failure refreshing snap with content interface

Bug #1867193 reported by Alberto Donato on 2020-03-12
This bug affects 1 person
Affects: snapd
Importance: High
Assigned to: Zygmunt Krynicki

Bug Description

When manually refreshing the maas snap, I sometimes get this error:

root@mm:~# snap install maas --channel=2.7/edge
2020-03-12T17:26:47Z INFO Waiting for restart...
maas (2.7/edge) 2.7.0-8235-g.fea3a1678 from Canonical✓ installed

root@mm:~# snap refresh maas --channel=edge
error: cannot perform the following tasks:
- Setup snap "maas" (5138) security profiles (cannot update mount namespace of snap "maas": cannot update preserved namespace of snap "maas":
-----
update.go:85: cannot change mount namespace according to change unmount (tmpfs /snap/maas/4977 tmpfs x-snapd.synthetic,x-snapd.needed-by=/snap/maas/4977/maas-cli/lib,mode=0755,uid=0,gid=0,x-snapd.detach 0 0): device or resource busy
cannot update snap namespace: read-only file system
-----)

Note that the maas snap has a content interface with the maas-cli one, which gets automatically installed/connected.

Discarding the namespaces fixes the issue:

root@mm:~# /usr/lib/snapd/snap-discard-ns maas

root@mm:~# snap refresh maas --channel=edge
maas (edge) 2.8.0~alpha1-8264-g.acc11a478 from Canonical✓ refreshed

This was run in a clean bionic LXD container.

I've seen similar issues happening in development when running `snap try somedir/` over a previous `snap try otherdir/`
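
For triage, the failing mount change in the error quoted in the report above can be pulled apart mechanically. This is an added example, not part of the original report and not snapd code: the function names are hypothetical, the sample line is copied from the report, and the six-field fstab-style layout is assumed from that one line.

```python
import re

# Constructed sample: the snapd error line quoted in the report above.
SAMPLE = (
    'update.go:85: cannot change mount namespace according to change unmount '
    '(tmpfs /snap/maas/4977 tmpfs x-snapd.synthetic,'
    'x-snapd.needed-by=/snap/maas/4977/maas-cli/lib,mode=0755,uid=0,gid=0,'
    'x-snapd.detach 0 0): device or resource busy'
)

CHANGE_RE = re.compile(
    r'cannot change mount namespace according to change '
    r'(?P<action>\S+) \((?P<entry>[^)]*)\): (?P<error>.+)$'
)


def parse_mount_change_error(line):
    """Split a failed mount change into action, fstab-style entry and error.

    Returns None when the line is not a mount-change failure.
    """
    m = CHANGE_RE.search(line.strip())
    if m is None:
        return None
    fields = m.group('entry').split()
    if len(fields) != 6:
        return None  # not the six-field layout seen in the report
    source, target, fstype, raw_opts = fields[:4]
    options = {}
    for opt in raw_opts.split(','):
        key, _, value = opt.partition('=')
        options[key] = value or True  # bare flags such as x-snapd.detach
    return {
        'action': m.group('action'),
        'source': source, 'target': target, 'fstype': fstype,
        'options': options, 'error': m.group('error'),
    }


def is_stale_namespace_failure(change):
    """True for the pattern in this report: an entry marked
    x-snapd.synthetic that could not be unmounted because it was busy."""
    return (
        change is not None
        and change['action'] == 'unmount'
        and 'x-snapd.synthetic' in change['options']
        and 'busy' in change['error']
    )
```

A match only says the failure has the same shape as the one in this report, where discarding the preserved namespace with snap-discard-ns allowed the refresh to proceed.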

Zygmunt Krynicki (zyga) on 2020-03-16
Changed in snapd:
status: New → In Progress
assignee: nobody → Zygmunt Krynicki (zyga)
importance: Undecided → High
milestone: none → 2.45
Zygmunt Krynicki (zyga) wrote :

I've successfully reproduced and written a regression test for this one.

Thank you for the patience, we now have a chance at fixing this bug :)

Zygmunt Krynicki (zyga) wrote :

At the time of the failure the mount table of the maas snap inside the bionic-on-bionic lxd container is:

835 963 8:1 /var/snap/lxd/common/lxd/storage-pools/default/containers/bionic/rootfs /var/lib/snapd/hostfs rw,relatime master:298 - ext4 /dev/sda1 rw,data=ordered
882 835 0:56 / /var/lib/snapd/hostfs/var/lib/lxcfs rw,nosuid,nodev,relatime master:225 - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,default_permissions,allow_other
883 835 0:65 / /var/lib/snapd/hostfs/run rw,nosuid,nodev master:346 - tmpfs tmpfs rw,mode=755,uid=1000000,gid=1000000
884 883 0:66 / /var/lib/snapd/hostfs/run/lock rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=5120k,uid=1000000,gid=1000000
885 883 0:65 /snapd/ns /var/lib/snapd/hostfs/run/snapd/ns rw,nosuid,nodev - tmpfs tmpfs rw,mode=755,uid=1000000,gid=1000000
886 835 8:1 /var/snap/lxd/common/lxd/storage-pools/default/containers/bionic/rootfs/snap /var/lib/snapd/hostfs/snap rw,relatime master:293 - ext4 /dev/sda1 rw,data=ordered
887 886 0:68 / /var/lib/snapd/hostfs/snap/snapd/6434 ro,nodev,relatime master:294 - fuse.snapfuse snapfuse ro,user_id=0,group_id=0,allow_other
888 886 0:69 / /var/lib/snapd/hostfs/snap/core18/1668 ro,nodev,relatime master:295 - fuse.snapfuse snapfuse ro,user_id=0,group_id=0,allow_other
889 886 0:70 / /var/lib/snapd/hostfs/snap/maas-cli/13 ro,nodev,relatime master:296 - fuse.snapfuse snapfuse ro,user_id=0,group_id=0,allow_other
890 886 0:71 / /var/lib/snapd/hostfs/snap/maas/4977 ro,nodev,relatime master:297 - fuse.snapfuse snapfuse ro,user_id=0,group_id=0,allow_other
892 834 0:69 / / ro,nodev,relatime master:295 - fuse.snapfuse snapfuse ro,user_id=0,group_id=0,allow_other
893 892 0:61 / /dev rw,relatime - tmpfs none rw,size=492k,mode=755,uid=1000000,gid=1000000
894 893 0:6 /fuse /dev/fuse rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
895 893 0:6 /net/tun /dev/net/tun rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
896 893 0:19 / /dev/mqueue rw,relatime master:26 - mqueue mqueue rw
897 893 0:58 / /dev/lxd rw,relatime - tmpfs tmpfs rw,size=100k,mode=755
898 893 0:57 /bionic /dev/.lxd-mounts rw,relatime master:226 - tmpfs tmpfs rw,size=100k,mode=711
899 893 0:6 /full /dev/full rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
900 893 0:6 /null /dev/null rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
901 893 0:6 /random /dev/random rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
902 893 0:6 /tty /dev/tty rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
903 893 0:6 /urandom /dev/urandom rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
904 893 0:6 /zero /dev/zero rw,nosuid,relatime master:2 - devtmpfs udev rw,size=1877916k,nr_inodes=469479,mode=755
905 893 0:48 /0 /dev/console rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
906 893 0:63 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=1000005,mode=620,ptmxmode=666,max=1024
907 893 0:63 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=10000...

Zygmunt Krynicki (zyga) wrote :

Enabling robust mount namespace updates inside the container fixes the issue for me.

I will add a regression test I've used for clarity.

Zygmunt Krynicki (zyga) wrote :

The regression test that passes (with robust mount namespace updates enabled) is now at https://github.com/snapcore/snapd/pull/8265

Björn Tillenius (bjornt) wrote :

FWIW, I've run into this issue outside of containers as well, on both focal and eoan systems.
