In many language development we have to use "Hello, the world!" to demonstrate the success of a development environment, in today's tutorial, we have no exception to use this example to demonstrate how the snap application is built. While this example is simple, we will slowly discover some of the features of the snap system as we go into the routine, which can help us better understand the system. If you want to know about the 16.04 Desktop support for SNAP, see the article "Install Snap app to Ubuntu 16.4 desktop system".
1) Install the Hello-world app from the snap store
We can find this app in the snap store with the following command:
$ sudo snap install Hello-world
After installing this app, we can find the Snap.yaml file for this application in the following directory. This file is very similar to the Snapcraft.yaml file for a project. It's just that there's no parts part in it.
[email protected]:/snap/hello-world/current/meta$ ls GUI snap.yaml
The contents of Snap.yaml are as follows:
Snap.yaml
Name:hello-worldversion:6.3architectures: [All]summary:the ' Hello-world ' of snapsdescription: | This was a simple snap example, includes a few interesting binaries to demonstrate snaps and their confinement.
* hello-world.env -Dump the env of commands run inside app Sandbox * hello-world.evil-show how snappy Sandboxe S binaries * hello-world.sh -Enter interactive shell, runs in app Sandbox * Hello-world -Simply OUTP UT textapps:env: command:bin/env Evil: command:bin/evil sh: command:bin/sh hello-world: command : Bin/echo
It can be seen that the format is very close to our Snapcraft.yaml project file. The Env,evil,sh and Echo commands indicated in this document can be found in the following directories:
[Email protected]:/snap/hello-world/current/bin$ lsecho env Evil SH
Of course, we can use our VI editor to view the specific content inside. The entire file structure is as follows:
[Email protected]:/snap/hello-world/current$ tree-l 3.├──bin│├──echo│├──env│├──evil│└──sh└──meta ├─ ─gui │└──icon.png └──snap.yaml
2) Create our own Hello-world project
For some reason, we have not found the source of this project on the Internet. Since this project is very simple, we can reconstruct the project in our own way: We change the snap.yaml above to the snapcraft.yaml we need and take the required documents into the catalogue we need. This allows us to easily refactor the project. The purpose of this is that we want to show some of the features we want to see by modifying this project.
After our refactoring, we finally finished our first snap application. The directory schema is as follows:
[Email protected]:~/snappy/desktop/helloworld$ tree-l 3.├──bin│├──echo│├──env│├──evil│└──sh├──setup│ └──gui│ └──icon.png└──snapcraft.yaml
Here Snapcraft is our project file, which is used to package our app. Its content is as follows:
Snapcraft.yaml
Name:hello-xiaoguoversion:1.0architectures: [All]summary:the ' Hello-world ' of snapsdescription: | This was a simple snap example, includes a few interesting binaries to demonstrate snaps and their confinement.
* hello-world.env -Dump the env of commands run inside app Sandbox * hello-world.evil-show how snappy Sandboxe S binaries * hello-world.sh -Enter interactive shell, runs in app Sandbox * Hello-world -Simply OUTP UT textconfinement:strictapps:env: command:bin/env Evil: command:bin/evil sh: command:bin/sh Hello-world: Command:bin/echoparts:hello: plugin:copy files: ./bin:bin
In terms of content, it's almost the same as the snap we saw before. Here we use the copy plugin. We can use the following command to query all the plugins that are currently supported:
[Email protected]:~/snappy/desktop/helloworld$ snapcraft list-pluginsant catkin copy Gulp kbuild make nil python2 qmake tar-contentautotools cmake go jdk kernel Maven Nodejs python3 scons
In fact, the plugin architecture under Snapcraft is also developed, and developers can develop the plugin they need. Before we pack our apps, we have to make sure that all the files in the bin directory are executable:
[Email protected]:~/snappy/desktop/helloworld/bin$ ls-altotal 24drwxrwxr-x 2 liuxg liuxg 4096 July 00:31 drwxrwxr -X 4 liuxg liuxg 4096 July 18 10:31. -rwxrwxr-x 1 liuxg liuxg 31 July 05:20 echo-rwxrwxr-x 1 liuxg liuxg 27 July 05:20 env-rwxrwxr-x 1 li Uxg liuxg 274 July 05:20 evil-rwxrwxr-x 1 liuxg liuxg 209 July 05:20 sh
Otherwise, we need to use the following command to complete:
$ chmod a+x Echo
At this point, we have completed one of the most basic hello-world projects.
