snap-confine

$SNAP_USER_DATA is no longer created by snap-confine but is not yet created by snapd

Bug #1612120 reported by Zygmunt Krynicki
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
snap-confine
Fix Released
High
Zygmunt Krynicki
snap-confine 1.0.40
snap-confine (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

Snaps cannot access $SNAP_USER_DATA directory because snap-confine does not create it.

This bug is fixed by reverting code that was removed from snap-confine that used to create this directory. This was done because at the time snapd developers introduced a feature where snapd itself would create the appropriate directory but this change took longer to enable than anticipated and in result, for a while, neither program did this.

Now snap-confine tries to create the directory even if snapd also does it earlier. This ensures that in the execution environment the snap application can rely on this directory to be in place.

For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html

[Test Case]

The test case can be found here:

https://github.com/snapcore/snap-confine/blob/master/spread-tests/user-data-dir-created/task.yaml

The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.

[Regression Potential]

 * Regression potential is minimal as this code used to exist in snap-confine before.

* The fix was tested on Ubuntu via spread and on several other distributions successfully.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.

* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.

* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

We've noticed that the code that creates the $SNAP_USER_DATA directory has now been removed from snap-confine for the past few releases but the corresponding code in snapd, that depends on snap-exec, is not yet active. This has lead to some snaps that rely on it to have no way to create per-user data directories.

TEST CASE:
1. sudo snap install bluez
2. sudo systemctl status snap.bluez.obex
3. verify that it fails to start the service
4. install snapd from xenial-proposed
5. snap remove bluez
6. snap install bluez
7. repeat (2)
8. verify that it works this time

See original description
Zygmunt Krynicki (zyga)
Changed in snap-confine:
milestone: none → 1.0.40
assignee: nobody → Zygmunt Krynicki (zyga)
importance: Undecided → High
status: New → In Progress
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This is fixed by https://github.com/snapcore/snap-confine/pull/97

Changed in snap-confine:
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Zygmunt, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.38-0ubuntu0.16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Adam Conrad (adconrad)
Changed in snap-confine (Ubuntu Xenial):
status: New → Fix Committed
Michael Vogt (mvo)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snap-confine (Ubuntu):
status: New → Confirmed
Revision history for this message
Federico Gimenez (fgimenez) wrote :
Download full text (3.1 KiB)

Verified with current snap-confine:

fgimenez@innsmouth:~$ apt-cache policy snap-confine
snap-confine:
  Installed: 1.0.38-0ubuntu0.16.04.4
  Candidate: 1.0.38-0ubuntu0.16.04.4
  Version table:
 *** 1.0.38-0ubuntu0.16.04.4 500
        500 http://es.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
fgimenez@innsmouth:~$ sudo snap installl bluez
[sudo] password for fgimenez:
error: Unknown command `installl', did you mean `install'?
fgimenez@innsmouth:~$ sudo snap install bluez
1.97 MB / 2.27 MB [==================================>______] 86.72 % 1.22 MB/s
fgimenez@innsmouth:~$ systemctl status snap.bluez.obex.service
● snap.bluez.obex.service - Service for snap application bluez.obex
   Loaded: loaded (/etc/systemd/system/snap.bluez.obex.service; enabled; vendor preset: enabled)
   Active: inactive (dead) (Result: exit-code) since lun 2016-08-15 16:10:39 CEST; 35s ago
  Process: 32582 ExecStart=/usr/bin/ubuntu-core-launcher snap.bluez.obex snap.bluez.obex /snap/bluez/6/command-obex.wrapper (code=exited, status=1/FAILURE)
 Main PID: 32582 (code=exited, status=1/FAILURE)

ago 15 16:10:39 innsmouth systemd[1]: snap.bluez.obex.service: Main process exited, code=exited, status=1/FAILURE
ago 15 16:10:39 innsmouth systemd[1]: snap.bluez.obex.service: Unit entered failed state.
ago 15 16:10:39 innsmouth systemd[1]: snap.bluez.obex.service: Failed with result 'exit-code'.
ago 15 16:10:39 innsmouth systemd[1]: snap.bluez.obex.service: Service hold-off time over, scheduling restart.
ago 15 16:10:39 innsmouth systemd[1]: Stopped Service for snap application bluez.obex.
ago 15 16:10:39 innsmouth systemd[1]: snap.bluez.obex.service: Start request repeated too quickly.
ago 15 16:10:39 innsmouth systemd[1]: Failed to start Service for snap application bluez.obex.
fgimenez@innsmouth:~$ sudo snap remove bluez

bluez removed

fgimenez@innsmouth:~$ apt-cache policy snap-confine
snap-confine:
  Installed: 1.0.38-0ubuntu0.16.04.8
  Candidate: 1.0.38-0ubuntu0.16.04.8
  Version table:
 *** 1.0.38-0ubuntu0.16.04.8 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.38-0ubuntu0.16.04.4 500
        500 http://es.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
fgimenez@innsmouth:~$ sudo snap install bluez
1.83 MB / 2.27 MB [===================================================================================================================================>_________________________________] 80.53 % 1.12 MB/s

bluez (stable) 5.37-1 from 'canonical' installed
fgimenez@innsmouth:~$ systemctl status snap.bluez.obex.service
● snap.bluez.obex.service - Service for snap application bluez.obex
   Loaded: loaded (/etc/systemd/system/snap.bluez.obex.service; enabled; vendor preset: enabled)
   Active: active (running) since lun 2016-08-15 16:12:36 CEST; 3s ago
 Main PID: 1180 (obexd)
    Tasks: 1
   Memory: 1.4M
      CPU: 29ms
   CGroup: /system.slice/snap.bluez.obex.service
           └─1180 /snap/bluez/6/usr/lib/bluetooth/obexd

ago 15 16:12:36 innsmouth systemd[1]: Started Service for snap application bluez.obex.
ago 15 16:12:36 innsmouth obexd...

Read more...

tags: added: verification-done
removed: verification-needed
Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: Fix Committed → Fix Released
Revision history for this message
Michael Vogt (mvo) wrote :

This is fixed with the 1.0.40 upload to yakkety

Changed in snap-confine (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snap-confine - 1.0.38-0ubuntu0.16.04.8

---------------
snap-confine (1.0.38-0ubuntu0.16.04.8) xenial; urgency=medium

  * debian/patches/04_not_die_unknown_locations.patch:
    - move to /tmp if the current location can not be preserved
      (LP: #1612684)

snap-confine (1.0.38-0ubuntu0.16.04.7) xenial; urgency=medium

  * fix apparmor rules when a snap is run on new-style encrypted
    home with sudo (LP: #1612291)

snap-confine (1.0.38-0ubuntu0.16.04.6) xenial; urgency=medium

  * fix apparmor rules when a snap is run on encrypted home
    with sudo (LP: #1612291)

snap-confine (1.0.38-0ubuntu0.16.04.5) xenial; urgency=medium

  * 03_fix_snap_user_data_regression.patch:
    - fix regression in autopkgtest with snap-confine when the
      SNAP_USER_DATA directory is not created for services
      (LP: #1612120)

 -- Michael Vogt <email address hidden> Fri, 12 Aug 2016 16:45:17 +0200

Changed in snap-confine (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for snap-confine has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Zygmunt Krynicki (zyga)
description: updated
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.