Cannot share a namespaces created with 'ip netns' between apps in a devmode SNAP
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Snappy |
Invalid
|
High
|
Zygmunt Krynicki | ||
snap-confine |
Fix Released
|
Critical
|
Zygmunt Krynicki | ||
snap-confine (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
snap-confine uses linux namespaces (specifically the mount namespace) to give each started snap application process an isolated an unique view of the filesystem. This prevented applications using namespaces through bind mounted files, e.g. using the "ip netns" command as any changes to the namespace would be "locked" in the unique mount namespace of each application process.
Now snap-confine is re-designed to put all applications belonging to a given snap in the same mount namespace. The first started application creates and persists the mount namespace (in a way similar to running the command: unshare -m /path/to/file) and all other processes for all apps in the same snap just join that populated namespace.
For more information about the execution environment, please see this article http://
[Test Case]
The test case can be found here:
https:/
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
Note that this feature affects every application in every snap.
[Regression Potential]
* Regression potential is moderate. This change is large and intrusive and has managed to uncover bugs in the kernel implementation of apparmor (e.g. https:/
The feature was tested extensively by the upstream developers but still a potential for unexpected breakage is significant.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https:/
== # Pre-SRU bug description follows # ==
Please see:
https://<email address hidden>
for additional details. It was requested that I move that discussion to this bug report.
In summary it appears that multions "apps" in a SNAP cannot share the same NETNS namespace. If one app create a namespace the other apps in SNAP cannot use it. They get assorted errors like:
RTNETLINK answers: Invalid argument
Please see the details in the mail archive posting.
Changed in snappy: | |
status: | Confirmed → Triaged |
summary: |
- Cannot share a namespace between apps in a SNAP + Cannot share a namespaces created with 'ip netns' between apps in a SNAP |
summary: |
- Cannot share a namespaces created with 'ip netns' between apps in a SNAP + Cannot share a namespaces created with 'ip netns' between apps in a + devmode SNAP |
Changed in snap-confine: | |
milestone: | none → 1.0.41 |
assignee: | nobody → Zygmunt Krynicki (zyga) |
importance: | Undecided → Critical |
Changed in snap-confine: | |
status: | Fix Committed → Fix Released |
description: | updated |
Changed in snap-confine (Ubuntu): | |
status: | New → Fix Released |
Changed in snap-confine (Ubuntu Xenial): | |
status: | New → In Progress |
What version of snap-confine/ ubuntu- core-launcher are you using? I ask because I noticed a bug in snap-confine in xenial-proposed where CLONE_NEWUSER got EPERM but with ubuntu- core-launcher from xenial release it worked. Curious if these are at all related.
Please provide output from: core-launcher snap-confine
$ apt-cache policy ubuntu-