Ubuntu Core 技术详解

20170829 线上讲堂 - Ubuntu Snap 与 Ubuntu Core 技术介绍

1. Ubuntu Snap 技术介绍 Rex Tsai Technical Architect rex.tsai@canoincal.com 29 August 2017
2. Ubuntu 简介
3. Canonical We are the company behind Ubuntu
4. Ubuntu is the #1 Choice for Innovators 3 million + developers
5. cloud to edge
6. Ubuntu is powering smart IoT Smart drone controllers Advanced robotics Home gateways Industrial gateways Digital Signage
7. Ubuntu is the #1 Choice for Innovators & developers 17% 6% 3% 2% 2% Debi Fedor Oth Ubunt an a er u Source: Eclipse Foundation + StackOverflow survey Mint
8. Ubuntu Snap 软件包 全新的软件包格式
9. 特色软件 https://uappexplorer.com/snaps https://insights.ubuntu.com/tag/snaps
10. 六、七月特色软件
11. 特色软件 - 微信客户端 Electronic WeChat is a unofficial WeChat client. A better WeChat on Linux. Built with Electron. By DawnDIY https://uappexplorer.com/snap/ubuntu/electronic-wechat
12. 特色软件 - 豆瓣FM An unofficial client of Douban FM. You can select the channels you like to play songs and share it to Sina Weibo. By DawnDIY https://uappexplorer.com/snap/ubuntu/douban-fm
13. Snap 技术架构
14. What is a Snap? ● A squashFS filesystem containing your app runtime and a snap.yaml file with specific metadata. It has a read-only file-system and, once installed, a writable area ● Self-contained. It bundles most of the libraries and runtimes it needs and can be updated and reverted without affecting the rest of the system ● Confined from the OS and other apps through security mechanisms, but can exchange content and functions with other snaps according to fine-grained policies controlled by the user and the OS defaults Service Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
15. Snap Package Architecture ● As squashFS filesystem based architecture, the snap is capable of providing: ■ Transactional updates ■ Integrity of the content ■ Compression (⅓ of unpacked size) ■ Read Only Service Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
16. Snap Package Architecture ● A snap package ships: ■ One or more services ■ CLI apps ■ GUI apps ■ They are not limited to one process. Service Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
17. Snap Package Architecture ● It has its own writable space (services and users) & (versioned and unversioned) Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON Service Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
18. Snap Package Architecture ● Process Isolation (/tmp per process and app process) Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON /tmp Service /tmp Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
19. Snap Package Architecture ● MAC to other resources (Paths (/home), Devices /dev, etc) mediated with interfaces Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON /tmp Service /tmp Service CLI snap code & assets (squashfs, RO bind-mounted in /snap/<snap_name>/<version>) $SNAP GUI
20. Snap Package Architecture: Snappy FHS Versioned root writable area $SNAP_DATA Versioned User writable area $SNAP_USER_DATA Common root writable area $SNAP_COMMON Common User writable area $SNAP_USER_COMMON $SNAP ● SNAP​: installation directory (read-only) ● SNAP_DATA​: per-revision application data directory (writable​) ● SNAP_COMMON​: application data directory common to all revisions (writable​) ● SNAP_USER_DATA​: per-revision, per-user application data directory (writable​) ● SNAP_USER_COMMON​: per-user application data directory common to all revisions (writable​) ● SNAP_ARCH​: architecture of the system (eg, amd64, arm64, armhf, i386, etc) ● SNAP_LIBRARY_PATH​: library paths added to LD_LIBRARY_PATH ● SNAP_NAME​: package name ● SNAP_REVISION​: store revision for this snap ● SNAP_VERSION​: package version ● TMPDIR​: temporary directory (writable​) ● XDG_RUNTIME_DIR​: set to /run/user//snap.$SNAP_NAME (writable​)
21. The snapd system ● snapd, a management environment that handles installing and updating snaps using the transactional system, as well as garbage collection of old versions of snaps ● snapd-confine, an execution environment for the applications and services delivered in snap packages ● Interface, snaps interact with each other using interface
22. 跨越操作系统的封装格式 https://snapcraft.io/docs/core/install
23. 操作方式 动手尝试 https://tutorials.ubuntu.com/tutorial/basic-snap-usage
24. Ubuntu Core
25. A minimal, secure, transactional Ubuntu designed for IoT
26. What is Ubuntu Core? A minimal version with the same bits as today’s Ubuntu Ubuntu Core with transactional updates Applications confined by technologies lead by Canonical Safe, reliable, worry free updates with tests and rollback Amazing developer experience with snapcraft Easily extensible Easily create app stores for all your devices
27. All Snap Architecture Ubuntu Core Confined applications packages as a snap with dependencies In a snappy system, all software beyond the bootloader is distributed as a snap in this same format. ● ● Minimal OS packaged as snap ● Kernel 4.4 Clearly defined Kernel and device packaged as snap The OS snap contains the core operating system. The kernel snap contains the kernel and hardware-specific drivers. The gadget snap is device specific and is used to configure a particular model of device.
