Snaps not running inside containers

[loxK]

Required information

• Distribution: Ubuntu

• Distribution version: 20.04

  incus info

  ```shell # incus info config: {} api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - network_sriov - console - restrict_dev_incus - migration_pre_copy - infiniband - dev_incus_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - dev_incus_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - backup_compression - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl - warnings - projects_restricted_backups_and_snapshots - clustering_join_token - clustering_description - server_trusted_proxy - clustering_update_cert - storage_api_project - server_instance_driver_operational - server_supported_storage_drivers - event_lifecycle_requestor_address - resources_gpu_usb - clustering_evacuation - network_ovn_nat_address - network_bgp - network_forward - custom_volume_refresh - network_counters_errors_dropped - metrics - image_source_project - clustering_config - network_peer - linux_sysctl - network_dns - ovn_nic_acceleration - certificate_self_renewal - instance_project_move - storage_volume_project_move - cloud_init - network_dns_nat - database_leader - instance_all_projects - clustering_groups - ceph_rbd_du - instance_get_full - qemu_metrics - gpu_mig_uuid - event_project - clustering_evacuation_live - instance_allow_inconsistent_copy - network_state_ovn - storage_volume_api_filtering - image_restrictions - storage_zfs_export - network_dns_records - storage_zfs_reserve_space - network_acl_log - storage_zfs_blocksize - metrics_cpu_seconds - instance_snapshot_never - certificate_token - instance_nic_routed_neighbor_probe - event_hub - agent_nic_config - projects_restricted_intercept - metrics_authentication - images_target_project - cluster_migration_inconsistent_copy - cluster_ovn_chassis - container_syscall_intercept_sched_setscheduler - storage_lvm_thinpool_metadata_size - storage_volume_state_total - instance_file_head - instances_nic_host_name - image_copy_profile - container_syscall_intercept_sysinfo - clustering_evacuation_mode - resources_pci_vpd - qemu_raw_conf - storage_cephfs_fscache - network_load_balancer - vsock_api - instance_ready_state - network_bgp_holdtime - storage_volumes_all_projects - metrics_memory_oom_total - storage_buckets - storage_buckets_create_credentials - metrics_cpu_effective_total - projects_networks_restricted_access - storage_buckets_local - loki - acme - internal_metrics - cluster_join_token_expiry - remote_token_expiry - init_preseed - storage_volumes_created_at - cpu_hotplug - projects_networks_zones - network_txqueuelen - cluster_member_state - instances_placement_scriptlet - storage_pool_source_wipe - zfs_block_mode - instance_generation_id - disk_io_cache - amd_sev - storage_pool_loop_resize - migration_vm_live - ovn_nic_nesting - oidc - network_ovn_l3only - ovn_nic_acceleration_vdpa - cluster_healing - instances_state_total - auth_user - security_csm - instances_rebuild - numa_cpu_placement - custom_volume_iso - network_allocations - zfs_delegate - storage_api_remote_volume_snapshot_copy - operations_get_query_all_projects - metadata_configuration - syslog_socket - event_lifecycle_name_and_project - instances_nic_limits_priority - disk_initial_volume_configuration - operation_wait - image_restriction_privileged - cluster_internal_custom_volume_copy - disk_io_bus - storage_cephfs_create_missing - instance_move_config - ovn_ssl_config - certificate_description - disk_io_bus_virtio_blk - loki_config_instance - instance_create_start - clustering_evacuation_stop_options - boot_host_shutdown_action api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls auth_user_name: root auth_user_method: unix environment: addresses: [] architectures: - x86_64 - i686 certificate: | -----BEGIN CERTIFICATE----- [redacted] -----END CERTIFICATE----- certificate_fingerprint: [redacted] driver: lxc | qemu driver_version: 5.0.3 | 8.1.3 firewall: xtables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.15.0-92-generic lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Ubuntu os_version: "20.04" project: default server: incus server_clustered: false server_event_mode: full-mesh server_name: h2.domain.io server_pid: 4849 server_version: "0.5" storage: zfs storage_version: 0.8.3-1ubuntu12.16 storage_supported_drivers: - name: lvm version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.45.0 remote: false - name: zfs version: 0.8.3-1ubuntu12.16 remote: false - name: btrfs version: 5.4.1 remote: false - name: dir version: "1" remote: false ```

Issue description

I migrated from LXD. After that snaps are not running any more inside all my containers:

root@front:~# snap list
Name                 Version   Rev    Tracking       Publisher     Notes
certbot              2.8.0     3566   latest/stable  certbot-eff✓  classic
certbot-dns-rfc2136  2.8.0     3150   latest/beta    certbot-eff✓  -
core18               20231027  2812   latest/stable  canonical✓    base
core20               20231123  2105   latest/stable  canonical✓    base
snapd                2.61.1    20671  latest/stable  canonical✓    snapd
root@front:~# certbot renew
missing profile snap.certbot.certbot.
Please make sure that the snapd.apparmor service is enabled and started

Snapd's running:

