"snap refresh" does not report failure to update because snap switched to classic confinement

Bug #1811063 reported by Trent Lloyd
This bug affects 3 people
Affects: snapd
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

I had an issue where my "charm" (tools) snap was very out of date. Running "snap refresh" suggested it was up to date. However, only in the syslog for snapd did it mention that it failed to update it because it had switched to classic confinement, and required confirmation to do so.

Unfortunately I can no longer reproduce this to make a better bug report, since it's not easy for me to publish a snap as normal confinement then switch it to classic.

While I imagine this scenario is not super-common right now, I suspect this may leave older users of the charm tools at least stranded on an older version.

It would be great if someone with the appropriate snap store powers can confirm this bug and then it can get fixed, so that "snap refresh" will report this information rather than having it silently logged only.

Trent Lloyd (lathiat)
Changed in snappy:
status: New → Invalid
John Lenton (chipaca) wrote :

Thank you for the report!

We should be able to leverage warnings to let the user know about this. I'll look into it.

Changed in snapd:
importance: Undecided → Low
status: New → In Progress
assignee: nobody → John Lenton (chipaca)
no longer affects: snappy
Zygmunt Krynicki (zyga) wrote :

John, are you still working on this?

Zygmunt Krynicki (zyga)
Changed in snapd:
assignee: John Lenton (chipaca) → nobody
status: In Progress → Confirmed
Trent Lloyd (lathiat) wrote :

I ran into this again with the 'hotsos' snap. It's frustrating because you get no warning that the snap isn't being updated. It does log this to syslog repeatedly:
Oct 08 13:33:06 optane snapd[2463]: snapstate.go:1334: cannot update "hotsos": snap "hotsos" requires classic confinement

But a plain "snap refresh" makes no mention and a "snap info hotsos" shows that the installed version is old but otherwise does not remark why or that there is a problem.

The only way to realise this is to run "sudo snap refresh hotsos" and then it complains with the exact same error as the install phase:

$ sudo snap refresh hotsos
[sudo] password for lathiat:
error: This revision of snap "hotsos" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.

I think this could really do with improvement to:
- List an error in the CLI output from "snap refresh"
- Make it more clear in the "snap info hotsos" output that the version is outdated and why
- For desktops, have the snap store pop up an alert about it, since you're much less likely to check the logs on a desktop compared to a server
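
Until "snap refresh" reports this itself, the held-back snaps can be found from the snapd log line quoted in the comment above. The following is an added example, not part of the original report or of snapd: the function name, the sample log lines (the first is the line from this report, the rest are constructed) and the summary format are assumptions.

```shell
#!/bin/sh
# Added example: find snaps whose refresh is being skipped because the new
# revision requires classic confinement, using the snapd log message
# quoted in this bug report.

# Reads snapd log lines on stdin (syslog / default journalctl format) and
# prints one line per held-back snap: "<snap> <occurrences> <last seen>".
stuck_classic_snaps() {
    awk '
        # Accept only characters valid in snap names, so that other quoted
        # text in a log line is never reported as a snap.
        /cannot update "[a-z0-9-]+": snap "[a-z0-9-]+" requires classic confinement/ {
            name = $0
            sub(/.*cannot update "/, "", name)   # drop everything before the name
            sub(/".*/, "", name)                 # drop everything after it
            count[name]++
            last[name] = $1 " " $2 " " $3        # month, day, time
        }
        END { for (s in count) print s, count[s], last[s] }
    ' | sort
}

# Sample input. First line is from the report; the others are constructed.
sample_log() {
    cat <<'EOF'
Oct 08 13:33:06 optane snapd[2463]: snapstate.go:1334: cannot update "hotsos": snap "hotsos" requires classic confinement
Oct 08 13:40:11 optane snapd[2463]: snapstate.go:1334: cannot update "charm": snap "charm" requires classic confinement
Oct 08 14:02:40 optane snapd[2463]: (constructed) unrelated message
Oct 08 17:33:09 optane snapd[2463]: snapstate.go:1334: cannot update "hotsos": snap "hotsos" requires classic confinement
EOF
}

# Offline demo on the sample lines. On a real host, feed the journal instead:
#   journalctl -u snapd --no-pager | stuck_classic_snaps
sample_log | stuck_classic_snaps
```

Any snap listed is pinned at its old revision, and so misses later fixes, until it is refreshed by name and the classic confinement prompt shown above is answered.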
