Air-gapped mode

Snap Store Proxy can operate in an air-gapped (offline) mode, meaning it can be deployed in networks that are disconnected from the internet.

Note: The air-gapped mode is in a closed internal beta currently.

Overview

Client devices connect to the air-gapped Snap Store Proxy. The proxy never contacts the general Snap Store nor the internet in general.

Proxy operators side-load all necessary snaps into their air-gapped Snap Store Proxy.

Registration

Air-gapped Snap Store Proxy operators first have to register their offline proxy on a machine with internet access:

sudo snap install snap-store-proxy --edge

sudo snap-proxy generate-keys

sudo snap-proxy config proxy.domain="$<domain-or-ip-of-the-air-gapped-proxy>"

Follow the HTTPS setup guide to ensure that your offline Snap Store Proxy will be registered behind HTTPS scheme, meaning that any client device that attempts to use it, will contact it via HTTPS.

On the same machine, register the air-gapped Snap Store Proxy:

# You'll be prompted to provide your SSO authentication and will
# be asked some survey questions about the intended proxy usage.
sudo snap-proxy register --offline --channel=edge --arch=amd64

The result of the above is a tarball offline-snap-store.tar.gz that is then moved to the target host machine for the air-gapped Snap Store Proxy.

Database setup

The target machine (the air-gapped Snap Store Proxy host) should have network access to a properly configured PostgreSQL database.

Installation

You will need the offline-snap-store.tar.gz bundle from the registration step to continue with installation.

Note: The air-gapped mode is in a closed internal beta currently and installation is password protected.

The script below illustrates the installation process on the target air-gapped machine. Please note that the following variables need to be set appropriately:

  • POSTGRESQL_CONN_STRING - the connection string to a properly set up PostgreSQL database

  • SNAPSTORE_BETA_PASSWORD - a closed beta password required for the installation of the air-gapped Snap Store Proxy

  • PROXY_ACCESS_PASSWORD - password required for management of the air-gapped Snap Store Proxy over the network

#!/bin/bash

set -eu

# PostgreSQL connection string to the Snap Store Proxy database.
POSTGRESQL_CONN_STRING="${POSTGRESQL_CONN_STRING}"
# Closed beta password required for the airgap installation.
SNAPSTORE_BETA_PASSWORD="${SNAPSTORE_BETA_PASSWORD}"
# Management access password for the proxy.
PROXY_ACCESS_PASSWORD="${PROXY_ACCESS_PASSWORD}"

tar xvzf offline-snap-store.tar.gz
cd offline-snap-store
./install.sh

sudo snap-store-proxy config proxy.db.connection="$POSTGRESQL_CONN_STRING"

SNAPSTORE_BETA_PASSWORD="$SNAPSTORE_BETA_PASSWORD" sudo -E snap-store-proxy enable-airgap-mode --password $PROXY_ACCESS_PASSWORD

sudo snap-store-proxy status

Side-loading snaps

Air-gapped Snap Store Proxy operators can fetch snaps from the official Snap Store and import them into their air-gapped proxy. These will be the only snaps (and their revisions) available for installation from the air-gapped proxy.

Fetching snaps

Example of fetching the jq snap on a machine with internet access:

sudo snap-store-proxy fetch-snaps jq --channel=stable --architecture=amd64

This produces a tar.gz file that has to be moved to the air-gapped proxy and imported there.

Importing (pushing) snaps

Once the snap bundles are on the airgap host, they should be moved to the /var/snap/snap-store-proxy/common/snaps-to-push/ directory, from where they can be imported.

Example of importing a jq.tar.gz snap bundle on the air-gapped proxy host:

sudo snap-store-proxy push-snap /var/snap/snap-store-proxy/common/snaps-to-push/jq-20200406T103511.tar.gz

The jq snap is now available for installation from this air-gapped Snap Store Proxy. This means that snap info jq and snap install jq will succeed on a connected client device.

Client Device Configuration

Client devices only ever connect to the offline proxy. They do this without sending any device authentication/authorization information to the proxy. A client device that has already obtained a serial assertion, will not be able to use the air-gapped proxy, as the air-gapped proxy currently is unable to authenticate its client devices offline.

Configuring client devices follows the same process as with an online Snap Store Proxy.

Limitations

Air-gapped mode provides only a subset of the core functionality of the regular Snap Store Proxy or the official Snap Store. Some of the missing features are:

  • Searching for snaps

  • Device registration and authorization