After installation of a snap daemon service is unable to start because of mising apparmor profile

rahul-tt · November 29, 2023, 8:27am

Hi, I have installed a new snap and the install is very inconsistent. Sometime, the services do not work and give an error.

missing profile snap.turftank-mk2m-sw.mk2l.

Please make sure that the snapd.apparmor service is enabled and started

I have recently updated my snapd from 15541 to 20298 revision. Could this be a bug on this snapd version. Could someone help me with this?

baldeuniversel · November 29, 2023, 11:33am

Hi ! @rahul-tt

Try these commands to fix the bug :

sudo systemctl restart snapd

sudo systemctl enable --now snapd.apparmor

sudo snap refresh

rahul-tt · November 29, 2023, 12:47pm

I have tried these commands and they dont help.

baldeuniversel · November 29, 2023, 1:07pm

When you executed this command, did you obtain an error ?

sudo systemctl restart snapd

baldeuniversel · November 29, 2023, 1:16pm

~ @rahul-tt Please, show the output of this command.

I want to see if snap.turftank-mk2m-sw.mk2l is listed as it mentioned in the error message (just above).

sudo apparmor_status

rahul-tt · November 29, 2023, 1:40pm

apparmor module is loaded.
38 profiles are loaded.
38 profiles are in enforce mode.
   /snap/snapd/15541/usr/lib/snapd/snap-confine
   /snap/snapd/15541/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/20298/usr/lib/snapd/snap-confine
   /snap/snapd/20298/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.modem-manager
   snap-update-ns.network-manager
   snap-update-ns.turftank-mk2-gadget
   snap-update-ns.turftank-mk2m-sw
   snap.modem-manager.hook.configure
   snap.modem-manager.mbim-network
   snap.modem-manager.mbimcli
   snap.modem-manager.mmcli
   snap.modem-manager.modemmanager
   snap.modem-manager.qmi-network
   snap.modem-manager.qmicli
   snap.network-manager.hook.configure
   snap.network-manager.hook.remove
   snap.network-manager.networkmanager
   snap.network-manager.nmcli
   snap.network-manager.nmtui
   snap.network-manager.nmtui-connect
   snap.network-manager.nmtui-edit
   snap.network-manager.nmtui-hostname
   snap.turftank-mk2-gadget.hook.configure
   snap.turftank-mk2-gadget.hook.prepare-device
   snap.turftank-mk2m-sw.automount
   snap.turftank-mk2m-sw.hook.install
   snap.turftank-mk2m-sw.ros2-cli
   snap.turftank-mk2m-sw.state-manager
   snap.turftank-mk2m-sw.timesync-off
   snap.turftank-mk2m-sw.udisksd
0 profiles are in complain mode.
17 processes have profiles defined.
17 processes are in enforce mode.
   /snap/modem-manager/471/usr/sbin/ModemManager (1260) snap.modem-manager.modemmanager
   /snap/modem-manager/471/usr/libexec/qmi-proxy (2319) snap.modem-manager.modemmanager
   /snap/network-manager/711/usr/sbin/NetworkManager (1271) snap.network-manager.networkmanager
   /snap/network-manager/711/sbin/dnsmasq (2403) snap.network-manager.networkmanager
   /usr/bin/dash (1298) snap.turftank-mk2m-sw.automount
   /snap/turftank-mk2m-sw/81/usr/bin/udisksctl (2353) snap.turftank-mk2m-sw.automount
   /usr/bin/grep (2354) snap.turftank-mk2m-sw.automount
   /usr/bin/dash (2355) snap.turftank-mk2m-sw.automount
   /usr/bin/python3.8 (2077) snap.turftank-mk2m-sw.state-manager
   /usr/bin/python3.8 (2445) snap.turftank-mk2m-sw.state-manager
   /usr/bin/python3.8 (2447) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/opt/ros/snap/lib/tt_os/os_node (2449) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/opt/ros/snap/lib/tt_mk2_mcu/mcu_node (2451) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/opt/ros/snap/lib/tt_mk2_firmware/firmware_node (2453) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/opt/ros/snap/lib/tt_mk2_id/id_node (2455) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/opt/ros/snap/lib/tt_mk2_launcher/launcher_node (2457) snap.turftank-mk2m-sw.state-manager
   /snap/turftank-mk2m-sw/81/usr/libexec/udisks2/udisksd (1288) snap.turftank-mk2m-sw.udisksd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I dont see snap.turftank-mk2m-sw.mk2l this listed.

