Firefox Snap cannot be installed in an LXC Container

Bug #1994453 reported by Tim Edwards
This bug affects 8 people
Affects           Status     Importance  Assigned to  Milestone
lxd               New        Undecided   Unassigned
snapd             New        Undecided   Unassigned
firefox (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

$ sudo snap install firefox
error: cannot perform the following tasks:
- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
-----)

This makes it very difficult to have LXC containers with a GUI (used via VNC), as a web browser is essential.

Workaround:
- Add the Mozillateam PPA (https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu)

- Create /etc/apt/preferences.d/mozilla-firefox with:
Package: firefox*
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

- sudo apt install firefox

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: firefox 1:1snap1-0ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
Uname: Linux 5.15.0-48-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Wed Oct 26 14:16:04 2022
InstallationDate: Installed on 2020-11-02 (722 days ago)
InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
Snap.Changes: no changes found
SourcePackage: firefox
UpgradeStatus: Upgraded to jammy on 2022-10-03 (22 days ago)

Tim Edwards (tkedwards) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I also see this on a 20.04 host with a 20.04 container.

$ lxc version
Client version: 5.0.2
Server version: 5.0.2
$ lxc launch ubuntu:20.04 foo
$ lxc stop foo
$ lxc config set foo security.nesting true
$ lxc start foo
$ lxc shell foo
root@foo:~# snap install firefox
error: cannot perform the following tasks:
- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
-----)

No AppArmor denials on the host or within the container.

root@foo:~# journalctl -xe | cat
Mar 28 14:26:26 foo snapd[196]: -----
Mar 28 14:26:26 foo systemd[1]: snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-snapd-ns-firefox.mnt.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap-firefox-2487.mount has successfully entered the 'dead' s...
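
An added triage helper, not part of the bug report, the comments, or snapd: it parses the `update.go` mount-change failure lines quoted in the two reports above and records whether the path that failed lies on the bind source side or the bind target side. The function names are hypothetical; the sample lines are copied from this page.

```python
import re
from collections import defaultdict

# Failure line shape, as seen in both reports on this page:
#   update.go:85: cannot change mount namespace according to change mount
#   (<source> <target> <fstype> <options> <dump> <pass>): <step> "<path>": <error>
LINE_RE = re.compile(
    r"cannot change mount namespace according to change mount "
    r"\((?P<source>\S+) (?P<target>\S+) (?P<fstype>\S+) (?P<options>\S+) \d+ \d+\): "
    r'(?P<step>[^"]+?) "(?P<path>[^"]+)": (?P<error>.+)$'
)

def _covers(path, other):
    """True if `path` is `other` or one of its parent directories."""
    return other == path or other.startswith(path.rstrip("/") + "/")

def parse_mount_failures(text):
    """Return one dict per failed mount change, tagged with the side
    (bind source or bind target) on which the failing path lies."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a mount-change failure line
        f = m.groupdict()
        if _covers(f["path"], f["source"]):
            f["side"] = "source"
        elif _covers(f["path"], f["target"]):
            f["side"] = "target"
        else:
            f["side"] = "unknown"
        failures.append(f)
    return failures

def summarize(failures):
    """Map (side, step, failing path) -> list of affected bind targets."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["side"], f["step"], f["path"])].append(f["target"])
    return dict(groups)

# Sample input: lines copied from the two reports above (22.04, then 20.04).
SAMPLE = r'''error: cannot perform the following tasks:
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
'''

if __name__ == "__main__":
    for key, targets in summarize(parse_mount_failures(SAMPLE)).items():
        print(key, "->", targets)
```

On these lines the 22.04 failures fall on the target side (creating the mount point under /usr/share), while the 20.04 failure falls on the source side (opening /var/lib on the way to /var/lib/snapd/hostfs).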