3) Compile and execute our application
In the root directory of our project, we directly enter the following command:
$ snapcraft
If all goes well, we can see the following files and directories in the root directory of the project:
[Email protected]:~/snappy/desktop/helloworld$ tree-l 2.├──bin│├──echo│├──env│├──evil│└──sh├──hello-xia oguo_1.0_all.snap├──parts│└──hello├──prime│├──bin│├──command-env.wrapper│├──command-evil.wrapper│├── Command-hello-world.wrapper│├──command-sh.wrapper│└──meta├──setup│└──gui├──snapcraft.yaml└──stage └──b Inch
We can see a production snap file. Of course, we also saw a few other file directories: Parts, stage and prime. These directories are automatically generated during the packaging process. For more information about Snapcraft, we can obtain the following commands:
[Email protected]:~/snappy/desktop/helloworld$ snapcraft--help ... The available lifecycle commands Are:clean Remove Content-cleans downloads, builds or install artifacts. Cleanbuild Create a snap using a clean environment managed by LXD. Pull Download or retrieve artifacts defined for a part. Build build artifacts defined for a part. Build systems capable of running parallel build jobs would do so unless "--no-parallel-build" I s specified. Stage stage the part's built artifacts into the common staging area. Prime Final Copy and preparation for the snap. Snap Create a snap. Parts Ecosystem Commands Update Updates the Parts listing from the cloud. Define shows the definition for the cloud part. Search searches the remotes part of the cache for matching parts. Calling Snapcraft without a COMMAND would default to ' snap ' ...
As we can see above, the lifecycle required to package a snap application:
Pull,
Build,
Stage,
PrimeAnd
Snap. For a snap project, each part of its file can exist on the site, such as GIT,BZR or tar. During the packaging process, Snapcraft can automatically download them from the web and coexist in the parts directory. With build, each part's installed file is in a subdirectory called install under each one. In the stage process, it centralizes each part's files in a unified file schema. Prime is the ultimate way to put a packaged file together in the stage so that we can package it as a snap package through the snap process in the final process.
If you want to clear these intermediate files in the packaging process, we can enter the following commands on the command line:
$ Snapcraft Clean
We can install our app with the following commands:
$ sudo snap install Hello-xiaoguo_1.0_all.snap
If we install through the above method, each installation will produce a new version, and occupy the system's hard disk resources. We can also install them in the following ways:
$ sudo snap try Prime/
The advantage of this approach is that it is not necessary to produce a new version every time. At the time of installation, it directly uses a soft link to mount the prime directory we compiled directly.
This allows us to install our application in our 16.04 desktop system. We can use the following command to view:
[Email protected]:~/snappy/desktop/helloworld$ snap listname Version Rev Developer Noteshello-world 6.3 canonical -hello-xiaoguo 1.0 x2-ubuntu-core 16.04+ 20160531.11-56 122 canonical -
Obviously our Hello-xiaoguo application has been successfully installed in the system. So how are we going to run our application?
From our Snapcraft.yaml file, we can see that our package name is called Hello-xiaoguo. In our package, we have defined four applications: env, Evil,sh and Hello-world. So when we run them, we need to run them separately using the following commands:
$ hello-xiaoguo.env$ hello-xiaoguo.evil$ hello-xiaoguo.sh$ Hello-xiaoguo.hello-world
That is, we use the << package name >>.<< app name >> format to run our app. Like what:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.hello-world Hello world!
