Using ROS2 snaps in strict mode gives error

I made a strict snap with ros2 simple daemon services for Ubuntu Core system.

It runs without any issue in devmode, but when in try running it on strict mode. it outputs “getifaddrs: Operation not permitted”

and when i check the log it displays “2021-09-24 14:03:04.543 [RTPS_TRANSPORT_SHM Error] Failed to create segment e8a3e74e78b78e78: Permission denied -> Function compute_per_allocation_extra_size”

I tried with snappy debug and it said to add home to plugs which I did , but nothing changed

I couldnt debug this issue, why does this happen?

that sounds more like something like network-control or network-observe would help here, are you sure snappy-debug referred to exactly that error (it usually prints the actual denial alongside)

also, are you running your snap on Ubuntu Core ? there the home plug does not get auto-connected, you need to connect it manually

snappy-debug output:

Time: Oct 15 08:36:10 Log: apparmor=“DENIED” operation=“open” profile=“snap.turftank-software.eeprom-read” name="/home/ttank/" pid=4571 comm=“python3” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=1000 File: /home/ttank/ (read) Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • add ‘home’ to ‘plugs’

I am running it on Ubuntu core and i did connect the plugs mannually

I will try it with network-control and observe now Thanks

are you running the command with sudo ? (that does not update $HOME to /root like it should and where the snap would have access through the connected home plug) …

Yeah i removed sudo and the home plug recommendation in the snppy-debug does not appear. But i tried using network-control and observe plugs but nothing has changed.

I still get “getifaddrs: Operation not permitted”

The new snappy debug output when i run a ros2 client node:

= Seccomp = Time: Oct 15 11:14:40 Log: auid=1000 uid=1000 gid=1000 ses=3 pid=13349 comm=“python3” exe="/usr/bin/python3.8" sig=0 arch=c00000b7 198(socket) compat=0 ip=0xffff8f695978 code=0x50000 Syscall: socket Suggestions:

  • add account-control (if using NETLINK_AUDIT)
  • add audio-playback (if using NETLINK_KOBJECT_UEVENT)
  • add bluetooth-control (if using AF_{ALG,BLUETOOTH})
  • add firewall-control (if using NETLINK_{FIREWALL,IP6_FW,NETFILTER,NF_LOG,ROUTE})
  • add hardware-observe (if using NETLINK_{GENERIC,KOBJECT_UEVENT})
  • add netlink-audit (if using NETLINK_AUDIT)
  • add netlink-connector (if using NETLINK_CONNECTOR)
  • add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
  • add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
  • add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_{GENERIC,INET_DIAG,KOBJECT_UEVENT,ROUTE})
  • add raw-usb (if using NETLINK_KOBJECT_UEVENT)
  • add time-control (if using NETLINK_AUDIT)
  • add upower-observe (if using NETLINK_KOBJECT_UEVENT)
  • add x11 (if using NETLINK_KOBJECT_UEVENT)

snappy debug output when i restart the ros2 service:

= AppArmor = Time: Oct 15 11:17:44 Log: apparmor=“DENIED” operation=“mknod” profile=“snap.turftank-software.os-ros-server” name="/dev/shm/fastrtps_ff5dc87d62bcc531" pid=13425 comm=“python3” requested_mask=“c” denied_mask=“c” fsuid=0 ouid=0 File: /dev/shm/fastrtps_ff5dc87d62bcc531 (write) Suggestions:

the socket() syscall needs network-bind, try adding that to your plugs … you should also keep using sudo (but put your files into the right directories root can read) since i doubt a normal user even has permissions to even run getifaddrs()

regarding the /dev/shm access, just follow the suggestion of using the snapcraft_preload plugin … (or make your app not try to use /dev/shm directly … i think there is work going on to eventually have a shared-memory interface plug eventually, but that’s still in the planning phase and will take a while) …

Hi @ogra , I tried adding snapcraft_preload. It works now. But it always gives an error of

“2021-09-24 14:12:02.347 [RTPS_TRANSPORT_SHM Error] Failed to create segment 212c65e604b6d84c: Permission denied -> Function compute_per_allocation_extra_size 2021-09-24 14:12:02.347 [RTPS_MSG_OUT Error] Permission denied -> Function init”

Can I know why do we need to add snapcraft preload?

Also when trying to run some apps in my snap. it displays

“ERROR: object ‘/snap/turftank-software/x11/lib/’ from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.”

and it fails

this rather looks like your inclusion of snapcraft preload did not properly work yet …

snaps do not have direct access to /dev/shm under confinement, snapcraft preload should re-write this to an allowed location (/dev/shm/snap.$SNAP_NAME/):

   plugin: cmake
      - on arm64:
        - g++-multilib-arm-linux-gnueabihf
        - gcc-multilib-arm-linux-gnueabihf
        usr/local/bin/snapcraft-preload: bin/snapcraft-preload
         command: bin/snapcraft-preload opt/ros/foxy/bin/ros2 run tt2_os_ros_server os_service
         extensions: [ros2-foxy]
         plugs: [network, network-bind, i2c-1, network-manager, network-control]
         daemon: simple
              PYTHONPATH: $SNAP/usr/lib/python3/dist-packages:$PYTHONPATH

This is how i did in my snapcraft yaml file, is this right?

it surely looks like … perhaps @sergiusens can chime in here


I am using network manager in my snap. When i try to run it though a shell script it displays “ERROR: object ‘/snap//x11/lib/’ from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.”

But i tried to create an app which run network-manager, but that doesnt give out any errors.

I did not wrap either of them in snapcraft-preloaded.

in snappy-debug i get

“adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*”

How do i add my snap files outside the snap folder in /dev/shm?

you can not, for security reasons access to /dev/shm is blocked … for apps inside the same snap you can use /dev/shm/snap.$SNAP_NAME.* …

and to have your code dynamically re-use that path without having to patch all the functions that are trying to write to /dev/shm you can use the preload library that does dynamically re-write it …

to manager network-manager you should use the network-manager interface and talk to NM via dbus (which this interface fully grants) …


The /dev/shm access issue is related to FAST-RTPS(DDS) newly introduced shared-memory functionality. This is a known issue (referenced e.g. here) and we’re working on it together with eProsima. If you still have issues with snapcraft-preload, you could also try to build fastrtps/dds from source in your snap while disabling the shared-memory option; with the CMake flag SHM_TRANSPORT_DEFAULT if I’m not mistaken.

1 Like