I recently attempted to use a couple of snap packages on 20.10. I had troubles with those. So I am back to first principles. As shown in this response:

Unfortunately the hello-world does not even work. Outputs are at the end of the question. My questions for Ask Ubuntu are simple:

  • What other steps are required for a person to run snaps after the bind-mount step?
  • Is there some misconfiguration in the console output that I can correct?
  • Is this a bug, config error or user error?
  • How can I ensure smooth snap execution "most of the time"?

Please read on for details...

After installing hello-world, I attempted to run it with the following outcome:

 hello-world
 cannot perform operation: mount --rbind /dev /tmp/snap.rootfs_un1MrN//dev: No such file or directory

Also, the SNAP_CONFINE_DEBUG=yes hello-world diagnostic resulted in the same kind of error:

     ;
     :
 cannot perform operation: mount --rbind /dev /tmp/snap.rootfs_sJmTk8//dev: No such file or directory

However, this directory exists. The problem involves permissions. YES, the directory exists. NO, I do not have access to the directory snap.rootfs_un1MrN/, none whatsoever. Clearly this directory is necessary to run hello-world ...

 ls -la  -d /tmp/snap*
 drwx------ 2 root will 4096 Jan 11 10:18 /tmp/snap.rootfs_sdo6fl/
 drwx------ 2 root will 4096 Jan 11 10:16 /tmp/snap.rootfs_sJmTk8/
 drwx------ 2 root will 4096 Jan 11 10:17 /tmp/snap.rootfs_un1MrN/

My login is id=(will) and gid=(will). It is my observation that I'd need group access to the directory for anything to work as it stands. I doubt if this is what is intended. I don't think the double slash (//) makes any difference. I wonder though if there is a missing text fragment.

Full disclosure: I am running with my home directory bind-mounted to /home/will/ as:

 mount --bind /data/home/will  /home/will

This is to work past the snap home directory shortcomings. I am wondering if there is a chance for me to use snap packaged software in the future if the hello-world can't even get started.

Hoping for some ideas to move forward. Unfortunately there are some useful looking tools I can't take advantage of because they only come as a snap at present.

versions

 snap list hello-world; snap --version
 Name         Version  Rev  Tracking       Publisher   Notes
 hello-world  6.4      29   latest/stable  canonical✓  -

 snap    2.48+20.10
 snapd   2.48+20.10
 series  16
 ubuntu  20.10
 kernel  5.8.0-36-generic

references

output

sudo dmesg | grep DENIED

 [   34.324082] audit: type=1400 audit(1610318223.394:51): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/1040/attr/apparmor/current" pid=1040 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 [ 2400.019690] audit: type=1400 audit(1610320590.299:57): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/fast/ubuntu/var/lib/snapd/cookie/snap.hello-world" pid=15128 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

SNAP_CONFINE_DEBUG=yes hello-world

 $ sudo snap install hello-world
 [sudo] password for will: 
 hello-world 6.4 from Canonical✓ installed

 $ SNAP_CONFINE_DEBUG=yes hello-world
 DEBUG: umask reset, old umask was 02
 DEBUG: security tag: snap.hello-world.hello-world
 DEBUG: executable: /usr/lib/snapd/snap-exec
 DEBUG: confinement: non-classic
 DEBUG: base snap: core
 DEBUG: ruid: 1000, euid: 0, suid: 0
 DEBUG: rgid: 1000, egid: 1000, sgid: 1000
 DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
 DEBUG: apparmor mode is: enforce
 DEBUG: creating lock directory /run/snapd/lock (if missing)
 DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
 DEBUG: opening lock directory /run/snapd/lock
 DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
 DEBUG: opening lock file: /run/snapd/lock/.lock
 DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
 DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
 DEBUG: sanity timeout initialized and set for 30 seconds
 DEBUG: acquiring exclusive lock (scope (global), uid 0)
 DEBUG: sanity timeout reset and disabled
 DEBUG: ensuring that snap mount directory is shared
 DEBUG: unsharing snap namespace directory
 DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
 DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
 DEBUG: releasing lock 5
 DEBUG: opened snap-update-ns executable as file descriptor 5
 DEBUG: opened snap-discard-ns executable as file descriptor 6
 DEBUG: creating lock directory /run/snapd/lock (if missing)
 DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
 DEBUG: opening lock directory /run/snapd/lock
 DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
 DEBUG: opening lock file: /run/snapd/lock/hello-world.lock
 DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
 DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
 DEBUG: sanity timeout initialized and set for 30 seconds
 DEBUG: acquiring exclusive lock (scope hello-world, uid 0)
 DEBUG: sanity timeout reset and disabled
 DEBUG: initializing mount namespace: hello-world
 DEBUG: snappy_udev_init
 DEBUG: forked support process 15141
 DEBUG: unsharing the mount namespace (per-snap)
 DEBUG: changing apparmor hat to mount-namespace-capture-helper
 DEBUG: scratch directory for constructing namespace: /tmp/snap.rootfs_sJmTk8
 DEBUG: helper process waiting for command
 DEBUG:
 DEBUG: sanity timeout initialized and set for 30 seconds performing operation: (disabled) use debug build to see details
 DEBUG: performing operation: (disabled) use debug build to see details
 DEBUG: performing operation: (disabled) use debug build to see details
 DEBUG: performing operation: (disabled) use debug build to see details
 DEBUG: performing operation: (disabled) use debug build to see details
 DEBUG: performing operation: (disabled) use debug build to see details
 cannot perform operation: mount --rbind /dev /tmp/snap.rootfs_sJmTk8//dev: No such file or directory

will
0 Answers
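
An added example, not part of the original question: a small Python parser for AppArmor audit records like those in the dmesg output above, listing the paths denied to one profile so the snap-confine denial can be read separately from unrelated ones such as cupsd. The function names are hypothetical, the sample lines are copied from the question, and the hex-decoding branch covers the kernel audit convention of emitting names that contain spaces or special characters as unquoted hex.

```python
import re

# Audit lines copied from the `sudo dmesg | grep DENIED` output in the question.
SAMPLE = [
    '[   34.324082] audit: type=1400 audit(1610318223.394:51): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/cupsd" '
    'name="/proc/1040/attr/apparmor/current" pid=1040 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 2400.019690] audit: type=1400 audit(1610320590.299:57): apparmor="DENIED" '
    'operation="open" profile="/usr/lib/snapd/snap-confine" '
    'name="/fast/ubuntu/var/lib/snapd/cookie/snap.hello-world" pid=15128 '
    'comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

HEADER = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STRING_KEYS = {"name", "comm", "profile"}  # fields that may be hex-encoded


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    header = HEADER.search(line)
    if header is None:
        return None
    record = {"epoch": float(header.group(1)), "serial": int(header.group(2))}
    for key, quoted, bare in FIELD.findall(header.group(3)):
        if bare and key in STRING_KEYS:
            # Unquoted string field: the kernel hex-encoded an unsafe value.
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all, keep the raw token
        record[key] = bare or quoted
    return record if record.get("apparmor") == "DENIED" else None


def denied_paths(lines, profile):
    """List (path, requested_mask) for every denial logged against `profile`."""
    records = (parse_denial(line) for line in lines)
    return [(r.get("name"), r.get("requested_mask"))
            for r in records if r and r.get("profile") == profile]


if __name__ == "__main__":
    for path, mask in denied_paths(SAMPLE, "/usr/lib/snapd/snap-confine"):
        print(f"snap-confine denied '{mask}' on {path}")
```
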