Containerize all the things with Ubuntu Core 20

Thom Holwerda 2021-02-03 Ubuntu 7 Comments

The key difference between regular Ubuntu and Ubuntu Core is the underlying architecture of the system. Traditional Linux distributions rely mostly on traditional package systems—deb, in Ubuntu’s case—while Ubuntu Core relies almost entirely on Canonical’s relatively new snap package format.
Ubuntu Core also gets a full 10 years of support from Canonical rather than the five years traditional Ubuntu LTS releases get. But it’s a bit more difficult to get started with, since you need an Ubuntu SSO account to even log in to a new Ubuntu Core installation in the first place.

Ars takes a look at this rather unusual Ubuntu variant.

About The Author

Thom Holwerda

Follow me on Mastodon @[email protected]

7 Comments

2021-02-03 10:45 pm

sukru
It looks like SSO is not a hard requirement:
https://blog.plip.com/2018/10/09/bootstrap-ssh-on-ubuntu-core-with-out-ubuntu-sso-credentials/

Overall the distribution seems to be geared for Internet connected devices (IoT), which you would *not* login. So there is an automated install and upgrade mechanism, and everything* is a read only snap (unless you configure otherwise).

I think this can be compared to a more modern version of puppet.
2021-02-04 8:15 am

p13.
An all-snap distro … who thought that would be a good idea? Especially on IoT devices, performance is going to be atrocious.

2021-02-04 8:24 pm

Morgan
Not to mention the security nightmare. Snaps are served from closed source, Canonical-owned servers with no way to verify that the files you get are what Canonical intended. One bad actor gains access to their servers and it’s game over for every snap-enabled installation out there.

2021-02-04 10:45 pm

sukru
They offer custom “stores”:
https://ubuntu.com/core/smartstart/guide/app-store-commissioning

Basically you can upload the snaps yourself, and authorize with your digital signature. However Canonical still does the hosting and authentication.

2021-02-05 2:35 pm

Alfman verbose=1
sukru,

They offer custom “stores”:
Basically you can upload the snaps yourself, and authorize with your digital signature. However Canonical still does the hosting and authentication.

This is exactly the sort of centralization of control that many of us are critical of on other platforms, be it apple, microsoft, google, whoever. Technology should not become tethered to a single store or privileged vendor. Rather than restate it, I’m just going to quote someone else who’s already said it…

https://blog.linuxmint.com/?p=3766

If you’re a Fedora user and you want to install Spotify, you’re told to go to https://snapcraft.io/spotify. Spotify doesn’t distribute RPM packages, appimage, Flatpak or anything useful to a Fedora user who wants to download it, or to a Fedora maintainer who wants to add it to a repository. Fedora users are told to go to what is essentially a commercial store operated by a RedHat competitor where stats tell them their distribution is only 7th best.

We’re in luck, we can still download the .deb. If Spotify stops caring, what do we do? We move to snap because we have to? Will the snap store continue to let people download actual .snap files in the future or will that get locked down ? Will the snap store continue to operate without an Ubuntu One account or will we get vendor-locked ? I think it’s important to appreciate these aspects.

We all have smartphones, and we all know how great the Google Play store is. How often do we see .apk (Android packages) on the web ? How hard are they to install without the Google store ? How free is an editor to publish its .apk itself while being present in the store ? Who controls all that and what does it mean for us ? Who governs what can and cannot go into the store ? Who makes commercial deals ? Who do we rely on ? And why ?

As long as snap is a solution to a problem, it’s great. Just like Flatpak, it can solve some of the real issues we have with frozen package bases. It can provide us with software we couldn’t otherwise run as packages. When it starts replacing packages for no good reason though, when it starts harming our interaction with upstream projects and software vendors and reducing our choice, it becomes a threat.

I think the concerns over centralization and giving competitors control have merit.

That aside, I think sandboxing applications is good. We definitely need more effective ways for owners to control processes in linux. However I do question the snap implementation. Although snaps make it easy to just do away with dependencies altogether, this design is highly inefficient.

I find it awkward, unnecessary and undesirable to have a mount point for each application and I despise the rapid pollution of /proc/mount, although admittedly with better tooling it might be improved. The other gripe is the massive bloat. Ordinarily we’d justify bloat in shared libraries because they are shared by applications, but with snap this is not the case and resource bloat gets multiplied by every application, which adds up quickly when you start using a lot of snaps. Not only do shared resources need to be loaded repeatedly, they consume more memory and it results in more thrashing of the CPU cache at runtime. Consequently snap’s method of bundling will never be as efficient as traditional packages.

So, given the choice I’d stick to traditional packages and flatpak seems a bit better for 3rd party software.

2021-02-05 4:54 pm

Flatland_Spider
In response to the Fedora Spotify question: https://flathub.org/apps/details/com.spotify.Client

The community has done a great job of repackaging Snap apps into flatpaks.

The problem is library versioning, and how most OSes don’t have a way to deal with it. The traditional way was to bundle everything together in it’s own directory tree. Linux gets around it by having most software go through a central distribution system, but this limits the libraries to the lowest common denominator version.

Nix and the OSTree stuff is the latest attempt to fix this without having lots of application bloat.

https://ostreedev.github.io/ostree/

I want to start ranting about how bad containers are on Linux, and how they should be more like Jails. However, I’m going to go write some code and enjoy my Friday.
2021-02-06 12:30 am

sukru
Alfman,

Once again it is convenience vs openness, with a touch of revenue seeking.

I actually find using containers and read only mounts for IoT an nice compromise. They waste space, but makes everything more secure. And for embedded devices there will most likely one or a few containers on each device, so not much waste after all.

On the other hand, there needs to be a central location to configure all those devices. Ideally it would be your own server, hosted privately, or in a cloud. But Ubuntu does not work that way.

For the enterprise they offer their own SSO system, and basically say: if you want to have user management, you have to go through us, and pay a per-user fee. That is the same in other products, for example MaaS will allow you control physical racks of servers as if they were virtual machine hosts. But you cannot delegate responsibilities to local accounts, only Ubuntu SSO ones.

Here, there is a choice:
– Fork Ubuntu’s code, and maintain your own server
– Pay Ubuntu for commercial subscription, and receive professional service

There is no third option. Well, ideally there would be a open source fork, but nobody takes that on. (Who would want to deploy a very large scale IoT automation infrastructure, but does not have the money to buy Ubuntu licenses?)