1

I am using APT::Install-Recommends "false" in /etc/apt/apt.conf to restrict my machine to software I deliberately installed. I still remain free to later accept such recommendations.

This mechanism does not seem to apply to snaps. During unattended updates openprinting/cups and brlin/hunspell-dictionaries-1-7-2004 were installed, neither of which was necessary for any other installed snap, and neither of which was authorized.

I would like to prevent this from happening again. If necessary, even limiting unattended installation to Canonical-supported software, throwing an error when requested updates are impossible under such policy. What are my options?

anx
  • 2,348

1 Answer

0

Snap retention|refresh|pinning|autoremove

An often-discussed question ... with a bunch of half-answers.

Since snap has no package system that just upgrades in place, snap pulls dependencies with the packages and also keeps a copy of the last n versions of snaps

(and you are right if you think that snap uses your local storage like a mirrored registry with the last n versions)

Current State of Snap Auto-Cleaning:

In fact, there has been a feature proposal since 2022 (~3 years), so maybe spread some votes there.

Snap CleanUp / AutoPurge Ways:

The closest to "auto-pruning" you can get:

  • Engage the auto-clean script to get rid of old versions (found here)

  • Disable auto-snapshots; their manual says it all:

    sudo snap set system snapshots.automatic.retention=no will disable it

    Automatic snapshot retention time is configured with the snapshots.automatic.retention system option. The default value is 31 days, and the value needs to be greater than 24 hours

    ...

    Disabling automatic snapshots will not affect preexisting, automatically generated snapshots, but only those generated by subsequent snap removals.

  • clean up the snapshots, there is a very good example script

There is no "exact-same" apt(-get) way of saving more space with snap, but amongst the top tips there are:

  • Lower the "old versions" snapd keeps: sudo snap set system refresh.retain=2

    The refresh.retain value can be a number between 2 and 20. The default is refresh.retain=3 on Ubuntu Core systems and refresh.retain=2 on classic Ubuntu systems, such as those running Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus).

  • clear the cache: sudo find /var/lib/snapd/cache/ -type f -exec rm -v {} \; # Remove cached files only, keep the directory

The "Dangerous" non-moving part: locking against updates with refresh --hold

Preamble: You might run into outdated software and resulting security issues, so please be careful and update regularly by reinstalling or unholding the lock.

Your initial question also included:

even limiting unattended installation to Canonical-supported software

Well, there was currently no way found to do this, except "pinning" (snap term "refresh hold")

How-To: snapd pinning

  • since 2.58+, there is refresh lock holding (apt pinning equivalent)
  • it might be issued for one or all packages, with and without a time limit
  • snap refresh --hold "should" lock all updates
  • a specific example is sudo snap refresh --hold=24h firefox

How-To: update snapd "pinned" software

  • Variant A to update (firefox example): sudo snap remove --purge firefox, sudo snap install firefox, sudo snap refresh --hold
  • Variant B to update: sudo snap refresh --unhold firefox, sudo snap refresh firefox, sudo snap refresh --hold
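
The cleanup and the publisher concern from this thread, as an added example that is not part of the original answer or of snapd itself: a read-only audit of `snap list --all` output that prints the removal command for each disabled revision and lists active snaps not published by canonical. The function names are hypothetical and the sample table (versions, revisions, publisher marks) is constructed; it is only used when `snap` is not installed.

```sh
#!/bin/sh
# Added example: read-only audit of `snap list --all` output.

# Constructed sample in the column layout of `snap list --all`;
# versions and revisions are made up. Used when snap is not installed.
sample_snap_list() {
cat <<'EOF'
Name                            Version   Rev   Tracking       Publisher     Notes
core22                          20240111  1122  latest/stable  canonical✓    base
firefox                         122.0     3728  latest/stable  mozilla✓      disabled
firefox                         123.0     3836  latest/stable  mozilla✓      -
cups                            2.4.7     1024  latest/stable  openprinting  -
hunspell-dictionaries-1-7-2004  1.7.0     12    latest/stable  brlin         disabled
hunspell-dictionaries-1-7-2004  1.7.0     14    latest/stable  brlin         -
EOF
}

# Hypothetical helper: live data if snap exists, otherwise the sample.
snap_list() {
    if command -v snap >/dev/null 2>&1; then
        snap list --all
    else
        sample_snap_list
    fi
}

# "name revision" for each disabled (superseded) revision kept on disk.
old_revisions() {
    awk 'NR > 1 && $NF ~ /disabled/ { print $1, $3 }'
}

# "name publisher" for active snaps not published by canonical.
# The verified mark after the publisher name is stripped before comparing.
non_canonical() {
    awk 'NR > 1 && $NF !~ /disabled/ {
        pub = $5
        gsub(/[^a-z0-9-]/, "", pub)
        if (pub != "canonical") print $1, pub
    }'
}

echo "# Disabled revisions and the command that removes each one:"
snap_list | old_revisions | while read -r name rev; do
    echo "sudo snap remove $name --revision=$rev"
done
echo "# Active snaps whose publisher is not canonical:"
snap_list | non_canonical
```

Nothing is removed by the script; the printed commands can be reviewed and run by hand.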