While the approach above works to cut off all access to the snap store, it will also keep you from getting any emergency security update we may roll out. Those happen reasonably often and don’t always get advertised unless they directly related to LXC, LXD or LXCFS.
For example a security fix in OpenSSL will require a new core package to be fixed, so you will need to stay pretty up to date as to potential security issues and manually apply those as needed.
The recommended way to handle snaps in production is:
- Set your refresh window
- To be able to easily control the snap revisions that you roll out in your production environment, consider setting up a snap store proxy. This does allow you to keep specific snaps to specific revisions, then once you’re satisfied the new revision works for you, you can bump it in the proxy and all your systems will refresh to that (at the scheduled time).
Details on the snap proxy can be found here: https://docs.ubuntu.com/snap-store-proxy/en/
The download+ack+install approach from @TomvB will also work fine, though you may need to prevent store connectivity on top of that as it’s likely that the assertion will effectively tell snapd about what channel this came from, causing it to attempt to handle regular refreshes (unlike a fully sideloaded snap which is missing that assertion data).
On our side, one thing I’m looking at setting up and automating is a set of extra tracks.
If we had the setup I have in mind right now, it would look like:
- 2.0
- 3.0
- 3.14 (new)
- 3.15 (new)
- latest
The 3.14 track would contain whatever was in latest at the time 3.15 released.
The 3.15 track would mirror latest until 3.16 releases.
When 3.16 releases, we’d get rid of the 3.14 track. So you’d just have 3.15 and 3.16 at that point.
Because track changes aren’t automatic, those deciding to use 3.14, will have to manually refresh to 3.15, … If you don’t do anything, you end up staying behind on an unsupported release.
We’d only keep the current and previous release open so that we don’t end up with users attempting to install very old releases by following outdated howtos and the like.