Snaps don't run in the new LTSP

alkisg · October 13, 2019, 10:41am

Hi, we’re developing the new LTSP (netbooted systems similar to live CDs), and snaps fail to run there with the following message (example from Ubuntu 18.04 64 bit):

$ gnome-calculator
cannot create lock directory /run/snapd/lock: Permission denied

At that point, journalctl shows:

Οκτ 13 09:36:42 pc01 audit[3390]: AVC apparmor="DENIED" operation="open" profile="/snap/core/7917/usr/lib/snapd/snap-confine" name="/up/" pid=3390 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Οκτ 13 09:36:42 pc01 kernel: audit: type=1400 audit(1570948602.715:324): apparmor="DENIED" operation="open" profile="/snap/core/7917/usr/lib/snapd/snap-confine" name="/up/" pid=3390 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This file might be related:

$ cat /var/lib/snapd/apparmor/snap-confine/overlay-root 
# snapd autogenerated workaround for systems using '/' on overlayfs. For
# details see: https://bugs.launchpad.net/apparmor/+bug/1703674
"/run/initramfs/ltsp/up/{,**/}" r,

The LTSP rootfs is mounted like this:

initramfs-tools mounts nfsroot=server:/srv/ltsp/images
Then scripts/init-bottom/ltsp loop-mounts /root/ltsp.squashfs to /root. A /dev/loopX device might also be needed, if the image has an MBR.
Then a tmpfs is created in /run/initramfs/ltsp, with up/work dirs,
And finally an overlay of /root and /run/initramfs/ltsp/{up,work} goes in /root.

The related lines from /proc/self/mountinfo are:

25 29 0:22 / /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,size=307384k,mode=755
28 25 0:24 / /run/initramfs/ltsp rw,relatime shared:6 - tmpfs tmpfs rw,mode=755
29 0 0:25 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=/root,upperdir=/run/initramfs/ltsp/up,workdir=/run/initramfs/ltsp/work
90 29 7:16 / /snap/gnome-characters/296 ro,nodev,relatime shared:32 - squashfs /dev/loop1 ro
93 29 7:48 / /snap/gnome-characters/317 ro,nodev,relatime shared:34 - squashfs /dev/loop3 ro
97 29 7:96 / /snap/core/7270 ro,nodev,relatime shared:35 - squashfs /dev/loop6 ro
96 29 7:64 / /snap/gnome-logs/81 ro,nodev,relatime shared:36 - squashfs /dev/loop4 ro
100 29 7:80 / /snap/core18/1074 ro,nodev,relatime shared:37 - squashfs /dev/loop5 ro
104 29 7:128 / /snap/gnome-calculator/406 ro,nodev,relatime shared:38 - squashfs /dev/loop8 ro
103 29 7:144 / /snap/gtk-common-themes/1313 ro,nodev,relatime shared:39 - squashfs /dev/loop9 ro
102 29 7:112 / /snap/gnome-3-26-1604/90 ro,nodev,relatime shared:40 - squashfs /dev/loop7 ro
108 29 7:160 / /snap/gnome-calculator/501 ro,nodev,relatime shared:41 - squashfs /dev/loop10 ro
110 29 7:176 / /snap/gnome-system-monitor/100 ro,nodev,relatime shared:42 - squashfs /dev/loop11 ro
114 29 7:208 / /snap/core/7917 ro,nodev,relatime shared:44 - squashfs /dev/loop13 ro
116 29 7:224 / /snap/gnome-logs/61 ro,nodev,relatime shared:45 - squashfs /dev/loop14 ro
118 29 7:240 / /snap/gnome-3-26-1604/92 ro,nodev,relatime shared:46 - squashfs /dev/loop15 ro
120 29 7:256 / /snap/gnome-3-28-1804/67 ro,nodev,relatime shared:47 - squashfs /dev/loop16 ro
122 29 7:272 / /snap/gnome-system-monitor/57 ro,nodev,relatime shared:48 - squashfs /dev/loop17 ro
124 29 7:288 / /snap/gnome-3-28-1804/71 ro,nodev,relatime shared:49 - squashfs /dev/loop18 ro
126 29 7:304 / /snap/gnome-system-monitor/81 ro,nodev,relatime shared:50 - squashfs /dev/loop19 ro
128 29 7:320 / /snap/core18/1192 ro,nodev,relatime shared:51 - squashfs /dev/loop20 ro
374 25 0:52 / /run/user/121 rw,nosuid,nodev,relatime shared:314 - tmpfs tmpfs rw,size=307380k,mode=700,uid=121,gid=125
821 25 0:54 / /run/user/0 rw,nosuid,nodev,relatime shared:561 - tmpfs tmpfs rw,size=307380k,mode=700
835 29 7:336 / /snap/gtk-common-themes/1353 ro,nodev,relatime shared:571 - squashfs /dev/loop21 ro
440 25 0:53 / /run/user/1101 rw,nosuid,nodev,relatime shared:374 - tmpfs tmpfs rw,size=307380k,mode=700,uid=1101,gid=1101
375 440 0:51 / /run/user/1101/gvfs rw,nosuid,nodev,relatime shared:247 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1101,group_id=1101
463 440 0:55 / /run/user/1101/doc rw,nosuid,nodev,relatime shared:255 - fuse /dev/fuse rw,user_id=1101,group_id=1101
475 821 0:56 / /run/user/0/gvfs rw,nosuid,nodev,relatime shared:263 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=0,group_id=0
550 821 0:57 / /run/user/0/doc rw,nosuid,nodev,relatime shared:271 - fuse /dev/fuse rw,user_id=0,group_id=0

Any ideas? Can we do something in the LTSP code, or can an exception be added in snapd?

The line that does the overlay in the LTSP code is in

github.com

ltsp/ltsp/blob/main/ltsp/common/ltsp/55-images.sh#L330


            ext*)  options=${options:-ro,noload} ;;
            *)  options=${options:-ro} ;;
        esac
        re omount "$image" "$dst" "$tmpfs" -t "$fstype" ${options:+-o "$options"}
        return 0
    done
    die "I don't know how to mount $src"
}
# Overlay src into dst, unless OVERLAY=0.
# Create a tmpfs on the first call. Create appropriate subdirs there to use
# for up/work dirs; don't use overlayfs subdirs like ltsp-update-image did,
# for efficiency reasons.
omount() {
    local src dst tmpfs i tmpdst
    src=$1
    dst=$2
    tmpfs=$3
    # The rest are parameters to mount
    shift 3

Thank you!

alkisg · October 13, 2019, 7:36pm

OK got it, changing this to notify snapd worked:
re mount -t overlay -o “upperdir=$tmpfs/up,lowerdir=$src,workdir=$tmpfs/work” “$tmpfs” “$dst”