snapd

  1. Bug #2049099
  2. Activity log

Activity log for bug #2049099

Date Who What changed Old value New value Message
2024-01-11 19:59:13 Marc Oppenheimer bug added bug
2024-01-11 19:59:30 Marc Oppenheimer bug added subscriber AppArmor Developers
2024-01-11 20:00:13 Marc Oppenheimer description ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ``` cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ``` ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ``` cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ```
2024-01-11 20:03:06 Marc Oppenheimer description ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ``` cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ``` ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ```bash cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ```
2024-01-11 20:03:13 Marc Oppenheimer description ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ```bash cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ``` ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ```bash cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ```
2024-01-11 20:41:48 Marc Oppenheimer description ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ##### Logs + Additional Info `snappy-debug` journalctl logs - https://pastebin.canonical.com/p/N5wxYggMyz/ A rough grab from dmesg - https://pastebin.canonical.com/p/4JhTX38GBF/ Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 `usr.lib.snapd.snap-confine` default on Arch, in case it's useful - https://pastebin.canonical.com/p/84WGfgrCz6/ ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ```bash cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ``` ##### Context I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps. ##### Issue When I try to do this, I get a bunch of AppArmor violations, that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide. ###### `snappy-debug` journalctl logs [ 411.702391] loop11: detected capacity change from 0 to 33408 [ 411.882088] audit: type=1400 audit(1704822630.613:257): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.snappy-debug" pid=8545 comm="apparmor_parser" [ 411.927376] audit: type=1400 audit(1704822630.659:258): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.scanlog" pid=8548 comm="apparmor_parser" [ 411.927408] audit: type=1400 audit(1704822630.659:259): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.audit-arch" pid=8546 comm="apparmor_parser" [ 411.927511] audit: type=1400 audit(1704822630.659:260): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.security" pid=8550 comm="apparmor_parser" [ 411.927592] audit: type=1400 audit(1704822630.659:261): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.snappy-debug" pid=8551 comm="apparmor_parser" [ 411.927637] audit: type=1400 audit(1704822630.659:262): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.id-range" pid=8547 comm="apparmor_parser" [ 411.928038] audit: type=1400 audit(1704822630.659:263): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.scmp-sys-resolver" pid=8549 comm="apparmor_parser" [ 412.245557] audit: type=1400 audit(1704822630.976:264): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/var/lib/snapd/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=8573 comm="apparmor_parser" [ 412.245562] audit: type=1400 audit(1704822630.976:265): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/var/lib/snapd/snap/snapd/20671/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8573 comm="apparmor_parser" [ 412.251680] audit: type=1400 audit(1704822630.983:266): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.snappy-debug" pid=8575 comm="apparmor_parser" [ 436.594532] audit: type=1400 audit(1704822655.326:273): apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 436.955742] audit: type=1400 audit(1704822655.686:274): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0" pid=8915 comm="apparmor_parser" [ 437.001597] audit: type=1400 audit(1704822655.733:275): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0" pid=8920 comm="apparmor_parser" [ 437.047127] audit: type=1400 audit(1704822655.779:276): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0-rootfs" pid=8924 comm="apparmor_parser" [ 438.662197] audit: type=1400 audit(1704822657.393:277): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0-rootfs" pid=8947 comm="apparmor_parser" [ 438.726353] lxdbr0: port 1(vethe8cdef92) entered blocking state [ 438.726357] lxdbr0: port 1(vethe8cdef92) entered disabled state [ 438.726363] vethe8cdef92: entered allmulticast mode [ 438.726404] vethe8cdef92: entered promiscuous mode [ 438.836408] audit: type=1400 audit(1704822657.566:278): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>" pid=9022 comm="apparmor_parser" [ 438.936964] physF3pxUH: renamed from vethd8d1dfa0 [ 438.967393] eth0: renamed from physF3pxUH [ 438.983981] lxdbr0: port 1(vethe8cdef92) entered blocking state [ 438.983985] lxdbr0: port 1(vethe8cdef92) entered forwarding state [ 439.220648] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 439.262605] audit: type=1400 audit(1704822657.993:279): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="nvidia_modprobe" pid=9151 comm="apparmor_parser" [ 439.262990] audit: type=1400 audit(1704822657.993:280): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="lsb_release" pid=9150 comm="apparmor_parser" [ 