Snap being refused access to its own $SNAP_USER_DATA files?

Here’s a fun one:

= AppArmor =
Time: May 23 11:38:58
Log: apparmor="DENIED" operation="open" profile="snap.lando.lando" name="/home/dllewellyn/snap/lando/x4/.lando/certs/lndo.site.pem" pid=726494 comm="node" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /home/dllewellyn/snap/lando/x4/.lando/certs/lndo.site.pem (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

The yaml used to build this is at https://github.com/diddlesnaps/lando. I’m not sure why this is failing, although the usage of docker might be an issue?

Once built and installed, you will need to:

snap connect lando:docker docker:docker-daemon
snap connect lando:docker-executables docker:docker-executables
snap version, snap connections (docker|lando), and snap list docker
$ snap version:
snap    2.44.3+20.04
snapd   2.44.3+20.04
series  16
ubuntu  20.04
kernel  5.4.0-31-generic

$ snap connections lando
Interface                    Plug                      Slot                       Notes
content[docker-executables]  lando:docker-executables  docker:docker-executables  manual
docker                       lando:docker              docker:docker-daemon       manual
home                         lando:home                :home                      -
network                      lando:network             :network                   -
removable-media              lando:removable-media     -

$ snap list docker
Name    Version  Rev  Tracking          Publisher   Notes
docker  19.03.8  443  latest/candidate  canonical✓  -

$ snap connections docker
Interface                    Plug                      Slot                       Notes
content[docker-executables]  lando:docker-executables  docker:docker-executables  manual
docker                       docker:docker-cli         docker:docker-daemon       -
docker                       lando:docker              docker:docker-daemon       manual
docker-support               docker:privileged         :docker-support            -
docker-support               docker:support            :docker-support            -
firewall-control             docker:firewall-control   :firewall-control          -
home                         docker:home               :home                      -
network                      docker:network            :network                   -
network-bind                 docker:network-bind       :network-bind              -

To replicate my test, once you’ve installed and connected the plugs:

mkdir $HOME/landotest
cd $HOME/landotest
lando init --name "Lando Test" --recipe wordpress --webroot . --source cwd
lando start

To cleanup once you’ve finished:

cd $HOME/landotest
lando destroy --yes
cd $HOME
rm -rf $HOME/landotest

What are the file permissions? Looks like root is trying to access a user-owned file, for which you need the read: all variant of the home interface.


With read:all:

= AppArmor =
Time: May 23 15:02:30
Log: apparmor="DENIED" operation="open" profile="snap.lando.lando" name="/home/dllewellyn/snap/lando/x5/.lando/certs/lndo.site.pem" pid=840793 comm="node" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /home/dllewellyn/snap/lando/x5/.lando/certs/lndo.site.pem (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

I don’t see where root is coming into play when starting lando from my user (1000).

Although,

$ ls -l /home/dllewellyn/snap/lando/x5/.lando/certs/lndo.site.pem
-rw-r--r-- 1 root root 1395 May 23 11:21 /home/dllewellyn/snap/lando/x5/.lando/certs/lndo.site.pem

Aah, I think I see the sequence of events:

  1. lando starts a docker container which generates some files that are saved with root ownership into lando’s $SNAP_USER_DATA
  2. lando tries to read those files as the original user (me) and gets a permission denied due to root ownership. EDIT: actually it’s failing in a second docker container that is also running as root

So I need to figure out a way for lando (running as me) and its docker containers to be able to read the root-owned files in lando’s $SNAP_USER_DATA, OR somehow get those files generated as owned by my user account.

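The diagnosis above was done by reading the denial line by hand (fsuid=1000 versus ouid=0) and then confirming with ls -l. As an added example, not code from the thread or from the lando snap, the script below automates both checks: it pulls fsuid, ouid and the file name out of an AppArmor DENIED line and flags the ownership mismatch, and it lists every path under a directory that the current uid does not own. The sample lines are the denial quoted in the thread plus one constructed line with matching uids; the $HOME/snap/lando/current path in the usage comment is an assumption based on the paths in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the lando snap): triage an AppArmor
# "DENIED" line the way the thread does by hand, i.e. compare the fsuid of the
# accessing process with the ouid of the file, and list files under a
# directory that the current uid does not own.

# aa_field KEY LINE: print the value of KEY=... (quoted or bare) from an audit line.
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# classify_denial LINE: return 0 (and explain) when the denial is an ownership
# mismatch between the process (fsuid) and the file (ouid); return 1 otherwise.
classify_denial() {
    name=$(aa_field name "$1")
    fsuid=$(aa_field fsuid "$1")
    ouid=$(aa_field ouid "$1")
    if [ -n "$fsuid" ] && [ -n "$ouid" ] && [ "$fsuid" != "$ouid" ]; then
        echo "ownership mismatch: $name is owned by uid $ouid but accessed by uid $fsuid"
        return 0
    fi
    echo "no ownership mismatch for $name (fsuid=$fsuid ouid=$ouid)"
    return 1
}

# scan_foreign_owned DIR: print every path under DIR not owned by the current uid,
# the same check as the 'ls -l' in the thread, applied to a whole tree.
scan_foreign_owned() {
    find "$1" ! -user "$(id -u)" 2>/dev/null
}

# Sample input: the denial line quoted in the thread, plus a constructed line
# with matching uids for comparison.
DENIED_ROOT_OWNED='apparmor="DENIED" operation="open" profile="snap.lando.lando" name="/home/dllewellyn/snap/lando/x4/.lando/certs/lndo.site.pem" pid=726494 comm="node" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
DENIED_SAME_OWNER='apparmor="DENIED" operation="open" profile="snap.lando.lando" name="/home/dllewellyn/snap/lando/x4/.lando/other.txt" pid=1 comm="node" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

for line in "$DENIED_ROOT_OWNED" "$DENIED_SAME_OWNER"; do
    classify_denial "$line" || :
done

# Usage against a real snap's user data (path assumed from the thread's layout):
# scan_foreign_owned "$HOME/snap/lando/current"
```

A non-empty result from scan_foreign_owned on the snap's user data directory is the condition the thread ends on: files written by a root container into $SNAP_USER_DATA that the confined app, running as the invoking user, cannot read.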