Cannot mount squashfs image using "squashfs": ... Operation not permitted

causa-sui · October 22, 2019, 8:30pm

Archlinux. I installed snapd from the AUR. squashfs-tools was installed as a dependency, but I explicitly installed squashfuse for good measure. I have rebooted since I installed snapd and since the last kernel update was installed.

$ uname -r && pacman -Q linux
5.3.7-arch1-1-ARCH
linux 5.3.7.arch1-1
$ snap --version
snap    2.42-2
snapd   2.42-2
series  16
arch    -
kernel  5.3.7-arch1-1-ARCH
$ snap changes
ID   Status  Spawn                   Ready                   Summary
1    Done    yesterday at 23:52 PDT  yesterday at 23:52 PDT  Initialize system state
$ grep squashfs /proc/filesystems
     squashfs

SELinux is not installed.

$ /usr/bin/sestatus
-bash: /usr/bin/sestatus: No such file or directory

When attempting to install any snap, I am met with this error:

$ sudo snap install hello_world
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
       /tmp/sanity-mountpoint-408355398: mount failed: Operation not permitted.
$ sudo su root
# snap install hello_world
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
       /tmp/sanity-mountpoint-408355398: mount failed: Operation not permitted.

There are no new messages in dmesg that are interesting. journalctl -xe shows nothing relevant except sudo logging the attempt.

In IRC I was asked to try this, to no avail:

snap download hello-world && mkdir test && sudo mount -o squashfs hello-world*.snap test/

A possibly related forum post is here, but in my case I seem to have no interesting log output.

$ sudo journalctl -u snapd
-- Logs begin at Mon 2019-08-12 19:01:02 PDT, end at Tue 2019-10-22 13:33:48 PDT. --
Oct 21 23:52:07 iris systemd[1]: Starting Snappy daemon...
Oct 21 23:52:07 iris snapd[2489509]: AppArmor status: apparmor not enabled
Oct 21 23:52:07 iris snapd[2489509]: daemon.go:346: started snapd/2.42-2 (series 16; classic; devmode) arch/ (amd64) linux/5.3.5-arch1-1-ARCH.
Oct 21 23:52:07 iris snapd[2489509]: main.go:123: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: /tmp/sanity-mountpoint-003757754:>
Oct 21 23:52:07 iris snapd[2489509]: daemon.go:439: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)
Oct 21 23:52:07 iris snapd[2489509]: helpers.go:104: error trying to compare the snap system key: system-key missing on disk
Oct 21 23:52:07 iris systemd[1]: Started Snappy daemon.
Oct 21 23:52:12 iris snapd[2489509]: daemon.go:540: gracefully waiting for running hooks
Oct 21 23:52:12 iris snapd[2489509]: daemon.go:542: done waiting for running hooks
Oct 21 23:52:12 iris snapd[2489509]: daemon stop requested to wait for socket activation
Oct 21 23:52:12 iris systemd[1]: snapd.service: Succeeded.
Oct 21 23:52:39 iris systemd[1]: Starting Snappy daemon...
Oct 21 23:52:39 iris snapd[2491116]: AppArmor status: apparmor not enabled
Oct 21 23:52:39 iris snapd[2491116]: patch.go:64: Patching system state level 6 to sublevel 1...
Oct 21 23:52:39 iris snapd[2491116]: patch.go:64: Patching system state level 6 to sublevel 2...
Oct 21 23:52:39 iris snapd[2491116]: daemon.go:346: started snapd/2.42-2 (series 16; classic; devmode) arch/ (amd64) linux/5.3.5-arch1-1-ARCH.
Oct 21 23:52:39 iris snapd[2491116]: main.go:123: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: /tmp/sanity-mountpoint-862431413:>
Oct 21 23:52:39 iris snapd[2491116]: daemon.go:439: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)

ijohnson · October 22, 2019, 8:32pm

CC @mborzecki

mborzecki · October 23, 2019, 6:09am

It’s not really clear what is going on there. On the one hand, a mount by the user is successful, on the other snapd running as root gets EPERM. The difference is snapd trying to mount at a location under /tmp, but I don’t think it matters. Just for the record, can you post the output of snap debug sandbox-features?

Then can you add the following to snapd service overrides file?

