netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Would it be possible to create a SNAP for Netbird? #646

Open bmullan opened 1 year ago

bmullan commented 1 year ago

Is your feature request related to a problem? Please describe. No

Describe the solution you'd like I'd like to see a Netbird SNAP available. That could enable installation by end-users with a single command such as:

$ sudo snap install netbird-ui
or
$ sudo snap install netbird-cli

SNAPs utilize a release Channel concept (i.e. stable, candidate, beta, edge). Channels define which release of a snap is installed and tracked for updates. SNAPs can be updated or rolled back to a previous version if an update does happen to cause some problem for a user.

Describe alternatives you've considered none. But I'd imagine there would be interest in a Flatpak installer.

Additional context Add any other context or screenshots about the feature request here.

mlsmaycon commented 1 year ago

thanks for your suggestion @bmullan, as we are using Goreleaser, it is possible to build snap packages.

We have to check our repositories if there are any compatibility issues.

bmullan commented 1 year ago

Great, thanks for the reply. I'll keep my eye out.

brian

On Sun, Jan 8, 2023 at 4:23 PM Maycon Santos @.***> wrote:

thanks for your suggestion @bmullan https://github.com/bmullan, as we are using Goreleaser https://goreleaser.com/customization/snapcraft/, it is possible to build snap packages.

We have to check our repositories if there are any compatibility issues.


bmullan commented 1 year ago

> thanks for your suggestion @bmullan, as we are using Goreleaser, it is possible to build snap packages.

Did any work happen on creating SNAP package for Netbird?

Guillaumebeuzeboc commented 1 year ago

Hello, I recently published a snap for NetBird in beta. I didn't use goreleaser, but built it directly from sources. The snap is still waiting for the auto-connections.

The snap is available on the Store (in beta). The sources for the snap are available on GH.

So far, I did only basic tests with the snap (connect to the default NetBird server). Any feedback is welcome.

I can prepare a PR to have the snap built directly in this repository if you want to take ownership @mlsmaycon .

bmullan commented 1 year ago

@Guillaumebeuzeboc I just installed your Netbird Snap beta on my ubuntu 22.04.3 LTS system and it only took 30 seconds.

FYI .. your Link _(GH)_ points to an empty Github page!

Also, what all does the Netbird Snap install/configure?
I realize you just published the Netbird Snap beta but a ReadMe on the "missing" Github link (see above) would help answer other basic questions.

Thanks so much for your effort !
I'll respond here if I find anything or have questions.

Brian

bmullan commented 1 year ago

@Guillaumebeuzeboc

Your Netbird SNAP works Great from what I've seen!

  1. I set up 2 Ubuntu 22.04.3 LTS Servers.
  2. One local and one on Digital Ocean Cloud.
  3. I installed LXD on both Servers and created 2 LXD (system) Containers on each Server (I used Ubuntu 22.04 as the LXD Container OS's as well).

     Note: the "default" LXD config is to create all new LXD Containers behind a Bridge named "lxdbr0"
     and using a Private 10.x.x.x/24 network.

  4. Then on both Servers (the LXD Container Hosts) I installed the Netbird SNAP.
  5. Accessed the Netbird Admin UI and verified both Servers showed as Peers.
  6. Created a Netbird Route on each Server which routed that Server's lxdbr0 bridge IP /24 Network to the Mesh VPN.
  7. Verified I could ping from LXD Containers on local Server LXD Host to LXD Containers on Digital Ocean LXD Host and vice-versa.

Side Note:
On the Digital Ocean Server's LXD Containers I installed the "ubuntu-mate-desktop" and XRDP (using cenergy's XRDP install script because it builds from latest NeutrinoLab's XRDP source and can enable Sound Redirection from the remote). In one of my "local" Server's LXD Containers I installed freerdp2-x11. Then, from that "local" Container's command line, I used "xfreerdp /v:x.x.x.x" to launch the Ubuntu Mate desktop on the Digital Ocean LXD Container so it appeared to me Locally.

Works great!

See attached PDF from a Mindmap I created to document the steps I took.

Since LXD "system" containers can run most Linux Distro's (fedora, centos, alpine, ubuntu, debian, suse etc etc) and each Server (assuming appropriate "resources") can run dozens or hundreds of LXD Containers.

LXD containers can also run Docker or Flatpak "nested" in an LXD Container.
Docker & Flatpaks run just like they do on a non-LXD Server.

With just 2 Netbird Peers I can have access to apps on any of those LXD Distro containers.

ciab-netbird-setup.pdf

Let me know if you have any questions.

Brian

Guillaumebeuzeboc commented 1 year ago

@bmullan

I think the GH link died since I merged in the meantime. Currently, the main branch contains a basic readme.

Regarding the snap configure/install, they are snap hooks, which are essentially executables that run at certain times of the snap's life. In the NetBird snap the configure hook is used to restart the NetBird daemon whenever someone changes the configuration (via snap set netbird service-run-arguments in this case). The install hook is simply unsetting the value for the configuration service-run-arguments on the snap installation.

Thank you for all the tests! I am glad it worked. It appears that we have different use cases. I have been using NetBird to interconnect edge devices on different networks.

From your tests I just want to clarify some points:

Also, to simplify the connection process for the snap, I have requested auto-connections. Once approved, this means that the user will simply have to type sudo snap install netbird --beta and then netbird up.

bmullan commented 1 year ago

@Guillaumebeuzeboc

regarding some of your questions:

> I saw that you installed the snap on the host for the LXD containers to access it. The snap can also be installed in one of the LXD containers to give access to only one container, for example.

Yes, I know I could configure an individual LXD Container with Netbird. LXD "system" Containers have multiple approaches to doing that besides installing Netbird inside an individual Container. An LXD Container's networking can be via MACVLAN, Bridge, Routed interfaces to the Host. They also support use of "cloud-init" to preinstall/configure things in a container.

> I am not sure why you mention Flatpak. Did you mean snap? Or is it a use case to have snap + Flatpak + Docker running side by side?

LXD Containers default to running "unprivileged" (root in the container is not root in the Host) but can be run as Privileged Containers if desired.

By running Docker containers or Flatpak's "Nested" inside an "unprivileged" LXD "system" Container your Docker or Flatpak's have that extra security.

Unprivileged containers are safe by design. The container uid 0 is mapped to an unprivileged user outside of the container and only has extra rights on resources that it owns itself.

With such container, the use of SELinux, AppArmor, Seccomp and capabilities isn't necessary for security. LXD will still use those to add an extra layer of security which may be handy in the event of a kernel security issue

Docker containers typically run with root as the default user

So as an example, running a Docker Container "nested" in an LXD Container... if the Docker app were to escape to a shell it might gain "root" in the LXD Container but not in the Host Server.

Regarding Flatpaks, an example, to give a Flatpak app permission to access the Linux host file system:

$ sudo flatpak override [app id] --filesystem=host

But doing that to a Flatpak running "Nested" in an LXD "system" Container the Flatpak can run Privileged (re root) in the LXD Container but it is not root in the Host Server!

So that is one reason I mentioned LXD capable of running Docker & Flatpak "nested".

Also, LXD supports export/import of local/remote Containers & "live migration of a Container from Server A to Server B"

> It appears that we have different use cases. I have been using NetBird to interconnect edge devices on different networks.

I do that also but I always try a remote desktop connection from Edge device (lxd container on Server A to LXD Container on Server B somewhere else) just as one test of the mesh vpn performance. I also do that using iPerf.

Also thanks for letting me know:

> In your mind map, the birdup.sh is calling sudo netbird up, I think the sudo is not necessary since the NetBird socket has enough permission.
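
The uid mapping mentioned in the comment above (container uid 0 mapped to an unprivileged user outside the container) can be read from a process's uid_map. The following is an added example, not part of the thread and not NetBird or LXD code; the sample maps and all function names are constructed for illustration.

```python
"""Interpret a user-namespace uid_map (the format of /proc/<pid>/uid_map)."""
from typing import List, Optional, Tuple

Extent = Tuple[int, int, int]  # (first uid inside, first uid outside, length)

# Constructed sample maps, not captured from a real system.
HOST_MAP = "         0          0 4294967295\n"          # initial namespace
UNPRIVILEGED_MAP = "         0    1000000 1000000000\n"  # shifted range (assumed values)


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map text into (inside, outside, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        extents.append((inside, outside, length))
    return extents


def outside_uid(extents: List[Extent], container_uid: int) -> Optional[int]:
    """Translate a uid inside the namespace to the uid outside it.

    Returns None when the uid has no mapping. "Outside" is relative to the
    reader's namespace, so read the map from the host to get host uids.
    """
    for inside, outside, length in extents:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def root_maps_to_host_root(extents: List[Extent]) -> bool:
    """True when uid 0 inside the namespace is uid 0 outside (privileged)."""
    return outside_uid(extents, 0) == 0


if __name__ == "__main__":
    for name, text in (("host", HOST_MAP), ("unprivileged", UNPRIVILEGED_MAP)):
        extents = parse_uid_map(text)
        print(name, "uid 0 ->", outside_uid(extents, 0),
              "| host root:", root_maps_to_host_root(extents))
```

To check a running container, pass the contents of /proc/PID/uid_map for one of its processes, read from the host, to parse_uid_map.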

Guillaumebeuzeboc commented 1 year ago

The snap is now auto-connected to the required interfaces. The manual connections are no longer required.

The instructions to install and setup NetBird snap are now simpler:

sudo snap install netbird --beta
netbird up