Task #3781
closedSnap Package: Look into providing Suricata as a Snap Package
Description
These are my notes after looking into packaging Suricata as a Snap.
Why
Packaging Suricata as a Snap would allow us to create one single package that can be used across all popular Linux distributions. While I only tested x86_64 distributions, I believe the Snap store is capable of hosting packages for multiple architectures.
Confinement Mode
Snaps provide 2 confinement modes. Classic and strict. Classic gives the snap full access to the system. This would be required to give the Snap package a default Suricata feel of configuration in "/etc/suricata", logs in "/var/log/suricata", etc. This also increases the chances of the Snap package clashing with Suricata installed by other means (source, system package, etc). As Snaps appear to provide everything Suricata needs under strict confinement (af-packet, libpcap access), I only looked into strict confinement as that is the desired way to ship a Snap if possible.
Building a snap is relatively simple using a YAML based configuration file. Example:
https://github.com/jasonish/suricata-snap/blob/master/snap/snapcraft.yaml#L21
This is mostly a standard build/install process with the following notable changes:
- The configuration files "/etc/suricata" are moved to "/usr/share/suricata/etc" as "/etc" is not really available at runtime, or read-only not allowing the user to edit the configuration
- A copy of the "/usr/lib/file/magic.mgc" is copied from the build image to a location that is part of the Suricata package as this file when provided by the system is not available under strict confinement
Multiple Versions
Snap appears to support multiple "tracks". I believe this would allow us to define a "5.0" and a "4.1" track. There is also the "latest" track which for Suricata at this time would be the same as "5.0". This would allow a user to stay on the "4.1" track and get "4.1" patches without a surprise upgrade to "5.0". A request has to be made to the Snap Store management for multiple tracks.
Installation
When Suricata is fully released to the Snap Store, a user could install Suricata like:
snap install suricata
On install, the configuration files that were copied to /usr/share/suricata/etc would be copied to the "confined" "/etc/suricata". On the host system this would be visible at a location like "/var/snap/suricata/current/etc/". Running Interactively
All the Suricata commands are installed in "/var/lib/snapd/snap/bin" as:
- suricata
- suricata.sc
- suricata.update
Unfortunately due to Snap naming conventions we can't have "suricatasc" and "suricata-update".
- To edit the configuration file one must edit "/var/snap/suricata/current/etc/suricata.yaml". But to run Suricata using this configuration file you still call it like "suricata -c /etc/suricata/suricata.yaml".
- Suricata-Update "just" works with "sudo suricata.update".
- Logs end up in /var/snap/suricata/current/log/eve.json.
- The user can also direct logs to their home directory with the usual "-l" command line parameter.
- Rule files and configuration files can also be specified on the command line, provided they live under the users home directory
Snap provides the ability to define an application as a service. Under the hood it uses systemd, but lacks some configuration that you find on Ubuntu and CentOS (the /etc/{default,sysconfig}/suricata file). Instead it provides a way to set some configuration parameters. The test snap uses a wrapper script for the service that reads the command line arguments to use from a file. For example, to start the Suricata snap as a service:
snap set suricata service-args="-i eno1 -vvv" snap start suricata
- The "set" command above used the "configure" hook to create the file "/var/snap/suricata/current/etc/service-args" which the "service.sh" wrapper reads to set the command line variables
- The "set" feature of Snap allows setting any "key=val" pair which then calls your Snap defined configure hook, the above example was kept simple.
Unix Socket Control
Currently seeing issues with Suricata creating the control socket. It works fine on Fedora, but fails on Ubuntu. This is also one example of where the confinement can be slightly different between Linux distributions. This should be solvable by moving the socket location outside of "/var/run" or "/run".
Upgrading
Something to note about Snaps is they automatically upgrade in the background. I'm not sure if this can be stopped.
It appears that Suricata could run well package as a snap with the main issues being:
- The command names for suricatasc and suricata-update will be different
- The configuration, state data and log directories are different
We could get rid of most of that using classic confinement which would allow the Snap package to use /etc/suricata and /var/log/suricata.
Updated by Victor Julien almost 4 years ago
Thanks for the thorough analysis Jason. Some questions / thoughts:
- can a package be both supporting the classic and confined modes leaving it up to the user to decide at install time?
- if not, would it make sense to offer both?
- wonder if it would make sense to create a wrapper script for the suri commandline that hides the path oddities?
Updated by Jason Ish almost 4 years ago
Victor Julien wrote in #note-1:
Thanks for the thorough analysis Jason. Some questions / thoughts:
- can a package be both supporting the classic and confined modes leaving it up to the user to decide at install time?
No, just one.
- if not, would it make sense to offer both?
I don't see much reason to. If you make the jump to classic, just stick with it, accepting its caveats (conflicting with other Suricata installs for instance). We'd use install-hooks and what not to populate /etc/suricata, so can error our appropriately instead of clobbering an existing install.
- wonder if it would make sense to create a wrapper script for the suri commandline that hides the path oddities?
I'm not quite sure what this would do. From Suricata's perspective everything is normal as its essentially run in a jail with a file system layout specific to it. `suricasta -c /etc/suricata/suricata.yaml` works, its just that suricata.yaml is in /var/snap/suricata/current/etc/suricata.yaml. So its more about the user being aware of the oddities and not Suricata.
Updated by Jason Ish over 1 year ago
Just reviewed this quickly and I don't think much has changed.
I did not mention above that "classic" snaps need manual approval from the Snap store, and I believe they have to be approved on every publish.
There is a way now to provide classic and non-classic variations of a package with a single package using "tracks": https://snapcraft.io/docs/reviewing-classic-confinement-snaps
While testing the above there were issues where different levels of confinement, and paths used by the chroot differed between installing the snap locally or via the store which I think ultimately made me stop progressing as the build test cycle was no reliable. These may be issues that are now fixed within the snap tooling.
Updated by Jason Ish 9 months ago
- Status changed from Assigned to Rejected
- Assignee deleted (
Jason Ish)
Closing/rejecting. I no longer plan to look more into Snap packaging. Outside of Ubuntu land, Flatpaks seem to be winning over Snaps.
Re-open/self-assign if interested in Snap packaging, but this could be done by the community without OISF involvement.