Snaps on Gentoo - The saga continues
A while ago I posted about Snaps on Gentoo, about why and how to get it working. Some time after that post, snaps stopped working and I didn't have the time to investigate.
Until last week that is.
Update 07/09/2019
My snapd ebuild is now in an overlay of its own for your convenience. See here
TL;DR
If you just want to install my snapd ebuild, run this bit:
echo app-portage/layman git >> /etc/portage/package.use/layman
emerge app-portage/layman
layman -o http://jesseharrisit.com/overlay.xml -f -a zigford
emerge app-emulation/snapd
Read on for more details
Last week I decided to have a crack at getting Gentoo running on my work-owned "Precision 5510". It's a couple of years old now, but is quite serviceable. I will want to use it booted into Gentoo for work now and again, and this will involve Chromium (Firefox doesn't like launching Citrix sessions through the ICA client).
Chromium takes forever to build and that is just not fun, especially with the frequency at which releases occur. So I set about getting snaps to work.
I installed JamesB192's personal overlay and found that snaps didn't work on this clean build.
JamesB192's ebuild seems to be written quite well, and it was easy to bump the version to the latest. What I found was that at some point snapd must have switched to requiring AppArmor. I reviewed my previous kernel configs from when snapd was working, and AppArmor was not in my configuration.
Adding AppArmor support
AppArmor is a Linux Security Module that confines a process to a profile describing the files, capabilities and network access it is allowed to use; snapd's snap-confine relies on it to sandbox each snap. Enable it with the following kernel configuration (CONFIG_SECURITY_APPARMOR depends on CONFIG_SECURITY=y and CONFIG_NET=y, so those must be set as well):
CONFIG_SECURITY_APPARMOR=y
And the following boot command line, which selects AppArmor as the active security module:
apparmor=1 security=apparmor
After rebooting, /sys/module/apparmor/parameters/enabled should read Y; if it does not, the kernel booted without AppArmor and snap-confine will not be able to confine anything.
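Before touching the ebuild it is worth confirming that the kernel really carries what snapd will ask for. The script below is an added example, not code from the original post or from snapd: it checks a kernel config and a boot command line for the two items above (plus CONFIG_SECURITY=y, which CONFIG_SECURITY_APPARMOR depends on) and reports everything that is missing. The config and command-line texts it runs against are constructed samples; the same functions can be pointed at a live system's /proc/config.gz and /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the original post or the snapd project): check that a
# kernel config and a boot command line carry what AppArmor confinement needs.
# The sample config/cmdline texts at the bottom are constructed, not captured.

# kconfig_has FILE OPTION: succeed if OPTION is built in (OPTION=y) in FILE.
kconfig_has() {
    grep -qx "$2=y" "$1"
}

# cmdline_has CMDLINE PARAM: succeed if PARAM is one whole whitespace-separated
# word of CMDLINE, so "security=apparmor" does not match "security=apparmor2".
cmdline_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# check_apparmor_prereqs CONFIGFILE CMDLINE: print every missing item on
# stdout; succeed only when nothing is missing.
check_apparmor_prereqs() {
    rc=0
    for opt in CONFIG_SECURITY CONFIG_SECURITY_APPARMOR; do
        kconfig_has "$1" "$opt" || { echo "missing kernel option: $opt=y"; rc=1; }
    done
    for param in apparmor=1 security=apparmor; do
        cmdline_has "$2" "$param" || { echo "missing boot parameter: $param"; rc=1; }
    done
    return $rc
}

# apparmor_live: succeed if the running kernel reports AppArmor enabled. The
# parameter file only exists when AppArmor is built in or loaded, so a missing
# file counts as "not enabled".
apparmor_live() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = Y ]
}

# Constructed samples: one config/cmdline pair that is complete, one from a box
# built without AppArmor that booted with a different LSM selected.
good_cfg=$(mktemp); bad_cfg=$(mktemp)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_APPARMOR=y\n' > "$good_cfg"
printf 'CONFIG_SECURITY=y\n# CONFIG_SECURITY_APPARMOR is not set\n' > "$bad_cfg"

check_apparmor_prereqs "$good_cfg" "root=/dev/sda2 apparmor=1 security=apparmor" \
    && echo "sample 1: ready for snapd"
check_apparmor_prereqs "$bad_cfg" "root=/dev/sda2 security=selinux" \
    || echo "sample 2: not ready"
rm -f "$good_cfg" "$bad_cfg"

# On a real machine (with CONFIG_IKCONFIG_PROC set) the live check is:
#   zcat /proc/config.gz > /tmp/kcfg
#   check_apparmor_prereqs /tmp/kcfg "$(cat /proc/cmdline)"
#   apparmor_live && echo "AppArmor is up"
apparmor_live && echo "this kernel: AppArmor enabled" || echo "this kernel: AppArmor not enabled"
```

The command-line match is deliberately a whole-word match: `security=apparmor` appearing as a substring of some other parameter is not the same as the parameter being set, and a check that is looser than the kernel's own parsing gives false confidence.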
Now, to add AppArmor support to the ebuild, we need to install an AppArmor profile for snap-confine. The ./configure script in the snapd source generates one when the --enable-apparmor parameter is specified, so I added that parameter to the ebuild.
In the upstream build the Makefile then translates the placeholder paths in the generated profile according to the configure options. To get the same result from the ebuild I added the following:
# Generate apparmor profile: substitute the build paths into the template.
# ${S} is the ebuild's unpacked source directory.
# The SNAP_MOUNT_DIR value must match --with-snap-mount-dir; /snap is snapd's
# default and is assumed here, as the value in the original text was garbled.
sed -e 's,[@]LIBEXECDIR[@],/usr/lib64/snapd,g' \
    -e 's,[@]SNAP_MOUNT_DIR[@],/snap,g' \
    "${S}/snap-confine/snap-confine.apparmor.in" \
    > "${S}/snap-confine/usr.lib.snapd.snap-confine.real"
Then, during the install phase, the rendered profile goes into the directory the AppArmor service loads profiles from:
insinto /etc/apparmor.d
doins "${S}/snap-confine/usr.lib.snapd.snap-confine.real"
Note that dropping the file there is not enough on its own: a profile only takes effect once apparmor_parser has loaded it into the running kernel, which the apparmor init service does for everything in /etc/apparmor.d at boot. On an AppArmor-enabled kernel, snap-confine refuses to run until its profile is loaded, so a missing or unparseable profile shows up as snaps failing to launch.
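The two steps above (render the template with sed, then install the result) are easy to get subtly wrong: a leftover @PLACEHOLDER@ or a mismatched mount directory produces a profile that will not parse or will not match the binary. The script below is an added example, not code from the snapd ebuild or the snapd sources: it renders a constructed stand-in for snap-confine.apparmor.in with the same sed substitutions, verifies that no placeholder survived, and derives the conventional profile file name from the program path. The template text, the /usr/lib64/snapd libexec directory and the /snap mount directory are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the snapd ebuild or the snapd sources): render an
# AppArmor profile template the way the ebuild's sed does, then verify that no
# @PLACEHOLDER@ survived, since apparmor_parser rejects a profile with one left
# in. The template below is constructed for this example; the real one is
# snap-confine/snap-confine.apparmor.in in the snapd source tree.

# render_profile TEMPLATE LIBEXECDIR SNAP_MOUNT_DIR: print the rendered profile.
# "[@]" is a bracket expression matching a literal "@"; that spelling is the
# usual autoconf idiom so that config.status does not treat @LIBEXECDIR@ as one
# of its own substitutions when the sed command lives in a Makefile.
# The replacement paths must not contain "," or "&" (sed delimiter and
# back-reference), which holds for any sane install prefix.
render_profile() {
    sed -e "s,[@]LIBEXECDIR[@],$2,g" \
        -e "s,[@]SNAP_MOUNT_DIR[@],$3,g" \
        "$1"
}

# unresolved_placeholders FILE: print any @NAME@ left in FILE and fail; succeed
# silently when the profile is fully rendered.
unresolved_placeholders() {
    if grep -o '@[A-Z_][A-Z0-9_]*@' "$1"; then
        return 1
    fi
    return 0
}

# profile_filename PROGRAM: AppArmor's conventional file name for a profile,
# the program path with the leading "/" dropped and every other "/" turned
# into ".", e.g. /usr/lib/snapd/snap-confine.real -> usr.lib.snapd.snap-confine.real.
profile_filename() {
    echo "$1" | sed -e 's,^/,,' -e 's,/,.,g'
}

# Constructed template standing in for snap-confine.apparmor.in.
tmpl=$(mktemp)
cat > "$tmpl" <<'EOF'
#include <tunables/global>
@LIBEXECDIR@/snap-confine (attach_disconnected) {
  @SNAP_MOUNT_DIR@/** r,
  @LIBEXECDIR@/snap-exec ixr,
}
EOF

out=$(mktemp)
render_profile "$tmpl" /usr/lib64/snapd /snap > "$out"
cat "$out"
unresolved_placeholders "$out" && echo "rendered profile is complete"

# Forgetting the second substitution leaves @SNAP_MOUNT_DIR@ behind; the check
# catches it before apparmor_parser would at boot.
partial=$(mktemp)
sed -e 's,[@]LIBEXECDIR[@],/usr/lib64/snapd,g' "$tmpl" > "$partial"
unresolved_placeholders "$partial" || echo "partial render rejected"

echo "install as: /etc/apparmor.d/$(profile_filename /usr/lib/snapd/snap-confine.real)"
rm -f "$tmpl" "$out" "$partial"
```

The file name under /etc/apparmor.d is only a convention; what binds the profile to the binary is the path on the profile's header line, which is why LIBEXECDIR in the sed has to equal the directory the ebuild actually installs snap-confine into, and SNAP_MOUNT_DIR has to equal the --with-snap-mount-dir the package was configured with.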