[Solved] Launching snaps in network namespace fails with "error: cannot find tracking cgroup"

I’m trying to launch the firefox snap from a shell inside a network namespace managed by vopono, and it fails.

$ snap run --debug-log --shell firefox
2022/08/02 16:31:31.619292 cmd_run.go:486: DEBUG: enabled debug logging of early snap startup
2022/08/02 16:31:31.619850 cmd_run.go:1035: DEBUG: executing snap-confine from /snap/core/13425/usr/lib/snapd/snap-confine
2022/08/02 16:31:31.620216 cmd_run.go:438: DEBUG: SELinux not enabled
2022/08/02 16:31:31.620490 tracking.go:46: DEBUG: creating transient scope snap.firefox.firefox
2022/08/02 16:31:31.621077 tracking.go:186: DEBUG: using session bus
2022/08/02 16:31:31.621981 tracking.go:319: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/822
error: cannot find tracking cgroup

When launched directly:

$ firefox -ProfileManager
internal error, please report: running "firefox" failed: cannot find tracking cgroup

The shell (bash) was created with:

vopono exec --dns "1.1.1.1" --provider privateinternetaccess --server jp "bash"

The error seems to originate from ProcessPathInTrackingCgroup. I checked /proc/self/cgroup:

$ cat /proc/self/cgroup 
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.yakuake-93dfbf7d91b44295bf8ca397d8bd220f.scope

sudo dmesg | grep DENIED shows no lines when launching the firefox snap from the network namespace.

Any ideas how I can debug this further to fix it?

Might be related to: Snaps interfere with mount namespaces

OK, it seems that ProcessPathInTrackingCgroup is getting very different things when inside and outside network namespaces.

I used the following command to trace the cgroup file:

strace --trace=openat,read -v -s 200 -f firefox -ProfileManager

Outside the network namespace:

[pid 296602] openat(AT_FDCWD, "/proc/296602/cgroup", O_RDONLY|O_CLOEXEC) = 5
[pid 296602] read(5, "0::/user.slice/user-1000.slice/user@1000.service/app.slice/snap.firefox.firefox.92552251-24b0-42b3-95f0-d5f1e8a5147b.scope\n", 4096) = 123

Inside the network namespace:

[pid 297025] openat(AT_FDCWD, "/proc/297014/cgroup", O_RDONLY|O_CLOEXEC) = 6
[pid 297025] read(6, "0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.yakuake-93dfbf7d91b44295bf8ca397d8bd220f.scope\n", 4096) = 118
[pid 297025] read(6, "", 3978)          = 0
internal error, please report: running "firefox" failed: cannot find tracking cgroup

Turns out it’s because /sys/fs/cgroup isn’t mounted. securityfs is also required. (I got this idea from https://github.com/diddlesnaps/snapcraft-container/issues/8#issuecomment-1070825050)

Mount cgroup2 and securityfs inside the netns shell:

sudo mount -t cgroup2 cgroup2 /sys/fs/cgroup
sudo mount -t securityfs securityfs /sys/kernel/security/

After doing so, firefox snap could be launched in the network namespace.

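The script below is an added example, not code from the original post or from snapd or vopono. It turns the fix above into something you can run inside the vopono shell: it reads /proc/self/mountinfo to see whether a cgroup2 filesystem is mounted at /sys/fs/cgroup and securityfs at /sys/kernel/security, reads the unified-hierarchy path from /proc/self/cgroup the way the strace output shows snapd doing, and checks that this path is actually a directory under /sys/fs/cgroup. Why the mounts go missing in the first place: vopono enters the namespace with ip netns exec, which unshares a mount namespace and remounts /sys there, so the mounts that normally sit below /sys are hidden while the process's cgroup membership is unchanged. With --fix the script re-runs the two mount commands from the post (root via sudo, as in the post); those mounts are private to that mount namespace and disappear with the shell. The script name, function names and the sample mountinfo lines used for testing are this example's own assumptions.

```shell
#!/bin/sh
# snap-netns-check.sh (hypothetical name): added example, not from the post.
# Diagnose and optionally repair the mounts snapd needs for cgroup tracking
# inside a vopono / ip netns exec shell.

# Print the filesystem type mounted at mount point $1, read from the
# /proc/self/mountinfo text given as $2. Field 5 is the mount point; the
# fstype is the field right after the "-" separator. The last matching line
# wins, since a later mount on the same point overmounts the earlier one.
mount_fstype() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { t = $(i + 1); break } }
        END { if (t != "") print t }'
}

# Print, one per line, the mounts snapd needs that are absent from the
# mountinfo text $1: "cgroup2" for /sys/fs/cgroup and "securityfs" for
# /sys/kernel/security. Prints nothing when both are present.
missing_mounts() {
    [ "$(mount_fstype /sys/fs/cgroup "$1")" = cgroup2 ] || echo cgroup2
    [ "$(mount_fstype /sys/kernel/security "$1")" = securityfs ] || echo securityfs
}

# Print the unified-hierarchy (cgroup v2) path from the /proc/<pid>/cgroup
# text $1, i.e. the part after "0::". This is the path snapd compares with
# the snap.<snap>.<app>.<uuid>.scope it asked systemd to create.
cgroup_v2_path() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# Succeed if cgroup $1 exists as a directory under the cgroup2 mount root $2
# (default /sys/fs/cgroup). In the vopono shell this fails until cgroup2 is
# mounted, even though the process's cgroup membership never changed.
cgroup_dir_visible() {
    [ -d "${2:-/sys/fs/cgroup}$1" ]
}

# Report the state of the current namespace. Returns 0 when the tracking
# cgroup should be resolvable, 1 otherwise.
diagnose() {
    mi=$(cat /proc/self/mountinfo 2>/dev/null)
    cg=$(cat /proc/self/cgroup 2>/dev/null)
    path=$(cgroup_v2_path "$cg")
    missing=$(missing_mounts "$mi")
    if [ -z "$path" ]; then
        echo "no cgroup v2 entry (0::...) in /proc/self/cgroup"
        return 1
    fi
    echo "cgroup of this shell: $path"
    if [ -n "$missing" ]; then
        echo "missing mounts: $(echo "$missing" | tr '\n' ' ')"
        return 1
    fi
    if ! cgroup_dir_visible "$path"; then
        echo "cgroup2 is mounted but $path is not a directory under /sys/fs/cgroup"
        return 1
    fi
    echo "ok: tracking cgroup is visible under /sys/fs/cgroup"
}

# Recreate the missing mounts in this mount namespace, using the same two
# commands as the post (needs root, hence sudo).
fix_mounts() {
    missing_mounts "$(cat /proc/self/mountinfo)" | while read -r fs; do
        case "$fs" in
            cgroup2)    sudo mount -t cgroup2 cgroup2 /sys/fs/cgroup ;;
            securityfs) sudo mount -t securityfs securityfs /sys/kernel/security ;;
        esac
    done
}

# Usage inside the vopono shell:
#   sh snap-netns-check.sh --check   # report only
#   sh snap-netns-check.sh --fix     # mount what is missing, then report
# With no argument the script only defines the functions, so it can be sourced.
case "${1:-}" in
    --check) diagnose ;;
    --fix)   fix_mounts && diagnose ;;
esac
```

Run it with --check before and after the mount commands: the first run should list both mounts as missing, the second should report the scope path as visible. If --check still fails after the mounts are in place, the problem is not the one this thread solved, and the strace command from the post is the next thing to look at.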