Installing snaps in vault domain App VM without network

I am trying to install the onlykey-app snap in the vault VM. My vault AppVM is based on a fedora 34 template. The snap is installed in the template VM. The application shows up in the installed Applications for the qube, however even when it is available in that list, it doesn’t appear to run.

I understand in the documentation it says to install the snaps in the AppVM. However with the vault VM not having network access, how would this be done? Should the installed files in the template be copied to the app vm? Thank you for your responses.

You may try this, but there are also a lot of topics on the forum regarding snap.

Following the first link provided did not seem to resolve the issue. I also tried the following:

  • Removed snapd and qubes-snapd-helper from the template
  • Shut down both vault and template.
  • Reinstalled snapd, qubes-snapd-helper and the onlykey-app snap in the templateVM
  • Shut down the template, vault was still off at this point.
  • Refreshed the applications and the app showed in the application menu for the template.
  • Moved it over to the vault AppVM.

Even though it appears in the list of applications, it doesn’t seem to be installed on the system.

Looking through the list of other issues, it seems a lot of the answers are to install the snaps in the appVM. This would work in normal circumstances if the AppVM has network access. However since the vault does not have network access, this route is not possible. I understand that I can temporarily add network access, however that would break the security model of the vault VM. I have not seen a specific thread trying to tackle this issue.

Updated the title to reflect that.

A less, but still not secure way would be to pass the package to vault and install it there? I would never do this, though.
You would probably want to look for error messages when starting it from the terminal, look into journalctl, dmesg, etc., and try to bind some dirs instead.

My current workaround is to switch the template to a debian-11 template. The onlykey-app is shipped as a deb package or a snap. So I have the deb installed on the debian template. That seems to work. So when I need to use the app I’ll use the deb template, otherwise I’ll switch it to the fedora template. Although it seems a bit cumbersome. Unsure if there are any risks involved with that process.

The reason I like using the fedora template is that I have split-gpg and split-ssh working with my hardware token (onlykey) as the private key store. This setup I cannot seem to get working in my vault VM when based on the debian template.