-config-backup.txt
-rw------- 1 root  root     61 Jul  3 11:06 proxy.device-auth.secret.txt
-rw------- 1 root  root   4325 Jul  3 11:06 proxy.key.private.txt
-rw------- 1 root  root   3243 Jul  3 11:06 proxy.tls.key.txt
-rw------- 1 root  root     70 Jul  3 11:05 README.md

I tried with different notations using proxy-config-backup.txt, ./proxy-config-backup.txt even using the full path “/opt/snapstore/installer/configBackup/proxy-config-backup.txt”.

None worked. I then decided to try piping it in:

cat proxy-config-backup.txt | enterprise-store config --import-yaml That worked, kind of. However it threw an error:

root@SnapStoreIn001:/opt/snapstore/installer/configBackup# cat proxy-config-backup.txt | enterprise-store config --import-yaml 
error: permission denied to alter role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "packagereview" may alter this role.

Now I have no idea if the import was completed and this is a neglegable error, or if something of the configuration failed to be imported.

The next two import commands worked.

sudo enterprise-store config proxy.device-auth.secret=$(cat proxy.device-auth.secret.txt);
sudo enterprise-store config proxy.auth.secret=$(cat proxy.auth.secret.txt);

Then the next issue popped up:

sudo enterprise-store config proxy.key.private=$(cat proxy.key.private.txt);
error: Can't set a private key without a public key # I suspect it shouldve been imported previously with the proxy-config-backup.txt but wasnt. 
# rerunning this command now brings the same database error: 
root@SnapStoreIn001:/opt/snapstore/installer/configBackup# sudo enterprise-store config proxy.key.private=$(cat proxy.key.private.txt);
error: permission denied to alter role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "packagereview" may alter this role.

sudo enterprise-store config proxy.tls.key=$(cat proxy.tls.key.txt);
usage: snap-proxy [-h] [-d] COMMAND ...
snap-proxy: error: unrecognized arguments: -----END RSA PRIVATE KEY-----
# This one is really wild. What exactly is happening here?

Manually checking the proxy.tls.key with diff and the file I was able to confirm that they match. Yet this is weird. Now I have no idea if the migration actually worked or not.

Will maybe expand on how this migration went later.

mathervenrate · July 7, 2025, 9:08am

I found the issue:

An older version of the snap store may have incorrectly created the postgresql role permissions. After manually updating them the store was up and running.

However, one of my systems got a weird new issue:

error: cannot refresh: cannot refresh snap-declarations for snaps:

       - enterprise-store: snap-declaration (lbMnNIJ5CLW0uFvTsvBFRQGc50tZmALN; series:16) not found

I hav no idea what ID this snap is and why it fails. This only appeared after the migration. And its certainly not easy to debug. Snap doesnt list the snap ids anywhere for lookup.

mathervenrate · July 7, 2025, 11:29am

Oh well. I tried the “snap refresh” on the same host the enterprise-store was installed.

But I didnt have the enterprise-store snap imported into itself yet.

Also, it seems as if store-admin is no longer needed, as enterprise-store can do the same.

# register with enterprise-store instead of store-admin register "domain" 
enterprise-store register --https --offline 
# copy created tar.gz file to offline host extract and run install.sh (follow documentation) 

enterprise-store fetch-snaps "[snap]"
# upload
curl -T snap.tar.gz https://server/path
# download on internal 
curl -O https://server/path
# copy into enterprisestore directory - otherwise enterprise-store cannot find them
cp snap.tar.gz /var/snap/enterprise-store/common/snaps-to-push/
#import 
enterprise-store push-snap snap.tar.gz

Anyway. Seems to work now. What an odyssee. Maybe it can help someone else.

ogra · July 7, 2025, 2:54pm

@degville, @suligap sounds like we have some room for improvement of the migration docs, the above might be some valuable input …

suligap · July 8, 2025, 6:24am

Thanks for the report. Passed this on internally.

mathervenrate · July 10, 2025, 4:46pm

Going to add more information:

I decided to completely remove and reinstall the store again, since I was running in more issues. The enterprise-store itself worked (enterprise-store status showed all services running and green), but for some unknown reason it was unable to fetch any snaps.

snap refresh did work, however it only did as long as I didnt update any snaps. After updating the stored snaps, snap refresh failed to download the new snap revisions. I then tried with curl to download them manually:

curl -i https://snap.store/api/v1/snaps/download/lbMnNIJ5CLW0uFvTsvBFRQGc50tZmALN_4.snap
HTTP/1.1 500 INTERNAL SERVER ERROR
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 10 Jul 2025 14:31:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 265
Connection: keep-alive
Snap-Store-Version: 69
X-View-Name: snapdevicegw.webapi_download.snap_download
X-VCS-Revision: 1d4b1a7
X-Request-Id: ce10e35a-9a15-4571-9c73-6fcfe893965c

<!doctype html>
<html lang=en>
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

Looking in the logs of the server, the snapdevicegw was indeed crashing with an error when requesting a snap:

(I am omitting the full stacktrace here for clarity, but the important one is this one: )

file: /snap/enterprise-store/4/srv/snapdevicegw/code/snapdevicegw/webapi_download.py
error occured in line 409: provider['signing_secret'].encode('utf8'), signer=BucketedTimedSigner
function: get_cdn_download_url

Pyhton Error: Cannot read "encode" on NoneType # not copy pasted, since i lost the logs with the reinstall. that wasnt clever but hey, we all do mistakes.

I assume, since I regenerated the offline-store-install package with a new “enterprise-store register” the signing_secret changed or something. But this is way too deep into the enterprise-store source code, which I dont know any of. So I cannot tell if thats what really happend.

After completely deleting (purging) the enterprise-store, resetting the postgres database, and removing left over snaps – I completely reinstalled the enterprise-store from the offline package, readded the postgres db and re-imported some packages. The package download seems to work again for now.

Also I really seemed to have an really old snap-store-proxy version before migration, because the snaps were still stored in /var/snap/snap-store-proxy/common/nginx/airgap/ The documentation does state something about …/common/snapstorage-local/scanned - which did not include any snaps in my case, even though I upgraded the snap-store-proxy to the latest stable available one before migrating to the enterprise store.

As a final question:

Am I supposed to export snaps with enterprise-store fetch-snaps - I didnt notice it before, but can I limit how many snap revisions will be downloaded with the fetch-snaps function? It kept downloading tons of revisions. For now I did fall back to exporting snaps with store admin, which seems to work.

Additionaly: Is it possible for the enterprise-store to also fetch dependency snaps? Like firefox does require lxc as dependency. It would be great if it would be automatically fetched. Otherwise, I would need to download → transport → import → install → fail install because dependency is not met → download → transport → import → install → fail again because more dependencies are needed → …