# /etc/systemd/system/snapd.service.d/override.conf
[Service]
Environment=SNAPD_DEBUG=1
Environment=LIBMOUNT_DEBUG=all
Environment=LOOPDEV_DEBUG=all

Then systemctl daemon-reload && systemctl restart snapd, and post the log.

ogra · October 23, 2019, 10:16am

unless the permissions for /tmp would be wrong (but that would likely also cause other errors in the system)

causa-sui · October 23, 2019, 6:43pm

$ stat /tmp
  File: /tmp
  Size: 400             Blocks: 0          IO Block: 4096   directory
Device: 30h/48d Inode: 3417        Links: 16
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-10-22 16:51:53.655407822 -0700
Modify: 2019-10-23 10:01:20.409214469 -0700
Change: 2019-10-23 10:01:20.409214469 -0700
 Birth: -
$ snap debug sandbox-features
confinement-options:  devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 tagging
$ stat /etc/systemd/system/snapd.service.d
stat: cannot stat '/etc/systemd/system/snapd.service.d': No such file or directory
$ find /etc/systemd/ -iname "*snapd*"
/etc/systemd/system/sockets.target.wants/snapd.socket

Note that I did not find any snapd.service.d directory under /etc/systemd

ogra · October 23, 2019, 6:50pm

you can just create it, systemd will pick up files from there …

causa-sui · October 25, 2019, 11:06pm

Ah I misunderstood. Log is here: http://ix.io/1ZQZ

mborzecki · October 28, 2019, 11:30am

The relevant part of the log:

2797385: libmount: LOOP: [0x555d00479460]: not found; create a new loop device 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: initialize context 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: init: ignore ioctls 
2797385: libmount: LOOP: [0x555d00479460]: enabling AUTOCLEAR flag 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: find_unused requested 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: using loop scan 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: initialize 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next: default check
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop0 name assigned
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop0 does not exist
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop1 name assigned 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop1 does not exist 
...
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop7 name assigned 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop7 does not exist 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next: scanning /dev 
2797385: loopdev: ITER: scan dir: /dev/ 
...
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: find_unused by scan [rc=1] 
...
2797385: libmount: CXT: [0x555d00479460]: mount: preparing failed 
2797385: libmount: CXT: [0x555d00479460]: excode: rc=1 message="mount failed: Operation not
permitted" mount: /tmp/sanity-mountpoint-326453316: mount failed: Operation not permitted.

Which indicates that loopdev cannot for some reason access /dev/loop-control and goes into /dev/scanning mode. The difference is, in the loop-control mode mount would do LOOP_CTL_GET_FREE which allocates a new device when none are free. In the /dev scanning mode, it does not create new devices, but instead tries to use the existing ones, by trying some pre-determined set of device names.

This does not explain why mount invoked by snapd cannot access /dev/loop-control. On my vanilla Arch, with the default systemd setup and the service unit that came from the package, it can.

Looking at util-linux all it does is a simple stat on /dev/loop-control:

github.com

karelzak/util-linux/blob/master/lib/loopdev.c#L189-L192


	if (!(lc->flags & LOOPDEV_FL_CONTROL) && !stat(_PATH_DEV_LOOPCTL, &st)) {
		lc->flags |= LOOPDEV_FL_CONTROL;
		DBG(CXT, ul_debugobj(lc, "init: loop-control detected "));

I would guess there’s some limitation applied in your local system configuration. Maybe check if PrivateDevices isn’t set by systemd on snapd.service.

Edit: and double check that the loop module can actually by loaded into the kernel.

causa-sui · October 29, 2019, 3:59am

sudo modprobe loop seems to have fixed it. I will leave it to others to decide if a more readable error should be printed in this case.

Thank you both very much for your help!

lem0nade · July 27, 2020, 9:20am

snap --version
snap    2.45.1+20.04.2
snapd   2.45.1+20.04.2
series  16
ubuntu  20.04
kernel  5.4.0

Hi all. I have same problem. Snap is running:

 systemctl status snapd
● snapd.service - Snap Daemon
     Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset:>
     Active: active (running) since Mon 2020-07-27 11:21:17 CEST; 2s ago
TriggeredBy: ● snapd.socket
   Main PID: 733 (snapd)
      Tasks: 8 (limit: 19660)
     Memory: 38.1M
     CGroup: /system.slice/snapd.service
             └─733 /usr/lib/snapd/snapd

But after try to install:

snap install hello-world
error: system does not fully support snapd: cannot mount squashfs image using
       "squashfs": mount: /tmp/sanity-mountpoint-396324705: mount failed:
       Operation not permitted.

