Snapd from hirsute-proposed won't allow snaps to run

I know that being in the devel branch, and on proposed is pretty much digging myself in a hole, but I figured I should point this out before this becomes stable.

My snapd version from the repo is 2.49+21.04. When I try to run any of the Snaps I installed (e.g. Firefox & Discord), they won’t launch, and when I use the terminal, here’s what I get:

ERROR: ld.so: object 'libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (failed to map segment from shared object): ignored.
need to run as root or suid

I tried with sudo to see if it’ll launch, but that didn’t work either.

1 Like

I’m running Ubuntu 21.04, and recently updated my machine, then rebooted. Now I can’t launch any snaps at all. null is the simplest snap, and won’t launch, but the same happens for every snap I test.

alan@robot:~$ null
need to run as root or suid
alan@robot:~$ SNAPD_DEBUG=1 SNAP_DEBUG_CONFINE=1 null
2021/02/14 22:53:11.604668 tool_linux.go:93: DEBUG: snap (at "/snap/snapd/current") is older ("2.48.2.1") than distribution package ("2.49+21.04")
2021/02/14 22:53:11.611982 cmd_run.go:407: DEBUG: SELinux not enabled
2021/02/14 22:53:11.612077 tracking.go:44: DEBUG: creating transient scope snap.null.null
2021/02/14 22:53:11.612736 tracking.go:173: DEBUG: using session bus
2021/02/14 22:53:11.613600 tracking.go:305: DEBUG: created transient scope as object: /org/freedesktop/systemd1/job/2436
2021/02/14 22:53:11.613668 tracking.go:135: DEBUG: systemd could not associate process 40654 with transient scope snap.null.null.6d4f911a-82c5-448e-bae4-13b9d08b1644.scope
2021/02/14 22:53:11.613677 cmd_run.go:1162: DEBUG: snapd cannot track the started application
2021/02/14 22:53:11.613683 cmd_run.go:1163: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.null.null
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 1000, euid: 2001, suid: 2001
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
need to run as root or suid

I have proposed enabled, which I did because I believe I need the 5.10 kernel because a bug in 5.8 makes my nvme go read only periodically.

Something may have come down from proposed on hirsute which messed my machine? I don’t know.

alan@robot:~$ snap version
snap    2.49+21.04
snapd   2.49+21.04
series  16
ubuntu  21.04
kernel  5.10.0-14-generic

Any ideas what I can do to debug/fix this? My machine is pretty useless right now.

Could this be related to the private home dir change in 21.04 which just landed in proposed? https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533
@alexmurray?

So the private home dirs stuff landed a few weeks ago and it will only apply to new installs since then so if you upgraded to hirsute then it probably is not at fault - to check you can take a look at your /home permissions to see:

ls -l /home
drwxr-x--- 8 amurray amurray 4096 Feb 11 22:15 amurray

i.e. in this case we see others have no access to /home/amurray (i.e. my home dirs).

I can’t reproduce this on a hirsute VM with private home dirs but it is a couple days out of date so I will update it and see if that changes anything…

drwxr-x--- 86 alan alan 4096 Feb 14 23:06 alan
Ok, thanks. So likely not that then.
I have no idea where the “need to run as root or suid” comes from.

This thread from yesterday has the same issue as you, so it’s likely somewhat reproducible

(I’m clueless otherwise but I thought it’d be helpful to show it’s possibly worth investigating 🙂)

1 Like

Thanks, I’ll merge these threads.

Ok, so I did get a snapd update today:

alan@robot:~$ grep snapd /var/log/dpkg.log
2021-02-14 20:50:15 upgrade snapd:amd64 2.48+21.04 2.49+21.04
2021-02-14 20:50:15 status half-configured snapd:amd64 2.48+21.04
2021-02-14 20:50:15 status unpacked snapd:amd64 2.48+21.04
2021-02-14 20:50:15 status half-installed snapd:amd64 2.48+21.04
2021-02-14 20:50:18 status unpacked snapd:amd64 2.49+21.04
2021-02-14 20:52:03 configure snapd:amd64 2.49+21.04 <none>
2021-02-14 20:52:03 status unpacked snapd:amd64 2.49+21.04
2021-02-14 20:52:03 status half-configured snapd:amd64 2.49+21.04
2021-02-14 20:54:53 status installed snapd:amd64 2.49+21.04

Which I am now running:

alan@robot:~$ snap version
snap    2.49+21.04
snapd   2.49+21.04
series  16
ubuntu  21.04
kernel  5.8.0-38-generic

I see there’s a “newer” snapd in edge:-

alan@robot:~$ snap info snapd | tail -n 6
channels:
  latest/stable:    2.48.2.1             2021-02-08 (11036) 32MB -
  latest/candidate: 2.48.2.1             2021-02-08 (11036) 32MB -
  latest/beta:      2.49                 2021-02-10 (11107) 33MB -
  latest/edge:      2.49+git313.gda8011a 2021-02-13 (11168) 33MB -
installed:          2.48.2.1                        (11036) 32MB snapd

The one in edge looks “newer” so let’s get that:

alan@robot:~$ snap refresh snapd --edge
2021-02-14T23:24:37Z INFO Waiting for automatic snapd restart...

Which I am now running:

alan@robot:~$ snap version
snap    2.49+git313.gda8011a
snapd   2.49+git313.gda8011a
series  16
ubuntu  21.04
kernel  5.8.0-38-generic

Which works now.

alan@robot:~$ SNAPD_DEBUG=1 SNAP_DEBUG_CONFINE=1 null
2021/02/14 23:28:49.860905 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2021/02/14 23:28:49.878138 cmd_run.go:409: DEBUG: SELinux not enabled
2021/02/14 23:28:49.878234 tracking.go:44: DEBUG: creating transient scope snap.null.null
2021/02/14 23:28:49.878841 tracking.go:173: DEBUG: using session bus
2021/02/14 23:28:49.879689 tracking.go:305: DEBUG: created transient scope as object: /org/freedesktop/systemd1/job/2020
2021/02/14 23:28:49.879774 tracking.go:135: DEBUG: systemd could not associate process 14858 with transient scope snap.null.null.c5b4a13e-e119-4d30-86b8-324835f76352.scope
2021/02/14 23:28:49.879782 cmd_run.go:1169: DEBUG: snapd cannot track the started application
2021/02/14 23:28:49.879787 cmd_run.go:1170: DEBUG: snap refreshes will not be postponed by this process
DEBUG: umask reset, old umask was   02
DEBUG: security tag: snap.null.null
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/snapd/11168/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/null.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope null, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: null
DEBUG: setting up device cgroup
DEBUG: no devices tagged with snap_null_null, skipping device cgroup setup
DEBUG: forked support process 14881
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core, revision 10823 is 7:95
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: block device of the root filesystem is 7:95
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace null
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: null
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: moved process 14858 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.null
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 14881)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: DEBUG: helper process exitingwaiting for the helper process to exit

DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: set_effective_identity uid:1000 (change: yes), gid:1000 (change: yes)
DEBUG: creating user data directory: /home/alan/snap/null/3
DEBUG: requesting changing of apparmor profile on next exec to snap.null.null
DEBUG: ruid: 1000, euid: 1000, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.null.null
DEBUG: read 6736 bytes from /var/lib/snapd/seccomp/bpf//snap.null.null.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG:  argv[1] = null
DEBUG: umask restored to   02
DEBUG: working directory restored to /home/alan
alan@robot:~$ snap run emoj explode
💥  💣  🧨

Looks “good”. @mvo @pedronis - I’m on vacation tomorrow - you may want to look at this in the morning. 🙂

After updating and rebooting snaps still work fine for me, but I am running the stock kernel:

amurray@sec-hirsute-amd64:~$ snap version
snap    2.48.3+21.04
snapd   2.48.3+21.04
series  16
ubuntu  21.04
kernel  5.8.0-36-generic
amurray@sec-hirsute-amd64:~$ uname -a
Linux sec-hirsute-amd64 5.8.0-36-generic #40+21.04.1-Ubuntu SMP Thu Jan 7 11:35:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

That message comes from snap-confine - it is launched to set up confinement for the snap and it expects to be run as root (so it can load apparmor profiles, set up seccomp filters etc) - but it would seem it is not root in your case - it is normally SUID root itself:

amurray@sec-hirsute-amd64:~$ ll /usr/lib/snapd/snap-confine 
-rwsr-xr-x 1 root root 133960 Feb  8 10:53 /usr/lib/snapd/snap-confine*
amurray@sec-hirsute-amd64:~$ ll /snap/snapd/current/usr/lib/snapd/snap-confine 
-rwsr-xr-x 1 root root 110792 Feb  3 06:52 /snap/snapd/current/usr/lib/snapd/snap-confine*

So the ownership of the snap-confine binary from snapd 2.49+21.04 currently in hirsute-proposed is wrong:

amurray@sec-hirsute-amd64:~$ dpkg -l snapd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-============================================
ii  snapd          2.49+21.04   amd64        Daemon and tooling that enable snap packages
amurray@sec-hirsute-amd64:~$ ll /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 2001 2501 134216 Feb 10 20:17 /usr/lib/snapd/snap-confine*

Sadly this is a known issue (i.e. setuid binaries ending up with the wrong owner) - https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250 - but perhaps not widely enough known…

3 Likes
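
The wrong-owner condition shown in the post above (a setuid binary owned by 2001:2501 instead of root) can be checked for in a package listing before installing, or on disk afterwards. This is an added example, not part of the original thread or snapd's own tooling; the function names are hypothetical and the sample listing is constructed in the format printed by `dpkg-deb -c`.

```shell
#!/bin/sh
# Added example: flag setuid files whose owner is not root.

# Read a `dpkg-deb -c` (tar -tv style) listing on stdin and print every
# setuid regular file whose owner is not root, as "owner/group path".
# Assumes paths without spaces (the path is taken from the last field).
suid_not_root_in_listing() {
    awk '
        # Field 1 is the mode string; character 4 is the owner-execute
        # slot, which shows "s" or "S" when the setuid bit is set.
        substr($1, 1, 1) == "-" && substr($1, 4, 1) ~ /[sS]/ {
            split($2, id, "/")
            if (id[1] != "root" && id[1] != "0")
                print $2, $NF
        }
    '
}

# Same check against files already installed under the given directory.
# Prints an `ls -ln` line (numeric uid/gid) for each offender.
suid_not_root_on_disk() {
    find "$1" -xdev -type f -perm -4000 ! -uid 0 -exec ls -ln {} +
}

# Constructed sample listing. The snap-confine line uses the owner and
# size reported in the thread; the other entries are made up.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2021-02-10 20:17 ./usr/lib/snapd/
-rwxr-xr-x 2001/2501     50000 2021-02-10 20:17 ./usr/lib/snapd/snap-exec
-rwsr-xr-x 2001/2501    134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rwsr-xr-x root/root     40000 2021-02-10 20:17 ./usr/lib/example/helper
EOF
}

# Stand-alone run: report offenders in the sample listing.
sample_listing | suid_not_root_in_listing
```

Against a real package, pipe `dpkg-deb -c <file>.deb` into `suid_not_root_in_listing`; on an installed system, run `suid_not_root_on_disk /usr/lib/snapd`.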

Indeed, we noticed this issue too. The tooling in hirsute seems to mishandle the permissions currently and that broke snapd. It looks like it’s a general bug that also breaks the permissions of more builds. Happy to rebuild/reupload snapd once the tooling is fixed.

1 Like

During development release running devel is fine.

Enabling devel-proposed is not supported at all, as devel-proposed during release development is not meant for human consumption.

It contains knowingly broken packages that are in the process of being fixed and are held back from migrating to devel because they are broken, uninstallable, contain critical bugs, and some may never be released.

Please disable devel-proposed on your system, and please downgrade all packages to versions from devel.

Alternatively you may wish to contribute fixes to upgrade things in devel-proposed. See ProposedMigration - Ubuntu Wiki for more details of all the things that must be fixed for things to migrate.