Snaps and NFS /home

OK, I’m a little bit sleepy today: the snaps are not seeing the mount because it’s not in the home directory; all the snap sees is a fake root directory. If the NFS share is mounted in my home directory, snaps with the network plug would be able to access it.

Sorry for the noise!

@zyga-snapd, between this topic and Snapd vs upstream kernel vs apparmor I’m beginning to think we want to create a .d directory for snap-confine to #include so we can drop profile snippets in it. Eg:

  1. snap-confine profile has #include </var/lib/snapd/apparmor/snap-confine.d>
  2. snapd detects NFS /home (or we use the snap config core set home-nfs idea), creates /var/lib/snapd/apparmor/snap-confine.d/home-nfs with network inet, network inet6, and reloads the snap-confine profile
  3. snapd adds network inet, network inet6, to all generated snapd apparmor policy if it detects NFS /home (or we use the snap config core set home-nfs idea)
  4. snapd is forcing devmode (eg, due to lack of apparmor requirements) and creates /var/lib/snapd/apparmor/snap-confine.d/apparmor-forced-devmode with /usr/lib/snapd/snap-exec uxr, (for the other topic) and reloads the snap-confine profile

I think this problem is understood enough for someone to work on this.


I agree, I think we can have a quick chat and come with some agreement on what we need to do and then just get it done.

Should the directory not be under /run somewhere? Forced devmode or not, in particular, could well be different per boot on Debian.

@mwhudson - it could be under /run, but that would complicate things because it needs to exist when the profile is loaded. The apparmor unit will start before snapd on boot and then the snap-confine profile would fail to load.

An advantage of having it under /var/lib/snapd/apparmor/snap-confine.d is that this directory can be shared between re-execs and therefore users can more easily apply workaround policy if they need to. For example, this issue is more painful for people now because it can’t be worked around any more since the re-exec’d snapd may use a profile that is in the readonly snap. Having it in the suggested directory means user changes will be persistent.

We might want a similar concept for LDAP/AD/Kerberos/etc users: Multiple users and groups in snaps

I’ve been working on this last week and I think it’s ready for review. I implemented a simple active detection of NFS under /home/ (either fstab or mountinfo must refer to it). When one is detected we inject extra snippets into all application profiles as well as into (and this is a new thing) the profile of snap-confine itself.

The PR is at https://github.com/snapcore/snapd/pull/3958 and I asked @jdstrand for the first review.

NFS support is tagged for 2.29 and I hope it can be a part of the release.
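As an added illustration of the detection rule described above (this is not the snapd PR's own code), a Go check that treats /home as NFS-backed when either fstab-style or mountinfo-style text lists an nfs/nfs4 mount at or below /home; the sample inputs are constructed.

```go
package main

import "strings"

// Constructed sample inputs (not from a real host).
const sampleFstab = `UUID=abcd / ext4 defaults 0 1
fileserver:/export/home /home nfs rw,hard 0 0
`
const sampleMountinfo = `25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
41 25 0:40 / /home/alice rw,relatime - nfs4 fileserver:/export/home/alice rw,vers=4.2
`

var nfsFstypes = map[string]bool{"nfs": true, "nfs4": true}

// underHome is true for /home itself or any mount point below it.
func underHome(mp string) bool {
	return mp == "/home" || strings.HasPrefix(mp, "/home/")
}

// FstabHasNFSHome scans fstab text: <spec> <mountpoint> <fstype> <options> ...
func FstabHasNFSHome(fstab string) bool {
	for _, line := range strings.Split(fstab, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && !strings.HasPrefix(f[0], "#") && nfsFstypes[f[2]] && underHome(f[1]) {
			return true
		}
	}
	return false
}

// MountinfoHasNFSHome scans /proc/self/mountinfo text: the mount point is the
// 5th field and the fstype is the first field after the " - " separator.
func MountinfoHasNFSHome(mountinfo string) bool {
	for _, line := range strings.Split(mountinfo, "\n") {
		parts := strings.SplitN(line, " - ", 2)
		if len(parts) != 2 {
			continue
		}
		l, r := strings.Fields(parts[0]), strings.Fields(parts[1])
		if len(l) >= 5 && len(r) >= 1 && nfsFstypes[r[0]] && underHome(l[4]) {
			return true
		}
	}
	return false
}

// HomeIsNFS applies the rule from the post: either source is enough.
func HomeIsNFS(fstab, mountinfo string) bool {
	return FstabHasNFSHome(fstab) || MountinfoHasNFSHome(mountinfo)
}
```

An autofs-managed home only shows up in mountinfo after first access, so a check run once at daemon start can miss it.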

This feature should be available in the edge channel soon. It will be a part of snapd 2.29rc2 release (note that rc1 does not contain it yet).

I have the same symptoms without using NFS. I am using pbis (used to be Likewise-open) to authenticate with a windows domain server on my linux system.

damann@software01-pc ~/workspace/SmcApi $ pycharm-professional
cannot create user data directory: /home/SENSOFT/damann/snap/pycharm-professional/46: Permission denied

******* /var/log/syslog *******
Jan 16 08:42:59 software01-pc kernel: [3605620.819201] audit: type=1400 audit(1516110179.689:578): apparmor="DENIED" operation="open" profile="/snap/core/3748/usr/lib/snapd/snap-confine" name="/home/SENSOFT/damann/" pid=11548 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=2076189394 ouid=2076189394
Jan 16 08:44:00 software01-pc kernel: [3605681.454918] audit: type=1400 audit(1516110240.317:579): apparmor="DENIED" operation="open" profile="/snap/core/3748/usr/lib/snapd/snap-confine" name="/home/SENSOFT/damann/" pid=11595 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=2076189394 ouid=2076189394

FYI solved my problem by uninstalling my snap (pycharm-professional), uninstalling snapd, and downloading the tar.gz version. Bye.

Hi, any solution for snaps while installing in NFS… Please help me with this. Thanks in advance. @jdstrand @zyga-snapd

Hey

This is interesting. The denial, dissected, says:

Jan 16 08:42:59 software01-pc kernel: [3605620.819201] audit: type=1400 audit(1516110179.689:578): apparmor="DENIED" operation="open" profile="/snap/core/3748/usr/lib/snapd/snap-confine" name="/home/SENSOFT/damann/" pid=11548 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=2076189394 ouid=2076189394

The process running under profile "/snap/core/3748/usr/lib/snapd/snap-confine" (this is a profile used by an internal part of snapd itself) tried to access /home/SENSOFT/damann/ for reading (requested_mask="r") but reading was denied (denied_mask="r").

What is curious about this is that snap-confine doesn’t need to access one’s home directory. I wonder if any of this is caused by an ALL-CAPS home directory.

I will add this to my backlog to investigate.
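The dissection above, as an added example that is not snapd's code: a small Go parser for these audit lines (the two sample lines are quoted from this thread) that splits fields on spaces outside double quotes and explains file and network denials, flagging the NFS server port 2049 on the latter.

```go
package main

import "fmt"
import "strings"

// Two denial lines quoted from this thread: a file denial and an NFS network denial.
const fileDenial = `audit: type=1400 audit(1516110179.689:578): apparmor="DENIED" operation="open" profile="/snap/core/3748/usr/lib/snapd/snap-confine" name="/home/SENSOFT/damann/" pid=11548 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=2076189394 ouid=2076189394`
const netDenial = `audit: type=1400 audit(1532535640.798:165): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/snapd/snap-confine" pid=5570 comm="snap-confine" laddr=172.30.2.79 lport=53172 faddr=172.30.2.25 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"`
// Denial holds the key=value fields of one AppArmor audit line.
type Denial map[string]string
// ParseDenial splits on spaces outside double quotes and keeps every key=value token.
func ParseDenial(line string) Denial {
	d := Denial{}
	var tok strings.Builder
	inQuote := false
	flush := func() { // tokens without "=", such as audit(...):, are skipped
		if i := strings.IndexByte(tok.String(), '='); i > 0 {
			d[tok.String()[:i]] = tok.String()[i+1:]
		}
		tok.Reset()
	}
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote // quote characters are dropped, not stored
		case r == ' ' && !inQuote:
			flush()
		default:
			tok.WriteRune(r)
		}
	}
	flush()
	return d
}

// Explain renders a denial the way the post above dissects it; on network denials it flags port 2049.
func Explain(d Denial) string {
	if d["apparmor"] != "DENIED" {
		return "not a denial"
	}
	if d["name"] != "" {
		return fmt.Sprintf("profile %s: %s on %s denied (requested %q, denied %q)",
			d["profile"], d["operation"], d["name"], d["requested_mask"], d["denied_mask"])
	}
	target := d["faddr"] + ":" + d["fport"]
	if d["fport"] == "2049" {
		target += " (NFS)"
	}
	return fmt.Sprintf("profile %s: %s to %s denied", d["profile"], d["operation"], target)
}
```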

What the hell is that.
I am not an expert, no special user, but why can’t we simplify snap modification of applications?

I install pycharm and I get the same errors; I can’t launch pycharm without using sudo?

I hate that application, really bad one.

Hi everybody,

I’ve got the same issue. My home dir isn’t mounted at /home, but on /Users, using NFS from AWS EFS.

dmesg output is:

audit: type=1400 audit(1532535640.798:165): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/snapd/snap-confine" pid=5570 comm="snap-confine" laddr=172.30.2.79 lport=53172 faddr=172.30.2.25 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

Like the others, I can only use docker as superuser… otherwise it throws this error:

cannot create user data directory: /Users/arkaitz/snap/docker/179: Read-only file system

Eclipse, which is not suitable for being executed as superuser, throws this error:

cannot create user data directory: /Users/arkaitz/snap/eclipse/29: Stale file handle

If I understood, the problem is going to be solved in a future release. Will it be available on Ubuntu 18.04’s repos?

Hey there,

for me it’s the same. I’d prefer to keep my NFS-mounted home, but with that I cannot use any snap.
In the case of vectr, for example:

$ vectr
2018/08/15 19:04:34.854496 system_key.go:127: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: open /etc/fstab: permission denied
2018/08/15 19:04:34.858470 cmd_run.go:708: WARNING: cannot create user data directory: cannot update the 'current' symlink of "/gpfs01/berens/user/slaturnus/snap/vectr/current": symlink 2 /gpfs01/berens/user/slaturnus/snap/vectr/current: operation not supported
cannot create user data directory: /gpfs01/berens/user/slaturnus/snap/vectr/2: Read-only file system

executing with sudo yields

snap run vectr
mkdir: cannot create directory '/run/user/0': Permission denied
No protocol specified

It’d be great if someone could come back to this.

A follow-up on the current fix committed at https://github.com/snapcore/snapd/pull/3958

This only handles the case where NFS directories are mounted on boot (typically from /etc/fstab). This has always been strongly discouraged by Ubuntu/Debian because of the race conditions between networking and filesystem mounting.

For that reason, as well as performance and mounting-storms, most people use AutoFS /home/* directories which only mount on first access.

This fix doesn’t handle this use case because when snapd starts it detects no NFS-mounted directories and doesn’t enable NFS support. If a user logs in and snapd is restarted, NFS support is then enabled.


Hi @zyga-snapd,
I am seeing a similar error when using lxc with snap.
Running lxc info gives the error “cannot create user data directory: /home/sbavikere/snap/lxd/12631: Permission denied”.
My home directory is NFS mounted.
Syslog has the following entry:

Jan 20 15:28:32 sbavikere-ud kernel: [4246558.473615] audit: type=1400 audit(1579552112.674:4008): apparmor="DENIED" operation="open" profile="/snap/core/8268/usr/lib/snapd/snap-confine" name="/home/" pid=97768 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=7099 ouid=0

Hmm, snap-confine's apparmor profile does not include /home/ r, - I wonder what is going on here.

Can you please edit /var/lib/snapd/apparmor/profiles/snap-confine.8268, add /home/ r, somewhere inside the part between braces ({}) and run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.core.8268 to re-load the profile in memory. Note that this will be automatically corrected by snapd, in many circumstances, so don’t rely on it lasting.

Having done that, can you reproduce the issue?

I modified the profile file and reloaded it. I still see the same error. But the syslog entry has “/home/sbavikere/snap/lxd/” instead of “/home/” now. I tried adding “/home/sbavikere/snap/lxd/” to the profile file. It doesn’t help.

Jan 22 12:28:42 sbavikere-ud kernel: [4408567.562004] audit: type=1400 audit(1579714122.290:4170): apparmor="DENIED" operation="open" profile="/snap/core/8268/usr/lib/snapd/snap-confine" name="/home/sbavikere/snap/lxd/" pid=93240 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=7099 ouid=7099