Nested LXD install fails with snapd 2.42.4 (current stable core snap)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Confirmed | Undecided | Unassigned | |
| snapd | Fix Released | Critical | Unassigned | |
Bug Description
The LXD daily cross-architecture testing this day ended up failing for all tracks, channels and architectures. The result is: https:/
Unfortunately, those test instances test using the stable core snap, unlike our non-nested snapd enabled test runners which use the candidate core snap, so this wasn't detected until the new snapd hit stable. Also, the snapd test for lxd never attempts to install a nested lxd, so that didn't catch the issue either.
I tracked this down to upstream commit e7afbc34b1d630a
So far the only snap I could find which is affected is the LXD snap, but that does mean that anyone who's using nested lxd and uses the snap to install it is currently broken with a non-obvious way to fix things as a "snap revert" of lxd won't do anything, you need to revert the core snap and make sure that snapd is restarted and the apparmor profile loaded from the reverted core.
A reproducer is:
- lxc launch ubuntu:18.04 c1 -c security.
- lxc exec c1 -- snap install lxd
The issue was confirmed by Jamie, where he noted:
"""
I downgraded to 8159 (2.42.2) and it does not have the unix rule. I then added to /var/lib/
"""
He also added:
"""
fyi, this is a more specific rule (ie, to address the thing that prompted the PR in the first place): deny unix (receive, send) type=stream addr=none peer=(addr=none), and it also causes lxd to fail
"""
We'd appreciate if this particular rule could be removed from the affected apparmor profile and the stable snap be updated with the fix ASAP so not to leave our users of nested LXD affected.
It's also unclear to me why only LXD is affected, but trying a small selection of similar snaps, I couldn't find another one which failed. I wonder if this is somehow tied to LXD's use of socket activation, though the socket isn't accessed at all in that part of the startup process, so that'd still be odd.
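The rule Jamie quoted is the thing to look for when deciding whether a given core/snapd revision still carries the regression. The script below is an added example, not code from the bug report or from the snapd or LXD projects: it scans a directory of AppArmor profile files for an active (non-commented) `deny unix ... addr=none peer=(addr=none)` stream rule and names the files that contain it. The profile directory is passed in by the caller; the path `/var/lib/snapd/apparmor/profiles` in the usage comment is an assumption about where snapd keeps its generated profiles, and the three sample profiles are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): find AppArmor profile files that carry
# the unix-socket deny rule quoted in the report, so an operator can confirm which
# core/snapd revision introduced it before reverting. Profile directory is a
# parameter; the sample profiles built below are constructed, not real snapd output.

# Print every file under $1 that contains an active "deny unix (receive, send)
# type=stream addr=none peer=(addr=none)" rule. Comments are stripped and runs of
# whitespace collapsed first, so indentation and "#"-ed out copies do not confuse
# the match. Exit status 0 if at least one file matched, 1 otherwise.
find_unix_deny_rules() {
    dir="$1"
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if sed -E 's/#.*$//; s/[[:space:]]+/ /g' "$f" \
            | grep -Eq 'deny unix \((receive, send|send, receive)\) type=stream addr=none peer=\(addr=none\)'; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Create a temporary directory with three constructed profiles: one carrying the
# rule, one where it is only commented out, one without it. Prints the directory.
make_sample_profiles() {
    dir=$(mktemp -d)
    cat > "$dir/snap-confine.affected" <<'EOF'
/usr/lib/snapd/snap-confine (attach_disconnected) {
  # constructed sample: the rule reported to break nested LXD
  deny unix (receive, send) type=stream addr=none peer=(addr=none),
}
EOF
    cat > "$dir/snap-confine.commented" <<'EOF'
/usr/lib/snapd/snap-confine (attach_disconnected) {
  # deny unix (receive, send) type=stream addr=none peer=(addr=none),
}
EOF
    cat > "$dir/snap-confine.clean" <<'EOF'
/usr/lib/snapd/snap-confine (attach_disconnected) {
  unix (receive, send) type=stream,
}
EOF
    echo "$dir"
}

# Usage on a real host (assumed snapd profile directory):
#   find_unix_deny_rules /var/lib/snapd/apparmor/profiles
```

Only the file with the live rule is reported; the commented-out copy is ignored because the comment stripping runs before the match. A non-zero exit status from the function means no profile in that directory carries the rule, which is the state expected after reverting core and reloading its AppArmor profile.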
Changed in snapd:
importance: Undecided → Critical
status: Confirmed → In Progress

Changed in snapd:
status: Fix Committed → Fix Released
https://github.com/snapcore/snapd/pull/7856