
2020-02-27, 431 views

  • 1. Ubuntu Snap technology introduction. Rex Tsai, Technical Architect, rex.tsai@canoincal.com, 29 August 2017
  • 2. Ubuntu overview
  • 3. Canonical: we are the company behind Ubuntu
  • 4. Ubuntu is the #1 choice for innovators: 3 million+ developers
  • 5. Cloud to edge
  • 6. Ubuntu is powering smart IoT: smart drone controllers, advanced robotics, home gateways, industrial gateways, digital signage
  • 7. Ubuntu is the #1 choice for innovators & developers (chart of distribution share among Ubuntu, Mint, Fedora, Debian and Other, with slices of 17%, 6%, 3%, 2% and 2%; source: Eclipse Foundation + StackOverflow survey)
  • 8. Ubuntu Snap packages: a brand-new package format
  • 9. Featured software: https://uappexplorer.com/snaps and https://insights.ubuntu.com/tag/snaps
  • 10. Featured software for June and July
  • 11. Featured software - WeChat client. Electronic WeChat is an unofficial WeChat client. A better WeChat on Linux. Built with Electron. By DawnDIY. https://uappexplorer.com/snap/ubuntu/electronic-wechat
  • 12. Featured software - Douban FM. An unofficial client of Douban FM. You can select the channels you like to play songs and share them to Sina Weibo. By DawnDIY. https://uappexplorer.com/snap/ubuntu/douban-fm
  • 13. Snap technical architecture
  • 14. What is a snap? ● A squashFS filesystem containing your app runtime and a snap.yaml file with specific metadata. It has a read-only file system and, once installed, a writable area. ● Self-contained: it bundles most of the libraries and runtimes it needs and can be updated and reverted without affecting the rest of the system. ● Confined from the OS and other apps through security mechanisms, but can exchange content and functions with other snaps according to fine-grained policies controlled by the user and the OS defaults. (Diagram: services, CLI and GUI apps running from the snap's code & assets, a squashfs bind-mounted read-only under /snap// and exposed as $SNAP.)
  • 15. Snap package architecture ● As a squashFS-based architecture, the snap is capable of providing: ■ transactional updates ■ integrity of the content ■ compression (⅓ of unpacked size) ■ read-only content. (Same diagram as slide 14.)
  • 16. Snap package architecture ● A snap package ships: ■ one or more services ■ CLI apps ■ GUI apps ■ They are not limited to one process. (Same diagram as slide 14.)
  • 17. Snap package architecture ● It has its own writable space (for services and for users), both versioned and unversioned: versioned root writable area $SNAP_DATA, common root writable area $SNAP_COMMON, versioned user writable area $SNAP_USER_DATA, common user writable area $SNAP_USER_COMMON. (Diagram as on slide 14, extended with these four writable areas.)
  • 18. Snap package architecture ● Process isolation (a private /tmp per process and per app process). (Diagram as on slide 17, with a separate /tmp per app.)
  • 19. Snap package architecture ● MAC to other resources (paths such as /home, devices under /dev, etc.) mediated with interfaces. (Diagram as on slide 18.)
  • 20. Snap package architecture: Snappy FHS ● SNAP: installation directory (read-only) ● SNAP_DATA: per-revision application data directory (writable) ● SNAP_COMMON: application data directory common to all revisions (writable) ● SNAP_USER_DATA: per-revision, per-user application data directory (writable) ● SNAP_USER_COMMON: per-user application data directory common to all revisions (writable) ● SNAP_ARCH: architecture of the system (e.g. amd64, arm64, armhf, i386, etc.) ● SNAP_LIBRARY_PATH: library paths added to LD_LIBRARY_PATH ● SNAP_NAME: package name ● SNAP_REVISION: store revision for this snap ● SNAP_VERSION: package version ● TMPDIR: temporary directory (writable) ● XDG_RUNTIME_DIR: set to /run/user//snap.$SNAP_NAME (writable). (Diagram: $SNAP plus the four writable areas $SNAP_DATA, $SNAP_USER_DATA, $SNAP_COMMON and $SNAP_USER_COMMON.)
  • 21. The snapd system ● snapd, a management environment that handles installing and updating snaps using the transactional system, as well as garbage collection of old versions of snaps ● snap-confine, an execution environment for the applications and services delivered in snap packages ● Interfaces: snaps interact with each other using interfaces
  • 22. A packaging format that spans operating systems: https://snapcraft.io/docs/core/install
  • 23. How to use it: try it yourself at https://tutorials.ubuntu.com/tutorial/basic-snap-usage
  • 24. Ubuntu Core
  • 25. A minimal, secure, transactional Ubuntu designed for IoT
  • 26. What is Ubuntu Core? A minimal version with the same bits as today's Ubuntu; Ubuntu Core with transactional updates; applications confined by technologies led by Canonical; safe, reliable, worry-free updates with tests and rollback; an amazing developer experience with snapcraft; easily extensible; easily create app stores for all your devices.
  • 27. All-snap architecture. Ubuntu Core: confined applications packaged as snaps with their dependencies; a minimal OS packaged as a snap; a clearly defined kernel (4.4) and device packaged as snaps. In a snappy system, all software beyond the bootloader is distributed as a snap in this same format. ● The OS snap contains the core operating system. ● The kernel snap contains the kernel and hardware-specific drivers. ● The gadget snap is device specific and is used to configure a particular model of device.
  • 28. Minimal footprint: OS image size of 350 MB for Ubuntu Core versus 829 MB for Ubuntu Server.
  • 29. Modular and simple architecture (diagram comparing legacy Ubuntu with Ubuntu Core: confined applications packaged as snaps with their dependencies, a minimal OS packaged as a snap, and a clearly defined kernel and device packaged as snaps; legend: Application A, Application B, OS package, Kernel, Shared library, Device driver).
  • 30. Transactional updates: apps, OS and kernel (diagram: the original snap with its writable area holding the original data; during an upgrade, the modified data lives in the updated snap's writable area; on failure, rollback returns to the original snap, whose original data was kept on the device).
  • 31. Automatically confines applications (diagram: each app has its own writable area; snaps are confined and isolated from the OS and kernel).
  • 32. Security and app confinement
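The following script is an added example, not material from the slides or from snapd itself. It models in a scratch directory the writable areas listed on the Snappy FHS slide (20) and the keep-original-data behaviour of the transactional-update slide (30): per-revision data is copied forward on refresh and discarded on rollback, while the common area is shared. The snap name demo-app, the user alice and the revision numbers are made up, and every path is rooted at $SANDBOX instead of / so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not taken from the slides: a scratch-directory model of the
# snap writable areas and of the refresh/rollback data handling. The snap name
# "demo-app", the user "alice" and the revision numbers are made up; every path
# is rooted at $SANDBOX instead of / so the script touches nothing on the host.
set -eu

SANDBOX="${SANDBOX:-$(mktemp -d)}"
DEMO_SNAP=demo-app
DEMO_USER=alice

# layout NAME REV USER: print, as shell assignments, the directories snapd
# exposes to a confined app. $SNAP is the read-only squashfs mount; the others
# are writable, either per revision or shared ("common").
layout() {
  name=$1; rev=$2; user=$3
  printf 'SNAP=%s\n'             "$SANDBOX/snap/$name/$rev"
  printf 'SNAP_DATA=%s\n'        "$SANDBOX/var/snap/$name/$rev"
  printf 'SNAP_COMMON=%s\n'      "$SANDBOX/var/snap/$name/common"
  printf 'SNAP_USER_DATA=%s\n'   "$SANDBOX/home/$user/snap/$name/$rev"
  printf 'SNAP_USER_COMMON=%s\n' "$SANDBOX/home/$user/snap/$name/common"
}

# snap_install REV: create the revision's read-only tree plus empty writable areas.
snap_install() {
  eval "$(layout "$DEMO_SNAP" "$1" "$DEMO_USER")"
  mkdir -p "$SNAP/bin" "$SNAP_DATA" "$SNAP_COMMON" "$SNAP_USER_DATA" "$SNAP_USER_COMMON"
  echo "app binary, revision $1" > "$SNAP/bin/app"
  chmod -R a-w "$SNAP"   # stand-in for the squashfs: code and assets are immutable
}

# snap_run REV: what a well-behaved confined app does at runtime. State tied to
# this build (a cache) goes to SNAP_DATA; data that must survive both a refresh
# and a rollback (the user's database) goes to SNAP_COMMON; per-user settings
# go to SNAP_USER_DATA.
snap_run() {
  eval "$(layout "$DEMO_SNAP" "$1" "$DEMO_USER")"
  echo "cache for revision $1" > "$SNAP_DATA/cache"
  echo "record written by revision $1" >> "$SNAP_COMMON/db"
  echo "prefs of $DEMO_USER" > "$SNAP_USER_DATA/prefs"
}

# snap_refresh OLD NEW: transactional update. The new revision starts from a
# copy of the old revision's versioned data, so the old revision's data stays
# untouched for a rollback; the common area is shared, not copied.
snap_refresh() {
  snap_install "$2"
  old=$(layout "$DEMO_SNAP" "$1" "$DEMO_USER" | sed -n 's/^SNAP_DATA=//p')
  new=$(layout "$DEMO_SNAP" "$2" "$DEMO_USER" | sed -n 's/^SNAP_DATA=//p')
  cp -Rp "$old/." "$new/"
}

# snap_rollback REV: drop the revision and its versioned data; common data stays.
snap_rollback() {
  eval "$(layout "$DEMO_SNAP" "$1" "$DEMO_USER")"
  chmod -R u+w "$SNAP"
  rm -rf "$SNAP" "$SNAP_DATA" "$SNAP_USER_DATA"
}

# installed_revisions NAME: the revisions that still have versioned data.
installed_revisions() {
  ls "$SANDBOX/var/snap/$1" | grep -v '^common$'
}

# Lifecycle walk-through: install revision 1, run it, refresh to 2, run, roll back.
snap_install 1
snap_run 1
snap_refresh 1 2
snap_run 2
snap_rollback 2
```

After the walk-through, only revision 1 has versioned data again, its cache file still reads "cache for revision 1", and the common database holds the records written by both revisions. That is the practical reason to keep anything the user cannot afford to lose in SNAP_COMMON and anything tied to a particular build in SNAP_DATA.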
  • 33. App confinement: trust model. The trust model of snappy Ubuntu Core is different from traditional Ubuntu. Software is either: ● part of the base system OS ● pre-installed via OEM/gadget snaps (apps and frameworks installed during provisioning) ● snaps installed from a store
  • 34. App confinement: trust model. By default the application snaps are untrusted by the OS and: ● cannot access other applications' data ● cannot access non-app-specific user data ● cannot access privileged portions of the OS. (Diagram: trusted by the OS vs untrusted by the OS.)
  • 35. App confinement: technologies. Several technologies are used by snappy Ubuntu Core to: ● implement the security sandboxing ● implement the application isolation. These technologies are mainly: ● AppArmor: a Mandatory Access Control system to confine programs and processes to a limited set of resources (application isolation) ● Seccomp: a secure computing mode that provides an application sandboxing mechanism (wiki) ● Device cgroups: a kernel mechanism for grouping, tracking, and limiting the resource usage of tasks. Example: https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
  • 36. Snap locations after installation: data from an app with root can be written to var/lib/apps/// However, if an app does not have root privs, the best place for dumping data is
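Slide 35 names the kernel mechanisms but not how to confirm they are actually applied to a running snap process. The script below is an added example, not from the slides or from snapd: it reads the AppArmor label and the seccomp mode of the current process from /proc, which is what you would run from inside a confined snap (for instance via `snap run --shell <snap>.<app>`) and again on the host to compare. Inside a confined snap the label has the form `snap.<name>.<app> (enforce)` and the seccomp mode is 2 (filter); on the host shell you typically see `unconfined` and 0. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: report the confinement state of the
# current process as the kernel sees it. Useful as a health check for a snap
# service or when debugging why an interface policy does or does not apply.
set -eu

# apparmor_label: the AppArmor profile confining this process ("unconfined"
# when none applies), or "unavailable" when the kernel exposes no such
# attribute or refuses to read it. Trailing newline and NUL are stripped so
# the value is safe in shell variables.
apparmor_label() {
  if [ -r /proc/self/attr/current ]; then
    tr -d '\n\000' < /proc/self/attr/current 2>/dev/null || echo unavailable
  else
    echo unavailable
  fi
}

# seccomp_mode: 0 = disabled, 1 = strict, 2 = filter (the mode snapd's
# generated filters use); "unavailable" on kernels whose /proc/self/status
# has no Seccomp line. "Seccomp_filters:" on newer kernels is deliberately
# not matched because of the colon directly after "Seccomp".
seccomp_mode() {
  mode=$(sed -n 's/^Seccomp:[[:space:]]*//p' /proc/self/status 2>/dev/null || true)
  echo "${mode:-unavailable}"
}

# confinement_summary: one log-friendly line. SNAP_NAME and SNAP_REVISION are
# the variables snapd sets (see slide 20); outside a snap they are absent.
confinement_summary() {
  printf 'apparmor=%s seccomp=%s snap=%s rev=%s\n' \
    "$(apparmor_label)" "$(seccomp_mode)" "${SNAP_NAME:-none}" "${SNAP_REVISION:-none}"
}

confinement_summary
```

A label of `unconfined` or a seccomp mode of 0 inside what should be a strictly confined snap means the sandbox is not in effect (for example, the snap was installed with `--devmode` or the kernel lacks AppArmor), which is the first thing to check before reasoning about interface policy.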
  • 37. Snapcraft
  • 38. snapcraft.io: Developers from multiple Linux distributions and companies collaborate on the "snap" universal Linux package format, enabling a single binary package to work perfectly and securely on any Linux desktop, server, cloud or device.
  • 39. snapcraft.io: Snapcraft lets developers assemble their snap from existing projects, leveraging different technologies. (Diagram: Project A (Part A), Project B (Part B), Project C (Part C), ...)
  • 40. Snapcraft benefits. For developers: ● snap your app once and it will run on any snappy device ● leverage the existing part library ("stand on the shoulders of giants") ● complete control of their entire software stack
  • 41. Snapcraft composition mechanism: Snapcraft lets developers assemble their snap from existing projects.
  • 42. snapcraft.io ● A central aspect of a snapcraft recipe is a "part". A part is a piece of software or data that the snap package requires to work or to build other parts. ● Each part is managed by a snapcraft plugin that encapsulates the logic of the underlying technology. (snapcraft.yaml fragment on the slide: parts: cam: plugin:)