Issue with system-packages-doc auto connection (snap-update-ns confinement issue)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Fix Committed
|
Undecided
|
Zygmunt Krynicki |
Bug Description
Hi,
I'm looking to migrate an existing Snap to the bare base from core22 (i.e. the "build-base" is still core22 but the "base" is bare). I'm running into an issue only on the new bare base snap where the system-packages-doc interface doesn't seem to autoconnect properly until I manually disconnect and reconnect but I don't observe this problem on the core22 snap.
The snap in question is the canonical-livepatch client snap - https:/
Working:
To see the Snap working properly you can do the following
`sudo snap install canonical-livepatch --channel=
`snap run --shell canonical-
`stat /usr/share/
We do this in order to try and determine the build date of the currently running kernel and it works fine.
This snap is built from the following snapcraft.yaml - https:/
Not working:
To observe the problem with the bare base snap run the following,
`sudo snap remove canonical-
`sudo snap install canonical-livepatch --channel=
`canonical-
`stat /usr/share/
The above should fail with "No such file or directory"
`exit`
`sudo snap disconnect canonical-
`sudo snap connect canonical-
`canonical-
`stat /usr/share/
This now works.
The snapcraft.yaml for this Snap can be found here - https:/
affects: | snapcraft → snapd |
Changed in snapd: | |
status: | New → Confirmed |
Changed in snapd: | |
assignee: | nobody → Zygmunt Krynicki (zyga) |
Changed in snapd: | |
status: | Confirmed → In Progress |
summary: |
- Issue with system-packages-doc auto connection + Issue with system-packages-doc auto connection (snap-update-ns + confinement issue) |
I've reproduced this issue as instructed. What is interesting is that the issue re-appears if one discards the snap mount namespace with:
``` snapd/snap- discard- ns canonical-livepatch
sudo /usr/lib/
```
This shows the following failures during snap-update-ns called from snap-confine:
``` /run/snapd/ ns$ canonical- livepatch. bash snapd/hostfs/ boot /boot none bind,ro 0 0): cannot create directory "/boot": permission denied snapd/hostfs/ usr/local/ share/doc /usr/local/ share/doc none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ cups/doc- root /usr/share/ cups/doc- root none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ doc /usr/share/doc none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ gimp/2. 0/help /usr/share/ gimp/2. 0/help none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ libreoffice/ help /usr/share/ libreoffice/ help none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied snapd/hostfs/ usr/share/ xubuntu- docs /usr/share/ xubuntu- docs none bind,ro 0 0): cannot create writable mimic over "/usr": permission denied
zyga@novigrad:
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
update.go:85: cannot change mount namespace according to change mount (/var/lib/
```
I think this works because when snap-update-ns is called from snapd, it is doing so without apparmor profile, so the changes (whatever those are) are applied. When the changes are happening from snap-confine, snap-update-ns is confined, thus hitting the problem.