Make a factory image containing a private snap!

Introduction

This post is an addition to the series on developing ROS from prototype to finished product on Ubuntu Core, in response to a question I received: "I want to make a factory image, but I don't want to make my snap public" Of course, neither this question nor the answer is specific to robotics. In this post, I will answer this question in two ways.

Before you start, you need to know some background knowledge about making Ubuntu Core images. If you have read [Developing ROS prototypes to finished products in Ubuntu Core 3 series of articles (specifically Part 5), you already have what you need. For background knowledge, if you haven't seen it, you can check out the tutorial on making your Ubuntu Core image.

If you are up to date and know what I am talking about when I say "model definition" or "model assertion", let's start using private sanps through different methods to make Ubuntu Core images .

Method 1: Don’t upload your snap to the store

This is the simplest method. First take a look at this example of model definition - amd64-model.json:

{
"type": "model",
"series": "16",
"model": "custom-amd64",
"architecture": "amd64",
"gadget": "pc",
"kernel": "pc-kernel",
"authority-id": "4tSgWHfAL1vm9l8mSiutBDKnnSQBv0c8",
"brand-id": "4tSgWHfAL1vm9l8mSiutBDKnnSQBv0c8",
"timestamp": "2017-06-23T21:03:24+00:00",
"required-snaps": ["kyrofa-test-snap"]
}

Let’s convert this into a model assertion:

$ cat amd64-model.json | snap sign -k my-key-name > amd64.model
You need a passphrase to unlock the secret key for
user: "my-key-name"
4096-bit RSA key, ID 0B79B865, created 2016-01-01
...

After obtaining the model assertion: amd64.model, if you give it to ubuntu-image for use now, you will hit a wall:

$ sudo ubuntu-image -c stable amd64.model
Fetching core
Fetching pc-kernel
Fetching pc
Fetching kyrofa-test-snap
error: cannot find snap "kyrofa-test-snap": snap not found
COMMAND FAILED: snap prepare-image --channel=stable amd64.model /tmp/tmp6p453gk9/unpack

Actually there is no snap named kyrofa-test-snap in the store. It is important to note here that the model definition (and the converted assertion) only contains a series of snap names. If you have a snap with that name locally, even if it doesn't exist in the store, you can tell ubuntu-image to use it by matching that name in the assertion via the --extra-snaps option:

$ sudo ubuntu-image -c stable \
--extra-snaps /path/to/kyrofa-test-snap_0.1_amd64.snap \
amd64.model
Fetching core
Fetching pc-kernel
Fetching pc
Copying "/path/to/kyrofa-test-snap_0.1_amd64.snap" (kyrofa-test-snap)
kyrofa-test-snap already prepared, skipping
WARNING: "kyrofa-test-snap" were installed from local snaps
disconnected from a store and cannot be refreshed subsequently!
Partition size/offset need to be a multiple of sector size (512).
The size/offset will be rounded up to the nearest sector.

Now, without the snap being uploaded to the store, you have obtained an Ubuntu Core image (named pc.img) with the private snap pre-installed. But there is a big problem with this. ubuntu-image will prompt a warning: not pre-installing the snap through the connected store means that you have no way to update it on the device that has burned these images. You can only update it by making a new image and re-flashing it to the device.

Method 2: Use a brand store

When you register for a store account and visit dashboard.snapcraft.io, you are actually viewing your snaps in the standard Ubuntu store. If you have newly installed snapd in your system, it will be downloaded from this store by default. While you can publish private snaps in the Ubuntu Store, you can't preinstall them into an image because only you (and the collaborators you add) have permission to use it. The only way to create a mirror in this situation is to publish your snap publicly, however that doesn't serve the purpose of this post.

For this use case we have what is called Brand Store. Branded stores are still hosted in the Ubuntu Store, but they are a customized, specialized version for a specific company or device. Brand stores may or may not inherit from the standard Ubuntu store, and brand stores may choose to be open to all developers or restricted to a specific group (keeping them private is what we want).

Please note that this is a paid feature. You need to apply for a brand store. Once the request is approved, you will be able to see your new store by accessing "stores you can access" under your username.

There you can see multiple stores that you have access to. At a minimum there will be two: the standard Ubuntu store and your new branded store. Select the brand store (red box), enter and record your store ID (blue box): you will need it later.

Registering a name or uploading a snap in the brand store uses the same methods as the standard store, except that they are now uploaded to your brand store instead of the standard one. If you place your brand store in unlisted, these snaps will not be visible to external users. But what needs to be noted here is that when uploading a snap for the first time, it needs to be operated through the web interface. After that, you can continue working with Snapcraft as usual.

So how did these change? My "kyrofal-store" inherits snaps from the Ubuntu store and also contains a "kyrofa-bran-test-snap" released in the stable channel. This snap is not available in the Ubuntu store and if you search for it, you won't find it:

$ snap find kyrofa-branded
The search "kyrofa-branded" returned 0 snaps

But using the store ID we recorded earlier, we can create a model assertion that downloads the snap from the brand store instead of the Ubuntu store. We just need to add the "store" key to the JSON file, like this:

{
"type": "model",
"series": "16",
"model": "custom-amd64",
"architecture": "amd64",
"gadget": "pc",
"kernel": "pc-kernel",
"authority-id": "4tSgWHfAL1vm9l8mSiutBDKnnSQBv0c8",
"brand-id": "4tSgWHfAL1vm9l8mSiutBDKnnSQBv0c8",
"timestamp": "2017-06-23T21:03:24+00:00",
"required-snaps": ["kyrofa-branded-test-snap"],
"store": "kyek"
}

Use the method in method 1 to sign it, and then we can simply make an Ubuntu Core image pre-installed with our brand store's private snap like this:

$ sudo ubuntu-image -c stable amd64.model
Fetching core
Fetching pc-kernel
Fetching pc
Fetching kyrofa-branded-test-snap
Partition size/offset need to be a multiple of sector size (512).
The size/offset will be rounded up to the nearest sector.

Now, just like at the end of method 1, you have a pc.img prepared for the factory. And all snaps in images created using this method are downloaded from the store, which means they will update automatically as usual.

in conclusion

So far, there are only two ways to do this. When I started writing this post, I thought there might be a third way (making the snap private and then using it to make a mirror), but that turned out not to be possible.

In addition, we have also received many requests for internal deployment or enterprise stores. Although such products have not yet been announced, the store team is working on it. I will write an article about it once it becomes available.

Hope this helps!

The above is the detailed content of Make a factory image containing a private snap!. For more information, please follow other related articles on the PHP Chinese website!