Can't start snaps cannot create /sys/fs/bpf/snap directory

snapd
1

After updating my ubuntu 18.04 with

sudo apt update && sudo apt upgrade I have problems with snaps, if I try to run them I got cannot create /sys/fs/bpf/snap directory: No such file or directory

if i run in debug with

SNAPD_DEBUG=1 snap run todoist

I get

2022/01/26 12:36:53.910244 tool_linux.go:204: DEBUG: restarting into “/snap/core/current/usr/bin/snap” 2022/01/26 12:36:53.929929 cmd_run.go:433: DEBUG: SELinux not enabled 2022/01/26 12:36:53.930654 tracking.go:46: DEBUG: creating transient scope snap.todoist.todoist 2022/01/26 12:36:53.931439 tracking.go:186: DEBUG: using session bus 2022/01/26 12:36:53.932269 tracking.go:319: DEBUG: create transient scope job: /org/freedeskto /systemd1/job/293 2022/01/26 12:36:53.932453 tracking.go:419: DEBUG: job result is “done” 2022/01/26 12:36:53.932462 tracking.go:426: DEBUG: transient scope snap.todoist.todoist.b346bb34-9805-4e14-9c76-d4ac701e8c90.scope created 2022/01/26 12:36:53.932718 tracking.go:146: DEBUG: waited 1.207513ms for tracking DEBUG: umask reset, old umask was 02 DEBUG: security tag: snap.todoist.todoist DEBUG: executable: /usr/lib/snapd/snap-exec DEBUG: confinement: non-classic DEBUG: base snap: core18 DEBUG: ruid: 1000, euid: 0, suid: 0 DEBUG: rgid: 1000, egid: 1000, sgid: 1000 DEBUG: apparmor label on snap-confine is: /snap/core/12603/usr/lib/snapd/snap-confine DEBUG: apparmor mode is: enforce DEBUG: creating lock directory /run/snapd/lock (if missing) DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: opening lock directory /run/snapd/lock DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes) DEBUG: opening lock file: /run/snapd/lock/.lock DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes) DEBUG: sanity timeout initialized and set for 30 seconds DEBUG: acquiring exclusive lock (scope (global), uid 0) DEBUG: sanity timeout reset and disabled DEBUG: ensuring that snap mount directory is shared DEBUG: unsharing snap namespace directory DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes) DEBUG: releasing lock 5 DEBUG: opened snap-update-ns executable as file descriptor 5 DEBUG: opened snap-discard-ns executable as file descriptor 6 DEBUG: creating lock directory /run/snapd/lock (if missing) DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: opening lock directory /run/snapd/lock DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes) DEBUG: opening lock file: /run/snapd/lock/todoist.lock DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes) DEBUG: sanity timeout initialized and set for 30 seconds DEBUG: acquiring exclusive lock (scope todoist, uid 0) DEBUG: sanity timeout reset and disabled DEBUG: initializing mount namespace: todoist DEBUG: setting up device cgroup DEBUG: cannot find current tags symbol: /lib/x86_64-linux-gnu/libudev.so.1: undefined symbol: udev_device_has_current_tag DEBUG: no current tags support present DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) cannot create /sys/fs/bpf/snap directory: No such file or directory

