Ubuntu
snap-confine package

Comment 0 for bug 1630789

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2016-10-05:

The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug #1611078) have all landed in Yakkety. We should be able to install squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run snaps inside of unprivileged LXD containers.

I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.

# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety

# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...

# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash

# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed

# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied

# The normal user can't access /snap/hello-world/27 because of some oddness with the dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27

I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.

# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety

# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash

# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed

# The normal user can't access /snap/hello-world/27 because of some oddness with the dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct  5 21:09 .
drwxr-xr-x 5 root root 4096 Oct  5 21:09 ..
drwxrwxr-x 4 root root    0 Jul 11 21:20 27
lrwxrwxrwx 1 root root    2 Oct  5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct  5 21:09 .
drwxr-xr-x 5 root root 4096 Oct  5 21:09 ..
d????????? ? ?    ?       ?            ? 27
lrwxrwxrwx 1 root root    2 Oct  5 21:09 current -> 27

Ubuntusnap-confine package

Comment 0 for bug 1630789

Ubuntu
snap-confine package