Not able to start/configure custom built ubuntu core

@ogra Oh, thanks it works.
One more thing, so I guess this is a bug, because it should work with a standard installation, without devmode, right?

yes, that is right and @pstolowski and @ijohnson are the right guys to fix it, so all is in good hands :wink:


There was a bug in the kernel where ‘k’ was not properly mediated in all cases. I suspect the current policy works on kernels with that bug but not on kernels where this bug is fixed (i.e., ‘k’ is always properly mediated). We should add ‘k’ to the policy.


Great, where can I check if the fix for it was merged to Ubuntu Core? Or where can I find a ticket for this issue to follow?

Apart from this, I have a question regarding this workaround with devmode flag set you mentioned. Can I somehow provide this flag, while I am creating a custom core image with my snap attached?

Like in this example:

sudo ubuntu-image snap --channel stable -O ubuntu-core-18-terminal-amd64 --snap ubuntu-core/pc-amd64-gadget-terminal/terminal-device_0.1.0_amd64.snap --snap terminal-app_0.1.3_amd64.snap --snap ubuntu-core/mir-kiosk_2593.snap ubuntu-core/terminal-device.model

I provide my gadget.snap, mir-kiosk and my terminal app. Is there a way to set the devmode flag here?
Also, is there a way to provide some additional config here? E.g. I want to set the default orientation for mir-kiosk from a different layout. Is there a way to provide it during the custom image build? Or maybe the only way here is to rebuild mir-kiosk with custom hooks?

@jdstrand has submitted the PR fixing this here: https://github.com/snapcore/snapd/pull/7779

After that is merged, the fix will be available in the snapd/core snap edge channels and will likely be released with 2.43, which I think should be out in the next couple weeks. See The snapd roadmap for more details.


Thanks. I will check them in the next weeks.

FYI, I found How to preconfigure custom image? topic so I guess I have all answers I need regarding preconfigured custom image.

Hi,
Today, I tried to switch back to strict confinement to check if the fix was already in place for it (it is not in stable yet, I found out), but I found another issue maybe related to this.

My app writes to a file. This file is in the /var/snap dir, so it should be writable by it, but I get the following AppArmor error:

8.715146] audit: type=1400 audit(1577789331.199:173): apparmor="DENIED" operation="open" profile="snap.terminal-app.terminal-kiosk" name="/var/snap/terminal-app/x1/config/html/qr.html" pid=12648 comm="terminal" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Is it related to the same thing? Or am I just missing something again?

writing underneath /var typically needs root permissions, this is not snap specific though …

if you want to write stuff as a user, make your app use $SNAP_USER_DATA (~/snap/<package>/current/) and not $SNAP_DATA (/var/snap/<package>/current/)…


Hmm, what do you mean as a user, a system one? In my case the application run in a snap wants RW access to this file; the system user is not going to write it, only the app itself, and it is running as root. Shouldn’t it have rw access then?

@ogra Thanks, your suggestion helped.
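
A small triage helper for denials like the one quoted in this thread, added here as an example and not part of the thread or of snapd: it parses AppArmor `DENIED` audit records and expands the `denied_mask` letters (including the `k` lock permission discussed earlier) per profile and path. The function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# AppArmor file-permission letters used in requested_mask / denied_mask.
MASK_BITS = {"r": "read", "w": "write", "a": "append", "c": "create",
             "d": "delete", "k": "lock", "l": "link", "m": "mmap-exec",
             "x": "execute"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare or quoted
        # The audit subsystem writes strings with spaces or special bytes
        # unquoted and hex-encoded; decode those for name/comm only.
        if key in ("name", "comm") and bare and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def summarize(lines):
    """Map (profile, path) -> sorted list of denied permission names."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec and "profile" in rec and "name" in rec:
            perms = [MASK_BITS.get(ch, "unknown:" + ch) for ch in rec.get("denied_mask", "")]
            denied[(rec["profile"], rec["name"])].update(perms)
    return {key: sorted(perms) for key, perms in denied.items()}

# First line is the denial quoted in the thread; the others are constructed samples.
SAMPLE = [
    '8.715146] audit: type=1400 audit(1577789331.199:173): apparmor="DENIED" operation="open" profile="snap.terminal-app.terminal-kiosk" name="/var/snap/terminal-app/x1/config/html/qr.html" pid=12648 comm="terminal" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'audit: type=1400 audit(1700000000.000:1): apparmor="DENIED" operation="file_lock" profile="snap.example.app" name="/run/example.lock" pid=100 comm="app" requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    'audit: type=1400 audit(1700000000.000:2): apparmor="DENIED" operation="open" profile="snap.example.app" name=2F746D702F612062 pid=100 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for (profile, path), perms in summarize(SAMPLE).items():
        print(profile, path, ",".join(perms))
```
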