The source code of the whole project is: Https://github.com/liu-xiao-guo/helloworld-snap
4) SNAP's operating environment
We can execute the following command:
$ hello-xiaoguo.env | grep SNAP
With the above instruction, we can get all the environment variables about a snap runtime:
[Email protected]:~$ hello-xiaoguo.env | grep SNAPSNAP_USER_COMMON=/HOME/LIUXG/SNAP/HELLO-XIAOGUO/COMMONSNAP_LIBRARY_PATH=/VAR/LIB/SNAPD/LIB/GL:SNAP_ common=/var/snap/hello-xiaoguo/commonsnap_user_data=/home/liuxg/snap/hello-xiaoguo/x2snap_data=/var/snap/ Hello-xiaoguo/x2snap_revision=x2snap_name=hello-xiaoguosnap_arch=amd64snap_version=1.0snap=/snap/hello-xiaoguo /x2
These snap-related environment variables can be referenced in our app. We don't need to hard-code our variables. For example, we can refer to $snap in our Snapcraft, which represents the path of the installation of our current SNAP. At the same time, we can see a very important directory:
Snap_data=/var/snap/hello-xiaoguo/x2
This directory is the private directory of our snap. Our snap can only read and write to this directory or Snap_user_data. Otherwise, a secure error message will be generated. For example, in our evil script:
Evil
#!/bin/shset-eecho "Hello Evil world!" echo "This example demonstrates the app confinement" echo "you should see a permission denied error Next" echo "Haha" >/ Var/tmp/myevil.txtecho "If You see this line the confinement are not working correctly, please file a bug"
Through this script we write "Haha" to Myevil.txt in/var/tmp/, which creates a secure denied error message:
[Email protected]:~$ hello-xiaoguo.evilhello Evil world! This example demonstrates the app Confinementyou should see a permission denied error Next/snap/hello-xiaoguo/x2/bin/evil: 9:/snap/hello-xiaoguo/x2/bin/evil:cannot Create/var/tmp/myevil.txt:permission denied
The most fundamental reason for this is that our snap app does not have access to directories that do not belong to him. This is the most fundamental security mechanism for SNAP applications. To illustrate the problem, we create a CreateFile script:
CreateFile
#!/bin/shset-eecho "Hello a nice world!" echo "This example demonstrates the app confinement" echo "This app tries to write to its own user directory" echo "Haha" &G T $HOME/test.txtecho "succeeded! Please find a file created at $HOME/test.txt "echo" If does not see this, please file a bug "
Add to our Snapcraft.yaml:
CreateFile: command:bin/createfile
RePack Our App:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.createfile Hello a nice world! This example demonstrates the app Confinementthis apps tries to write to its own user directorysucceeded! Please find a file created at/home/liuxg/snap/hello-xiaoguo/x3/test.txtif don't see this, please file a bug
Here we can see that we have successfully produced a file in position/home/liuxg/snap/hello-xiaoguo/x3/. The definition of $HOME can be obtained in the following ways:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.env | grep homegpg_agent_info=/home/liuxg/.gnupg/s.gpg-agent:0:1snap_user_common=/home/liuxg/snap/hello-xiaoguo/ commonandroid_ndk_root=/home/liuxg/android-ndk-r10esnap_user_data=/home/liuxg/snap/hello-xiaoguo/x3pwd=/home/ liuxg/snappy/desktop/helloworldhome=/home/liuxg/snap/hello-xiaoguo/x3xauthority=/home/liuxg/. Xauthority
Careful developers may find that the definitions and variables
Snap_user_dataIs the same:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.env | grep SNAPSNAP_USER_COMMON=/HOME/LIUXG/SNAP/HELLO-XIAOGUO/COMMONSNAP_LIBRARY_PATH=/VAR/LIB/SNAPD/LIB/GL:SNAP_ common=/var/snap/hello-xiaoguo/commonsnap_user_data=/home/liuxg/snap/hello-xiaoguo/x3snap_data=/var/snap/ Hello-xiaoguo/x3snap_revision=x3snap_name=hello-xiaoguosnap_arch=amd64snap_version=1.0snap=/snap/hello-xiaoguo /x3
5) Create an app that can be written to the desktop home
In the previous section, we have basically seen some aspects of the security of the snap application. What should we do in our snap application if we want to write content to home in our desktop computer? First, let's create a createfiletohome script like this:
Createfiletohome:
#!/bin/shset-eecho "Hello a nice world!" echo "This example demonstrates the app confinement" echo "This app tries to write to its own user directory" echo "Haha" &G T /home/$USER/test.txtecho "succeeded! Please find a file created at $HOME/test.txt "echo" If does not see this, please file a bug "
In the above we write to our user's home directory what we need. If we recompile and run our application, we will find:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.createfiletohome Hello a nice world! This example demonstrates the app Confinementthis apps tries to write to its own user directory/snap/hello-xiaoguo/x1/bin/c Reatefiletohome:9:/snap/hello-xiaoguo/x1/bin/createfiletohome:cannot create/home/liuxg/test.txt:permission Denied
Obviously, it produces a false message. We are not allowed to write any content to our user's home. So how can we do that?
