'aws-iot-greengrass' snap fails to start due to apparmor deny on mounting of "/proc/latency_stats". [interface/greengrass-support]

Bug #1862007 reported by Alvyl Consulting
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| snapd | Fix Released | Undecided | Unassigned | |

Bug Description

## Problem Summary

'aws-iot-greengrass' snap fails to start. I am not sure why nobody has reported this problem so far.

## Error

Lambda container fails to start. I think the error is originating from runc/libcontainer.

    $ sudo tail /var/snap/aws-iot-greengrass/current/ggc-writable/var/log/system/runtime.log

    Runtime execution error: unable to start lambda container: failed to run container sandbox: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"mask path /proc/latency_stats: permission denied\""

## Root Cause

Snap's apparmor profile doesn't allow mask mounting the path `/proc/latency_stats`

    $ sudo journalctl --system -k | grep apparmor

    localhost kernel: audit: type=1400 audit(1580900786.074:19): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="snap.aws-iot-greengrass.greengrassd" name="/proc/latency_stats" pid=1309 comm="runc:[2:INIT]" srcname="/dev/null" flags="rw, bind"

## System Information

### Ubuntu

    $ uname -a

    Linux localhost 4.15.0-1054-raspi2 #58-Ubuntu SMP PREEMPT Wed Jan 15 19:28:59 UTC 2020 armv7l armv7l armv7l GNU/Linux

### Snap

    $ snap --version

    snap 2.42.5
    snapd 2.42.5
    series 16
    kernel 4.15.0-1054-raspi2

### AWS IoT Greengrass Snap

    $ snap info aws-iot-greengrass

    name: aws-iot-greengrass
    services:
      aws-iot-greengrass.greengrassd: forking, enabled, active
    snap-id: SRDuhPJGj4XPxFNNZQKOTvURAp0wxKnd
    tracking: stable
    refresh-date: yesterday at 10:28 UTC
    channels:
      stable: 1.8.0 2019-04-01 (3) 167MB -
      candidate: 1.8.0 2019-03-29 (3) 167MB -
      beta: 1.8.0 2019-03-29 (3) 167MB -
      edge: 1.8.0 2019-03-29 (3) 167MB -
    installed: 1.8.0 (3) 167MB -
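Added example, not part of the original report or of snapd: a small Python triage script that parses AppArmor audit lines like the one under Root Cause, keeps only mount denials, and derives the exact rule each denial corresponds to as a candidate for review. The function names and the second log line are assumptions of this example; the candidate rule uses standard AppArmor mount-rule syntax and is not taken from the linked pull request.

```python
import re
import shlex

# Constructed sample: the audit line quoted in the report, plus one made-up
# non-mount denial to show that unrelated events are skipped.
SAMPLE_LOG = '''\
localhost kernel: audit: type=1400 audit(1580900786.074:19): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="snap.aws-iot-greengrass.greengrassd" name="/proc/latency_stats" pid=1309 comm="runc:[2:INIT]" srcname="/dev/null" flags="rw, bind"
localhost kernel: audit: type=1400 audit(1580900790.000:20): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/shadow" pid=1400 comm="cat" requested_mask="r" denied_mask="r"
'''

AUDIT_RE = re.compile(r'audit\([\d.]+:\d+\):\s*(?P<body>.*)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        # shlex keeps quoted values such as flags="rw, bind" as one token
        tokens = shlex.split(m.group('body'))
    except ValueError:  # unbalanced quotes in a truncated line
        return None
    fields = dict(t.split('=', 1) for t in tokens if '=' in t)
    return fields if fields.get('apparmor') == 'DENIED' else None


def denied_mounts(log_text):
    """Collect mount denials, each with a candidate rule for human review."""
    results = []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or f.get('operation') != 'mount':
            continue
        flags = ', '.join(p.strip() for p in f.get('flags', '').split(','))
        # Exact source and target only, no globs, so the rule stays narrow
        rule = f"mount options=({flags}) {f.get('srcname', '')} -> {f['name']},"
        results.append({'profile': f['profile'], 'target': f['name'],
                        'pid': int(f['pid']), 'candidate_rule': rule})
    return results


if __name__ == '__main__':
    for hit in denied_mounts(SAMPLE_LOG):
        print(hit['profile'], hit['candidate_rule'], sep=': ')
```

Feeding it the output of `journalctl --system -k` instead of the sample shows which profile and which masked path each denial belongs to before anyone edits a policy.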

Alvyl Consulting (alvyl-consulting) wrote :

I have done extensive research on the problem, and I have come to a conclusion that this problem can be solved by updating apparmor profile for interface/greengrass-support.

I have a patch ready, and I can contribute a fix.

Would like to know if I am heading in the right direction and this error is reproducible by the community.

- Hari
Founder & Head of Products,
Alvyl Consulting.

summary: - 'aws-iot-greengrass' snap fails to start due to apparmor
+ 'aws-iot-greengrass' snap fails to start due to apparmor profile deny on
+ "/proc/latency_stats"
summary: - 'aws-iot-greengrass' snap fails to start due to apparmor profile deny on
- "/proc/latency_stats"
+ 'aws-iot-greengrass' snap fails to start due to apparmor deny on
+ mounting of "/proc/latency_stats". [interface/greengrass-support]
affects: snappy → snapd
Hari Krishna Ganji (dostiharise) wrote :

I raised a pull request with a fix.

https://github.com/snapcore/snapd/pull/8091

Maciej Borzecki (maciek-borzecki) wrote :

The PR landed. This should be in 2.43 patch release (if any) and 2.44.

Changed in snapd:
status: New → Fix Committed
milestone: none → 2.44
Hari Krishna Ganji (dostiharise) wrote :

@maciek-borzecki,

Thanks for assigning a milestone.

Can you kindly give me an ETA on when this patch might reach stable release?

Good day!

Ian Johnson (anonymouse67) wrote :

This was cherry-picked into 2.43 IIRC, and 2.43 has been released as of today, so you should get this shortly.

Changed in snapd:
milestone: 2.44 → 2.43.2
milestone: 2.43.2 → 2.43.3
status: Fix Committed → Fix Released
Ian Johnson (anonymouse67) wrote :

Ah actually it will go into 2.43.3, which has not yet been released, but 2.43.2 has been released. I imagine this will reach stable within 2-3 weeks. You can follow the snapd release roadmap here: https://forum.snapcraft.io/t/the-snapd-roadmap/1973
