Cannot launch snap applications with cgroup v2

Whenever I launch a graphical snap application, I get the error

/user.slice/user-1000.slice/session-1.scope is not a snap cgroup

Example:

$ SNAPD_DEBUG=1 snap run firefox
2021/11/25 21:58:24.238323 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2021/11/25 21:58:24.257650 cmd_run.go:425: DEBUG: SELinux not enabled
2021/11/25 21:58:24.258005 tracking.go:45: DEBUG: creating transient scope snap.firefox.firefox
2021/11/25 21:58:24.258047 tracking.go:188: DEBUG: session bus is not available: cannot find session bus
2021/11/25 21:58:24.258057 cmd_run.go:1187: DEBUG: snapd cannot track the started application
2021/11/25 21:58:24.258079 cmd_run.go:1188: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.firefox.firefox
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core20
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/14066/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/firefox.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope firefox, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: firefox
DEBUG: setting up device cgroup
DEBUG: libudev has current tags support
DEBUG: device /sys/devices/pci0000:00/0000:00:02.0/drm/card0 has matching current tag
DEBUG: process in cgroup /user.slice/user-1000.slice/session-1.scope
/user.slice/user-1000.slice/session-1.scope is not a snap cgroup
[1]    865 exit 1     SNAPD_DEBUG=1 snap run firefox

System info:

$ uname -a
Linux info03 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ apt list snapd
Listing... Done
snapd/stable,now 2.49-1+b5 amd64 [installed]

$ snap --version
snap    2.53.2
snapd   2.53.2
series  16
debian  11
kernel  5.10.0-9-amd64

$ snap list core
Name  Version    Rev    Tracking       Publisher   Notes
core  16-2.52.1  11993  latest/stable  canonical✓  core
1 Like

This appears to be the source of the problem:

Snap run attempts to create a separate scope (a cgroup actually) for the application by talking to org.freedesktop.systemd1.Manager over session bus. In your case, the session bus is unavailable, so a separate cgroup cannot be created thus it is not possible to set up device access rules or identify processes belonging to a snap.

Hwoever, it does appear that the process was in /user.slice/user-1000.slice/session-1.scope cgroup, what suggest that the session was at least partially set up by systemd. Can you check whether DBUS_SESSION_BUS_ADDRESS is set in your environment? (and in the terminal you execute the command). Does /run/user/1000/bus exist and is it a socket?

Both are not the case. Note that I don’t have any login manager nor desktop environment installed.

It seems a session bus can be set up using dbus-launch, so I tried that (which required installing dbus-x11), obtaining the following output.

$ SNAPD_DEBUG=1 dbus-launch snap run firefox
2021/11/26 10:15:42.629424 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2021/11/26 10:15:42.649203 cmd_run.go:425: DEBUG: SELinux not enabled
2021/11/26 10:15:42.649606 tracking.go:45: DEBUG: creating transient scope snap.firefox.firefox
2021/11/26 10:15:42.650393 tracking.go:185: DEBUG: using session bus
2021/11/26 10:15:42.653351 tracking.go:290: DEBUG: StartTransientUnit failed with "org.freedesktop.DBus.Error.Spawn.ChildExited": [Process org.freedesktop.systemd1 exited with status 1]
2021/11/26 10:15:42.653378 cmd_run.go:1187: DEBUG: snapd cannot track the started application
2021/11/26 10:15:42.653392 cmd_run.go:1188: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.firefox.firefox
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core20
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/14066/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/firefox.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope firefox, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: firefox
DEBUG: setting up device cgroup
DEBUG: libudev has current tags support
DEBUG: device /sys/devices/pci0000:00/0000:00:02.0/drm/card0 has matching current tag
DEBUG: process in cgroup /user.slice/user-1000.slice/session-1.scope
/user.slice/user-1000.slice/session-1.scope is not a snap cgroup

When installing dbus-user-session (instead of using dbus-launch or dbus-run-session), it works. Why does one way to start the session bus work but not the other?

Perhaps there is a package missing from the image. Specifically, can you try apt install dbus-user-session?

sudo apt-get install dbus-user-session && systemctl --user start dbus.service fixed the issue for me on Ubuntu 21.10. thank you!

sudo apt-get install dbus-user-session && systemctl --user start dbus.service fixed the issue for me on Ubuntu 21.10. thank you!

This didn’t work for me on Ubuntu 21.10. Firefox has stopped working with error

/user.slice/user-1000.slice/session-30.scope is not a snap cgroup

Nor does chromium or waterfox-classic. Same error.

Running MATE inside X2Go

I get the same errors trying to run any SNAP in Ubuntu 22.04 when logged in in a VNC server session (uid=1038):

/user.slice/user-1038.slice/session-30.scope is not a snap cgroup

Everything works fine if I’m logged in on that PC directly. However, inside a vnc-session I cannot run any SNAP. The GNOME-session is started with the following ~/.vnc/xstartup:

#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
vncconfig -iconic &
export DESKTOP_SESSION=/usr/share/xsessions/ubuntu.desktop
export XDG_CURRENT_DESKTOP=ubuntu:GNOME
export GNOME_SHELL_SESSION_MODE=ubuntu
export XDG_DATA_DIRS=/usr/share/ubuntu:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
dbus-launch --exit-with-session /usr/bin/gnome-session --systemd --session=ubuntu

I’ve tried to use dbus-user-session instead of dbus-launch but that didn’t change anything. The same happens if I run a XFCE4-session:

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
/usr/bin/startxfce4
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
x-window-manager &

Any ideas what I should add to the session startup to make SNAPs work?

1 Like

Update: I just noticed, that there is one exception: cherrytree works also in the VNC session, while chromium, keepassxc, jabref, zoom-client don’t (giving the error message mentioned above).

this problem does not seem to affect unconfined snaps which might explain why cherrytree works. I have this problem with a nomachine remote xubuntu desktop. 22.04 is not great when snap is broken.

The session is started with

/usr/bin/startxfce4 (in /usr/NX/etc/node.cfg)

No ideas how to fix this? :frowning:

There is a launchpad bug here https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1951491 where it was decided that it was not a snap problem. Unfortunately, the bug report has not got the attention of anyone who seems to know what the problem is. You can disable new cgroups with a kernel parameter, which stops the error. I posted that tip in the bug report.

edit: There are now better workarounds at that bug report, and they hint that the login by the remote client is doing something wrong when setting up DBUS_SESSION_BUS_ADDRESS, which should be set by the systemd login flow somewhere. I think by the time the xsession is being set up, the root cause of the problem has already happened.

I came across this thread during my search for a solution for running ubuntu server 22.04 + firefox snap + geckodriver + python veenv + cron Similar or exactly the same as this post

Your reply was helpful, even if it did not apply to my use-case, because I am not supposed to have (by Ubuntu’s design) a running user-DBUS session , when I start scripts via cron.

I ended up removing the default firefox snap (has strict confinement) and installing the devmode snap with: snap install firefox --devmode

I do not recommend regular users to do this as per the documentation. However, this is enough for my use-case that involves running automated web checks on a set of websites for the next few decades

EDIT: 20220728-1224: there is another proposed solution in the post I linked, which involves using the linger feature of systemd/loginctl. It has much more appeal than using ‘devmode’ for production applications

I encounter the same issue with firefox running an a KVM virtual machine with Ubuntu Mate 22.04 LTS while it runs perfectly on a Ubuntu Mate 22.04 running on bare metal.

i aslo encounter this issue with firefox running on Ubuntu 22.04 within an virtualbox machine. I execute update, then firefox is working finely. Maybe a reference?