Comment 3 for bug 1994453

I also see this on a 20.04 host with a 20.04 container.

$ lxc version
Client version: 5.0.2
Server version: 5.0.2
$ lxc launch ubuntu:20.04 foo
$ lxc stop foo
$ lxc config set foo security.nesting true
$ lxc start foo
$ lxc shell foo
root@foo:~# snap install firefox
error: cannot perform the following tasks:
- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
-----)

No AppArmor denials on the host or within the container.

root@foo:~# journalctl -xe | cat
Mar 28 14:26:26 foo snapd[196]: -----
Mar 28 14:26:26 foo systemd[1]: snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap.firefox.hook.connect-plug-host-hunspell.a7817955-d538-4a15-ae4e-1f7f00c4d00d.scope has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: run-snapd-ns-firefox.mnt.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-snapd-ns-firefox.mnt.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[370]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: snap-firefox-2487.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit snap-firefox-2487.mount has successfully entered the 'dead' state.
Mar 28 14:26:28 foo systemd[1]: Reloading.
Mar 28 14:26:28 foo systemd[1]: Cannot find unit for notify message of PID 1318, ignoring.
Mar 28 14:26:29 foo snapd[196]: handlers.go:662: Reported install problem for "firefox" as Crash report successfully submitted.