| 2016-10-05 22:27:32 |
Tyler Hicks |
bug |
|
|
added bug |
| 2016-10-05 22:29:54 |
Zygmunt Krynicki |
snappy: status |
New |
Triaged |
|
| 2016-10-05 22:35:01 |
Tyler Hicks |
description |
The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug #1611078) have all landed in Yakkety. We should be able to install squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run snaps inside of unprivileged LXD containers.
I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.
# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety
# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...
# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash
# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed
# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied
# The normal user can't access /snap/hello-world/27 because of some oddness with the dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27 |
The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug #1611078) have all landed in Yakkety. We should be able to install squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run snaps inside of unprivileged LXD containers.
I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.
# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety
# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...
# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash
# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed
# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied
# The normal user can't access /snap/hello-world/27 because of some oddness with the
# dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27 |
|
| 2016-10-05 22:39:00 |
Jon Grimm |
bug |
|
|
added subscriber Jon Grimm |
| 2016-10-05 23:06:09 |
Tyler Hicks |
attachment added |
|
dmesg https://bugs.launchpad.net/snappy/+bug/1630789/+attachment/4755507/+files/dmesg |
|
| 2016-10-06 01:03:28 |
Tyler Hicks |
bug task added |
|
snapd (Ubuntu) |
|
| 2016-10-06 01:03:42 |
Tyler Hicks |
bug task added |
|
snap-confine (Ubuntu) |
|
| 2016-10-06 01:03:52 |
Tyler Hicks |
snap-confine (Ubuntu): importance |
Undecided |
High |
|
| 2016-10-06 01:03:54 |
Tyler Hicks |
snapd (Ubuntu): importance |
Undecided |
High |
|
| 2016-10-06 01:03:56 |
Tyler Hicks |
snap-confine (Ubuntu): status |
New |
Triaged |
|
| 2016-10-06 01:03:59 |
Tyler Hicks |
snapd (Ubuntu): status |
New |
Triaged |
|
| 2016-10-06 13:56:32 |
Jamie Strandboge |
snap-confine (Ubuntu): status |
Triaged |
In Progress |
|
| 2016-10-06 13:56:32 |
Jamie Strandboge |
snap-confine (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2016-10-06 15:15:32 |
Jamie Strandboge |
snap-confine (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2016-10-06 15:19:33 |
Jamie Strandboge |
bug task added |
|
snap-confine |
|
| 2016-10-06 15:19:48 |
Jamie Strandboge |
snap-confine: importance |
Undecided |
High |
|
| 2016-10-06 15:19:48 |
Jamie Strandboge |
snap-confine: status |
New |
Fix Committed |
|
| 2016-10-06 15:19:48 |
Jamie Strandboge |
snap-confine: assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2016-10-06 16:47:46 |
Andy Whitcroft |
snap-confine (Ubuntu Xenial): status |
New |
Fix Committed |
|
| 2016-10-06 16:47:49 |
Andy Whitcroft |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-10-06 16:47:55 |
Andy Whitcroft |
bug |
|
|
added subscriber SRU Verification |
| 2016-10-06 16:48:04 |
Andy Whitcroft |
tags |
|
verification-needed |
|
| 2016-10-06 16:57:57 |
Tyler Hicks |
snappy: status |
Triaged |
In Progress |
|
| 2016-10-06 16:58:00 |
Tyler Hicks |
snappy: assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-10-06 17:47:33 |
Launchpad Janitor |
snap-confine (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2016-10-06 19:43:29 |
Tyler Hicks |
snapd (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-10-06 19:43:34 |
Tyler Hicks |
snapd (Ubuntu): status |
Triaged |
In Progress |
|
| 2016-10-07 01:51:59 |
Tyler Hicks |
snapd (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2016-10-07 05:29:59 |
Launchpad Janitor |
snapd (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2016-10-10 19:33:09 |
Leo Arias |
tags |
verification-needed |
verification-done |
|
| 2016-10-10 20:20:51 |
Launchpad Janitor |
snap-confine (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-10-10 20:21:50 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2016-10-14 00:46:14 |
Zygmunt Krynicki |
snap-confine: milestone |
|
1.0.44 |
|
| 2016-10-20 10:54:02 |
Zygmunt Krynicki |
snap-confine: status |
Fix Committed |
Fix Released |
|
| 2016-11-03 08:19:45 |
Zygmunt Krynicki |
description |
The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug #1611078) have all landed in Yakkety. We should be able to install squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run snaps inside of unprivileged LXD containers.
I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.
# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety
# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...
# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash
# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed
# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied
# The normal user can't access /snap/hello-world/27 because of some oddness with the
# dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27 |
[Impact]
TBD
[Test Case]
Look below for a test case.
[Regression Potential]
TBD
[Other Info]
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug #1611078) have all landed in Yakkety. We should be able to install squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run snaps inside of unprivileged LXD containers.
I have verified that it works well for the root user inside of the container but there are some issues when a normal user attempts to run a snap command.
# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety
# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...
# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash
# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed
# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied
# The normal user can't access /snap/hello-world/27 because of some oddness with the
# dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27 |
|
| 2016-11-04 09:38:51 |
Andy Whitcroft |
snap-confine (Ubuntu Yakkety): status |
New |
Fix Committed |
|
| 2016-11-04 09:38:53 |
Andy Whitcroft |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-11-04 09:38:58 |
Andy Whitcroft |
tags |
verification-done |
|
|
| 2016-11-04 09:39:00 |
Andy Whitcroft |
tags |
|
verification-needed |
|
| 2016-11-04 10:00:17 |
Andy Whitcroft |
snap-confine (Ubuntu Xenial): status |
Fix Released |
In Progress |
|
| 2016-11-04 10:00:27 |
Andy Whitcroft |
snap-confine (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2017-01-03 22:34:16 |
Mathew Hodson |
snap-confine (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2017-01-03 22:34:18 |
Mathew Hodson |
snap-confine (Ubuntu Yakkety): importance |
Undecided |
High |
|
| 2017-02-03 17:24:38 |
Andreas Hasenack |
bug |
|
|
added subscriber Landscape |
| 2017-02-21 12:25:50 |
Vincent Ladeuil |
bug |
|
|
added subscriber Vincent Ladeuil |
| 2019-10-29 18:08:41 |
Zygmunt Krynicki |
snappy: status |
In Progress |
Fix Released |
|
| 2019-10-29 18:08:49 |
Zygmunt Krynicki |
affects |
snappy |
snapd |
|
