Hmm, cgroup:rw has absolutely nothing to do with this. LXD uses a cgroup namespace by default which completely ignores that particular setting.
With the cgroup namespace, root in the container is allowed to do anything it wants to the /sys/fs/cgroup tree.
root@disco:~# mkdir /sys/fs/cgroup/freezer/snap.blah
root@disco:~# chown 1000:1000 /sys/fs/cgroup/freezer/snap.blah
The error also quite clearly comes from udev rather than anything cgroup related:
root@disco:~# snap install hello-world
error: cannot perform the following tasks:
- Setup snap "core" (6531) security profiles (cannot setup udev for snap "core": cannot reload udev rules: exit status 2
udev output:
)
- Setup snap "core" (6531) security profiles (cannot reload udev rules: exit status 2
udev output:
)
root@disco:~# snap install hello-world
2019-03-27T20:18:56Z INFO Waiting for restart...
hello-world 6.3 from Canonical✓ installed
root@disco:~#