Title: Snap integration in Qubes OS templates | |
Author: Solène | |
Date: 16 October 2024 | |
Tags: snap qubesos linux | |
Description: In this guide, you will learn how to set up your Qubes OS
templates to integrate snap programs
# Introduction | |
The snap package format is interesting. While it used to have a bad
reputation, I wanted to form my own opinion about it. After reading its
design and usage documentation, I find it quite good, and I have had a
good experience using some programs installed with snap.
Snapcraft official website (store / documentation) | |
Snap programs can be packaged as either "strict" or "classic". A strict
snap runs under some confinement, which can be inspected on an
installed snap using `snap connections $appname`, while a "classic"
snap has no sandboxing at all. Snap programs are completely
decoupled from the host operating system where snap is running, so
you can have old or new versions of a snap-packaged program without
having to handle shared library versions.
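As an added example (not part of the original post), the script below summarises the confinement of each installed snap by parsing the Notes column of `snap list`, and lists the interfaces that are actually connected according to `snap connections` output. The sample data and the snap names `codeedit` and `devtool` are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise snap confinement in a template.

# Reads `snap list` text on stdin, prints "<name> <confinement>".
# The Notes column (last field) is a comma-separated list of flags.
classify_snaps() {
    awk 'NR > 1 && NF >= 6 {
        mode = "strict"
        n = split($NF, notes, ",")
        for (i = 1; i <= n; i++)
            if (notes[i] == "classic" || notes[i] == "devmode")
                mode = notes[i]
        print $1, mode
    }'
}

# Reads `snap connections <name>` text on stdin, prints the interfaces
# that are actually connected (Slot column is not "-").
connected_interfaces() {
    awk 'NR > 1 && NF >= 4 && $3 != "-" { print $1 }' | sort -u
}

# Constructed samples in the layout of the real commands (not real output).
SAMPLE_LIST='Name        Version   Rev   Tracking       Publisher    Notes
core22      20240904  1621  latest/stable  canonical**  base
snap-store  0+git.1   1216  2/stable       canonical**  -
codeedit    1.2       42    latest/stable  example      classic
devtool     0.9       7     latest/edge    example      disabled,devmode'

SAMPLE_CONN='Interface        Plug                        Slot      Notes
home             snap-store:home             :home     -
network          snap-store:network          :network  -
removable-media  snap-store:removable-media  -         -'

printf '%s\n' "$SAMPLE_LIST" | classify_snaps
printf '%s\n' "$SAMPLE_CONN" | connected_interfaces
# In the template: snap list | classify_snaps
#                  snap connections snap-store | connected_interfaces
```

Snaps reported as `classic` or `devmode` run without enforced sandboxing, so they deserve the same trust review as any other package installed in the template.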
The following setup explains how to install snap programs in a template
to run them from AppVMs, not how to install snap programs in AppVMs
as a user. If you need the latter, please use the Qubes OS guide linked below.
Qubes OS documentation explains how to set up snap in a template, but
with a helper to allow AppVMs to install snap programs in the user
directory.
Qubes OS official documentation: install snap packages in AppVMs | |
In a previous blog post, I explained how to configure a Qubes OS | |
template to install flatpak programs in it, and how to integrate it to | |
the template. | |
Previous blog post: Installing flatpak programs in a Qubes OS template | |
# Setup on Fedora | |
All commands are meant to be run as root. | |
## Snap installation | |
Snapcraft official documentation: Installing snap on Fedora | |
Installing snap is easy, run the following command: | |
``` | |
dnf install snapd | |
``` | |
To allow "classic" snaps to work, you need to run the following | |
command: | |
``` | |
sudo ln -s /var/lib/snapd/snap /snap | |
``` | |
## Proxy configuration | |
Now, configure snap to use the HTTP proxy in the template. These
commands can take some time because snap tries to use the network
when invoked and has to time out first.
``` | |
snap set system proxy.http="http://127.0.0.1:8082/" | |
snap set system proxy.https="http://127.0.0.1:8082/" | |
``` | |
## Run updates on template update | |
You need to prevent snap from searching for updates on its own as you | |
will run updates when the template is updated: | |
``` | |
snap refresh --hold | |
``` | |
To automatically update snap programs when the template is updating (or | |
doing any dnf operation), create the file | |
`/etc/qubes/post-install.d/05-snap-update.sh` with the following | |
content and make it executable: | |
``` | |
#!/bin/sh
# only refresh snaps when running inside a template
if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    snap refresh
fi
``` | |
## Qube settings menu integration | |
To add the menu entry of each snap program in the qube settings when
you install/remove snaps, create the file
`/usr/local/bin/sync-snap.sh` with the following content and make it
executable:
``` | |
#!/bin/sh
# when a desktop file is created/removed
# - links snap .desktop in /usr/share/applications
# - remove outdated entries of programs that were removed
# - sync the menu with dom0
inotifywait -m -r \
    -e create,delete,close_write \
    /var/lib/snapd/desktop/applications/ |
while IFS=':' read -r event
do
    # link every snap desktop entry; -f avoids "File exists" errors on re-runs
    find /var/lib/snapd/desktop/applications/ -type l -name "*.desktop" | while read -r line
    do
        ln -sf "$line" /usr/share/applications/
    done
    # delete dangling links left by removed snaps
    find /usr/share/applications/ -xtype l -delete
    # regenerate the application menus and sync them with dom0
    /etc/qubes/post-install.d/10-qubes-core-agent-appmenus.sh
done
``` | |
Install the package `inotify-tools` for the script above to work,
and add this to `/rw/config/rc.local` to run it at boot:
``` | |
/usr/local/bin/sync-snap.sh & | |
``` | |
You can run the script now with `/usr/local/bin/sync-snap.sh &` if you | |
plan to install snap programs. | |
## Snap store GUI | |
If you want to browse and install snap programs using a nice interface, | |
you can install the snap store. | |
``` | |
snap install snap-store | |
``` | |
You can run the store with `snap run snap-store` or configure your | |
template settings to add the snap store into the applications list, and | |
run it from your Qubes OS menu. | |
# Debian | |
The setup on Debian is pretty similar: you can reuse the Fedora guide,
except you need to replace `dnf` with `apt`.
Snapcraft official documentation: Installing snap on Debian | |
# Conclusion | |
Having more options to install programs is always good, especially when
they come with features like quota or sandboxing. Qubes OS gives you the
flexibility to use multiple templates in parallel, so a new source of
packages can be useful for some users.