Also, i didnt get any error when i ran ‘sudo systemctl restart snapd’

baldeuniversel · November 29, 2023, 2:11pm

~ @rahul-tt

Okay , execute this command to check if a specific revision labeled mk2l is available for the snap turftank-mk2m-sw .

snap list --all turftank-mk2m-sw

rahul-tt · November 30, 2023, 10:40am

This is what i get

> turftank-mk2m-sw  0.0.0    83   -         turftank   disabled
> turftank-mk2m-sw  5.1.0    49   -         turftank   disabled
> turftank-mk2m-sw  5.1.3    81   -         turftank   -

rahul-tt · November 30, 2023, 10:45am

I can see that when this happens, there is no apparmor profile created for the new services in /var/lib/snapd/apparmor/profiles folder

Is this happening because when snapd and another application are installed at the same time, snapd sometimes unable to create apparmor profiles?

baldeuniversel · November 30, 2023, 7:17pm

Hi @rahul-tt .

You can execute this command, perhaps the issue will be fixed :

sudo snap refresh turftank-mk2m-sw

baldeuniversel · November 30, 2023, 7:38pm

~ @rahul-tt We can reload the profile otherwise (if the above suggestion does not work) .

rahul-tt · December 4, 2023, 12:15pm

How can i reload the profile?

rahul-tt · December 4, 2023, 2:39pm

I have done a lot of testing and i have some idea of what is happening.

when i install gadget, snapd and my software snap. it first updates snapd, then gadget and software. But in midway, gadget asks for a reboot, so It creates a file “/run/systemd/shutdown/scheduled”.

My software snap checks this file and reboots the system. But in the background the snapd is still performing the task of setting security profiles. Which is now interrupted by the reboot.

When the system reboots, these apparmor profiles are not updated to the new revision of the software snap.
When i checked the profiles of the services, the revision mentioned in them is pointing to the old snap revision or some of the profiles are missing.

baldeuniversel · December 4, 2023, 3:01pm

Hi @rahul-tt . I see .

Did you find a solution ?

baldeuniversel · December 4, 2023, 3:07pm

My solution is to reload specific profiles via this command .

Example :

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.turftank-mk2m-sw.*

baldeuniversel · December 4, 2023, 3:24pm

Otherwise, perhaps create the profile manually could be a solution.

I think, you can also prevent this reboot request .

rahul-tt · December 5, 2023, 12:58pm

I havent found a solution. But reloading the apparmor profile doesnt work.

Only way is to reinstall the snap and that solves the issue. i have tried disabled the snap trying to reboot but the Os automatically reboot after 1 min when updating a gadget. Even then i see this issue.

You can reproduce this issue when you try to update a gadget, snapd and another snap together

baldeuniversel · December 5, 2023, 9:09pm

Super ! @rahul-tt

You’ve already found a solution, it’s nice !

pmeulengracht · December 7, 2023, 7:56am

@rahul-tt Hey! Thanks for reporting this. I was wondering if you happen to have any logs lying around from this issue (logs from the upgrade itself), or if its easy for you to reproduce this and produce snapd journal logs from an upgrade where the snap is unable to start afterwards.

Also which ubuntu core is this?

rahul-tt · December 7, 2023, 9:15am

i will collect the journalctl logs of during the update and after the reboot as soon as i can and send them. This is core20 revision 1614