Become:

systemctl status snapd
● snapd.service - Snap Daemon
     Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset:>
     Active: inactive (dead) since Mon 2020-07-27 11:22:24 CEST; 23s ago
TriggeredBy: ● snapd.socket
    Process: 761 ExecStart=/usr/lib/snapd/snapd (code=exited, status=42)
   Main PID: 761 (code=exited, status=42)

I have tried a lot of things…but need help.

YamiYukiSenpai · June 29, 2021, 5:28am

I’m having that same issue on my new Arch install.

$ snap debug sandbox-features
confinement-options:  devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 tagging

$ systemctl status snapd
* snapd.service - Snap Daemon
     Loaded: loaded (/usr/lib/systemd/system/snapd.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/snapd.service.d
             `-override.conf
     Active: inactive (dead) since Tue 2021-06-29 01:26:44 EDT; 5s ago
TriggeredBy: * snapd.socket
    Process: 8255 ExecStart=/usr/lib/snapd/snapd (code=exited, status=42)
   Main PID: 8255 (code=exited, status=42)
        CPU: 363ms

Jun 29 01:26:29 KUROKA-Z40-Arch snapd[8255]: retry.go:49: DEBUG: Retrying https://api.snapcraft.io/api/v1/snaps>
Jun 29 01:26:29 KUROKA-Z40-Arch snapd[8255]: daemon.go:218: DEBUG: pid=8249;uid=1000;socket=/run/snapd.socket; >
Jun 29 01:26:30 KUROKA-Z40-Arch snapd[8255]: retry.go:61: DEBUG: The retry loop for https://api.snapcraft.io/ap>
Jun 29 01:26:30 KUROKA-Z40-Arch snapd[8255]: retry.go:49: DEBUG: Retrying https://api.snapcraft.io/api/v1/snaps>
Jun 29 01:26:34 KUROKA-Z40-Arch snapd[8255]: retry.go:61: DEBUG: The retry loop for https://api.snapcraft.io/ap>
Jun 29 01:26:34 KUROKA-Z40-Arch snapd[8255]: catalogrefresh.go:120: DEBUG: Catalog refresh succeeded.
Jun 29 01:26:44 KUROKA-Z40-Arch snapd[8255]: daemon.go:508: gracefully waiting for running hooks
Jun 29 01:26:44 KUROKA-Z40-Arch snapd[8255]: daemon.go:510: done waiting for running hooks
Jun 29 01:26:44 KUROKA-Z40-Arch snapd[8255]: daemon stop requested to wait for socket activation
Jun 29 01:26:44 KUROKA-Z40-Arch systemd[1]: snapd.service: Deactivated successfully.

Here’s my system info:

Operating System: Arch Linux
Kernel Version: 5.12.12-arch1-1 (64-bit)

mborzecki · June 29, 2021, 7:11am

Is the squashfs module loaded? Have you rebooted after a kernel update? Note that Arch only keeps a single version of each kernel variant (linux, linux-lts and so on), so it’s easy to end up in a situation where the new kernel is on disk but you’re still running the old one. AFAICT the current kernel 5.12.13 already, yours seems to be 5.12.12.

YamiYukiSenpai · July 3, 2021, 2:58am

I have rebooted, and tried installing the Spectacle snap, and Snap seems to be working so far.

Edit: tried launching Spectacle, and got this:

$ spectacle                                                                      
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
spectacle: symbol lookup error: /snap/spectacle/140/usr/lib/x86_64-linux-gnu/libKF5KIOWidgets.so.5:
undefined symbol: _ZN9KLineEdit16returnKeyPressedERK7QString

Will try with another snap.

Edit: it seems to be just Spectacle, as I was able to launch Firefox.

skswain · July 27, 2021, 12:56pm

Was having the issue on debian buster. issue resolved after loading ‘loop’ and ‘squashfs’ kernel modules.

Ebuzer · January 22, 2024, 2:31pm

I’m having the same issue after do-release-upgrade to 20.04 all my snaps are broken and doesn’t mount at the start

Ebuzer · January 22, 2024, 6:08pm

snap debug paths SNAPD_MOUNT=/snap SNAPD_BIN=/snap/bin SNAPD_LIBEXEC=/usr/lib/snapd

