A validation set is an assertion that lists specific snaps that are either required to be installed together or are permitted to be installed together on a device or system.
One or more validation sets can be used to ensure only specific snaps are installed, and optionally, only specific snaps at fixed revisions. They can help a set of interdependent snaps maintain their testing and certification integrity, as well as help orchestrate their updates. But they can equally be used to simplify dependency deployment and to help manage devices.
Validation set functionality is currently under active development and there are several considerations that need to be made before using it:
- You can only currently create and monitor a validation set. A validation set cannot yet be enforced.
- A developer account is required, along with your developer id (see Create a developer account for further details).
- The snap daemon, snapd, needs to be installed from its edge channel (validation sets will be in snapd 2.50):
$ snap refresh snapd --channel edge
- Snapcraft version 4.7 or newer is required.
See below for further details on the following:
Creating a validation set
To create a validation set, use the snapcraft edit-validation-sets command:
snapcraft edit-validation-sets <account-id> <set-name> <sequence>
This command requires your developer account id, an arbitrary name for the validation set, and a sequence number. The sequence number starts at 1 and is incremented at the developer’s discretion when there’s a substantial change or update to the validation set:
$ snapcraft edit-validation-sets xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f myset1 1
The --key-name argument can be used to specify a key other than the default.
A text editor will open containing a template for a validation set assertion that needs to be filled in by the developer issuing the assertion.
account-id: <account-id>
name: <set-name>
sequence: <sequence>
# The revision for this validation set
# revision: 0
snaps:
#  - name: <name>  # The name of the snap.
#    id: <id>  # The ID of the snap. Optional, defaults to the current ID for
#              # the provided name.
#    presence: [required|optional|invalid]  # Optional, defaults to required.
#    revision: <n>  # The revision of the snap. Optional.
The template validation set assertion needs to be populated with the details of the snaps you wish to include in the set. These are listed beneath the snaps: section, and each snap can use the following fields:
- name: The name of the snap, as you find on the store or in snap search.
- id: The unique snap-id of the snap (see snap info <snap name>). Defaults to the snap-id of the named snap.
- presence: Can be either required, optional or invalid. required snaps need to be installed, optional snaps are permitted to be installed and invalid snaps explicitly must not be installed. Defaults to required.
- revision: Specifies which revision of the snap needs to be installed.
The following is a populated example of a validation set assertion:
account-id: xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f
name: myset1
# revision: 0
sequence: 1
snaps:
  - name: hello-world
    id: buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
    presence: required
  - name: test-snapd-base-bare
    id: oXC9AkhtCxhlY80KZA3peZzWbnO4xPOT
    presence: optional
  - name: bare
    id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
    presence: optional
We recommend making a copy of the saved validation set assertion before closing the editor. Closing the editor will first check the integrity of the assertion before automatically uploading it to the store.
To modify the assertion at a later point, run the same snapcraft edit-validation-sets command with the same name but an incremented sequence number and/or revision.
Listing validation sets
Use the snapcraft list-validation-sets command to check which validation sets are available in the store:
$ snapcraft list-validation-sets
Account-ID                        Name      Sequence  Revision  When
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f  myset1    1         0         2021-04-08
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f  testset1  2         0         2021-03-31
To list only validation sets with a specific set name, use the additional --name argument:
$ snapcraft list-validation-sets --name myset1
Account-ID                        Name    Sequence  Revision  When
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f  myset1  1         0         2021-04-08
The --sequence argument can be used to list validation sets with a specific sequence number:
$ snapcraft list-validation-sets --name myset1 --sequence 1
Account-ID                        Name    Sequence  Revision  When
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f  myset1  1         0         2021-04-08
By default, only the latest validation sets are listed. To list every validation set available, add the
Monitoring assertion validity
The snap validate command checks whether the snaps: rules for all validation set assertions on the store are valid for the system:
$ snap validate
Validation  Mode  Seq  Current  Notes
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/myset1  monitor  1  valid
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/testset1  monitor  2  invalid
An assertion is invalid if snaps in the system do not satisfy the constraints of the assertion, such as when required snaps are missing or unwanted snaps are present. Multiple validation sets can be used, as shown above, as long as they don’t have conflicting constraints, and they can cover different sets of snaps.
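The validity rule described above can be expressed as a small checker. This is an added example, not snapd's own code: it matches snaps by name rather than snap-id, treats snaps that are not listed in the set as unconstrained, and applies a revision pin to an optional snap only when that snap is installed, all of which are assumptions of the sketch. The installed inventories are constructed sample data.

```python
# Added illustration: evaluate validation-set constraints against installed snaps.
# Assumptions: matching by name, unlisted snaps are unconstrained, and a pinned
# revision on an optional snap only matters when that snap is installed.

VALIDATION_SET = {  # the populated example from this page, ids omitted
    "account-id": "xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f",
    "name": "myset1",
    "sequence": 1,
    "snaps": [
        {"name": "hello-world", "presence": "required"},
        {"name": "test-snapd-base-bare", "presence": "optional"},
        {"name": "bare", "presence": "optional"},
    ],
}


def check(validation_set, installed):
    """Return a list of violations; an empty list means the set is valid.

    installed maps snap name -> installed revision (int).
    """
    problems = []
    for rule in validation_set["snaps"]:
        name = rule["name"]
        presence = rule.get("presence", "required")  # page: defaults to required
        pinned = rule.get("revision")                # optional revision pin
        have = installed.get(name)
        if presence not in ("required", "optional", "invalid"):
            problems.append(f"{name}: unknown presence {presence!r}")
        elif presence == "invalid":
            if have is not None:
                problems.append(f"{name}: installed but marked invalid")
        elif have is None:
            if presence == "required":
                problems.append(f"{name}: required snap is missing")
        elif pinned is not None and have != pinned:
            problems.append(f"{name}: revision {have} installed, {pinned} required")
    return problems


if __name__ == "__main__":
    # Constructed sample inventories (not real device data).
    print(check(VALIDATION_SET, {"hello-world": 29, "bare": 5}))  # no violations
    print(check(VALIDATION_SET, {"bare": 5}))                     # required snap missing
```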
A specific validation set can be checked with snap validate <account id>/<validation set name>, with an optional sequence point set by adding =<sequence> to the validation set name:
$ snap validate xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/myset1=1
valid
The --monitor argument can be used to both check the validity of a validation assertion on the system and periodically check for new versions of the assertion on the store:
$ snap validate --monitor xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/testset1
A validation set assertion can be pinned by the system administrator at the given sequence number:
$ snap validate --monitor xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/testset1=3
A pinned validation set is kept at the given sequence number, even if there’s a higher sequence number in the store. However, the validation will be updated to a newer version if one becomes available with the same sequence number.
Monitor mode validation requires a manual action (snap validate, as shown above), but nothing is enforced in the system. Only when enforce mode has been implemented will validation sets have an impact on the system and will prevent installing/removing snaps that violate an assertion’s constraints.
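Because monitor mode only reports, a scheduled job can turn the report into an alert. The following added example (not part of snapd or snapcraft) parses the snap validate listing and exits non-zero when any set is invalid; it assumes the output layout shown on this page, and the embedded sample is constructed from that listing.

```python
import subprocess
import sys

# Constructed sample, copied from the `snap validate` listing on this page.
SAMPLE = """\
Validation  Mode  Seq  Current  Notes
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/myset1  monitor  1  valid
xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/testset1  monitor  2  invalid
"""


def parse_validate(output):
    """Parse `snap validate` listing text into (set, mode, status) tuples.

    Assumes the layout shown on this page: a header row, then one row per
    set whose first token is <account-id>/<name>, second is the mode and
    last is valid/invalid.
    """
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or "/" not in fields[0]:
            continue  # header, blank line or unexpected text
        status = fields[-1]
        if status not in ("valid", "invalid"):
            raise ValueError(f"unrecognised status in line: {line!r}")
        rows.append((fields[0], fields[1], status))
    return rows


def invalid_sets(output):
    """Names of validation sets the system currently violates."""
    return [name for name, _mode, status in parse_validate(output)
            if status == "invalid"]


if __name__ == "__main__":
    # On a device: run the real command and exit non-zero so that a timer
    # or cron job can raise an alert.
    result = subprocess.run(["snap", "validate"],
                            capture_output=True, text=True, check=True)
    bad = invalid_sets(result.stdout)
    for name in bad:
        print(f"validation set violated: {name}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```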
Finally, to remove a validation set from the store, use the --forget argument:
$ snap validate --forget xSfWKGdLoQBoQx88vIM1MpbFNMq53t1f/myset1