NVIDIA · zyga · May 29, 2026 · May 29, 2026 · May 29, 2026 · May 29, 2026
@@ -75,6 +75,65 @@ To keep the user service running after logout, enable linger:
 sudo loginctl enable-linger $USER
 ```
 
+## Snap
+
+Install the OpenShell snap from the Snap Store:
+
+```shell
+sudo snap install openshell --classic
+```
+
+The snap defines two apps: the `openshell` CLI and the `openshell.gateway`
+systemd-style service. The gateway listens on `https://127.0.0.1:17670` and
+stores its database at `$SNAP_COMMON/gateway.db` (typically
+`/var/snap/openshell/common/gateway.db`). Create `$SNAP_COMMON/gateway.toml`
+when you need to override gateway settings.
+
+### Snap store installs
+
+When installing from the Snap Store, snapd automatically connects the `home`,
+`network`, `network-bind`, and `ssh-keys` plugs. The `docker` plug still
+requires manual connection:
+
+```shell
+sudo snap connect openshell:docker docker:docker-daemon
+```
+
+The snap declares `default-provider: docker` on the Docker plug so snapd will
+offer to install the Docker snap, but the connection itself must be made
+manually.
+
+### Locally built snap packages
+
+When installing a locally built `.snap` file, no plugs are connected by default:
+
+```shell
+sudo snap install ./openshell_*.snap --dangerous --classic
+sudo snap connect openshell:home
+sudo snap connect openshell:network
+sudo snap connect openshell:network-bind
+sudo snap connect openshell:ssh-keys
+sudo snap connect openshell:docker docker:docker-daemon
+sudo snap connect openshell:log-observe
+sudo snap connect openshell:system-observe
+```
+
+The `log-observe` and `system-observe` plugs are needed for the gateway service
+to read logs and inspect system processes. The `docker` plug requires the
+`docker:docker-daemon` slot from the Docker snap and does not work with
+system-installed Docker.
+
+### Gateway service
+
+The gateway runs as a snap daemon with `refresh-mode: endure`, meaning snapd
+will not restart it during snap refreshes. This prevents the gateway from
+killing active sandbox sessions mid-refresh. Restart the service manually after
+a snap refresh when you need the updated binary:
+
+```shell
+sudo systemctl restart snap.openshell.gateway
+```
+
 ## Kubernetes
 
 Kubernetes deployments use the OpenShell Helm chart. For step-by-step installation, refer to [Kubernetes Setup](/kubernetes/setup). For chart values and packaging details, refer to the [Helm chart README](https://github.com/NVIDIA/OpenShell/blob/main/deploy/helm/openshell/README.md).

@@ -96,7 +96,7 @@ def test_generate_homebrew_formula_uses_tagged_macos_driver_asset_without_defaul
 
 def test_snap_wrapper_uses_optional_gateway_config_without_generating_toml() -> None:
     repo_root = Path(__file__).resolve().parents[2]
-    wrapper = (repo_root / "deploy/snap/bin/openshell-gateway-wrapper").read_text(
+    wrapper = (repo_root / "tasks/scripts/snap-gateway-wrapper.sh").read_text(
         encoding="utf-8"
     )
 

@@ -38,12 +38,21 @@ apps:
   gateway:
     command: bin/openshell-gateway-wrapper
     daemon: simple
+    # refresh-mode: endure prevents snapd from restarting the gateway daemon
+    # during snap refreshes, which would kill active sandbox sessions.
+    # Operators must manually restart the service after a refresh if needed.
     refresh-mode: endure
+    # The wrapper sets OPENSHELL_DISABLE_TLS=true and OPENSHELL_DB_URL to
+    # use $SNAP_COMMON/gateway.db. If $SNAP_COMMON/gateway.toml exists it is
+    # passed to the gateway as --config, allowing operators to override
+    # settings without rebuilding the snap.
     environment:
       XDG_DATA_HOME: "$SNAP_COMMON"
       XDG_RUNTIME_DIR: "$SNAP_COMMON"
     plugs:
       - docker
+      # Docker snap is required because the snap uses the docker:docker-daemon
+      # interface slot. It does not work with system-installed Docker.
       - log-observe
       - network
       - network-bind
@@ -82,7 +91,7 @@ parts:
         "$CRAFT_PART_INSTALL/bin/openshell-gateway"
       install -D -m 0755 "$CRAFT_PART_BUILD/target/release/openshell-sandbox" \
         "$CRAFT_PART_INSTALL/bin/openshell-sandbox"
-      install -D -m 0755 "$CRAFT_PROJECT_DIR/deploy/snap/bin/openshell-gateway-wrapper" \
+      install -D -m 0755 "$CRAFT_PROJECT_DIR/tasks/scripts/snap-gateway-wrapper.sh" \
         "$CRAFT_PART_INSTALL/bin/openshell-gateway-wrapper"
       install -D -m 0644 "$CRAFT_PROJECT_DIR/LICENSE" \
         "$CRAFT_PART_INSTALL/usr/share/doc/openshell/LICENSE"

@@ -23,26 +23,3 @@ hide = true
 ["package:deb:install"]
 description = "Build OpenShell from source and install the deb locally (requires sudo)"
 run = "tasks/scripts/package-deb-install.sh"
-
-["package:snap"]
-description = "Build a snap package from supplied OpenShell binaries"
-run = "tasks/scripts/package-snap.sh"
-hide = true
-
-["package:snap:amd64"]
-description = "Build an amd64 snap package from supplied OpenShell binaries"
-env = { OPENSHELL_SNAP_ARCH = "amd64" }
-run = "tasks/scripts/package-snap.sh"
-hide = true
-
-["package:snap:arm64"]
-description = "Build an arm64 snap package from supplied OpenShell binaries"
-env = { OPENSHELL_SNAP_ARCH = "arm64" }
-run = "tasks/scripts/package-snap.sh"
-hide = true
-
-["package:snap:stage"]
-description = "Stage a snap root from supplied OpenShell binaries without running snap pack"
-env = { OPENSHELL_SNAP_PACK = "0", OPENSHELL_SNAP_STAGE_DIR = "artifacts/snap-root" }
-run = "tasks/scripts/package-snap.sh"
-hide = true