Allow snap access to nfs mounts

What is the correct way to allow a snap package to access a filesystem that is mounted via nfs?

I have seen many issues here that deal with the specific problem that the home folder is an nfs mount, but my problem seems to be more basic than that.

Since I am crafting the package myself, I have no problem giving it access to the “network” interface (one of the earlier reported problems seems to be that nfs access requires this).

But it still does not work for me. I get this in the kernel log:

[290079.508354] nfs: RPC call returned error 13

I get this in journalctl:
Sep 06 18:17:00 rotatoria audit[29964]: AVC apparmor="DENIED" operation="sendmsg" profile="/snap/snapd/12883/usr/lib/snapd/snap-confine" pid=29964 comm="snap-confine" laddr= lport=744 faddr= fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

network is connected:

> snap connections atlatec-annotate
  network                 atlatec-annotate:network          :network                          -

I have the feeling I am missing something very basic.

Any help appreciated!

Btw, snap is installed with “--devmode”.

Also, I have bind-mounted the nfs below /media (this is a trick that I think worked in the past to make it believe that “removable-media” plug is sufficient.)

for sockets you also want the network-bind plug … it also helps to run the snappy-debug tool from the snappy-debug snap in a second terminal while executing your app, that will give you some useful interface hints …

Adding network-bind did not change anything, unfortunately.

snappy-debug remains quiet, but I still get the same audit messages in journalctl.

Interface               Plug                              Slot                              Notes
content[gtk-2-engines]  atlatec-annotate:gtk-2-engines    gtk2-common-themes:gtk-2-engines  -
content[gtk-2-themes]   atlatec-annotate:gtk-2-themes     gtk-common-themes:gtk-2-themes    -
content[icon-themes]    atlatec-annotate:icon-themes      gtk-common-themes:icon-themes     -
content[sound-themes]   atlatec-annotate:sound-themes     gtk-common-themes:sound-themes    -
home                    atlatec-annotate:home             :home                             -
network                 atlatec-annotate:network          :network                          -
network-bind            atlatec-annotate:network-bind     :network-bind                     -
opengl                  atlatec-annotate:opengl           :opengl                           -
removable-media         atlatec-annotate:removable-media  -                                 -

Is it really not possible to use snap packages to access nfs filesystems?

I’m also interested in this topic - I’m trying to set up a remote boot Raspberry Pi with Ubuntu on an NFS root partition - everything works fine until I try to install MicroK8s and I get this error in the shell:

ubuntu@node1:~$ sudo snap install microk8s --classic
error: cannot perform the following tasks:
  • Run install hook of "microk8s" snap if present (run hook "install": /snap/snapd/14063/usr/lib/snapd/snap-confine: error while loading shared libraries: cannot open shared object file: Permission denied)

And this in the audit log:

type=AVC msg=audit(1637626645.144:441): apparmor="DENIED" operation="sendmsg" profile="/snap/snapd/14063/usr/lib/snapd/snap-confine" pid=7307 comm="snap-confine" laddr=xxxx lport=873 faddr=xxxx fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

I found some articles online about adding ‘network, inet’ to the profile, but the profile keeps getting overwritten and I haven’t figured out which process is doing that yet.
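Added example, not part of any post in this thread: a short Python triage script for the AppArmor denials quoted above. It keeps denied socket operations toward port 2049 (the standard NFS port) and reports whether the denied profile is snap-confine or a snap's own app profile (named snap.<snap>.<app>). The sample log is constructed from the two denials in the thread plus one made-up unrelated line, and all function names are illustrative.

```python
import re

NFS_PORT = 2049  # standard NFS port; the fport in both denials in this thread
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key="quoted" or key=bare (may be empty)

# Constructed sample: the two denials quoted in the thread plus one made-up,
# unrelated denial that must not be reported.
SAMPLE_LOG = """\
Sep 06 18:17:00 rotatoria audit[29964]: AVC apparmor="DENIED" operation="sendmsg" profile="/snap/snapd/12883/usr/lib/snapd/snap-confine" pid=29964 comm="snap-confine" laddr= lport=744 faddr= fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
type=AVC msg=audit(1637626645.144:441): apparmor="DENIED" operation="sendmsg" profile="/snap/snapd/14063/usr/lib/snapd/snap-confine" pid=7307 comm="snap-confine" laddr=xxxx lport=873 faddr=xxxx fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Sep 06 18:17:05 examplehost audit[30001]: AVC apparmor="DENIED" operation="open" profile="snap.example-app.example-app" name="/var/lib/example/data" pid=30001 comm="example-app" requested_mask="r" denied_mask="r"
"""

def parse_avc(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    # Forum and chat software often turns "..." into typographic quotes.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def profile_scope(profile):
    """Classify the denied profile: snapd's helper or a snap's app profile."""
    if profile.endswith("/snap-confine"):
        return "snap-confine"
    if profile.startswith("snap."):
        return "snap-app"
    return "other"

def nfs_denials(log_text):
    """Return (scope, profile, operation) for each denied socket op to NFS."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if (fields.get("apparmor") == "DENIED"
                and fields.get("family") in ("inet", "inet6")
                and fields.get("fport") == str(NFS_PORT)):
            profile = fields.get("profile", "")
            hits.append((profile_scope(profile), profile, fields.get("operation")))
    return hits

if __name__ == "__main__":
    for scope, profile, operation in nfs_denials(SAMPLE_LOG):
        print(f"[{scope}] {operation} to port {NFS_PORT} denied under {profile}")
```

Both denials from the thread come back with scope snap-confine: they were logged against snapd's helper profile rather than against a snap.atlatec-annotate.* profile.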