Snap interface for runc

Hello together,

currently checking if it is possible to start runc containers inside a strict snap.

From interfaces I don’t see one - because the docker and lxc interfaces just support the communication to docker or lxd sockets which basically means that commands are forwarded to the daemons which running outside a snap.

If i put a rootfs to $SNAP_COMMON and start the snap with “snap run --shell” command and enter "runc run con1 -b “SNAP_COMMON/con1” i get the error : ERRO[0000] chown /run/user/1000/snap.docker/runc/con1: operation not permitted

Is there a snap interface i could use to get permission to start runc containers?

Docker uses runc under the hood, so with docker-support interface in your snap (and connected), you ought to be able to start containers. I suggest starting with --devmode to see if there’s anything missing.

1 Like

thanks for quick reply but doesnt “docker-support” simple mount the sockets into the snap and requires a dockerd outside? i will give it a try :smiley: just curious - documentation says just tells about the sockets.

There are two separate docker related interfaces, docker which simply allows using the docker socket and is intended for apps/clients trying to talk to dockerd over the socket, and docker-support, which is what dockerd itself uses to have permission to operate as the dockerd daemon which creates containers, etc.

Got your point! thanks - i was seeing that one reason didnt work before was that the container OCI rootfs was part of the snap (was bad idea) - after setting the interface docker-support and placing the OCI rootfs in $HOME/snap/{name}/common i at least getting a different error. The container i try to start was setup with runc spec --rootless + a debian based container rootfs.

currently what i am facing :

FATA[0000] nsexec-0[24219]: failed to write ‘deny’ to /proc/24221/setgroups: Permission denied
FATA[0000] nsexec-1[24221]: failed to sync with parent: read(SYNC_USERMAP_ACK): Success
WARN[0000] unable to get oom kill count error=“no directory specified for memory.oom_control”
ERRO[0000] container_linux.go:380: starting container process caused: process_linux.go:402: getting the final child’s pid from pipe caused: EOF

btw thanks for the great hints and explanation :wink:

Please check dmesg or journal for possible denials if the host has apparmor enabled, and paste them here.

good hint : yes dmesg shows a lot of complain when 1st starting the snap via --shell command and then execute runc run c1 -b “$PWD”

------------------------LOG--------------------------------------
[ 99.732506] audit: type=1400 audit(1633091197.637:88): apparmor=“DENIED” operation=“capable” profile="/snap/snapd/13170/usr/lib/snapd/snap-confine" pid=2936 comm=“snap-confine” capability=4 capname=“fsetid”
[ 116.490382] audit: type=1400 audit(1633091214.401:89): apparmor=“DENIED” operation=“open” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/" pid=3026 comm=“runc” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
[ 116.490388] audit: type=1400 audit(1633091214.401:90): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/cpuset/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490390] audit: type=1400 audit(1633091214.401:91): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/devices/user.slice/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490392] audit: type=1400 audit(1633091214.401:92): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490394] audit: type=1400 audit(1633091214.401:93): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/cpu,cpuacct/user.slice/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490396] audit: type=1400 audit(1633091214.401:94): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/cpu,cpuacct/user.slice/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490397] audit: type=1400 audit(1633091214.401:95): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/pids/user.slice/user-1000.slice/user@1000.service/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490399] audit: type=1400 audit(1633091214.401:96): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/blkio/user.slice/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490401] audit: type=1400 audit(1633091214.401:97): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/hugetlb/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
[ 116.490403] audit: type=1400 audit(1633091214.401:98): apparmor=“DENIED” operation=“mkdir” profile=“snap.my-snap.my-runc” name="/sys/fs/cgroup/net_cls,net_prio/c1/" pid=3026 comm=“runc” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000

I suggest installing the snap with --devmode first. Next, there’s clearly some assumptions in the docker-support interface that don’t quite fit what you’re trying to do.

Say this path, /sys/fs/cgroup/cpu,cpuacct/user.slice/c1/ I understand that user.slice is here because it’s a rootless container. I’m not quite sure about c1. From looking at the interface, there are patterns like this: /sys/fs/cgroup/*/docker/, so maybe c1 is just a sub group in your case too? There’s a comment that mentions plugins.cri_systemd_cgroup=true, maybe that’s related to runc as well? But it also lists paths like /sys/fs/cgroup/*/systemd/system.slice/**, expecting the groups to be located under system.slice, which would not be true for rootless.

thanks for the advice - c1 is the container name actually i guess.

i tried today --> docker-snap/docker-snap: https://snapcraft.io/docker (github.com)

this works for me if the rootfs of container lays in $SNAP_HOME

I will check from here how to go on :smiley: