Ubuntu 20.04 Upgrade and Snap Issues

Hey everyone, I have been stuck on this for a few days now and I have spent over a dozen hours trying to learn the workings of snap and searching various threads. At this point, all I want is my data out of the snap container, whether it is the Wordpress site or docker image, anything I can use to rebuild. Basically, I created a VM on vmware, installed Ubuntu 19.10 and snapd. I added the docker snap and then Wordpress and MariaDB dockers. I then spent a lot of time building a website over a couple of days before updating to Ubuntu 20.04. At one point before updating, I was having issues starting the docker snap, with some permissions issue. I resolved this by creating a docker group, adding my user, and then running “newgrp docker.”

After updating, I had to reboot and went to start docker again. It failed. After running “sudo snap start docker” it would say started, but I was getting the same errors in the journalctl as before:

Jul 01 16:27:00 webuntu systemd[1]: Started Service for snap application docker.dockerd.
Jul 01 16:27:00 webuntu audit[4746]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4746 comm="mount" exe="/snap/docker/471/bin/mount" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f9c8d005b9a code=0x50000
Jul 01 16:27:00 webuntu audit[4747]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/run/mount/utab" pid=4747 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4747]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4747 comm="umount" exe="/snap/docker/471/bin/umount" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7f0cb3a62487 code=0x50000
Jul 01 16:27:00 webuntu audit[4748]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/4748/mountinfo" pid=4748 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4748]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/4748/mounts" pid=4748 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4749]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/4749/mountinfo" pid=4749 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4749]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/proc/4749/mounts" pid=4749 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4750]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4750 comm="mount" exe="/snap/docker/471/bin/mount" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f6014f3cb9a code=0x50000
Jul 01 16:27:00 webuntu audit[4751]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/run/mount/utab" pid=4751 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 01 16:27:00 webuntu audit[4751]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4751 comm="umount" exe="/snap/docker/471/bin/umount" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7fa 

I repeated the earlier steps with no luck, then went on to try and disable the apparmor profiles, disable apparmor altogether, and even modify various profiles. Nothing helped. Now, I am at the point where I am sick of snap and just will install docker on Ubuntu itself, but I need to somehow get my data off. Even if I can get the docker snap running long enough to extract the images, I don’t care but I really could use some help. Here is my current situation:

$ sudo snap logs docker
2020-07-02T18:21:00Z systemd[1]: Stopped Service for snap application docker.dockerd.
2020-07-02T18:21:00Z systemd[1]: Started Service for snap application docker.dockerd.
2020-07-02T18:21:00Z docker.dockerd[58861]: cannot change profile for the next exec call: No such file or directory
2020-07-02T18:21:00Z systemd[1]: snap.docker.dockerd.service: Main process exited, code=exited, status=1/FAILURE
2020-07-02T18:21:00Z systemd[1]: snap.docker.dockerd.service: Failed with result 'exit-code'.
2020-07-02T18:21:00Z systemd[1]: snap.docker.dockerd.service: Scheduled restart job, restart counter is at 5.
2020-07-02T18:21:00Z systemd[1]: Stopped Service for snap application docker.dockerd.
2020-07-02T18:21:00Z systemd[1]: snap.docker.dockerd.service: Start request repeated too quickly.
2020-07-02T18:21:00Z systemd[1]: snap.docker.dockerd.service: Failed with result 'exit-code'.
2020-07-02T18:21:00Z systemd[1]: Failed to start Service for snap application docker.dockerd.


$ sudo snap version
snap    2.45.1
snapd   2.45.1
series  16
ubuntu  20.04
kernel  5.4.0-39-generic


Jul 02 18:20:59 webuntu systemd[1]: Started Service for snap application docker.dockerd.
Jul 02 18:20:59 webuntu audit[58756]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.docker.dockerd" pid=58756 comm="snap-confine"
Jul 02 18:20:59 webuntu docker.dockerd[58756]: cannot change profile for the next exec call: No such file or directory
Jul 02 18:20:59 webuntu kernel: audit: type=1400 audit(1593714059.193:121): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.docker.dockerd" pid=58756 comm="snap-confine"
Jul 02 18:20:59 webuntu systemd[1]: snap.docker.dockerd.service: Main process exited, code=exited, status=1/FAILURE
Jul 02 18:20:59 webuntu systemd[1]: snap.docker.dockerd.service: Failed with result 'exit-code'.

Is there anyone that can help me out here? Even if we don’t fix the snap problems, is there any way I can take the snap and move it to another host to extract my data? Thanks in advance!

Here is some more information I forgot to add to initial post:

$ sudo snap services
Service              Startup  Current   Notes
docker.dockerd       enabled  inactive  -
lxd.activate         enabled  inactive  -
lxd.daemon           enabled  inactive  socket-activated
mosquitto.mosquitto  enabled  inactive  -

$ uname -r
5.4.0-39-generic

$ sudo snap list
Name       Version    Rev    Tracking          Publisher     Notes
core       16-2.45.1  9436   latest/stable     canonical✓    core
core18     20200427   1754   latest/stable     canonical✓    base
docker     19.03.11   471    latest/candidate  canonical✓    -
lxd        4.2        15896  latest/stable/…   canonical✓    -
mosquitto  1.6.10     298    latest/candidate  mosquitto✓    -
wormhole   0.11.2     112    latest/stable     snapcrafters  -

$ sudo aa-status
apparmor module is loaded.
45 profiles are loaded.
45 profiles are in enforce mode.
   /snap/core/9436/usr/lib/snapd/snap-confine
   /snap/core/9436/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.core
   snap-update-ns.docker
   snap-update-ns.lxd
   snap-update-ns.mosquitto
   snap-update-ns.wormhole
   snap.core.hook.configure
   snap.docker.compose
   snap.docker.docker
   snap.docker.help
   snap.docker.hook.install
   snap.docker.hook.post-refresh
   snap.docker.machine
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   snap.mosquitto.mosquitto
   snap.mosquitto.passwd
   snap.mosquitto.pub
   snap.mosquitto.rr
   snap.mosquitto.sub
   snap.wormhole.wormhole
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

$ sudo snap interfaces
Slot                       Plug
:account-control           -
:accounts-service          -
:adb-support               -
:alsa                      -
:appstream-metadata        -
:audio-playback            -
:audio-record              -
:autopilot-introspection   -
:avahi-control             -
:avahi-observe             -
:block-devices             -
:bluetooth-control         -
:bluez                     -
:broadcom-asic-control     -
:browser-support           -
:calendar-service          -
:camera                    -
:can-bus                   -
:cifs-mount                -
:classic-support           -
:contacts-service          -
:core-support              -
:cpu-control               -
:cups-control              -
:daemon-notify             -
:dcdbas-control            -
:desktop                   -
:desktop-legacy            -
:device-buttons            -
:display-control           -
:docker-support            -
:dvb                       -
:firewall-control          -
:framebuffer               -
:fuse-support              -
:fwupd                     -
:gpg-keys                  -
:gpg-public-keys           -
:gpio-control              -
:gpio-memory-control       -
:greengrass-support        -
:gsettings                 -
:hardware-observe          -
:hardware-random-control   -
:hardware-random-observe   -
:home                      -
:hostname-control          -
:intel-mei                 -
:io-ports-control          -
:jack1                     -
:joystick                  -
:juju-client-observe       -
:kernel-module-control     -
:kernel-module-observe     -
:kubernetes-support        -
:kvm                       -
:libvirt                   -
:locale-control            -
:log-observe               -
:login-session-control     -
:login-session-observe     -
:lxd-support               lxd
:modem-manager             -
:mount-observe             -
:multipass-support         -
:netlink-audit             -
:netlink-connector         -
:network                   lxd
:network-bind              lxd
:network-control           -
:network-manager           -
:network-manager-observe   -
:network-observe           -
:network-setup-control     -
:network-setup-observe     -
:network-status            -
:ofono                     -
:opengl                    -
:openvswitch               -
:openvswitch-support       -
:optical-drive             -
:packagekit-control        -
:password-manager-service  -
:personal-files            -
:physical-memory-control   -
:physical-memory-observe   -
:power-control             -
:ppp                       -
:process-control           -
:pulseaudio                -
:raw-usb                   -
:removable-media           -
:screen-inhibit-control    -
:screencast-legacy         -
:shutdown                  -
:snapd-control             -
:ssh-keys                  -
:ssh-public-keys           -
:system-backup             -
:system-files              -
:system-observe            lxd
:system-trace              -
:time-control              -
:timeserver-control        -
:timezone-control          -
:tpm                       -
:u2f-devices               -
:udisks2                   -
:uhid                      -
:unity7                    -
:upower-observe            -
:wayland                   -
:x11                       -
docker:docker-daemon       docker:docker-cli
docker:docker-executables  -
lxd:lxd                    -
-                          docker:firewall-control
-                          docker:home
-                          docker:network
-                          docker:network-bind
-                          docker:network-control
-                          docker:privileged
-                          docker:removable-media
-                          docker:support
-                          mosquitto:home
-                          mosquitto:network
-                          mosquitto:network-bind
-                          wormhole:home
-                          wormhole:network
-                          wormhole:network-bind
-                          wormhole:removable-media
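
Added example (not part of the original posts and not snapd or AppArmor project code): the two journal excerpts above show different AppArmor failures, and this sketch separates them, treating `change_onexec` with `info="label not found"` as a target profile that is not loaded and everything else as a loaded profile refusing an access. The sample lines and profile names are copied from the posts; the function names and finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: journal lines and the docker-related profile names,
# copied from the journalctl and aa-status output quoted in the posts above.
JOURNAL = """\
Jul 01 16:27:00 webuntu systemd[1]: Started Service for snap application docker.dockerd.
Jul 01 16:27:00 webuntu audit[4747]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/run/mount/utab" pid=4747 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 18:20:59 webuntu audit[58756]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.docker.dockerd" pid=58756 comm="snap-confine"
Jul 02 18:20:59 webuntu kernel: audit: type=1400 audit(1593714059.193:121): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.docker.dockerd" pid=58756 comm="snap-confine"
"""
LOADED_PROFILES = {
    "snap-update-ns.docker", "snap.docker.compose", "snap.docker.docker",
    "snap.docker.help", "snap.docker.hook.install",
    "snap.docker.hook.post-refresh", "snap.docker.machine",
}

# key=value or key="quoted value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD.findall(line)}

def classify(ev, loaded):
    """Separate 'target profile is not loaded' from 'loaded profile denies access'."""
    if ev.get("operation") == "change_onexec" and ev.get("info") == "label not found":
        target = ev["name"]  # label the process asked to switch to on exec
        state = "listed by aa-status" if target in loaded else "absent from aa-status"
        return ("missing-profile", target, state)
    return ("policy-denial", ev["profile"], f'{ev["operation"]} {ev["name"]}')

def diagnose(journal, loaded):
    """Deduplicated, order-preserving findings for every DENIED line."""
    findings = []
    for line in journal.splitlines():
        ev = parse_denial(line)
        if ev and (finding := classify(ev, loaded)) not in findings:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for kind, profile, detail in diagnose(JOURNAL, LOADED_PROFILES):
        print(f"{kind:16} {profile:22} {detail}")
```

On this input the July 1 record is a denial issued by a loaded `snap.docker.dockerd` profile, while the July 2 records name a profile that the posted `aa-status` list does not contain.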

moved to the snapd category so it gets the right team's attention …

Thanks, sorry to post in wrong forum.

After searching this site, I did find a post on Advanced snap usage. I went through and manually connected slot/plugs, ran through all commands advised for installed docker snap (aside from installing), and then rebooted VM. Upon boot, I was surprised to see that the docker snap was running, but it cannot find my images. Both are still showing that they are in the /var/snap/docker folder so it seems there may be a connection issue. Can anyone advise?

Also, I now believe I have found the solution to the original issue which might have prevented all of this. If having permissions issues with the docker snap (mosquitto in my case), make sure to connect docker:docker-cli to docker:docker-daemon, and in my case I only installed snapd and not snapcraft (if it makes a difference).

What is “snap changes” on this system?