I’ve recently had cause to install snapd on a fresh Debian bullseye installation, and while everything else seems to be working fine, snaps which need network access don’t appear to be getting it, and are failing accordingly.
(This is under WSL 2, but I don’t think that’s relevant; I’m using genie to run it inside a systemd bottle, and this exact same configuration worked perfectly using Debian buster. If anyone out there’s tried it on bullseye and is having a similar issue or not having a similar issue, I’d appreciate hearing that…)
So, for example, non-network-using snaps such as hello-world
and lsd
work as expected, but those which need the network fail variously. For example:
❯ tldr ln
Page not found. Updating cache ..
{ Error: getaddrinfo ENOTFOUND tldr-pages.github.io tldr-pages.github.io:80
at errnoException (dns.js:28:10)
at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:76:26)
code: 'ENOTFOUND',
errno: 'ENOTFOUND',
syscall: 'getaddrinfo',
hostname: 'tldr-pages.github.io',
host: 'tldr-pages.github.io',
port: 80 }
[1] 2556 exit 1 tldr ln
or
❯ snap-store
15:13:24:0730 GLib-GIO g_app_info_get_name: assertion 'G_IS_APP_INFO (appinfo)' failed
Unable to init server: Unable to create socket: Permission denied
15:13:24:0734 Gtk cannot open display: 172.16.1.2:0.0
[1] 2698 exit 1 snap-store
or
❯ chromium
[1] 3407 trace trap chromium
…and so forth.
Edited to add: I think this is an AppArmor issue, because I’m seeing long lists of denied operations for sockets in the system log for snap profiles. One example:
Oct 27 10:12:08 localhost kernel: [47344.839719] audit: type=1400 audit(1572189128.786:44499): apparmor="DENIED" operation="create" profile="snap.tldr.tldr" pid=12308 comm="node" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Oct 27 10:12:08 localhost kernel: [47344.839724] audit: type=1400 audit(1572189128.786:44500): apparmor="DENIED" operation="create" profile="snap.tldr.tldr" pid=12308 comm="node" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
Oct 27 10:12:08 localhost kernel: [47344.839726] audit: type=1400 audit(1572189128.786:44501): apparmor="DENIED" operation="create" profile="snap.tldr.tldr" pid=12308 comm="node" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
Oct 27 10:12:08 localhost kernel: [47344.840289] audit: type=1400 audit(1572189128.786:44502): apparmor="DENIED" operation="create" profile="snap.tldr.tldr" pid=12308 comm="node" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Oct 27 10:12:08 localhost kernel: [47344.840292] audit: type=1400 audit(1572189128.786:44503): apparmor="DENIED" operation="create" profile="snap.tldr.tldr" pid=12308 comm="node" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"