The output of

sudo journalctl --no-pager | tail -100

is

Jan 26 12:27:39 smith org.debian.apt[700]: 12:27:39 AptDaemon [INFO]: UpdateCache() was called Jan 26 12:27:39 smith AptDaemon.Trans[4651]: INFO: Queuing transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:39 smith org.debian.apt[700]: 12:27:39 AptDaemon.Trans [INFO]: Queuing transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:39 smith AptDaemon.Worker[4651]: INFO: Simulating trans: /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:39 smith org.debian.apt[700]: 12:27:39 AptDaemon.Worker [INFO]: Simulating trans: /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:39 smith AptDaemon.Worker[4651]: INFO: Processing transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:39 smith org.debian.apt[700]: 12:27:39 AptDaemon.Worker [INFO]: Processing transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:40 smith AptDaemon.Worker[4651]: INFO: Updating cache Jan 26 12:27:40 smith org.debian.apt[700]: 12:27:40 AptDaemon.Worker [INFO]: Updating cache Jan 26 12:27:44 smith AptDaemon.Worker[4651]: INFO: Finished transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:44 smith org.debian.apt[700]: 12:27:44 AptDaemon.Worker [INFO]: Finished transaction /org/debian/apt/transaction/6d7e0def5bd84ccdb25db785382fb635 Jan 26 12:27:48 smith gnome-software[2578]: Only 0 apps for recent list, hiding Jan 26 12:27:48 smith gnome-software[2578]: failed to call gs_plugin_add_updates on fwupd: ignoring OptiPlex 3040 TPM 1.2 [17767aff36e478e69d7b885646f23e0b939e6ab8] as not updatable Jan 26 12:27:48 smith gnome-software[2578]: tried overwriting io.snapcraft.spotify-pOBIoZ2LrCB3rDohMxoYGnbN14EHOgD7 key GnomeSoftware::FeatureTile-css from border-color: #000000; text-shadow: 0 1px 1px rgba(255,255,255,0.5); color: #000000; outline-offset: 0; outline-color: alpha(#ffffff, 0.75); outline-style: dashed; outline-offset: 2px; background: url(‘/home/abettati/.cache/gnome-software/cssresource/d41109772367d9176255aae48ada07072724beca-banner-icon_WaLCF17.png’) left center / auto 100% no-repeat, url(‘/home/abettati/.cache/gnome-software/cssresource/49fefcf8aa37528235d9e84184b84e8ffac44ea7-banner_dSwF9EF.png’) center / cover no-repeat;; to border-color: #000000; text-shadow: 0 1px 1px rgba(255,255,255,0.5); color: #000000; outline-offset: 0; outline-color: alpha(#ffffff, 0.75); outline-style: dashed; outline-offset: 2px; background: url(‘https://dashboard.snapcraft.io/site_media/appmedia/2017/12/banner-icon_WaLCF17.png’) left center / auto 100% no-repeat, url(‘https://dashboard.snapcraft.io/site_media/appmedia/2017/12/banner_dSwF9EF.png’) center / cover no-repeat;; Jan 26 12:27:49 smith PackageKit[1816]: resolve transaction /2418_adeedcbc from uid 1000 finished with success after 596ms Jan 26 12:27:49 smith PackageKit[1816]: search-file transaction /2419_daecbdac from uid 1000 finished with success after 587ms Jan 26 12:27:49 smith gnome-software[2578]: Failed to find one package for mplab.desktop, /usr/share/applications/mplab.desktop, [0] Jan 26 12:27:50 smith PackageKit[1816]: search-file transaction /2420_abaacbcd from uid 1000 finished with success after 567ms Jan 26 12:27:50 smith gnome-software[2578]: Failed to find one package for mplab_ipe.desktop, /usr/share/applications/mplab_ipe.desktop, [0] Jan 26 12:27:50 smith PackageKit[1816]: get-details transaction /2421_aceeebac from uid 1000 finished with success after 492ms Jan 26 12:27:57 smith polkitd(authority=local)[785]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action com.ubuntu.release-upgrader.release-upgrade for unix-process:4639:80577 [/bin/sh -c /usr/bin/do-release-upgrade --frontend=DistUpgradeViewGtk3] (owned by unix-user:abettati) Jan 26 12:27:57 smith pkexec[5413]: abettati: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/abettati] [COMMAND=/usr/bin/do-release-upgrade --frontend=DistUpgradeViewGtk3] Jan 26 12:27:57 smith update-manager.desktop[4639]: Error executing command as another user: Request dismissed Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Activating service name=‘org.gnome.Nautilus’ requested by ‘:1.21’ (uid=1000 pid=2113 comm=“/usr/bin/gnome-shell " label=“unconfined”) Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Activating service name=‘org.gnome.Boxes.SearchProvider’ requested by ‘:1.21’ (uid=1000 pid=2113 comm=”/usr/bin/gnome-shell " label=“unconfined”) Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Activating