28. Minimal footprint OS IMAGE SIZE 829 MB 350 MB Ubuntu Core Ubuntu Server
29. Modular and simple architecture Legacy Ubuntu Core Confined applications packages as a snap with dependencies Minimal OS packaged as snap Kernel Kernel Clearly defined Kernel and device packaged as snap Legend: Applicatio nA Application B OS package Shared library Device driver
30. Transactional updates: Apps, OS and kernel Modified data during upgrade Original data Writable area Original data Writable area Writable area Original snap Upgrade Updated snap Original data is kept on device Original data Writable area Original snap Rollback on failure Original snap
31. Automatically confines applications writable area writable area writable area writable area app app app app Snaps are confined and isolated os kernel
32. Security and apps confinement
33. Apps confinement: Trust model The trust model of snappy Ubuntu Core is different from traditional Ubuntu Software is either: ● Part of the base system OS ● Pre-installed via OEM/gadget snaps (apps and frameworks installed during provisioning) ● Snaps installed from a store
34. Apps confinement: Trust model By default the application snaps are untrusted by the OS and: ● cannot access other applications' data ● cannot access non-app-specific user data ● cannot access privileged portions of the OS Trusted by the OS VS Untrusted by the OS
35. Apps confinement: Technologies Several technologies are used by snappy Ubuntu Core to: ● Implement the security sandboxing ● Implement the application isolation These technologies are mainly: ● AppArmor: A Mandatory Access Control system to confine programs and processes to a limited set of resources. (Application Isolation) ● Seccomp: A secure computing mode that provides an application sandboxing mechanism (wiki) ● Device cgroups: are a kernel mechanism for grouping, tracking, and limiting the resource usage of tasks example https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
36. Snap locations after installation data from app with root can be written to var/lib/apps/<app-name>/<version>/ However, if an app does not have root privs, the best place for dumping data is
37. Snapcraft
38. snapcraft.io Developers from multiple Linux distributions and companies collaborate on the “snap” universal Linux package format, enabling a single binary package to work perfectly and securely on any Linux desktop, server, cloud or device.
39. snapcraft.io Snapcraft lets developers assemble their snap from existing projects, leveraging different technologies. Project A (Part A) Project B (Part B) Project C (Part C) ...
40. Snapcraft benefits For developers: ● snap your app once and it will run on any snappy device ● can leverage existing part library ('stand on the shoulder of giants') ● complete control of their entire software stack
41. Snapcraft 组合机制 Snapcraft lets developers assemble their snap from existing projects.
42. snapcraft.io ● ● A central aspect of a snapcraft recipe is a "part". A part is a piece of software or data that the snap package requires to work or to build other parts. Each part is managed by a snapcraft plugin that encapsulates the logic of the underlying technology parts: cam: plugin: go source: git://github.com/mikix/golang-static-http stage-packages: - fswebcam glue: plugin: copy files: webcam-webui: bin/webcam-webui
43. Snapcraft plugins $ snapcraft list-plugins ant autotools catkin cmake gradle kbuild copy gulp kernel go jdk make maven nil nodejs plainbox-provider python2 python3 qmake scons tar-content Write your own plugins: - https://developer.ubuntu.com/en/snappy/build-apps/plugins/ Custom plugin examples: - https://github.com/ubuntu/snappy-playpen
44. Snap usage Live tour of snapcraft build commands (clean, stage, prime…) Snapcraft upload/update/release commands
45. 创建软件包
46. 创见你的第一个 snap... ● 手把手教学 ○ ○ https://tutorials.ubuntu.com/tutorial/create-your-first-snap https://tutorials.ubuntu.com/tutorial/snap-a-python-application ● 动手做一个服务器 ○ https://tutorials.ubuntu.com/tutorial/build-a-nodejs-service ● 看看别人的代码… ○ https://github.com/search?utf8=%E2%9C%93&q=filename %3Asnapcraft.yaml&type=Code
47. build.snapcraft.io 持续交付 快速迭代 Confidential Canonical™
48. build.snapcraft.io Create an update Auto build and publish Auto update and rollback
49. build.snapcraft.io
50. How to build your app for all architectures? ● ● Develop your application for one architecture and test it successfully, let’s say amd64 Create a project on launchpad and make use of the services there ○ https://kyrofa.com/posts/building-your-snap-on-device-there-s-a-better-way ○ Click on the “Create snap package” button
51. 近期活动
52. https://www.shenzhenware.com/events/1047030532
53. http://www.huodongxing.com/event/239810979480
54. 参加黑客松微信群 Ubuntu官方微博 Ubuntu官方微信
55. 其他英文资源 ● Ask a question on Ask Ubuntu ○ If you’re stuck on a problem, someone else has probably encountered it too and they can help you. Take a look at the "ubuntu-core" tag on Ask Ubuntu or ask a question. ● Join our real time chat (#snappy on freenode.net) ○ Share your projects and ask other developers for support. This high-bandwidth IRC channel is a good place when you are looking for a quick answer to a single question. ● For app developers ○ Reach out to other snap developers by using the"snapcraft" tag on Ask Ubuntu, join the snapcraft mailing list and make sure to join the Ubuntu App Developers Google+ community. ● Snapcraft.io forums ○ This is the place where snap users, contributors and developers get together. We are a multi-distribution team of enthusiasts and professionals that want to improve the way software is distributed and used in Linux systems. https://forum.snapcraft.io/
56. Thank you Rex Tsai http://weibo.com/chihchun/ rex.tsai@canonical.com