apparmor.service fails to start when apt install/remove snapd due to snapd profile error

Bug #1825298 reported by Kleber Sacilotto de Souza on 2019-04-18
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
snapd | | High | Unassigned |
snapd (Ubuntu) | | High | Unassigned |
Cosmic | | Undecided | Unassigned |

Bug Description

On Bionic (18.04) and others, running:

systemd 239-7ubuntu10.13
snapd 2.37.4+18.10.1
kernel 4.18.0-17.18,

the apparmor systemd service fails to start:

$ systemctl status apparmor.service
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-04-17 18:00:06 CEST; 9s ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
  Process: 1295 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)
 Main PID: 1295 (code=exited, status=123)

Looking at the logs, it seems to be caused by the following error:

Apr 17 17:44:18 autopkgtest apparmor[358]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.core.6673 in /var/lib/snapd/apparmor/profiles/snap-confine.core.6673 at line 11: Could not open '/var/lib/snapd/apparmor/snap-confine'

I will attach the full log from the service.

summary: - apparmos.service fails to start on Cosmic due to snapd profile error
+ apparmor.service fails to start on Cosmic due to snapd profile error

Hello

Is this bug reproducible? I'm running cosmic and I'm not seeing this at all.

The error would happen when the directory /var/lib/snapd/apparmor/snap-confine is absent but said directory is a part of the package *and* is created by snapd on demand.

Hi,

I could reproduce it by creating a new Cosmic VM using autopkgtest-buildvm-ubuntu-cloud. I first spotted this issue on ADT tests, so it might be related to how the packages are installed/updated.

Michael Vogt (mvo) wrote :

I can reproduce this on cosmic, installing snapd and removing (but not purging) snapd gives me this error. It seems like removing removes the /var/lib/snapd/apparmor/snap-confine dir but keeps the /etc/apparmor.d/...snap-confine conf file in place (oh the joy of conffiles).

To reproduce:
1. apt update
2. apt install snapd
3. apt remove snapd
4. reboot
5. systemctl status apparmor

This also appears to be happening on 18.04 with the latest apparmor version available for 18.04. So we need to look into this.

Michael Vogt (mvo) wrote :

Closing the cosmic task as it's EOL but keeping the other tasks open.

Changed in snapd (Ubuntu Cosmic):
status: New → Won't Fix
Changed in snapd:
status: New → Triaged
importance: Undecided → High
Changed in snapd (Ubuntu):
status: New → Triaged
importance: Undecided → High
description: updated
summary: - apparmor.service fails to start on Cosmic due to snapd profile error
+ apparmor.service fails to start when apt install/remove snapd due to
+ snapd profile error

Zygmunt Krynicki (zyga) wrote :

We discussed this issue on IRC and we believe we understand the cause.

One way to solve it would be to move all snapd apparmor profiles to /var, so that they are not regarded as conf-files simply because they are stored in /etc. This would also allow us to remove the silly .real suffix from snap-confine apparmor profile.

We need to look at the details of how this would interplay with rollbacks though.

Changed in snapd:
status: Triaged → Confirmed
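
A check for the state described in this thread (a profile left on disk that includes a path removed with the package), as an added example that is not snapd or AppArmor project code. It assumes the include is written as a quoted absolute path; the function names and the optional ROOT prefix are hypothetical, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example, not snapd or AppArmor project code.
#
# find_dangling_includes PROFILE_DIR [ROOT]
# Prints "profile:line: missing-path" for every include of a quoted absolute
# path that does not exist. ROOT is a hypothetical prefix so that a mounted
# image or a test tree can be scanned instead of the live filesystem.
find_dangling_includes() {
    profile_dir=$1
    root=${2:-}
    for profile in "$profile_dir"/*; do
        [ -f "$profile" ] || continue
        # Matches '#include "/abs/path"' and 'include "/abs/path"'.
        # 'include if exists' is optional by design and is not matched.
        grep -nE '^[[:space:]]*#?include[[:space:]]+"/[^"]+"' "$profile" |
        while IFS=: read -r lineno directive; do
            target=$(printf '%s\n' "$directive" |
                     sed -E 's/^[^"]*"([^"]+)".*$/\1/')
            [ -e "$root$target" ] ||
                printf '%s:%s: %s\n' "$profile" "$lineno" "$target"
        done
    done
}

# Builds a constructed tree in the state left by "apt remove snapd": the
# profile is still present, the directory it includes is gone.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/var/lib/snapd/apparmor/profiles"
    cat > "$sample_root/var/lib/snapd/apparmor/profiles/snap-confine.core.6673" <<'EOF'
# constructed sample, not the real snapd profile
profile constructed-sample {
    #include "/var/lib/snapd/apparmor/snap-confine"
}
EOF
    printf '%s\n' "$sample_root"
}

# Scan the directories given on the command line, e.g. /etc/apparmor.d
if [ $# -gt 0 ]; then
    for dir in "$@"; do
        find_dangling_includes "$dir"
    done
fi
```

Any line it prints names a profile that the AppArmor parser will reject at load time, which is what makes apparmor.service exit with a failure after the reboot in the reproduction steps.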