service name=‘org.gnome.clocks’ requested by ‘:1.21’ (uid=1000 pid=2113 comm="/usr/bin/gnome-shell " label=“unconfined”) Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Successfully activated service ‘org.gnome.Boxes.SearchProvider’ Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Successfully activated service ‘org.gnome.clocks’ Jan 26 12:28:06 smith dbus-daemon[1998]: [session uid=1000 pid=1998] Successfully activated service ‘org.gnome.Nautilus’ Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:06 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:07 smith gnome-clocks[5436]: g_variant_new_string: assertion ‘string != NULL’ failed Jan 26 12:28:08 smith systemd[1964]: snap.todoist.todoist.b8bd5b9f-d34f-4641-91b8-1d0645f34676.scope: Failed to add PIDs to scope’s control group: Permission denied Jan 26 12:28:08 smith systemd[1964]: snap.todoist.todoist.b8bd5b9f-d34f-4641-91b8-1d0645f34676.scope: Failed with result ‘resources’. Jan 26 12:28:08 smith systemd[1964]: Failed to start snap.todoist.todoist.b8bd5b9f-d34f-4641-91b8-1d0645f34676.scope. Jan 26 12:28:08 smith todoist_todoist.desktop[5537]: internal error, please report: running “todoist” failed: transient scope could not be started, job /org/freedesktop/systemd1/job/284 finished with result failed Jan 26 12:28:13 smith sudo[5556]: abettati : TTY=pts/0 ; PWD=/home/abettati ; USER=root ; COMMAND=/usr/bin/snap refresh todoist Jan 26 12:28:13 smith sudo[5556]: pam_unix(sudo:session): session opened for user root by (uid=0) Jan 26 12:28:13 smith sudo[5556]: pam_unix(sudo:session): session closed for user root Jan 26 12:28:16 smith systemd[1964]: Started snap.todoist.todoist.bca44f4d-fe46-494c-878a-ad5516694639.scope. Jan 26 12:28:25 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:25 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:33 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:33 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:33 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:33 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:35 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:28:35 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:29:13 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:29:13 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:29:18 smith systemd[1]: Starting Cleanup of Temporary Directories… Jan 26 12:29:18 smith systemd[1]: Started Cleanup of Temporary Directories. Jan 26 12:30:46 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:30:46 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:41 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:41 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:55 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:55 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:55 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:55 smith rtkit-daemon[1600]: Supervising 4 threads of 2 processes of 1 users. Jan 26 12:31:55 smith rtkit-daemon[1600]: Successfully made thread 6000 of process 5711 (n/a) owned by ‘1000’ RT at priority 10. Jan 26 12:31:55 smith rtkit-daemon[1600]: Supervising 5 threads of 3 processes of 1 users. Jan 26 12:31:57 smith rtkit-daemon[1600]: Supervising 5 threads of 3 processes of 1 users. Jan 26 12:31:57 smith rtkit-daemon[1600]: Supervising 5 threads of 3 processes of 1 users. Jan 26 12:32:30 smith org.gnome.Shell.desktop[2113]: ###!!! [Parent][MessageChannel] Error: (msgtype=0x6B0008,name=PMessagePort::Msg___delete__) Channel closing: too late to send/recv, messages will be lost Jan 26 12:32:30 smith org.gnome.Shell.desktop[2113]: ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost Jan 26 12:32:31 smith systemd[1964]: Started snap.drawio.drawio.97879367-0947-4a7b-bd36-de6efc1feae9.scope. Jan 26 12:36:53 smith systemd[1964]: Started snap.todoist.todoist.b346bb34-9805-4e14-9c76-d4ac701e8c90.scope. Jan 26 12:38:28 smith sudo[6223]: abettati : TTY=pts/0 ; PWD=/home/abettati ; USER=root ; COMMAND=/bin/journalctl --no-pager Jan 26 12:38:28 smith sudo[6223]: pam_unix(sudo:session): session opened for user root by (uid=0) Jan 26 12:38:39 smith AptDaemon[4651]: INFO: Quitting due to inactivity Jan 26 12:38:39 smith AptDaemon[4651]: INFO: Quitting was requested Jan 26 12:38:39 smith org.debian.apt[700]: 12:38:39 AptDaemon [INFO]: Quitting due to inactivity Jan 26 12:38:39 smith org.debian.apt[700]: 12:38:39 AptDaemon [INFO]: Quitting was requested

