Snap confinement: read only if not in the same filesystem

First-time post. I noticed that if I install ethereum:

1. it will work if I log in and run it as user weiwu
2. it will not work if I log in and run it as user ethereum, which complains that the file system is read-only. ‘ethereum’ is a user I created for running that service.

I observe the difference between user weiwu and ethereum and all I can find is that the user ‘ethereum’ has a home directory at /var/ethereum and the user weiwu has a home directory /home/weiwu (both contain snap/ethereum with rw access for the corresponding users). The former is mounted to a standalone HDD, the latter is under the same HDD that mounts to /

My theory so far is that snap confinement has a rule that if the home directory (~/snap/ethereum) is found located on a foreign media then write access is disabled. I couldn’t find any document mentioning this rule so I could be entirely wrong. In that case I’m stuck. Where to look?

Thanks.

P.S. The user ‘ethereum’ is created to run that service and that user’s home directory is located on a standalone HDD intentionally so that if the storage for that user is filled up it won’t halt the system.

This is essentially How can I use snap when I don't use /home/$USER?, which is a known limitation. The easiest thing might be since you are creating the ethereum user to just move its home directory to /home. Otherwise, as per the other thread, use a bind mount.
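As an added illustration of the two options above (not code from the thread), the script below reads a user's home from a constructed passwd file, reports whether it already sits under /home where strict confinement expects the per-user snap directory, and otherwise prints the bind-mount fstab line that exposes the off-/home directory as /home/<user>. The user names and /var/ethereum path are taken from the question; the sample passwd content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the service user's data stays
# on its own disk (e.g. /var/ethereum) and /home/<user> becomes a bind mount of it.

# Print the home directory of a user from a passwd-format file (defaults to /etc/passwd).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "${2:-/etc/passwd}"
}

# Succeed (0) when a path is under /home, the location snap confinement allows
# writes to for ~/snap; fail (1) otherwise.
under_home() {
    case "$1" in
        /home/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Emit the /etc/fstab entry that bind-mounts a real home directory onto /home/<user>.
bind_fstab_line() {
    printf '%s /home/%s none bind 0 0\n' "$1" "$2"
}

# For one user: "ok ..." when nothing is needed, otherwise the fstab line to add.
# Returns 2 when the user does not exist in the passwd file.
snap_home_advice() {
    user="$1"; passwd="${2:-/etc/passwd}"
    home=$(home_of "$user" "$passwd")
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 2; }
    if under_home "$home"; then
        echo "ok: $home is under /home"
    else
        bind_fstab_line "$home" "$user"
    fi
}

# Constructed sample passwd file mirroring the two users in the question.
SAMPLE_PASSWD=$(mktemp)
printf 'weiwu:x:1000:1000::/home/weiwu:/bin/bash\n' > "$SAMPLE_PASSWD"
printf 'ethereum:x:999:999::/var/ethereum:/usr/sbin/nologin\n' >> "$SAMPLE_PASSWD"

snap_home_advice weiwu    "$SAMPLE_PASSWD"
snap_home_advice ethereum "$SAMPLE_PASSWD"
```

The bind mount keeps the data on the separate HDD, but /home/ethereum will still appear under /home to any backup that walks that tree.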

Thank you. From the post you linked it seems people struggle to get apparmor configured, so I resorted to mount to /home instead.

That workaround isn’t good. Because /home should be backed up, yet /home/ethereum should not. If I could rehome /home/ethereum to /var/local/ethereum I can do a categorical backup of /home. Now I have to write an exclusive rule in my backup script to skip /home/ethereum and include everything else under /home.

Having a service dæmon’s home configured under /var is a long-time tradition. I guess that tradition is gone when people stopped backing up things altogether because every server is an AWS node nowadays. For now it works and I’m glad snap is the package manager that has inbuilt support for apparmor.