Tweaking ulimit in the sandboxes?

shadowsocks-libev is available on snapcraft, however, it requires tweaking fs.file-max to be functioning properly on large servers. Unfortunately, this need is complicated by the fact that snapd employs some sandboxing mechanism.

I did some digging and found two solutions:

  1. Install the package using --classic which disables sandboxing entirely; (this seems to be not recommended)
  2. Run snap run --shell and tweak ulimits there. However, this seems to be quite complicated for an end user to perform. Furthermore, it is unclear how to write an automated script that tweaks the parameters upon server reboot.


Related discussions:


Note that the --classic flag does not change the confinement of a snap from strict to classic, it simply permits the installation of a snap that already has classic confinement. If you want your snap to be able to be published with classic confinement, you must follow the steps outlined at Process for reviewing classic confinement snaps.

snap run --shell will actually give you a shell inside the sandbox, so if you are able to tweak the ulimit there then you can just tweak this from inside the snap normally as a daemon or an app. Do you see any denials in the system journal when you attempt to modify ulimit from your snap application? See journalctl -e --no-pager | grep DENIED.

Oh never mind it turns out it’s something else that’s causing the trouble.