| 2016-09-20 11:32:39 |
Zygmunt Krynicki |
description |
root@edfu:~# lxd.lxc list
+------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+------+------+------------+-----------+
| blah | STOPPED | | | PERSISTENT | 0 |
+------+---------+------+------+------------+-----------+
root@edfu:~# dpkg -l | grep core-launcher
ii ubuntu-core-launcher 1.0.27.1 amd64 Launcher for ubuntu-core (snappy) apps
root@edfu:~# sudo apt install ubuntu-core-launcher
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
snap-confine
The following NEW packages will be installed:
snap-confine
The following packages will be upgraded:
ubuntu-core-launcher
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.1 kB of archives.
After this operation, 51.2 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com//ubuntu xenial-proposed/main amd64 ubuntu-core-launcher amd64 1.0.38-0ubuntu0.16.04.3 [2,696 B]
Get:2 http://us.archive.ubuntu.com//ubuntu xenial-proposed/main amd64 snap-confine amd64 1.0.38-0ubuntu0.16.04.3 [20.4 kB]
Fetched 23.1 kB in 0s (0 B/s)
(Reading database ... 101267 files and directories currently installed.)
Preparing to unpack .../ubuntu-core-launcher_1.0.38-0ubuntu0.16.04.3_amd64.deb ...
Unpacking ubuntu-core-launcher (1.0.38-0ubuntu0.16.04.3) over (1.0.27.1) ...
Selecting previously unselected package snap-confine.
Preparing to unpack .../snap-confine_1.0.38-0ubuntu0.16.04.3_amd64.deb ...
Unpacking snap-confine (1.0.38-0ubuntu0.16.04.3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up snap-confine (1.0.38-0ubuntu0.16.04.3) ...
Setting up ubuntu-core-launcher (1.0.38-0ubuntu0.16.04.3) ...
Removing obsolete conffile /etc/apparmor.d/usr.bin.ubuntu-core-launcher ...
root@edfu:~# lxd.lxc list
error: mkdir /root/snap: read-only file system
So looks like /root/snap isn't bind-mounted anymore. I also had to set HOME for my daemon to point to /tmp as apparently that's not set anymore either, causing HOME in my daemon to resolve to / which obviously is read-only. |
[Impact]
Snaps (even in running in devmode) cannot put any files in the /root directory.
This bug is fixed by adding /root to a list of directories that are bind mounted and thus visible to snaps in their execution environment.
For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1607796/task.yaml
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
[Regression Potential]
* Regression potential is minimal as the fix simply adds another directory to a list of directories that needs to be bind mounted.
* The fix was tested on Ubuntu via spread and on several other distributions successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
root@edfu:~# lxd.lxc list
+------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+------+------+------------+-----------+
| blah | STOPPED | | | PERSISTENT | 0 |
+------+---------+------+------+------------+-----------+
root@edfu:~# dpkg -l | grep core-launcher
ii ubuntu-core-launcher 1.0.27.1 amd64 Launcher for ubuntu-core (snappy) apps
root@edfu:~# sudo apt install ubuntu-core-launcher
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
snap-confine
The following NEW packages will be installed:
snap-confine
The following packages will be upgraded:
ubuntu-core-launcher
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.1 kB of archives.
After this operation, 51.2 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com//ubuntu xenial-proposed/main amd64 ubuntu-core-launcher amd64 1.0.38-0ubuntu0.16.04.3 [2,696 B]
Get:2 http://us.archive.ubuntu.com//ubuntu xenial-proposed/main amd64 snap-confine amd64 1.0.38-0ubuntu0.16.04.3 [20.4 kB]
Fetched 23.1 kB in 0s (0 B/s)
(Reading database ... 101267 files and directories currently installed.)
Preparing to unpack .../ubuntu-core-launcher_1.0.38-0ubuntu0.16.04.3_amd64.deb ...
Unpacking ubuntu-core-launcher (1.0.38-0ubuntu0.16.04.3) over (1.0.27.1) ...
Selecting previously unselected package snap-confine.
Preparing to unpack .../snap-confine_1.0.38-0ubuntu0.16.04.3_amd64.deb ...
Unpacking snap-confine (1.0.38-0ubuntu0.16.04.3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up snap-confine (1.0.38-0ubuntu0.16.04.3) ...
Setting up ubuntu-core-launcher (1.0.38-0ubuntu0.16.04.3) ...
Removing obsolete conffile /etc/apparmor.d/usr.bin.ubuntu-core-launcher ...
root@edfu:~# lxd.lxc list
error: mkdir /root/snap: read-only file system
So looks like /root/snap isn't bind-mounted anymore. I also had to set HOME for my daemon to point to /tmp as apparently that's not set anymore either, causing HOME in my daemon to resolve to / which obviously is read-only. |
|
