Unable to create an image that uses private snaps


#1

I have a private snap in the store. I’m logged in, and I can sudo snap install my-private-snap. I assumed that meant I could also create an Ubuntu Core image using that private snap, but that doesn’t seem to be the case:

$ sudo ubuntu-image -c beta amd64.model
Fetching core
Fetching pc-kernel
Fetching pc
Fetching my-private-snap
error: cannot find snap "my-private-snap": snap not found
COMMAND FAILED: snap prepare-image --channel=beta amd64.model /tmp/tmpmlrgh4bg/unpack

Is this by design?


#2

Unless that snap is also in a brand store tied to the device you are making through its model, the device will not be able to access it or refresh it on its own.

snapd has your creds , but ubuntu-image uses its embedded snap in ways that don’t talk to snapd. It’s a bit of an open design question whether we want to change that.

What is supported atm is using UBUNTU_STORE_AUTH_DATA_FILENAME to point to a JSON file with the macaroon bits ({"macaroon": ..., "discharges": [...]}, where discharges are actually unbound), there is no official tooling to create such a file though.

So the open questions are, should there be a way for snap prepare-image to ask snapd for creds or do downloads on its behalf? and/or should either snap login or snapcraft login[1] have a mode to create such a file?

[1] I do have some python code around based on snapcraft.storeapi to make one


#3

Ah, that explains why it isn’t working the way I expected.

I was asked how one would support a small in-house fleet of factory robots without making one’s snap public. There are a few different methods, each with advantages and disadvantages. I thought this would be one of the methods, and they might even be able to install the macaroon as well via cloud-init (obviously that has downsides, but for a team of devs it’s probably okay). They could of course use the official images, but then there’s more of a manual process for getting the snap on there.