UC20 preseeding

From snapd 2.56, Ubuntu Core 20 (UC20) images created with the snap prepare-image command, or the ubuntu-image tool, can be preseeded. This means that some steps related to the installation of seeded snaps can be performed at image-creation time, rather than on first boot, reducing the installation time.

This time saving comes mostly from the early (i.e. during image creation) verification of snap checksums and the creation of security profiles and mount units, and is proportional to the number of asserted snaps being seeded (with just a few snaps there will be no real benefit).

Requirements for image preseeding:

  • snapd 2.56 or newer, both on the host system (where the image is created) and in the resultant preseeded system.
  • same architecture on the host and preseeded system (during preseeding, snapd from the target system gets executed to perform seeding).
  • Recommended: the kernel on the host should have the same AppArmor features as that of the target system. Differing AppArmor features will nullify the pre-created security profiles which will subsequently need to be recreated on first boot.

Usage:

snap prepare-image --preseed --preseed-sign-key=<gpg-key-name> --channel=stable --snap=... <model-assertion> <target directory>

or with ubuntu-image:

ubuntu-image snap --preseed --preseed-sign-key=<gpg-key-name> -i 8G --snap [...] <model-assertion>

The --preseed-sign-key argument is optional and the default GPG key will be used if omitted. This is the brand GPG key.

A custom AppArmor features directory may be specified with --apparmor-features-dir=.... The target should be a snapshot of sys/kernel/security/apparmor/features from the target system. If not specified, the sys/kernel/security/apparmor/features from the host system will be used.
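Because differing AppArmor features nullify the pre-created profiles, it helps to compare the host and target feature snapshots before building. The script below is an added example, not part of snapd or ubuntu-image; features_diff and make_sample_snapshots are hypothetical helper names, the sample feature files are constructed, and treating any difference as a mismatch is this example's assumption rather than snapd's own comparison logic.

```shell
#!/bin/sh
# Added example, not snapd code. Compares two snapshots of the AppArmor
# features tree (e.g. copies of sys/kernel/security/apparmor/features
# taken on the host and on the target system).

# features_diff HOST_DIR TARGET_DIR
# Prints one line per mismatch. Returns 0 if the trees are identical,
# 1 if they differ, 2 on bad arguments.
features_diff() {
    host=$1; target=$2
    if [ ! -d "$host" ] || [ ! -d "$target" ]; then
        echo "usage: features_diff HOST_DIR TARGET_DIR" >&2
        return 2
    fi
    rc=0
    # Union of relative file paths from both trees. Word splitting is
    # acceptable: assumed that feature file names contain no whitespace.
    list=$( { (cd "$host" && find . -type f); (cd "$target" && find . -type f); } | sort -u )
    for rel in $list; do
        name=${rel#./}
        if [ ! -f "$host/$rel" ]; then
            echo "only-in-target $name"; rc=1
        elif [ ! -f "$target/$rel" ]; then
            echo "only-in-host $name"; rc=1
        elif ! cmp -s "$host/$rel" "$target/$rel"; then
            echo "differs $name"; rc=1
        fi
    done
    return $rc
}

# make_sample_snapshots DIR: builds constructed host/ and target/ trees
# (sample values, not captured from a real kernel).
make_sample_snapshots() {
    mkdir -p "$1/host/file" "$1/host/dbus" "$1/target/file" "$1/target/mount"
    echo "create read write exec" > "$1/host/file/mask"
    echo "create read write exec" > "$1/target/file/mask"
    echo "acquire send receive" > "$1/host/dbus/mask"
    echo "mount umount" > "$1/target/mount/mask"
}

# Run against real snapshots when two directories are given.
if [ "$#" -eq 2 ]; then
    features_diff "$1" "$2"
fi
```

A non-zero exit status means the host snapshot does not match the target; in that case pass the target snapshot with --apparmor-features-dir.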
