Unable to run snap app from privileged lxc container

Steps to reproduce:

  1. Create a new unprivileged xenial lxc container. Make sure it’s up-to-date and has squashfuse installed

  2. Install the hello-world snap: snap install hello-world

  3. Run hello-world. Note that it works

  4. Now create a new PRIVILEGED xenial lxc container (e.g. lxc launch ubuntu:xenial -e -c security.privileged=true). Make sure it’s up-to-date and has squashfuse installed

  5. Install the hello-world snap: snap install hello-world

  6. Run hello-world. Note that it does NOT work, failing with the message “cannot perform operation: mount --rbind /snap /snap: Permission denied”. Also note a denial like the following in your syslog:

    Jul 20 19:56:23 still-chigger kernel: [ 8872.278527] audit: type=1400 audit(1500580583.874:335): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-still-chigger_</var/lib/lxd>" name="/snap/" pid=8595 comm="snap-confine" srcname="/snap/" flags="rw, rbind"

@zyga-snapd @niemeyer this issue may also interest you.

That apparmor profile looks like something that was loaded by lxd itself.

@stgraber Any ideas here?

@jdstrand any chance you have insight into this issue?

It looks like the container is running under confinement and that confinement is not allowing snap-confine to do its business. Note that the profile name is ‘lxd-still-chigger_’, which is not the snap-confine profile. I suspect that lxd is not using LXD stacking here and apparmor policy for snap-confine is not being loaded.

What kernel are you using? Is this an Ubuntu kernel?

Yeah, just good old xenial, 4.4.0-96-generic.
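To triage a denial like the one quoted in the report, here is an added example (not code from the thread, LXD or snapd): it parses the audit line's key=value fields and reports which profile issued the denial, which is the distinction drawn above between the container's `lxd-…` profile and the snap-confine profile. The classification rules are this example's own heuristics, not an AppArmor or snapd API.

```python
"""Parse an AppArmor DENIED audit line and say which profile denied it."""
import re

# Constructed from the syslog line quoted in the bug report (straight quotes).
SAMPLE_DENIAL = (
    'Jul 20 19:56:23 still-chigger kernel: [ 8872.278527] audit: type=1400 '
    'audit(1500580583.874:335): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 '
    'profile="lxd-still-chigger_</var/lib/lxd>" name="/snap/" pid=8595 '
    'comm="snap-confine" srcname="/snap/" flags="rw, rbind"'
)

# key=value or key="value with spaces"; values such as the profile name may
# contain '<', '>' and '/', which the quoted alternative handles whole.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit message as a dict."""
    return {k: (quoted if quoted else bare)
            for k, quoted, bare in _FIELD.findall(line)}


def classify_denial(fields):
    """Heuristic (this example's own): name the policy that produced the denial."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    profile = fields.get("profile", "")
    if "snap-confine" in profile:
        # The snap-confine profile itself refused the operation.
        return "snap-confine-profile"
    if profile.startswith("lxd-"):
        # The container's LXD-generated profile is the one refusing, so the
        # snap-confine policy was never the deciding profile (as noted above).
        return "lxd-container-profile"
    return "other-profile"


if __name__ == "__main__":
    f = parse_audit_line(SAMPLE_DENIAL)
    print(f["profile"], f["operation"], f["flags"], "->", classify_denial(f))
```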