Install snaps locally without `--devmode`

Hi,

I have a locally built snap (lxd) using snapcraft. I can install it fine using the following command:

sudo snap install lxd_4.0.2_amd64.snap --devmode --dangerous

If I understand correctly, --devmode means that the application is not confined and is
not refreshed. If I omit the option, I get all sorts of permission errors.

How do official snaps from the store differ in that regard? E.g. how does lxd from the snap
store deal with confinement, so that it can work correctly?

I ask because it would be nice to omit the --devmode and handle confinement issues
correctly (i.e. setting the right permissions, etc.) instead of disabling it altogether.

What’s probably happening is that some interfaces your snap relies on are left disconnected.

When you install the LXD snap from the store, snapd will use the corresponding snap declaration assertion to allow additional interfaces to auto-connect. These interfaces modify how LXD will be sandboxed.

We can use the snap known command to print out this declaration (the snap-id field is the one printed by snap info lxd):

$ snap known --remote snap-declaration series=16 snap-id=J60k4JY0HppjwOjW8dZdYc8obXKxujRu
...
plugs:
  lxd-support:
    allow-auto-connection: true
    allow-installation: true
  system-observe:
    allow-auto-connection: true
...

So to test your custom built snap, I would try running the following commands:

sudo snap install lxd_4.0.2_amd64.snap --dangerous
sudo snap connect lxd:lxd-support
sudo snap connect lxd:system-observe

As this snap is installed with --dangerous, it is not considered to be the same as the lxd snap from the store and won’t refresh. If there are particular changes you needed to make to LXD, I would suggest trying to get them into the official packages.

2 Likes
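The comparison behind the answer above, as an added example that is not part of the original posts or of snapd: it takes the `plugs:` section of the snap declaration and the output of `snap connections lxd`, and prints the `snap connect` commands for declared auto-connect plugs that are still disconnected. The function names are hypothetical and the `snap connections` sample is constructed.

```shell
#!/bin/sh
# Added example: which declared auto-connect plugs are still disconnected?

# Plugs marked "allow-auto-connection: true" in a snap-declaration on stdin
# (only the plain true form shown in the thread; rule maps are ignored).
declared_autoconnect() {
    awk '
        /^plugs:/ { in_plugs = 1; next }
        /^[^ ]/   { in_plugs = 0 }   # any other top-level line ends the section
        in_plugs && /^  [^ ]/ { plug = $1; sub(/:$/, "", plug) }
        in_plugs && /^    allow-auto-connection: true$/ { print plug }
    '
}

# Plugs of snap $1 whose Slot column is "-" in `snap connections` output on stdin.
disconnected_plugs() {
    awk -v snap="$1" '
        NR > 1 && $3 == "-" && index($2, snap ":") == 1 {
            print substr($2, length(snap) + 2)
        }'
}

# $1 = snap name, $2 = declaration text, $3 = `snap connections` text.
missing_connect_cmds() {
    decl=$(printf '%s\n' "$2" | declared_autoconnect)
    printf '%s\n' "$3" | disconnected_plugs "$1" | while read -r plug; do
        if printf '%s\n' "$decl" | grep -Fxq -- "$plug"; then
            echo "sudo snap connect $1:$plug"
        fi
    done
}

# Constructed sample input (declaration excerpt copied from the thread).
SAMPLE_DECL='plugs:
  lxd-support:
    allow-auto-connection: true
    allow-installation: true
  system-observe:
    allow-auto-connection: true'
SAMPLE_CONNS='Interface       Plug                Slot      Notes
lxd             -                   lxd:lxd   -
lxd-support     lxd:lxd-support     -         -
network         lxd:network         :network  -
system-observe  lxd:system-observe  -         -'

missing_connect_cmds lxd "$SAMPLE_DECL" "$SAMPLE_CONNS"
```

On a real system the two inputs would come from the `snap known --remote snap-declaration ...` command quoted above and from `snap connections lxd`.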

@jamesh Thanks for your reply!

I installed lxd the way you recommended, now I get this error:

Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied

I tried re-starting the lxd service, but it had no effect.

Any ideas?

To debug confinement issues (which this might be) I’d recommend using snappy-debug.

snap install snappy-debug

Then:

snappy-debug.security scanlog

Then launch your snap in another terminal and look for errors in the above terminal.

Running snappy-debug.security scanlog gives:

INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
WARN: could not find log mark, is syslog enabled?

I ran sudo service rsyslog restart but it had no effect.

Btw. I’m running Ubuntu 16.04, if that helps.

Well, did you read the output above? Just follow the suggestion there …

@ogra Good point. :)

I followed the instructions in the output, but no messages occur when I run lxc list in another terminal.

The permission error goes away when I run lxc with sudo, but obviously this is not a solution.

Oh!
Is your user in the lxd group? The lxd socket is specifically assigned to that group, so a user who is a member of it should be able to access the socket without permission elevation …

@ogra Group settings are o.k.

I found the solution: Doing

sudo snap restart lxd

after the new installation of lxd did the trick!

LXD seems to run fine now with confinement enabled :) Will further test it in the upcoming days.

Thank you for your help!

2 Likes