kyrofa
May 22, 2018, 10:44pm
In an unprivileged container, when I try to run something that I’ve snap try'd:
$ my-snap-name.hello
cannot remount /tmp/snap.rootfs_ylvYEe/var/lib/snapd/lib/vulkan as read-only: Permission denied
Okay, so just for the heck of it I make the container privileged, and that doesn’t work either:
ubuntu@snapcraft:~$ my-snap-name.hello
cannot perform operation: mount --rbind /snap /snap: Permission denied
How can we make this work? I want to use snap try, but I have an encrypted home which has never worked, and it doesn’t work in lxd either.
@jdstrand do you have any thoughts on this?
Sorry for just getting to this now. I tried this and it works for me with 2.33.1. I know that some work was done surrounding nvidia/vulkan recently, so perhaps try with a newer version?
Fyi, I just used a modified hello-world snap which added the ‘opengl’ interface and it ran fine. There was a snap-update-ns denial on the host though:
Jul 6 13:50:00 localhost kernel: [454665.057928] audit: type=1400 audit(1530903000.971:1885): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-grown-garfish_<var-snap-lxd-common-lxd>" profile="snap-update-ns.snap-example" name="/dev/pts/0" pid=23268 comm="3" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1001000
I was able to make this go away by adding the following to the snap-update-ns profile:
/dev/pts/0 rw,
(again, that denial seemed non-fatal)
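An added example, not part of any post in this thread: a small parser for AppArmor audit denials like the one quoted above, reporting which policy layer denied the access and the file rule to review. The function names and the layer heuristic (based only on the `namespace=` and `profile=` naming visible in this thread) are assumptions of the example.

```python
import re

# Denial copied from the post above (the snap-update-ns one).
SAMPLE = ('Jul 6 13:50:00 localhost kernel: [454665.057928] audit: type=1400 '
          'audit(1530903000.971:1885): apparmor="DENIED" operation="file_inherit" '
          'namespace="root//lxd-grown-garfish_<var-snap-lxd-common-lxd>" '
          'profile="snap-update-ns.snap-example" name="/dev/pts/0" pid=23268 '
          'comm="3" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1001000')

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line, or None if not a denial."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def policy_owner(fields):
    """Name the policy layer that denied the access (heuristic, see lead-in)."""
    if fields.get("namespace", "").startswith("root//lxd-"):
        return "profile inside the container's AppArmor namespace"
    if fields.get("profile", "").startswith("lxd-"):
        return "LXD's own profile for the container"
    return "host profile"


def candidate_rule(fields):
    """Build a file rule to review for an r/w denial; None otherwise (e.g. mount)."""
    mask = set(fields.get("denied_mask", ""))
    if not mask or not mask <= {"r", "w"} or "name" not in fields:
        return None
    perms = "".join(p for p in "rw" if p in mask)  # "wr" in the log becomes "rw"
    return f'{fields["name"]} {perms},'


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["profile"], "|", policy_owner(d), "|", candidate_rule(d))
```

Mount denials carry no `denied_mask`, so `candidate_rule` returns None for them; they need a mount rule in the denying profile rather than a file rule.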
Thanks @jdstrand. It ended up being this:
I recently started working on a machine that has an nvidia card. As I often do, I launched an ephemeral, unprivileged LXD instance and tried to use a snap:
$ hello-world
cannot remount /tmp/snap.rootfs_o6dcBz/var/lib/snapd/lib/vulkan as read-only: Permission denied
This is caused by an apparmor denial:
[61955.378584] audit: type=1400 audit(1530126985.909:482): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-brave-drum_</var/snap/lxd/common/lxd>" name="/tmp…