Validation sets

A validation set is an assertion that lists specific snaps that are either required to be installed together or are permitted to be installed together on a device or system.

They can be created using the snapcraft command, and monitored with the snap command. See How to manage validation sets for further details. For devices running Ubuntu Core, they can be declared as part of the model definition.

Why use a validation set

A validation set can help a group of interdependent snaps maintain their testing and certification integrity, as well as help orchestrate their updates. But they can equally be used to simplify dependency deployment and to help manage devices.

In particular, if the model assertion for a device includes optional snaps, a validation set can be used to ensure specific collections of snaps are installed together on derivatives of the same devices.

Not really a docs issue, but given the valid command “snap validate …” described on this page, it is curious that “snap --help” makes no mention of the “validate” subcommand. Even “snap help --all” says nothing about it.

Also (and I’ve mentioned this earlier), other than a link to this page from “What’s New”, there is no ToC entry that would lead a reader here.

Hi @degville,

I created a validation set using my developer account on my PC. Now if I want to enforce it on an Ubuntu Core system, how do I do that? There is no enforce validation on snapd REST API. So how do I communicate with the UCore system to enforce validation? Moreover, when I tried to enforce it over there manually, it returns

error: cannot apply validation set: invalid mode “enforce”

What version of snapd do you have (snap --version)?

snap    2.53.4
snapd   2.53.4
series  16
kernel  5.4.0-1050-raspi

Right. 2.53.x only supports --monitor. Enforcing became available with 2.54 (I just checked in the code) and this documentation was updated, but we forgot to adjust snapd version number; sorry for the confusion.


I updated snapd and then it worked. Also, I have to enforce the validation manually on the UCore system. Is there a way to do this through snapd REST API?

Yes there is (snap command talks via REST API for everything it does). The documentation for this API should become available very soon at https://snapcraft.io/docs/snapd-api


The documentation for this has now been added to our REST API reference: validation-sets


As I test it, “snap validate --forget” does not remove a vset from the system, it just stops enforcing it, correct? It still shows up in the list of available vsets so that it can be set to enforcing again. Is that correct?

Oh, wait, I see that further down, that’s explained. That’s a really unfortunate choice of option, --forget; is it too late to change it to something like “--unenforce”?

Hi, I was testing how to use validation sets.

I first installed all the snaps at the revision I needed and I was able to enforce the validation set.

After that I updated the validation set to have a snap of a different revision. Now when I do snap refresh and snap validate, all I get is that the validation set is invalid now and enforced.

How can I get it to refresh automatically to the required revision? Shouldn't it do that?

@rahul-tt Are you using brand store?

Yes, I am using a brand store.

I’ve observed something similar. Below, dev machine is Ubuntu Desktop 20.04, and target machine is UC20 pointing to a private brand store.

  1. On dev machine: Publish snaps acme-foo and acme-bar in private brand store. Upload & release revision 1 of acme-foo and revision 1 of acme-bar to the respective latest/stable channels.

  2. On dev machine: Create Ubuntu Core image, which includes snaps acme-foo following latest/stable and acme-bar following latest/stable in model assertion.

  3. On target machine: Boot image. Allow system to prepare device & perform initial refresh (no updates expected to acme-foo & acme-bar). Place a refresh hold for one week (arbitrary time, simply to prevent unexpected auto-refreshes during test).

  4. On dev machine: Run snapcraft edit-validation-sets acme vs-baz 1, to create:

account-id: acme
name: vs-baz
sequence: 1
# The revision for this validation set
# revision: 0
snaps:
  - name: acme-foo
    id:   f00a1phanum3r1cstr1ng
    presence: required
    revision: 1
  - name: acme-bar
    id:  bara1phanum3r1cstr1ng
    presence: required
    revision: 1

  5. On target machine: Run snap validate --enforce acme/vs-baz=1. This succeeds (as the set is simply describing the current state of the latest/stable channels, which the device is following and up to date on). snap validate confirms that the set is valid and being enforced.

  6. On dev machine: Upload and release revision 2 of acme-bar to store. Release to latest/stable.

  7. On target machine: Run snap refresh, and observe that no new snap revisions are installed, as expected (because while revision 2 is available on latest/stable the currently enforced validation set prevents it from being installed).

  8. On dev machine: Run snapcraft edit-validation-sets acme vs-baz 1, to create:

account-id: acme
name: vs-baz
sequence: 1
# The revision for this validation set
# revision: 1
snaps:
  - name: acme-foo
    id:   f00a1phanum3r1cstr1ng
    presence: required
    revision: 1
  - name: acme-bar
    id:  bara1phanum3r1cstr1ng
    presence: required
    revision: 2

  9. On target machine: Run snap refresh.

    EXPECTED BEHAVIOR: acme-bar refreshes to revision 2, as the latest revision of acme/vs-baz=1 allows. acme/vs-baz=1 remains valid & enforced.

    OBSERVED BEHAVIOR: acme/vs-baz=1 becomes invalid. acme-bar is also not refreshed to revision 2. snap known validation-set indicates the device is aware of latest revision of vs-baz but something breaks along the way
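
The device state in the steps above can be modelled as a check of installed revisions against the constraints in the set. This is an added example, not code from the post or from snapd: the function names and data layout are assumptions, the `optional` and `invalid` presence values go beyond the `required` case shown in the listing, and the sample data is constructed from the vs-baz listing.

```python
# Simplified model of a validation-set check (illustrative, not snapd's code).
# Sample data is constructed from the vs-baz listing in the post above.

def check_validation_set(vset, installed):
    """Return a sorted list of problems; an empty list means the set is valid.

    vset: dict with a "snaps" list in the format shown on this page.
    installed: dict mapping snap name -> installed revision (int).
    """
    problems = []
    for entry in vset["snaps"]:
        name = entry["name"]
        # Assumption: an omitted presence is treated as "required".
        presence = entry.get("presence", "required")
        pinned = entry.get("revision")  # None means any revision is accepted
        current = installed.get(name)

        if presence == "invalid":
            if current is not None:
                problems.append(f"{name}: installed but must not be present")
            continue
        if current is None:
            if presence == "required":
                problems.append(f"{name}: required but not installed")
            continue  # an optional snap that is absent is fine
        if pinned is not None and current != pinned:
            problems.append(f"{name}: at revision {current}, set requires {pinned}")
    return sorted(problems)


def make_vs_baz(bar_revision):
    """vs-baz as listed in the post; only acme-bar's pinned revision varies."""
    return {"account-id": "acme", "name": "vs-baz", "sequence": 1, "snaps": [
        {"name": "acme-foo", "presence": "required", "revision": 1},
        {"name": "acme-bar", "presence": "required", "revision": bar_revision},
    ]}


if __name__ == "__main__":
    device = {"acme-foo": 1, "acme-bar": 1}  # constructed: state after step 3
    print(check_validation_set(make_vs_baz(1), device))  # set as first created
    print(check_validation_set(make_vs_baz(2), device))  # set after it is edited
```

With acme-bar still installed at revision 1, the edited set reports a revision mismatch until acme-bar is moved to revision 2.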

This is exactly what I am facing. Thanks for explaining with an example.

@alexclewontin Thanks for providing detailed steps and inputs. Could you please attach the list of snap changes and the list of tasks (snap change <ID>) for the last snap refresh; also, journalctl -u snapd for that period may be helpful if you still have it?

@rahul-tt and @alexclewontin There is an additional requirement currently in place (besides brand store) for enforcing of validation sets by snap store that was missing in the original requirements, the first post in this thread has just been updated to reflect that - see the points after "Currently, in order to enforce a validation set, the following is also required…". Sorry for the confusion.

What is meant by this? What key would be “the default” key?