snap list
Name                                  Version  Rev    Tracking       Publisher         Notes
0ad                                   -        592    latest/stable  play0ad✓          broken
acestreamplayer                       -        15     latest/stable  vasilisc          broken
bare                                  -        5      latest/stable  canonical✓        broken
chromium                              -        2734   latest/stable  canonical✓        broken
core                                  -        16202  latest/stable  canonical✓        broken
core18                                -        2812   latest/stable  canonical✓        broken
core20                                -        2105   latest/stable  canonical✓        broken
core22                                -        1033   latest/stable  canonical✓        broken
cups                                  -        872    latest/stable  openprinting✓     disabled,broken
dnslookup                             -        156    latest/stable  ameshkov✓         broken
fast                                  -        4      latest/stable  ddooo             broken
firefox                               -        3626   latest/stable  mozilla✓          broken
flux                                  -        8      latest/stable  the-ricker        broken
gedit                                 -        684    latest/stable  canonical✓        broken
gimp                                  -        418    latest/stable  snapcrafters✪     broken
gnome-3-26-1604                       -        111    latest/stable  canonical✓        broken
gnome-3-28-1804                       -        198    latest/stable  canonical✓        broken
gnome-3-38-2004                       -        143    latest/stable  canonical✓        broken
gnome-42-2204                         -        141    latest/stable  canonical✓        broken
gravit-designer                       -        44     latest/stable  gravitgmbh✓       broken
gtk-common-themes                     -        1535   latest/stable  canonical✓        broken
gtk2-common-themes                    -        13     latest/stable  canonical✓        broken
hello-world                           -        29     latest/stable  canonical✓        broken
inkscape                              -        10555  latest/stable  inkscape✓         broken
intellij-idea-ultimate                -        470    latest/stable  jetbrains✓        broken
kde-frameworks-5-96-qt-5-15-5-core20  -        7      latest/stable  kde✓              broken
kde-frameworks-5-98-qt-5-15-6-core20  -        9      latest/stable  kde✓              broken
kde-frameworks-5-99-qt-5-15-7-core20  -        7      latest/stable  kde✓              broken
kde-frameworks-5-core18               -        35     latest/stable  kde✓              broken
kde-frameworks-5-qt-5-14-core18       -        4      latest/stable  kde✓              broken
kde-frameworks-5-qt-5-15-core20       -        14     latest/stable  kde✓              broken
kf5-5-104-qt-5-15-8-core22            -        9      latest/stable  kde✓              broken
kf5-5-106-qt-5-15-9-core22            -        23     latest/stable  kde✓              broken
kf5-5-110-qt-5-15-11-core22           -        3      latest/stable  kde✓              broken
kimitzu-client                        -        12     latest/beta    kimitzu           broken
ktouch                                -        118    latest/stable  kde✓              broken
libreoffice                           -        302    latest/stable  canonical✓        broken
mathpix-snipping-tool                 -        195    latest/stable  mathpix           broken
microk8s                              -        1551   latest/stable  canonical✓        disabled,broken
mumble                                -        1731   latest/stable  snapcrafters✪     broken
mysql-workbench-community             -        12     latest/stable  tonybolzan        broken
netbeans                              -        89     latest/stable  apache-netbeans✓  broken
notepad-plus-plus                     -        389    latest/stable  mmtrt             broken
qt-2048-snap                          -        11     latest/stable  keshavnrj✪        broken
qt513                                 -        24     latest/stable  keshavnrj✪        broken
qt551                                 -        43     latest/stable  keshavnrj✪        broken
remmina                               -        6134   latest/stable  remmina✓          broken
snap-store                            -        959    latest/stable  canonical✓        broken
snapd                                 -        20671  latest/stable  canonical✓        broken
spotify                               -        74     latest/stable  spotify✓          broken
stellarium-daily                      -        1644   latest/stable  t4saha            broken
tor-mkg20001                          -        16     latest/stable  mkg20001          broken
upnp-server                           -        1      latest/stable  ogra              disabled,broken
vlc                                   -        3721   latest/stable  videolan✓         broken
whatami                               -        96     latest/stable  kz6fittycent      broken
whois-snap                            -        1      latest/stable  marius-quabeck    broken
winds                                 -        95     latest/stable  getstream-io✓     broken
wine-platform                         -        128    latest/stable  mmtrt             broken
wine-platform-3-stable                -        14     latest/stable  mmtrt             broken
wine-platform-5-stable                -        18     latest/stable  mmtrt             broken
wine-platform-5-staging               -        34     latest/stable  mmtrt             broken
wine-platform-6-stable                -        19     latest/stable  mmtrt             broken
wine-platform-7-devel-core20          -        24     latest/stable  mmtrt             broken
wine-platform-runtime                 -        353    latest/stable  mmtrt             broken
wine-platform-runtime-core20          -        95     latest/stable  mmtrt             broken

Ebuzer · January 22, 2024, 6:21pm

sudo modprobe loop didn’t fix it.