Snapcraft cleanbuild on Arch Linux with LXD - Apparmor permission error

I’m trying to set up a development environment for snaps on Arch Linux, but I’ve run into a problem when building snaps with snapcraft cleanbuild.

So far I’ve set up the following:

  1. Installed snapd from AUR
  2. Installed and enabled apparmor.service
  3. Enabled snapd.service and snapd.apparmor.service
  4. Installed LXD from AUR
  5. Configured permissions to allow unprivileged containers
  6. Verified that LXD works by starting a couple of containers and checking network connectivity
  7. Installed the snapcraft snap from the edge/stable channel (tried both)

LXD and snap installation seem to work as expected, however whenever I try to run snapcraft cleanbuild I get the following error:

Creating snapcraft-parsimoniously-apostolic-flo
Starting snapcraft-parsimoniously-apostolic-flo
Waiting for a network connection...
Network connection established
Hit:1 xenial InRelease
Get:2 xenial-updates InRelease [109 kB]
Get:3 xenial-backports InRelease [107 kB]
Get:4 xenial/universe amd64 Packages [7532 kB]
Get:5 xenial-security InRelease [109 kB]
Get:6 xenial-security/main amd64 Packages [627 kB]
Get:7 xenial-security/universe amd64 Packages [432 kB]
Get:8 xenial/universe Translation-en [4354 kB]
Get:9 xenial-security/universe Translation-en [174 kB]
Get:10 xenial-security/multiverse amd64 Packages [5604 B]
Get:11 xenial-security/multiverse Translation-en [2676 B]
Get:12 xenial/multiverse amd64 Packages [144 kB]
Get:13 xenial/multiverse Translation-en [106 kB]
Get:14 xenial-updates/main amd64 Packages [926 kB]
Get:15 xenial-updates/universe amd64 Packages [742 kB]
Get:16 xenial-updates/universe Translation-en [307 kB]
Get:17 xenial-updates/multiverse amd64 Packages [16.7 kB]
Get:18 xenial-updates/multiverse Translation-en [8440 B]
Get:19 xenial-backports/main amd64 Packages [7280 B]
Get:20 xenial-backports/main Translation-en [4456 B]
Get:21 xenial-backports/universe amd64 Packages [7804 B]
Get:22 xenial-backports/universe Translation-en [4184 B]
Fetched 15.7 MB in 4s (3508 kB/s)
Reading package lists... Done
error: system does not fully support snapd: apparmor detected but insufficient permissions to use it
Stopping local:snapcraft-parsimoniously-apostolic-flo
An error occurred when trying to execute 'sudo snap set core refresh.hold=2019-03-29T19:44:38.135422Z' with 'lxd': returned exit code 1.

It seems to suggest that the apparmor inside the LXD container is not supported. Is there a way to make LXD run apparmor inside the container?

I managed to fix the issue by opening the default profile configuration:

lxc profile edit default

And adding the following configuration options to fix the permission issues for nested containers:

  security.nesting: "true"
  security.privileged: "true"

I also had to add the following options to fix a udev problem with snapd:

raw.lxc: |-
  lxc.cgroup.devices.allow=a sys:rw
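The profile change from the fix above, packaged as a script that applies it, verifies from `lxc profile show` output that it actually took effect, and keeps a copy of the previous profile so it can be reverted. This is an added example and not the thread's own code: the function names, the `PROFILE` and `BACKUP` variables and the backup file path are this script's own choices, and the raw.lxc value is taken verbatim from the fix as posted. One caveat worth stating for anyone copying the fix: security.privileged: "true" turns off the user-ID mapping that unprivileged containers rely on, so root inside any container launched from the default profile is real root on the host. That is why the script records the profile before editing it and prints the unset commands at the end.

```shell
#!/bin/sh
# Added example, not part of the original thread. Applies the three settings
# from the fix above to an LXD profile and verifies the result.
# Assumptions (this script's own, not from the post): PROFILE defaults to
# "default", BACKUP is where the pre-change profile is saved, and "lxc" is the
# LXD client already set up on the host.
set -eu

PROFILE="${PROFILE:-default}"
BACKUP="${BACKUP:-./lxd-${PROFILE}-profile.before.yaml}"

# raw.lxc value exactly as posted in the fix above.
RAW_LXC='lxc.cgroup.devices.allow=a sys:rw'

# config_value KEY  (reads `lxc profile show` YAML on stdin)
# Prints the scalar value of KEY inside the "config:" section, quotes stripped.
# Only looks at lines indented under "config:", so a key with the same name in
# "devices:" or at top level is ignored. For a block scalar such as raw.lxc the
# printed value is the "|-" marker, which is enough to prove the key is set.
config_value() {
  awk -v key="$1" '
    /^config:/ { in_cfg = 1; next }
    /^[^ ]/    { in_cfg = 0 }
    in_cfg && $1 == (key ":") {
      sub(/^[ ]*[^ ]+:[ ]*/, "")   # drop indentation, key and colon
      gsub(/^"|"$/, "")            # drop surrounding quotes
      print
      exit
    }'
}

# verify_profile  (reads `lxc profile show` YAML on stdin)
# Returns 0 when security.nesting and security.privileged are "true" and
# raw.lxc is present; otherwise lists what is missing on stderr and returns 1.
verify_profile() {
  yaml=$(cat)
  status=0
  for k in security.nesting security.privileged; do
    v=$(printf '%s\n' "$yaml" | config_value "$k")
    [ "$v" = "true" ] || { echo "missing: $k=true (got '${v:-unset}')" >&2; status=1; }
  done
  v=$(printf '%s\n' "$yaml" | config_value raw.lxc)
  [ -n "$v" ] || { echo "missing: raw.lxc" >&2; status=1; }
  return $status
}

# apply_settings PROFILE: back up, change, then re-read and verify the profile.
apply_settings() {
  p="$1"
  lxc profile show "$p" > "$BACKUP"
  lxc profile set "$p" security.nesting true
  lxc profile set "$p" security.privileged true
  lxc profile set "$p" raw.lxc "$RAW_LXC"
  lxc profile show "$p" | verify_profile
  echo "profile $p updated; previous version saved to $BACKUP"
  echo "to revert: lxc profile unset $p security.nesting;" \
       "lxc profile unset $p security.privileged; lxc profile unset $p raw.lxc"
}

case "${1:-}" in
  apply)
    apply_settings "$PROFILE" ;;
  verify)
    if lxc profile show "$PROFILE" | verify_profile; then
      echo "profile $PROFILE has the settings snapd needs"
    else
      exit 1
    fi ;;
  *)
    echo "usage: $0 apply|verify   (PROFILE=$PROFILE)" >&2 ;;
esac
```

Run `PROFILE=default ./lxd-snapcraft-profile.sh apply` once, then `./lxd-snapcraft-profile.sh verify` before each `snapcraft cleanbuild`; `verify` is also what to run if a later `lxc profile edit` is suspected of having dropped one of the keys.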

When I need to build something using snapcraft, I usually fall back to forcing the multipass backend. The VM is probably not as fast, though there’s definitely less hassle than setting up LXD (especially from AUR).