Cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

I created the ec2-consistent-snapshot snap on Ubuntu 18.04.

It has been successfully tested by a third party on 18.04.

I installed it on Ubuntu 14.04, but when I try to run it there, I get an error:

 /snap/bin/ec2-consistent-snapshot
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

Can a snap built on 18.04 work on 14.04? Is there something else I need to do?

In any case, it seems like this diagnostic message could be improved. It’s not at all clear from the message what should be done to resolve the issue.

Thanks.

Do you have any security denials at the time of the error? ‘grep audit /var/log/syslog’ at the time of the denial.

Thanks for the reply.

Yes, I have this apparmor denial:

kernel: [1988668.219534] type=1400 audit(1533746473.611:29): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=15364 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"

How can I relax App Armor to allow this to work?

Here’s a workaround that does the trick for me:

1.) Edit /etc/apparmor.d/usr.lib.snapd.snap-confine.real, and /etc/apparmor.d/snap.core.***.usr.lib.snapd.snap-confine

2.) In both files add the following line just before the final ‘}’:

ptrace trace peer=unconfined,

(NB: don’t forget the , at the end)

3.) sudo apparmor_parser -r /etc/apparmor.d/usr.lib.snapd.snap-confine.real
    sudo apparmor_parser -r /etc/apparmor.d/snap.core.***.usr.lib.snapd.snap-confine

That should make it work. BUT: it’s not persistent for some reason, sometimes you will need to redo the two last apparmor_parser commands again. Particularly it seems to be required after snap updates. Sometimes repeating the whole procedure is also needed.

@jzimm, thanks for the reply.

I don’t have those files on Ubuntu 14.04, but I do have ‘/etc/apparmor.d/usr.lib.snapd.snap-confine’.

That file already contains the line ptrace trace peer=unconfined.

@markstos - you need this rule: ptrace read peer=unconfined,. This is already fixed in trunk and 2.34 and will be in 2.34.4. For now, you can sudo snap refresh core --edge and it should start to work again.

@mvo - will you be spinning a 2.34.4?


FYI, this is the PR with the fix: https://github.com/snapcore/snapd/pull/5579
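
The denial quoted earlier asks for `read`, while the workaround rule grants only `trace`, which is why a profile that already had `ptrace trace peer=unconfined,` still failed. As an added example (not part of any post in this thread and not snapd code), this Python sketch parses such an audit line and checks a profile's ptrace rules against it; the function names are hypothetical, and rule matching is simplified to word-form access modes and a literal peer comparison.

```python
import re

# Constructed sample modelled on the denial quoted in this thread.
SAMPLE = ('kernel: [1988668.219534] type=1400 audit(1533746473.611:29): '
          'apparmor="DENIED" operation="ptrace" '
          'profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=15364 '
          'comm="snap-confine" requested_mask="read" denied_mask="read" '
          'peer="unconfined"')

# key="value" or key=value; typographic quotes are accepted as well because
# logs pasted through forum software often pick them up.
FIELD = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')
# Simplified ptrace rule: optional access word or (list), optional peer=.
RULE = re.compile(
    r'^\s*ptrace\b\s*(?:\(([^)]*)\)|(\w+))?\s*(?:peer=(\S+?))?\s*,\s*$')
ALL_MODES = {"read", "readby", "trace", "tracedby"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def needed_rule(denial):
    """Narrowest ptrace rule that would permit the denied access, or None."""
    if denial.get("apparmor") != "DENIED" or denial.get("operation") != "ptrace":
        return None
    return "ptrace {} peer={},".format(denial["denied_mask"], denial["peer"])


def profile_allows(profile_text, denial):
    """True if a ptrace rule in the profile text grants the denied access."""
    for raw in profile_text.splitlines():
        m = RULE.match(raw.split("#")[0])  # drop trailing comments
        if not m:
            continue
        listed, single, peer = m.groups()
        if listed:
            modes = set(re.split(r"[,\s]+", listed.strip()))
        else:
            modes = {single} if single else ALL_MODES  # bare "ptrace," = all
        if denial["denied_mask"] in modes and peer in (None, denial["peer"]):
            return True
    return False


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(needed_rule(d))
    print(profile_allows("  ptrace trace peer=unconfined,\n", d))
```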

@jdstrand, I can confirm updating snapd on the edge channel resolves the issue. However, solving this issue revealed a second issue, related to setting the locale:

 /snap/bin/ec2-consistent-snapshot -h 2>&1 | head -10
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = "C.UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Usage:
     ec2-consistent-snapshot [opts] VOLUMEID...

It looks like right now this is something that needs to be addressed when building the snap, which I’ll take care of now. Thanks!

Example fix I found: https://github.com/21dotco/two1-python/pull/16/files#diff-184032a532406b07009403e26f4fc62fR13

I’m not sure if snap is even supposed to be supported in 14.04. You may be in unknown territory there.

@jzimm, Support for snaps on 14.04 was announced in March, 2017: https://blog.ubuntu.com/2017/03/30/snaps-are-now-available-for-ubuntu-14-04-lts-desktop-and-server Are you aware of an official reference where support on 14.04 has since expired?

@jdstrand: After prefixing my command with “env” to set some environment variables, it now segfaults when run on Ubuntu 14.04. The change was:

-    command: ec2-consistent-snapshot
+    command: env LC_ALL=C.UTF-8 LANG=C.UTF-8 ec2-consistent-snapshot
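
Review bot: the `env LC_ALL=C.UTF-8 LANG=C.UTF-8` prefix on the new `command:` line sets LC_ALL to the same value perl already printed in the failing warning (LC_ALL = "C.UTF-8"), so the only new override is LANG, and nothing in this change makes a C.UTF-8 locale available to the perl inside the snap. Confirm that locale exists in the runtime the snap sees on 14.04 before keeping the wrapper; if the variables are still wanted, consider declaring them in the app's `environment:` settings in snapcraft.yaml rather than launching through `env`, so that `command:` stays the plain `ec2-consistent-snapshot` entry.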

The project is: https://github.com/alestic/ec2-consistent-snapshot

This is a particularly interesting use-case for snaps. A bug was found when using the popular backup tool which was actually in a dependency. However, Ubuntu has not upgraded the dependency in Ubuntu 14.04, so users of traditional packages have no fix.

Since snap bundles dependencies, it potentially resolves the packaging issue.

We also look forward to using a package format which is better supported on non-Debian-based systems.

it is supported in 14.04 but you need a HWE kernel …

Thanks for the note. I rebooted into a 4.4 kernel on Ubuntu 14.04 and tried running the ec2-consistent-snapshot snap again. I still get “Segmentation fault (core dumped)” when trying just the basic “--help” flag:

/snap/bin/ec2-consistent-snapshot --help

I think I’m going to revert adding the “env LC_ALL=C.UTF-8 LANG=C.UTF-8” prefix to the command. I can live with a locale warning -- it seemed to be working before, except for the warning about a bad locale.

Greetings,

I am running openSUSE Tumbleweed and I am having this same error, but none of the aforementioned fixes seem to correct the issue. Whether I run “wavebox” or “env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/wavebox_wavebox.desktop /snap/bin/wavebox %U”, I still get:
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

I have gone into the apparmor snap.core file and checked that the aforementioned changes were made as well.

Any help here would be great. Also, any resources I can be pointed to to help with snaps on openSUSE would also be great.

Thanks!