Sudo use by snapcraft


First time in the forum here, so forgive me if this is not the correct category.

We have a software that we distribute as a snap. So far we have been manually running snapcraft to build the snap.

Sometimes snapcraft will use sudo to install or update build dependencies (I think). This means that I can’t use it in an unsupervised system, such as a CI setup.

I am now using buildbot to build the snaps nightly, and sometimes it will fail because it needs sudo access.

How is this usually handled? Should I run the buildbot worker with admin privileges? This sounds rather risky to me…


Typically you would instead use snapcraft cleanbuild to have it use an lxd container; that way you won’t need sudo at all (and have the guarantee that your build runs in a similar clean environment as provides) …

As @ogra suggests, many of us use snapcraft cleanbuild or the build service. In addition you can also use which gives you more flexibility than the build service. (Technically build and launchpad use the same backend build systems, but build has a simpler workflow and UI). Another option is to use travis or circle-ci. Both are able to build snaps, and the process runs as root so can do all the necessary parts of installing extra packages.

Is this for new packages needed to satisfy a build? If these are already there, that should be a bug in the snapcraft tool itself. We will work on fixing that aspect of it. From the top of my head, it is usually the only location where this would be required (build-snaps, build-packages).

@kalikiana can you make a PR where we don’t call apt if all build-packages are satisfied? Same thing for build-snaps in a different PR.

We already have logic in place for that, both for build packages and build snaps. If they’re installed Snapcraft won’t try to install them again.

Oh, so it will only invoke sudo to install new dependencies in snapcraft.yaml then.

I’ll try the cleanbuild method, this seems the saner method. I was having issues also with the permissions of files inside the snap due to restrictive umasks imposed by buildbot by default, and this seems to also solve that. I’ll need a bigger HD.