# systemctl status snapd.service 
● snapd.service - Snap Daemon
     Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2024-01-28 11:58:34 +11; 6s ago
TriggeredBy: ● snapd.socket
   Main PID: 287 (snapd)
      Tasks: 11 (limit: 38144)
     Memory: 54.5M
     CGroup: /system.slice/snapd.service
             └─287 /usr/lib/snapd/snapd

janv. 28 11:58:29 front.domain.io systemd[1]: Starting Snap Daemon...
janv. 28 11:58:32 front.domain.io snapd[287]: overlord.go:271: Acquiring state lock file
janv. 28 11:58:32 front.domain.io snapd[287]: overlord.go:276: Acquired state lock file
janv. 28 11:58:33 front.domain.io snapd[287]: daemon.go:247: started snapd/2.61.1 (series 16; classic) ubuntu/20.04 (amd64) linux/5.15.0-92-generic.
janv. 28 11:58:33 front.domain.io snapd[287]: daemon.go:340: adjusting startup timeout by 55s (pessimistic estimate of 30s plus 5s per snap)
janv. 28 11:58:33 front.domain.io snapd[287]: backends.go:58: AppArmor status: apparmor is enabled and all features are available (using snapd provided apparmor_parser)
janv. 28 11:58:34 front.domain.io systemd[1]: Started Snap Daemon.

# systemctl status snapd.apparmor.service 
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
     Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sun 2024-01-28 11:58:26 +11; 5min ago
   Main PID: 232 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 38144)
     Memory: 0B
     CGroup: /system.slice/snapd.apparmor.service

janv. 28 11:58:26 front.domain.io systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
janv. 28 11:58:26 front.domain.io snapd-apparmor[232]: main.go:166: Inside container environment without internal policy
janv. 28 11:58:26 front.domain.io systemd[1]: Finished Load AppArmor profiles managed internally by snapd.

journalctl before migration

-- Reboot --
janv. 28 05:09:45 front.domain.io systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
janv. 28 05:09:46 front.domain.io snapd-apparmor[222]: main.go:124: Loading profiles [/var/lib/snapd/apparmor/profiles/snap-confine.snapd.20290 /var/lib/snapd/apparmor/profi>
janv. 28 05:09:47 front.domain.io systemd[1]: Finished Load AppArmor profiles managed internally by snapd.

After migration

-- Reboot --
janv. 28 11:07:16 front.domain.io systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
janv. 28 11:07:17 front.domain.io snapd-apparmor[211]: main.go:166: Inside container environment without internal policy
janv. 28 11:07:17 front.domain.io systemd[1]: Finished Load AppArmor profiles managed internally by snapd.

Steps to reproduce

1. Migrate from LXD to Incus
2. incus shell mycontainer
3. try a command from a snap installed app

Information to attach

• [ ] Any relevant kernel output (dmesg)
• [ ] Container log (incus info NAME --show-log)
• [ ] Container configuration (incus config show NAME --expanded)
• [ ] Main daemon log (at /var/log/incus/incusd.log)
• [ ] Output of the client with --debug
• [ ] Output of the daemon with --debug (alternatively output of incus monitor --pretty while reproducing the issue)

[loxK]

It looks like it has been fixed upstream : https://github.com/snapcore/snapd/pull/13350

Do I have to wait for a new snapd release ? Shouldn't it need to be specified in migration guide ?

[stgraber]

There is a workaround that you can use until apparmor and snapd are both updated with the fix.

https://discuss.linuxcontainers.org/t/weird-snap-behavior-it-is-there-but-won-t-work-i-tried-a-couple-of-different-containers-will-try-on-my-home-machines-later-did-the-snaps-break-all-of-a-sudden-or-is-it-my-imagination-they-worked-before-in-a-container/18682/2?u=stgraber

[stgraber]

Closing as there isn't really anything we can do about it in Incus until the fixes start making their way into Ubuntu images.

[stgraber]

The post linked above shows snaps working on Incus, but for that to be the case given the current state of apparmor and snapd requires manually updating the apparmor startup script to treat Incus as it does LXD.

Because that same trick can't be applied to the equivalent snapd binary, the trick on the snapd side is to pretend that the system is Microsoft' Windows Subsystem for Linux, which then causes snapd to move on and work inside the container.

I wrote and sent an upstream fix to AppArmor a few months ago which got quickly included upstream but hasn't yet made it into Ubuntu.

For snapd, I reported the issue but because of the Canonical CLA being applied to the snapd package, I couldn't send a fix myself. Thankfully, someone else did, so this will also eventually make it into Ubuntu.

[loxK]

That is annoying as AppArmor is many versions behind the latest release, even in Jammy. 3.0.4 was released a year ago.

» dpkg -l | grep apparmor
ii  apparmor                                   3.0.4-2ubuntu2.3                             amd64        user-space parser utility for AppArmor
ii  libapparmor1:amd64                         3.0.4-2ubuntu2.3                             amd64        changehat AppArmor library

Focal is still using 2.13 version and the fix hasn't been back ported to that version (only 3.0 and 3.1)

I think that should be mentioned in the migration guide as it may be an important thing sysadmin should take into account. Personally, I use Snap for easy Certbot and Docker install.