439.263026] audit: type=1400 audit(1704822657.993:281): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="nvidia_modprobe//kmod" pid=9151 comm="apparmor_parser" [ 439.271998] audit: type=1400 audit(1704822658.003:282): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="tcpdump" pid=9154 comm="apparmor_parser" [ 439.275799] audit: type=1400 audit(1704822658.006:283): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/bin/man" pid=9153 comm="apparmor_parser" [ 439.275958] audit: type=1400 audit(1704822658.006:284): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="man_filter" pid=9153 comm="apparmor_parser" [ 439.276194] audit: type=1400 audit(1704822658.006:285): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="man_groff" pid=9153 comm="apparmor_parser" [ 439.325135] audit: type=1400 audit(1704822658.056:286): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=9152 comm="apparmor_parser" [ 439.325403] audit: type=1400 audit(1704822658.056:287): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=9152 comm="apparmor_parser" [ 439.325644] audit: type=1400 audit(1704822658.056:288): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=9152 comm="apparmor_parser" [ 439.326140] audit: type=1400 audit(1704822658.056:289): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/{,usr/}sbin/dhclient" pid=9152 comm="apparmor_parser" [ 439.356289] audit: type=1400 audit(1704822658.086:290): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=9155 comm="apparmor_parser" [ 439.356526] audit: type=1400 audit(1704822658.086:291): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9155 comm="apparmor_parser" [ 439.531185] audit: type=1400 audit(1704822658.263:292): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9178 comm="apparmor_parser" [ 439.593477] audit: type=1400 audit(1704822658.319:293): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9177 comm="apparmor_parser" [ 439.593486] audit: type=1400 audit(1704822658.319:294): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9177 comm="apparmor_parser" [ 439.594919] audit: type=1400 audit(1704822658.326:295): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9179 comm="apparmor_parser" [ 439.609341] audit: type=1400 audit(1704822658.339:296): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9185 comm="apparmor_parser" [ 439.617405] audit: type=1400 audit(1704822658.349:297): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9180 comm="apparmor_parser" [ 439.621261] audit: type=1400 audit(1704822658.353:298): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9186 comm="apparmor_parser" [ 439.625205] audit: type=1400 audit(1704822658.356:299): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9181 comm="apparmor_parser" [ 439.625267] audit: type=1400 audit(1704822658.356:300): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check-kernel" pid=9182 comm="apparmor_parser" [ 439.625861] audit: type=1400 audit(1704822658.356:301): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9188 comm="apparmor_parser" [ 439.626255] audit: type=1400 audit(1704822658.356:302): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9190 comm="apparmor_parser" [ 439.626606] audit: type=1400 audit(1704822658.356:303): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9187 comm="apparmor_parser" [ 439.627179] audit: type=1400 audit(1704822658.359:304): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9189 comm="apparmor_parser" [ 439.639671] audit: type=1400 audit(1704822658.369:305): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9184 comm="apparmor_parser" [ 439.642412] audit: type=1400 audit(1704822658.373:306): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9183 comm="apparmor_parser" [ 439.645081] audit: type=1400 audit(1704822658.376:307): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9191 comm="apparmor_parser" [ 439.713482] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 441.714898] audit: type=1400 audit(1704822660.446:308): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9421 comm="apparmor_parser" [ 441.756809] audit: type=1400 audit(1704822660.489:309): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9421 comm="apparmor_parser" [ 441.760434] audit: type=1400 audit(1704822660.493:310): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9423 comm="apparmor_parser" [ 441.762440] audit: type=1400 audit(1704822660.493:311): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9424 comm="apparmor_parser" [ 441.762939] audit: type=1400 audit(1704822660.493:312): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9425 comm="apparmor_parser" [ 441.763142] audit: type=1400 audit(1704822660.493:313): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9426 comm="apparmor_parser" [ 441.763213] audit: type=1400 audit(1704822660.493:314): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9431 comm="apparmor_parser" [ 441.763364] audit: type=1400 audit(1704822660.493:315): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check-kernel" pid=9427 comm="apparmor_parser" [ 441.763491] audit: type=1400 audit(1704822660.496:316): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9430 comm="apparmor_parser" [ 441.763665] audit: type=1400 audit(1704822660.496:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9433 comm="apparmor_parser" [ 441.763688] audit: type=1400 