I am not able to refresh my snaps and the refreshing process ends with a permission denied error.
Copy snap “rdplot” data (cannot copy “/home/user1/snap/rdplot/18” to “/home/user1/snap/rdplot/20”: failed to copy all: “cp: cannot create directory ‘/home/user1/snap/rdplot/20’: Permission denied” (1))
/home is an NFS drive and home directories are /home/$USER
Obviously I am dealing with a multiuser system.
Actually, I do not quite understand why the refreshing process needs to modify a user’s homedir. I think the permission error is related to the fact that not all machines have root access to the NFS share, but even if all the data was on a local drive I do not really want an application to write to any user’s homedir.
Is it a bug or a feature, and how can I get around that? I want to run snap refresh nightly on every machine and all snaps should be up-to-date at any point in time. Is that possible?
Snaps have data stored in $SNAP_USER_COMMON and $SNAP_USER_DATA which correspond to ~/snap/<name>/common and ~/snap/<name>/<revision>, respectively. On snap refresh, snapd will copy forward anything from ~/snap/<name>/<previous revision> to ~/snap/<name>/<new revision>.
The only way I can see fixing this would be for snapd to drop privileges to the owner of these directories. AFAICT, snapdata.go is copying the data by preserving the perms, which wouldn’t be sufficient to handle the NFS case as you describe it.
Do I get this right assuming that there is no solution for this problem? I cannot simply drop the privs to the owner of these directories as the owners are several ones (multi user system).
We’re slowly moving to have what we call “snapshots” replace the current copying of data. Currently (with 2.36 at least) you can manage snapshots manually (see snap help save).
The interesting thing about snapshots, as well as them being compressed, is that they drop privileges. This means they should work on NFS. It should be safe for you to try: snap save, then snap restore, should work without errors.
If it does work without errors, one workaround for your current issue would be to do snap save, rename the relevant snap data directories, refresh, and then snap restore.
Things might break, so don’t go deleting the data before you’ve tried it though.
Thanks to @ogra I managed to run snap save and snap restore. However, snap restore gives me the permission error already mentioned in my initial question.
I am still a little bit confused about the whole process. Which user is performing the refresh operation? Even if it was root, it would / should not be possible to modify any user’s homedir on my system as the root user would not be the same on the NFS drive. If a process (e.g. snap save, snap restore) can manage to modify a user’s homedir in any way without the user’s password, this would be really insecure.
IMHO, I really would need to prevent snap refresh from writing to users’ home directories in order to solve that issue.
snap save and snap restore run as the user whose data is being saved or restored. When it’s run for all users, snapd first determines which users have data that needs operating on, and then loops over those users.
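An added Go example (not from the thread and not snapd's own code) of the approach discussed above: find each user's data for a snap, then copy it forward with cp running under the uid and gid that own it, so an NFS server that does not honour client root sees the owner rather than root. The function name and the homesGlob parameter are hypothetical, and the caller is assumed to be able to traverse the home directories.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"syscall"
)

// copyForwardAsOwner (added example, not snapd code; Linux only) copies
// <home>/snap/<name>/<oldRev> to <newRev> for every home matching homesGlob
// (hypothetical parameter, e.g. "/home/*"). Each cp runs under the uid/gid
// that owns the source. It returns the destinations it created.
func copyForwardAsOwner(homesGlob, name, oldRev, newRev string) ([]string, error) {
	srcs, err := filepath.Glob(filepath.Join(homesGlob, "snap", name, oldRev))
	if err != nil {
		return nil, err
	}
	var done []string
	for _, src := range srcs {
		dst := filepath.Join(filepath.Dir(src), newRev)
		fi, err := os.Lstat(src) // Lstat: never follow a user-planted symlink
		_, dstErr := os.Lstat(dst)
		if err != nil || !fi.IsDir() || dstErr == nil {
			continue // not a real directory, or already copied forward
		}
		st := fi.Sys().(*syscall.Stat_t)
		cmd := exec.Command("cp", "-a", src, dst)
		if int(st.Uid) != os.Geteuid() {
			// Empty Groups also clears root's supplementary groups in the child.
			cmd.SysProcAttr = &syscall.SysProcAttr{
				Credential: &syscall.Credential{Uid: st.Uid, Gid: st.Gid},
			}
		}
		if out, err := cmd.CombinedOutput(); err != nil {
			return done, fmt.Errorf("copy %s: %w: %s", src, err, out)
		}
		done = append(done, dst)
	}
	return done, nil
}

func main() { // constructed demo tree standing in for /home
	root, _ := os.MkdirTemp("", "homes")
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "user1/snap/rdplot/18"), 0o755)
	fmt.Println(copyForwardAsOwner(filepath.Join(root, "*"), "rdplot", "18", "20"))
}
```

The child only gets the owner's uid and primary gid; the owner's supplementary groups are not loaded, which is enough for data under the owner's own home directory.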
$ snap restore 1
error: cannot perform the following tasks:
- Restore data of snap "snappy-debug" from snapshot set #1 (mkdir /home/$USER/snap/snappy-debug/.snapshot980942652: permission denied)
- Restore data of snap "snapcraft" from snapshot set #1 (mkdir /home/$USER/snap/snapcraft/.snapshot671214586: permission denied)
- Restore data of snap "rdplot" from snapshot set #1 (mkdir /home/OTHERUSER/snap/rdplot/.snapshot334990097: permission denied)
I even get a permission denied error for directories I own (see the upper two errors).
$ snap restore 1
error: cannot perform the following tasks:
- Restore data of snap "snappy-debug" from snapshot set #1 (mkdir /home/schneider/snap/snappy-debug/.snapshot524918028: permission denied)
- Restore data of snap "snapcraft" from snapshot set #1 (context canceled)
- Restore data of snap "rdplot" from snapshot set #1 (mkdir /home/mjcho/snap/rdplot/.snapshot093361994: permission denied)
and in the other terminal:
2019/01/11 14:03:12.830378 daemon.go:296: DEBUG: pid=8150;uid=1459;socket=/run/snapd.socket;@ POST /v2/snapshots 3.690722533s 202
2019/01/11 14:03:12.832291 taskrunner.go:420: DEBUG: Running task 22962 on Do: Restore data of snap "snapcraft" from snapshot set #1
2019/01/11 14:03:12.832453 taskrunner.go:420: DEBUG: Running task 22963 on Do: Restore data of snap "rdplot" from snapshot set #1
2019/01/11 14:03:12.832504 taskrunner.go:420: DEBUG: Running task 22961 on Do: Restore data of snap "snappy-debug" from snapshot set #1
2019/01/11 14:03:12.832565 taskrunner.go:420: DEBUG: Running task 22964 on Do: Restore data of snap "core" from snapshot set #1
2019/01/11 14:03:13.156820 reader.go:292: DEBUG: Restoring "archive.tgz" from "/var/lib/snapd/snapshots/1_core_16-2.37~pre1_6233.zip" into "/var/snap/core/.snapshot733111384".
2019/01/11 14:03:13.157726 reader.go:292: DEBUG: Restoring "archive.tgz" from "/var/lib/snapd/snapshots/1_snappy-debug_0.31.7-snapd2.34_243.zip" into "/var/snap/snappy-debug/.snapshot261685207".
2019/01/11 14:03:13.159393 reader.go:184: Restore of snapshot "/var/lib/snapd/snapshots/1_rdplot_v1.2.0+git6.3c8a530_18.zip" failed (mkdir /home/mjcho/snap/rdplot/.snapshot093361994: permission denied); undoing.
2019/01/11 14:03:13.171509 reader.go:292: DEBUG: Restoring "user/root.tgz" from "/var/lib/snapd/snapshots/1_snappy-debug_0.31.7-snapd2.34_243.zip" into "/root/snap/snappy-debug/.snapshot419796513".
2019/01/11 14:03:13.176248 reader.go:184: Restore of snapshot "/var/lib/snapd/snapshots/1_snappy-debug_0.31.7-snapd2.34_243.zip" failed (mkdir /home/schneider/snap/snappy-debug/.snapshot524918028: permission denied); undoing.
2019/01/11 14:03:13.176282 restorestate.go:79: DEBUG: Removing "/var/snap/snappy-debug/common".
2019/01/11 14:03:13.176320 restorestate.go:79: DEBUG: Removing "/var/snap/snappy-debug/243".
2019/01/11 14:03:13.176337 restorestate.go:79: DEBUG: Removing "/root/snap/snappy-debug/common".
2019/01/11 14:03:13.176356 restorestate.go:79: DEBUG: Removing "/root/snap/snappy-debug/243".
2019/01/11 14:03:13.176384 restorestate.go:91: DEBUG: Restoring "/var/snap/snappy-debug/common.~WNB81f5M0~" to "/var/snap/snappy-debug/common".
2019/01/11 14:03:13.176408 restorestate.go:91: DEBUG: Restoring "/var/snap/snappy-debug/243.~5962SR0Xq~" to "/var/snap/snappy-debug/243".
2019/01/11 14:03:13.176425 restorestate.go:91: DEBUG: Restoring "/root/snap/snappy-debug/common.~lwR066T55~" to "/root/snap/snappy-debug/common".
2019/01/11 14:03:13.176440 restorestate.go:91: DEBUG: Restoring "/root/snap/snappy-debug/243.~0pRByVDmC~" to "/root/snap/snappy-debug/243".
2019/01/11 14:03:13.256722 task.go:303: DEBUG: 2019-01-11T14:03:13+01:00 ERROR mkdir /home/mjcho/snap/rdplot/.snapshot093361994: permission denied
2019/01/11 14:03:13.357722 task.go:303: DEBUG: 2019-01-11T14:03:13+01:00 ERROR mkdir /home/schneider/snap/snappy-debug/.snapshot524918028: permission denied
2019/01/11 14:03:13.684356 taskrunner.go:420: DEBUG: Running task 22964 on Undo: Restore data of snap "core" from snapshot set #1
2019/01/11 14:03:13.883845 restorestate.go:79: DEBUG: Removing "/var/snap/core/common".
2019/01/11 14:03:13.884002 restorestate.go:79: DEBUG: Removing "/var/snap/core/6233".
2019/01/11 14:03:13.884101 restorestate.go:91: DEBUG: Restoring "/var/snap/core/common.~Lqpft7lwH~" to "/var/snap/core/common".
2019/01/11 14:03:13.884178 restorestate.go:91: DEBUG: Restoring "/var/snap/core/6233.~bFMh2RYqy~" to "/var/snap/core/6233".
2019/01/11 14:03:14.087762 reader.go:184: Restore of snapshot "/var/lib/snapd/snapshots/1_snapcraft_2.42.1_1594.zip" failed (context canceled); undoing.
2019/01/11 14:03:14.087850 task.go:303: DEBUG: 2019-01-11T14:03:14+01:00 ERROR context canceled