Method One: We use the following method to install our application:
$ sudo snap install Hello-xiaoguo_1.0_all.snap--devmode
Note the above
--devmode, it indicates that our SNAP application ignores any security issues during development, i.e. our snap will not accept any security restrictions imposed by the snap system, just like any previously developed application. This approach is generally useful for early development of a snap application. By the time we have perfected our functions, we will refine our safe parts.
Method Two:We re-rewrite our snapcraft.yaml as follows:
Snapcraft.yaml
Name:hello-xiaoguoversion:1.0architectures: [All]summary:the ' Hello-world ' of snapsdescription: | This was a simple snap example, includes a few interesting binaries to demonstrate snaps and their confinement.
* hello-world.env -Dump the env of commands run inside app Sandbox * hello-world.evil-show how snappy Sandboxe S binaries * hello-world.sh -Enter interactive shell, runs in app Sandbox * Hello-world -Simply OUTP UT textconfinement:strictapps:env: command:bin/env Evil: command:bin/evil sh: command:bin/sh Hello-world: command:bin/echo createfile: command:bin/createfile createfiletohome: command:bin/ Createfiletohome plugs: [Home]parts:hello: plugin:copy files: ./bin:bin
Above, we added the home plug under the Createfiletohome application. It indicates that our app can access the user's home directory. In the snap system, if an application wants to access another restricted resource or access a resource owned by another application, we can do so through interface. For more information on the interface aspects of SNAP, you can refer to the interfaces link. We can view all the interface by the following command:
[Email protected]:~$ snap interfacesslot plug:camera -:cups-control -:firewall-control -: Gsettings -:home -:locale-control -:log-observe -:modem-manager -:mount-observe -: Network -:network-bind -:network-control -:network-manager -:network-observe -:opengl -:optical-drive -:p pp -:p ulseaudio -:snapd-control -:system-observe -: Timeserver-control -:timezone-control -:unity7 -:x11 -
RePack Our App:
[Email protected]:~/snappy/desktop/helloworld$ hello-xiaoguo.createfiletohome Hello a nice world! This example demonstrates the app Confinementthis apps tries to write to its own user directorysucceeded! Please find a file created at/home/liuxg/snap/hello-xiaoguo/x1/test.txtif don't see this, please file a bug
Now, we no longer have the error message shown above. All the source code in: https://github.com/liu-xiao-guo/helloworld-final
6) Application of the shell
While our Hello app is very simple, it does show the side of many of the snap apps we want to see. In our application, we also have an application called sh. It is a shell on the event. We can start it in the following way:
$ hello-xiaoguo.sh
When the application is started:
[Email protected]:~$ hello-xiaoguo.shlaunching A shell inside the default app confinement. Navigate to yourapp-specific directories with: $ cd $SNAP $ cd $SNAP _data
We can do the task we want through this shell. Like what:
bash-4.3$ cd/home/liuxgbash-4.3$ pwd/home/liuxgbash-4.3$ Touch hello.texttouch:cannot Touch ' hello.text ': Permission Denied
We found that because of the snap security restrictions, we were not able to create a file we wanted anywhere in the same way as the previous system. There are many more examples that we leave to you to experience slowly.
HelloWorld Snap Routines