Optimise boot speed

When Ubuntu Core boots for the first time, a seeding process installs an initial set of snaps and runs their respective hooks (see Snaps in Ubuntu Core for more details).

Each installed snap needs to be verified and have its AppArmor and seccomp security profiles, systemd units and mount points created. The time this takes is proportional to the number of asserted snaps being seeded, so installing many snaps can impact first boot speed.

Preseeding

Preseeding speeds up the seeding process by performing as many of these administrative tasks as possible in advance when an image is being created.

During deployment, snapd still performs the seeding process, but it automatically skips any parts that were successfully completed during preseeding.

Building a preseeded image

When building an image, preseeded images are created with the same ubuntu-image tool, or the snap prepare-image command, with an additional --preseed argument.

Preseeding requirements:

  • snapd 2.56 or newer, both on the host system (where the image is created) and in the resultant preseeded system.
  • Preseeding is supported in Ubuntu Core 20 onwards.
  • The same architecture on both the host and preseeded system (during preseeding, snapd from the target system is executed to perform seeding).
  • It’s recommended that the kernel on the host has the same AppArmor features as that of the target system. Differing AppArmor features will nullify the pre-created security profiles, which will subsequently need to be recreated on first boot.

Usage:

snap prepare-image --preseed --preseed-sign-key=<gpg-key-name> --channel=stable --snap=... <model-assertion> <target directory>

or with ubuntu-image:

sudo ubuntu-image snap --preseed --preseed-sign-key=<gpg-key-name> -i 8G --snap [...] <model-assertion>

The --preseed-sign-key argument is optional and the default GPG key will be used if omitted. This is the brand GPG key.

A custom AppArmor features directory may be specified with --apparmor-features-dir=.... The target should be a snapshot of sys/kernel/security/apparmor/features from the target system. If not specified, the sys/kernel/security/apparmor/features from the host system will be used.

On a new device, snaps are installed from the ubuntu-seed volume (see Inside Ubuntu Core). On a classic system, this set of snaps to install is defined in /var/lib/snapd/seed/seed.yaml.

Single boot installation

During the installation of an Ubuntu Core system, the target device reboots to finalize the installation process. If a system is preseeded, the installation can be completed without a system reboot. Note that this feature requires snapd version 2.62 or greater.
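
For the AppArmor features requirement and the --apparmor-features-dir option described above, the following added example (not part of the original documentation or of snapd) compares the host's features tree with a snapshot copied from the target, so a mismatch is noticed before the pre-created profiles are nullified on first boot. The function names and sample trees are constructed for illustration, and treating any difference in file names or contents as a differing feature is an assumption, not snapd's own check.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Core documentation.
# Compare two AppArmor features trees before building a preseeded image,
# e.g. the host's /sys/kernel/security/apparmor/features and a snapshot
# of the same directory copied from the target device.

# Print one line per feature file: "<relative path>: <contents>".
features_manifest() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        # Feature files are short text; flatten newlines to keep one line each.
        printf '%s: %s\n' "${f#./}" "$(tr '\n' ' ' < "$f")"
    done )
}

# Exit status 0: trees match. 1: they differ (diff printed, "<" = host,
# ">" = target). 2: a directory could not be read.
features_match() {
    tmp=$(mktemp -d) || return 2
    rc=0
    features_manifest "$1" > "$tmp/host" || rc=2
    features_manifest "$2" > "$tmp/target" || rc=2
    if [ "$rc" -eq 0 ]; then
        diff "$tmp/host" "$tmp/target" || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample trees (simplified; real trees hold many more entries).
make_sample_trees() {
    root=$1
    mkdir -p "$root/host/caps" "$root/host/dbus" "$root/target/caps"
    echo "chown kill net_admin" > "$root/host/caps/mask"
    echo "chown kill net_admin" > "$root/target/caps/mask"
    echo "send receive bind"    > "$root/host/dbus/mask"   # missing on target
}

# Usage: script.sh <host-features-dir> <target-snapshot-dir>
if [ "$#" -eq 2 ]; then
    features_match "$1" "$2"
fi
```

When the two trees differ, passing the target's snapshot with --apparmor-features-dir is the option the page provides for building against the target's features.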

Is there any update when preseeding will support UC22 images? https://github.com/snapcore/snapd/blob/master/image/image_linux.go#L160 shows it is still a TODO.

@degville Would you please update the second bullet point of the Preseeding requirements section?
I think preseeding is supported by Ubuntu Core 22 (UC22), too.

Thanks for flagging this. I’ve just tested preseeding with UC22 and it works. I’ve updated the requirements accordingly. (cc @glancr)

I believe it is also a requirement that for this version of snapd your target is AMD64, but this requirement is later relaxed in subsequent versions of snapd; Ondrej/Samuele would know the details on that.

Is anyone ever meant to be using this command directly, I wonder?
As far as I understand it, we don’t officially encourage doing this for devices which point at a Brand store. Under what conditions is this the correct way of preseeding?

I would turn this text into \ separated lines; this is far cleaner to read for instance (and doesn’t require horizontal scrolling; I hate horizontal scrolling!):

snap prepare-image \
    --preseed \
    --preseed-sign-key=<gpg-key-name> \
    --channel=stable \
    --snap=... \
    <model-assertion> \
    <target directory>

Likewise with the ubuntu-image usage.
Knowing where to get that GPG key name from would be a helpful addition; who has to register that key would also be nice to know.

Where can I get such a thing?
