Default shell environment: A hook script can only assume a POSIX-compliant shell environment for its execution. If your script needs a specific shell, such as Bash or Zsh, it needs to be explicitly declared within the script’s hashbang header (#!/bin/bash, for example). Your snap also needs to ensure your chosen shell is available.
If a hook requires access to system resources outside of a snap’s confined environment, it will need to use slots and plugs via the interface mechanism to access those resources.
When using Snapcraft to build the snap, the interface definition will go inside snapcraft.yaml, and the snapcraft command create a snap.yaml within the snap to hold the required metadata.
For example, the following excerpt registers an install hook making use of a network plug:
Hooks are called with no parameters. When a hook needs to request or modify information within snapd, they can do so via the snapctl tool, which is always available within a snap’s environment. See Using the snapctl tool for further details.
Transactions and rollback
A hook is executed as a single transaction, where a transaction object holds all the configuration changes for that hook. These changes are invisible to the running system until the hook completely finishes.
This allows for changes to be rolled back or unset if errors occur during the execution of a hook. This happens if a non-zero value is returned with either the configure or default-configure hooks, for example, or if an error occurs with any hook involved with an interface auto-connection.
The configure hook is called every time one the following actions happen:
initial snap installation
whenever the user runs snap set|unset to change a configuration option
Note that this hook will not get called when the snap itself changes configuration options using snapctl get|set|unset.
The hook should use snapctl get to retrieve configuration values from snapd. If the hook exits with a non-zero status code, the configuration will not be applied.
For example, given the following command:
$ snap set mysnap username=foo password=bar
The configure hook located within the mysnap snap at meta/hooks/configure would be called to apply the configuration changes, if necessary.
The hook might look similar to:
username="$(snapctl get username)"
password="$(snapctl get password)"
if [ -z "$username" -o -z "$password" ]; then
echo "Username and password are required."
mkdir -m 0600 $SNAP_DATA/options
echo "username: $username" > $SNAP_DATA/options/credentials
echo "password: $password" >> $SNAP_DATA/options/credentials
The same hook can also modify the configuration of a snap within the context of the current transaction. This is accomplished using snapctl set and snapctl unset. For more information see Adding Snap configuration and Using the snapctl tool.
Note that configuration options do not need to be defined anywhere. snapctl set and snap set will accept any (valid) option name.
The default-configure hook
The default-configure-hook is an optional extension to the configure hook that executes only on snap installation and before services are started to provide access to the default configuration values stored in a device’s gadget snap.
The default-configure hook should be located within meta/hooks and requires a configure hook to be present. A missing configure hook will result in an error.
The hook should use snapctl get to retrieve default configuration options and snapctl set and snapctl unset to create/modify options. If the hook exits with a non-zero status code, the default configuration provided by the gadget snap as well as modifications by the hook will not be applied.
Example default-configure hook:
gadget_option="$(snapctl get gadget-option)"
if [ -z "$gadget_option" ]; then
mkdir -m 0600 $SNAP_DATA/options
echo "option: $gadget_option" > $SNAP_DATA/options/gadget
Ubuntu Core 20 (UC20) uses full disk encryption (FDE) whenever the hardware allows, protecting both the confidentiality and integrity of a device’s data when there’s physical access to a device, or after a device has been lost or stolen.
Creating a verifiable boot process on a non-standard (non-UEFI+TPM platform) FDE platform, such as a Raspberry Pi or other ARM devices, is board-specific and will typically involve creating custom gadget and kernel snaps. UC20, however, does provide a helper mechanism, via a hook interface, to ensure the integrity of any subsequently executed or accessed data.
The gate-auto-refresh hook is executed by snapd for every snap that will be updated with the next automatic refresh. It’s also executed for every snap that is dependent on a snap that will be updated.
This hook is capable of executing the snapctl refresh command with 3 specific arguments, hold, proceed and pending.
This feature is currently considered experimental. See Refresh control for more details.
The install hook
The install hook is called upon initial install only, i.e. it’s not called on subsequent refreshes.
The hook is executed before starting snap services (if it has any) and before the configure hook. The install hook is the place for one-time actions, such as an early initialisation of a resource when installed for the first time.
The install-device hook
This hook is supported in Ubuntu Core 20 and subsequent releases.
The pre-refresh hook is called whenever the snap gets refreshed.
This hook is executed for the already installed revision of the snap with its services still running (if the snap has any services) and before switching to the newly installed revision.
This hook is a good place for any maintenance or cleanup actions that prepare the snap for switching to the new revision. It’s also a good place to test whether a refresh will succeed, because if the test causes the hook to fail, the refresh will not proceed.
The post-refresh hook
The post-refresh hook is similar to pre-refresh (above) in that it is called whenever the snap gets refreshed.
This hook is executed for the newly installed snap, before starting new services (if applicable). This hook is a good place for any extra actions that need to be performed for the new revision of the snap. It’s also a good place to test whether a refresh has succeeded, because if the test causes the hook to fail, the refresh will be rolled-back and the original state of the snap restored.
The remove hook
The remove hook is called when the last revision of the snap gets removed from the system.
This hook is executed after stopping the services of the snap (if the snap has any services), therefore it’s useful for any custom cleanup logic.