any idea?

Best, Andrea

2

Please attach the output of:

  • snap version
  • stat -f /sys/fs/cgroup
  • ls -l /sys/fs
3

Hi @mborzecki,

snap version snap 2.54.2 snapd 2.54.2 series 16 ubuntu 20.04 kernel 5.4.0-96-generic

stat -f /sys/fs/cgroup

File: “/sys/fs/cgroup” ID: 0 Namelen: 255 Type: cgroup2fs Block size: 4096 Fundamental block size: 4096 Blocks: Total: 0 Free: 0 Available: 0 Inodes: Total: 0 Free: 0

ls -l /sys/fs

total 0 drwx-----T 2 root root 0 Jan 26 16:11 bpf dr-xr-xr-x 6 root root 0 Jan 26 16:11 cgroup drwxr-xr-x 2 root root 0 Jan 26 18:33 ecryptfs drwxr-xr-x 4 root root 0 Jan 26 18:33 ext4 drwxr-xr-x 3 root root 0 Jan 26 16:11 fuse drwxr-x— 2 root root 0 Jan 26 16:11 pstore

4

This is confusing, AFAIK Ubuntu 20.04 was not configured to use cgroup v2, but your system is. I’m not sure whether the version of systemd in 20.04 will automatically mount bpffs /sys/fs/bpf. Can you attach the output of stat -f /sys/fs/bpf?

5

I’m sorry for the bad formatting, I realized now I need a new-line before code.

The output is

  File: "/sys/fs/bpf"
    ID: 0        Namelen: 255     Type: bpf_fs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 0          Free: 0          Available: 0
Inodes: Total: 0          Free: 0
6

Hm so bpf is mounted, have you tried to run a snap again? If it still doesn’t work, can you run sudo apt install strace -y, and then run SNAPD_DEBUG=1 snap run --strace='--raw -v -s 256' todoist and attach the output?

7

Thanks @mborzecki for the support.

 SNAPD_DEBUG=1 snap run drawio --strace='--raw -v -s 256' 
2022/01/27 12:01:52.449869 tool_linux.go:204: DEBUG: restarting into "/snap/core/current/usr/bin/snap"
2022/01/27 12:01:52.467977 cmd_run.go:433: DEBUG: SELinux not enabled
2022/01/27 12:01:52.468492 tracking.go:46: DEBUG: creating transient scope snap.drawio.drawio
2022/01/27 12:01:52.469345 tracking.go:186: DEBUG: using session bus
2022/01/27 12:01:52.470708 tracking.go:319: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/840
2022/01/27 12:01:52.471283 tracking.go:419: DEBUG: job result is "done"
2022/01/27 12:01:52.471296 tracking.go:426: DEBUG: transient scope snap.drawio.drawio.814cba02-a76b-4714-9bbe-daa224f71238.scope created
2022/01/27 12:01:52.476609 tracking.go:146: DEBUG: waited 7.193941ms for tracking
DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.drawio.drawio
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/core/12603/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/drawio.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope drawio, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: drawio
DEBUG: setting up device cgroup
DEBUG: cannot find current tags symbol: /lib/x86_64-linux-gnu/libudev.so.1: undefined symbol: udev_device_has_current_tag
DEBUG: no current tags support present
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: get bpf object at path /sys/fs/bpf/snap/snap_drawio_drawio
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: device map not present yet
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: create bpf map of type 0x1, key size 9, value size 1, entries 500
DEBUG: got bpf map at fd: 8
DEBUG: pin bpf object 8 to path /sys/fs/bpf/snap/snap_drawio_drawio
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: load program of type 0xf, 33 instructions
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: v2 allow c 1:3
DEBUG: v2 allow c 1:5
DEBUG: v2 allow c 1:7
DEBUG: v2 allow c 1:8
DEBUG: v2 allow c 1:9
DEBUG: v2 allow c 5:0
DEBUG: v2 allow c 5:1
DEBUG: v2 allow c 5:2
DEBUG: v2 allow c 136:4294967295
DEBUG: v2 allow c 137:4294967295
DEBUG: v2 allow c 138:4294967295
DEBUG: v2 allow c 139:4294967295
DEBUG: v2 allow c 140:4294967295
DEBUG: v2 allow c 141:4294967295
DEBUG: v2 allow c 142:4294967295
DEBUG: v2 allow c 143:4294967295
DEBUG: v2 allow c 10:239
DEBUG: v2 allow c 10:200
DEBUG: inspecting type of device: /dev/dri/card0
DEBUG: v2 allow c 226:0
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-DP-1
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-DP-2
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-2
DEBUG: inspecting type of device: /dev/dri/renderD128
DEBUG: v2 allow c 226:128
DEBUG: process in cgroup /user.slice/user-1000.slice/user@1000.service/snap.drawio.drawio.814cba02-a76b-4714-9bbe-daa224f71238.scope
DEBUG: cgroup /sys/fs/cgroup//user.slice/user-1000.slice/user@1000.service/snap.drawio.drawio.814cba02-a76b-4714-9bbe-daa224f71238.scope opened at 10
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: attach type 0x6 program 9 to cgroup 10
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
cannot attach cgroup program: Operation not permitted
8

