Snaps with classic confinement and NFS /home


#1

For snaps with classic confinement, like conjure-up, is there a workaround to make them work when $HOME is on NFS?

On Ubuntu Xenial server, with snapd 2.25, running conjure-up 2.2.2 fails:
$ conjure-up
cannot create user data directory: /home/ubuntu/snap/conjure-up/549: Permission denied

$ mount | grep home
node09ob28.maas:/mnt/nfs/ubuntu on /home/ubuntu type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.27.28.117,local_lock=none,addr=172.27.28.116)

$ grep -i denied /var/log/syslog
Aug 15 23:35:11 node09ob28 kernel: [ 902.908181] audit: type=1400 audit(1502840111.290:34): apparmor="DENIED" operation="sendmsg" profile="/snap/core/2462/usr/lib/snapd/snap-confine" pid=17018 comm="snap-confine" laddr=172.27.28.117 lport=823 faddr=172.27.28.116 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Aug 15 23:35:11 node09ob28 kernel: [ 902.908200] audit: type=1400 audit(1502840111.290:35): apparmor="DENIED" operation="sendmsg" profile="/snap/core/2462/usr/lib/snapd/snap-confine" pid=17018 comm="snap-confine" laddr=172.27.28.117 lport=823 faddr=172.27.28.116 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Aug 15 23:35:11 node09ob28 kernel: [ 902.908215] audit: type=1400 audit(1502840111.290:36): apparmor="DENIED" operation="sendmsg" profile="/snap/core/2462/usr/lib/snapd/snap-confine" pid=17018 comm="snap-confine" laddr=172.27.28.117 lport=823 faddr=172.27.28.116 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
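
A triage sketch for the denials in the post above, added here as an example and not part of the original thread: it parses AppArmor audit records and counts those where a snap-confine profile was denied traffic to the NFS port (2049, the fport in the log). The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

NFS_PORT = "2049"  # NFS server port; the fport value in the post's log

# key=value or key="value" pairs inside a kernel audit record
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Pasted logs often arrive with curly quotes; map them back to straight ones
_CURLY = {0x201C: '"', 0x201D: '"'}


def parse_apparmor_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    line = line.translate(_CURLY)
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def nfs_denials(lines):
    """Count denials where a snap-confine profile was blocked from reaching NFS."""
    hits = Counter()
    for line in lines:
        f = parse_apparmor_denial(line)
        if not f or not f.get("profile", "").endswith("/snap-confine"):
            continue
        if f.get("fport") != NFS_PORT:
            continue
        hits[(f["profile"], f.get("operation"), f.get("faddr"), f.get("denied_mask"))] += 1
    return hits


# Constructed sample lines, modeled on the syslog excerpt in the post
_PROFILE = "/snap/core/2462/usr/lib/snapd/snap-confine"
SAMPLE = [
    f'audit: type=1400 audit(1502840111.290:34): apparmor="DENIED" operation="sendmsg" '
    f'profile="{_PROFILE}" comm="snap-confine" faddr=172.27.28.116 fport=2049 denied_mask="send"',
    # Same record as it looks after curly-quote mangling
    f'audit: type=1400 audit(1502840111.290:35): apparmor=“DENIED” operation=“sendmsg” '
    f'profile=“{_PROFILE}” comm=“snap-confine” faddr=172.27.28.116 fport=2049 denied_mask=“send”',
    # Unrelated denial (hypothetical profile) and a non-denial record: both ignored
    'audit: type=1400 audit(1502840111.300:36): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/example" name="/etc/example.conf" denied_mask="r"',
    'audit: type=1400 audit(1502840111.310:37): apparmor="STATUS" operation="profile_load"',
]

if __name__ == "__main__":
    for key, count in nfs_denials(SAMPLE).items():
        print(count, *key)
```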


#2

This is discussed extensively in Snaps and NFS /home. Please feel free to comment in that thread. I’m going to archive this topic since it is a duplicate.


#3