Installing Ubuntu’s snap on Fedora Silverblue

Silverblue is an immutable distro, which mounts most of the system’s files as read-only and tracks their changes over time using OSTree — kind of like “git for the OS” — enhancing security and repeatability (great for development!).

As Ubuntu’s snap requires access to the root file system in order to create a symlink in /snap to /var/lib/snapd/snap, successfully installing it requires some special attention. Besides, $HOME directory in Silverblue defaults to the more traditional path /var/home/$USER, and since snap expects it to be on its modern location /home/$USER, we also need to work around this manually.

Thanks to systemd, though, this is all really easy to achieve. As Silverblue discards top-level changes on host’s restart, let’s first create a new service to make directory folders and replace symlinks in the root file system on boot:

# /etc/systemd/system/mkdir-rootfs@.service
[Unit]
Description=Enable mount points in / for OSTree
DefaultDependencies=no
[Service]
Type=oneshot
ExecStartPre=chattr -i /
ExecStart=/bin/sh -c "[ -L '%f' ] && rm '%f'; mkdir -p '%f'"
ExecStopPost=chattr +i /

Next, we’ll create two additional services. The first will bind mount /snap, in order to work around issue rpm-ostree#337 (thanks, paolope & BreiteSeite!):

# /etc/systemd/system/snap.mount
[Unit]
After=mkdir-rootfs@snap.service
Wants=mkdir-rootfs@snap.service
Before=snapd.socket
[Mount]
What=/var/lib/snapd/snap
Where=/snap
Options=bind
Type=none
[Install]
WantedBy=snapd.socket

We’d already be able to run snaps now, but only as root (e.g. with sudo), which isn’t ideal. To allow snaps to be run by any user, let’s create another service that will bind mount /home, to work around issue snappy#1620771:

# /etc/systemd/system/home.mount
[Unit]
After=mkdir-rootfs@home.service
Wants=mkdir-rootfs@home.service
Before=snapd.socket
[Mount]
What=/var/home
Where=/home
Options=bind
Type=none
[Install]
WantedBy=snapd.socket

Note: as Fedora uses SELinux instead of AppArmor by default, all snap applications run unconfined in the system (that is, in “classic” mode) — which is why this workaround isn’t as feasible to solve the $HOME issue. As far as I know, Ubuntu is the only distro which supports snap confinement.

Lastly, we’ll need to edit our host’s /etc/passwd file in order to update our $HOME directory from /var/home to /home, so snapd will use the new path:

sudo cp /etc/passwd /etc/passwd.bak &&
sudo sed -i 's:/var/home:/home:' /etc/passwd

We may now enable and execute our newly created systemd services:

sudo systemctl daemon-reload &&
sudo systemctl start {home.mount,snap.mount} &&
sudo systemctl enable {home.mount,snap.mount}

And that’s it! Snap may now be layered on top of Silverblue with rpm-ostree install snapd or simply restarted with systemctl restart snapd. ㊗

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store