The order of arguments has to be like this: SNAPD_DEBUG=1 snap run --strace='--raw -v -s 256' drawio

9

Output was too long, had to put here.

10

This is all I get:

The file you requested has been deleted

11

That’s proabably because I tried to download it to check if it was working. New link.

12

From the log:

getegid()                               = 0
mkdir("/sys/fs/bpf/snap", 0700)         = -1 EEXIST (File exists)
write(2, "DEBUG: ", 7DEBUG: )                  = 7

so this part was successful, but then:

bpf(BPF_PROG_ATTACH, {target_fd=10, attach_bpf_fd=9, attach_type=BPF_CGROUP_DEVICE, attach_flags=0}, 128) = -1 EPERM (Operation not permitted)
write(2, "DEBUG: ", 7DEBUG: )                  = 7
write(2, "set_effective_identity uid:0 (change: no), gid:1000 (change: yes)", 65set_effective_identity uid:0 (change: no), gid:1000 (change: yes)) = 65
write(2, "\n", 1
)                       = 1
getegid()                               = 0
setresgid(-1, 1000, -1)                 = 0
getegid()                               = 1000
write(2, "cannot attach cgroup program", 28cannot attach cgroup program) = 28
write(2, ": Operation not permitted\n", 26: Operation not permitted
) = 26
exit_group(1)                           = ?
+++ exited with 1 +++
error: exit status 1

Could be different reasons, like mode of the cgorup, missing BPF patches in the kernel. I’m sorry but I’m out of ideas at this point. You are using a relatively new feature on an old kernel and userland. I suggest disabling cgroup v2, if you really need it, update to a release which has a compatible userland. You may try 20.04, but AFAIK Ubuntu only enabled cgroup v2 in 21.10.

13

I updated to 20.04 in an effort to get snaps running. Searching on google is not clear to me how to disable cgroup v2, I think I set it up a while ago when trying to limit the amount of memory firefox can use. But there’s a chance I will be able to use cgroup v2 on 20.04? I would like to keep an LTS release.

14

Do the snaps work now after an upgrade to 20.04?

15

No, it is still broken. I updated yesterday. All the the commands from today are in 20.04

16

Does the snap work if you run it through sudo?

17

unfortunately no. Example:

~$ sudo snap run todoist
cannot attach cgroup program: Operation not permitted
18

I still don’t think this setup will work. Can you attach the output of snap debug sandbox-features ?

19

Here it is

apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:qipcrtr-socket parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 tagging

do you think 22.04 will fix this?

20

Clearly the apparmor_parser in 20.04 is missing capability bpf support, so the policy is incomplete.

Yes, 22.04 will work once it’s released. Cgroup v2 has been enabled in 21.10 already.

Another option is to reevaluate if you need the unified hierarchy support. It’s isn’t clear to me how that helps your firefox use case. The memory controller was in v1 already.