Snapcraft cleanbuild on Arch Linux with LXD - Apparmor permission error

I’m trying to set up a development environment for snaps on Arch Linux, but I’ve run into a problem when building snaps with snapcraft cleanbuild.

So far I’ve set up the following:

  1. Installed snapd from AUR
  2. Installed and enabled apparmor.service
  3. Enabled snapd.service and snapd.apparmor.service
  4. Installed LXD from AUR
  5. Configured permissions to allow unprivileged containers
  6. Verified that LXD works by starting a couple of containers and checking network connectivity
  7. Installed the snapcraft snap from edge/stable (tried both) channel

The LXD and snap installations seem to work as expected; however, whenever I try to run snapcraft cleanbuild I get the following error:

Creating snapcraft-parsimoniously-apostolic-flo
Starting snapcraft-parsimoniously-apostolic-flo
Waiting for a network connection...
Network connection established
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:3 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [7532 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Get:6 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [627 kB]
Get:7 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [432 kB]
Get:8 http://archive.ubuntu.com/ubuntu xenial/universe Translation-en [4354 kB]
Get:9 http://security.ubuntu.com/ubuntu xenial-security/universe Translation-en [174 kB]
Get:10 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [5604 B]
Get:11 http://security.ubuntu.com/ubuntu xenial-security/multiverse Translation-en [2676 B]
Get:12 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [144 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial/multiverse Translation-en [106 kB]
Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [926 kB]
Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [742 kB]
Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [307 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [16.7 kB]
Get:18 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse Translation-en [8440 B]
Get:19 http://archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages [7280 B]
Get:20 http://archive.ubuntu.com/ubuntu xenial-backports/main Translation-en [4456 B]
Get:21 http://archive.ubuntu.com/ubuntu xenial-backports/universe amd64 Packages [7804 B]
Get:22 http://archive.ubuntu.com/ubuntu xenial-backports/universe Translation-en [4184 B]
Fetched 15.7 MB in 4s (3508 kB/s)
Reading package lists... Done
error: system does not fully support snapd: apparmor detected but insufficient permissions to use it
Stopping local:snapcraft-parsimoniously-apostolic-flo
An error occurred when trying to execute 'sudo snap set core refresh.hold=2019-03-29T19:44:38.135422Z' with 'lxd': returned exit code 1.

It seems to suggest that the apparmor inside the LXD container is not supported. Is there a way to make LXD run apparmor inside the container?

I managed to fix the issue by opening the default profile configuration:

lxc profile edit default

And adding the following configuration options to fix the permission issues for nested containers:

config:
  security.nesting: "true"
  security.privileged: "true"

I also had to add the following options to fix a udev problem with snapd:

raw.lxc: |-
  lxc.cgroup.devices.allow=a
  lxc.mount.auto=proc:rw sys:rw
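A small audit of the profile settings above, added here as an example and not the poster's code: it parses an `lxc profile show default` dump, checks that security.nesting is on, and reports that security.privileged and the raw.lxc lines buy the fix at the cost of container isolation. The sample dump is constructed to match the edits in the post.

```python
"""Audit the config section of an `lxc profile show` dump for the settings
this thread enables to run snapd/AppArmor in a container and report which
ones weaken isolation. Constructed sample; minimal parser for lxc's output."""

# raw.lxc fragments from the thread's fix and what each costs in isolation.
RAW_LXC_RISKS = {
    "lxc.cgroup.devices.allow=a": "container may open every host device node",
    "sys:rw": "/sys is mounted read-write inside the container",
}

def parse_profile_config(text):
    """Return the `config:` mapping as str -> str, joining |- block scalars."""
    config, in_config, block_key = {}, False, None
    for line in text.splitlines():
        if not line.startswith(" "):  # top-level key (config:, devices:, name: ...)
            in_config, block_key = line.rstrip() == "config:", None
        elif not in_config:
            continue
        elif block_key and line.startswith("    "):  # block scalar continuation
            config[block_key] += line.strip() + "\n"
        else:
            key, _, value = line.strip().partition(":")
            value, block_key = value.strip(), None
            if value in ("|", "|-"):  # scalar body starts on the next line
                block_key, config[key] = key, ""
            else:
                config[key] = value.strip('"')
    return {k: v.rstrip("\n") for k, v in config.items()}

def audit_profile(text):
    """nesting is what snapd's AppArmor needs; privileged plus the raw.lxc
    keys are what hands the build container host-root-equivalent access."""
    cfg = parse_profile_config(text)
    raw = cfg.get("raw.lxc", "")
    return {
        "nesting": cfg.get("security.nesting") == "true",
        "privileged": cfg.get("security.privileged") == "true",
        "raw_lxc_risks": [why for frag, why in RAW_LXC_RISKS.items() if frag in raw],
    }

# Constructed dump reflecting the profile edits from the thread.
SAMPLE_PROFILE = """\
config:
  security.nesting: "true"
  security.privileged: "true"
  raw.lxc: |-
    lxc.cgroup.devices.allow=a
    lxc.mount.auto=proc:rw sys:rw
name: default
"""
```

Feed it the real dump with `audit_profile(subprocess.check_output(["lxc", "profile", "show", "default"], text=True))` to see which of these settings a build host is actually running with.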

When I need to build something using snapcraft, I usually fall back to forcing the multipass backend. The VM is probably not as fast, though there’s definitely less hassle than setting up LXD (especially from AUR).