Ubuntu Snap: the Price of the Isolation

Sep 12, 2020

The idea of the majority of Linux distributions is to compile Linux kernel, collect existing Open Source and proprietary software, test and then patch it if required, add something own and pack the results into the packages, so users can install and use these programs. Ubuntu packages grouped into APT repositories. Users can manage packages with apt command.

Software developers usually do not write all the code required by their programs, but use different libraries and frameworks (e.g. graphical applications can use GTK to draw widgets like button or label). It allows developers to save some time and make fewer bugs. As a result the majority of software nowadays has dependencies. Different programs can depend on the same library (most of the GUI programs in Gnome depend on GTK) that is why there is no need to install the same library several times. Each APT package defines a list of dependencies, so when the user executes a command like apt install gnome-calculator package manager install not only gnome-calculator itself but also its dependencies like libgtksourceview-4-0.

Such an approach allows users to save disk space and reduce security risks: if there is some problem in the common library it’s enough to update it once and all dependent programs will use the new version. Unfortunately, such an approach is not a silver bullet and has some downsides:

• Suppose two programs depend on different versions of the same library. It this case there will be a conflict during dependencies resolution that is why apt command will fail and the user can’t install both programs at the same time.
• Providers of third-party software like Viber or Skype have to make different packages of the same product for different Ubuntu distributions, e.g. 18.04 and 20.04 have different versions of system libraries that, so it’s required to build and maintain two different packages for one program.
• apt installs each program globally so it will be a conflict when two packages try to create a file with the same name.
• Traditional programs can access all user files and resources that is why it’s difficult to control such software. In case of a security vulnerability in one program all user’s files are in danger.

Several years ago Ubuntu introduced Snap - a package manager with an alternative approach, designed to solve apt problems.

The idea of this package manager is to pack not only the program but also all its dependencies into one package called snap. In this case software maintainer prepares only one package for all versions of Ubuntu and even other Linux distributions like Arch Linux, CentOS, or Manjaro. There are no conflicts between different packages because there are no common dependencies, so it’s normal when two JavaScript applications use different versions of the Node.JS.

Snap especially useful when the user wants to try a new version of some program, e.g. VLC. With apt, it’s not always safe because the installation of one program can lead to updating some libraries required by another program and this can make a conflict preventing the installation of the new program or even break the entire system. That is why when I want to try some new unstable version of some software I have to use a virtual machine that uses a lot more resources and also has some limitations. With Snap the programs are isolated from each other that is why it’s safe to try a new version of the software and return to a stable one in case of troubles. For VLC I just execute a command:

sudo snap install vlc --channel=latest/edge

It installs a bleeding edge version of the popular media player. User can find their own balance between stability and the latest features for each program.

By default each snap is isolated from the external world but what if it’s required to interact with the system? There is a well-known image editor GIMP. It’s obvious that the user wants to give GIMP access to the home directory, so it will be possible to edit photos. To achieve this goal the mechanism of plugs and slots was introduced. A snap describes the interfaces it requires. For each of the required interface, snap defines a plug which will be connected to the corresponding slot by the snapd daemon either automatically, or manually, depending on the interface. GIMP snap requires the home interface and defines gimp:home plug. snapd daemon connects this plug to the :home slot, so GIMP can read and write files in the user’s home directory. There are a lot of different interfaces that allow programs to request access for resources like network, sound, or gpio. I think such an approach is very convenient and increases security level because the user can give programs only required permissions (like in iOS or Android) e.g. the user can forbid the browser to access the webcam and it will be impossible to record the video from the webcam even in case of browser jailbreak.

Unfortunately, the isolation is not a free feature and the user has to pay some price for it:

• More data have to be downloaded: apt install gimp - 19Mb, snap install gimp - 263Mb.
• Applications need more time to startup.
• Application maintainers have to keep in mind that their applications would be run in the isolated container. For one application there will be no difference but for another, there will be plenty of issues with logging, packaging, and so on.

Things I’ve described above are fundamental problems of containerization and isolation. I agree to pay such a price for the benefits I get, but there is an issue specific to Ubuntu snap. I know that updates are important and it’s better to update the system as soon as possible to reduce security risks but I like to control updates myself. Usually, I disable auto-updates and call apt upgrade every week but only when I have an actual backup and some time to solve possible update issues. Auto-updates are one of the core concepts of Snap and it’s impossible to disable this feature. I can use some hacks like setting refresh.hold="2030-01-01T00:00:00-00:00" to disable updates til 2030 but it looks strange.

Update: January 10, 2023, snapd 2.58 released, it’s possible to disable auto-updates in Snap from the stable channel.

Concluding, I don’t think that all the software should be containerized but a Snap approach is very useful for third-party programs. It can save a lot of time for developers and make the distribution of Linux programs much easier for the developers and safer for the users. I think the Snaps package manager or its alternatives like AppImage or Flatpak will be very widespread in near future.