I am trying to debug juju with snap run –stracve
I installed both strace-static from channel latest/stable and latest edge but none of them is working
$ sudo snap run --strace juju
/snap/strace-static/current/bin/strace: Process 3192369 attached
--- stopped by SIGSTOP ---
--- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=3192323, si_uid=0} ---
execv failed: Permission denied
error: exit status 101
cannot read while waiting for exec() to snap-confine: EOF
versions:
juju
installed: 3.6.19 (34273) 111MB -
strace-static
installed: 6.15 (117) 2MB -
also tried:
latest/stable: 6.8 2025-07-04 (114) 2MB -
What’s the snapd version on this system?
Hi, @mborzecki1
installed: 2.74.1 (26382) 50MB snapd
I forgot to mention the very important fact, that happens on LXD container
Now you will probably tell me that is not possible 
If so then the snap could be better informing the user
I guess the same issue comes when I cannot redirect stdout
ubuntu@plain-noble:~$ juju version
3.6.14-genericlinux-amd64
ubuntu@plain-noble:~$ juju version > stdout
ERROR write /dev/stdout: bad file descriptor
The FD problem looks suspiciously like something that could be related to AppArmor fd inheritance - when the sandboxed process does not have required privileges to access the fd, apparmor will close it and replace with some null file. Any chance you observed a denial in the kernel log? Perhaps @zyga has some ideas.
@mborzecki1 I did, but on one machine
but I cannot see that again on workstation despite changing the ratelimit to 0
root@drakkar:~# cat /proc/sys/kernel/printk_ratelimit
0
root@drakkar:~# cat /proc/sys/kernel/printk_ratelimit_burst
0
On other host while testing juju version > stdout on the hosted LXD container I see the following on the baremetal
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.940:3828): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="/snap/snapd/26382/usr/lib/snapd/snap-confine" name="/home/ubuntu/test" pid=3549456 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1001000 ouid=1001000
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.940:3829): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="/snap/snapd/26382/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=3549456 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1001000 ouid=0
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.944:3830): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="snap-update-ns.juju" name="/dev/pts/10" pid=3549488 comm="snap-update-ns" requested_mask="wr" denied_mask="wr" fsuid=1001000 ouid=1001000
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.944:3831): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="snap-update-ns.juju" name="/dev/pts/10" pid=3549488 comm="snap-update-ns" requested_mask="wr" denied_mask="wr" fsuid=1001000 ouid=1001000
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.944:3832): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="snap-update-ns.juju" name="/apparmor/.null" pid=3549488 comm="snap-update-ns" requested_mask="wr" denied_mask="wr" fsuid=1001000 ouid=0
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.944:3833): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="snap-update-ns.juju" name="/dev/pts/10" pid=3549488 comm="snap-update-ns" requested_mask="wr" denied_mask="wr" fsuid=1001000 ouid=1001000
Mar 25 10:36:01 pc6b-rb4-n1 kernel: audit: type=1400 audit(1774434961.959:3834): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-bastion_<var-snap-lxd-common-lxd>" profile="snap.juju.juju" name="/proc/3393253/mountinfo" pid=3549456 comm="juju" requested_mask="r" denied_mask="r" fsuid=1001000 ouid=1001000
i disccussed also on our internal company chat on snappy channel, but I will not link it here.