audit(1704822660.496:318): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9434 comm="apparmor_parser" [ 441.763742] audit: type=1400 audit(1704822660.496:319): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9435 comm="apparmor_parser" [ 441.763869] audit: type=1400 audit(1704822660.496:320): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9432 comm="apparmor_parser" [ 441.764036] audit: type=1400 audit(1704822660.496:321): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9429 comm="apparmor_parser" [ 441.764117] audit: type=1400 audit(1704822660.496:322): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9428 comm="apparmor_parser" [ 441.764418] audit: type=1400 audit(1704822660.496:323): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9436 comm="apparmor_parser" [ 442.313495] audit: type=1400 audit(1704822661.046:324): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive" [ 442.323720] audit: type=1400 audit(1704822661.056:325): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.477442] audit: type=1400 audit(1704822661.209:326): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=9458 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.884305] audit: type=1400 audit(1704822661.616:327): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" [ 442.884311] audit: type=1400 audit(1704822661.616:328): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" [ 442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.886479] audit: type=1400 audit(1704822661.616:330): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.897436] audit: type=1400 audit(1704822661.629:331): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.897439] audit: type=1400 audit(1704822661.629:332): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ 442.926817] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 442.976813] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 443.263929] audit: type=1400 audit(1704822661.996:333): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9602 comm="apparmor_parser" [ 443.263934] audit: type=1400 audit(1704822661.996:334): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9602 comm="apparmor_parser" [ 443.267568] audit: type=1400 audit(1704822661.999:335): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9604 comm="apparmor_parser" [ 443.270731] audit: type=1400 audit(1704822662.003:336): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9605 comm="apparmor_parser" [ 443.270893] audit: type=1400 audit(1704822662.003:337): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9607 comm="apparmor_parser" [ 443.271121] audit: type=1400 audit(1704822662.003:338): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9606 comm="apparmor_parser" [ 443.271208] audit: type=1400 audit(1704822662.003:339): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9611 comm="apparmor_parser" [ 443.271319] audit: type=1400 audit(1704822662.003:340): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check- kernel" pid=9608 comm="apparmor_parser" [ 443.271426] audit: type=1400 audit(1704822662.003:341): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9612 comm="apparmor_parser" [ 443.271595] audit: type=1400 audit(1704822662.003:342): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9613 comm="apparmor_parser" [ 443.271815] audit: type=1400 audit(1704822662.003:343): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9614 comm="apparmor_parser" [ 443.271827] audit: type=1400 audit(1704822662.003:344): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9615 comm="apparmor_parser" [ 443.271901] audit: type=1400 audit(1704822662.003:345): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9616 comm="apparmor_parser" [ 443.271915] audit: type=1400 audit(1704822662.003:346): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9609 comm="apparmor_parser" [ 443.272098] audit: type=1400 audit(1704822662.003:347): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9610 comm="apparmor_parser" [ 443.272532] audit: type=1400 audit(1704822662.003:348): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9617 comm="apparmor_parser" [ 445.556120] audit: type=1400 audit(1704822664.286:349): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=9767 comm="apparmor_parser" [ 445.570529] audit: type=1400 audit(1704822664.303:350): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9767 comm="apparmor_parser" ##### A rough grab from dmesg ~ ❯ sudo journalctl --output=short --follow --all | sudo snappy-debug kernel.printk_ratelimit = 0 = AppArmor = Time: Jan 09 17:50:55 Log: apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 File: /var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem (read) Suggestions: * adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON * adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207) = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive" Suggestion: * add one of 'account-control, hardware-observe, kernel-crypto-api, network-control, network-observe, raw-input, unity7, x11' to 'plugs' = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 File: /apparmor/.null (write) Suggestion: * adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=9458 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 File: /apparmor/.null (write) Suggestion: * adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 File: /apparmor/.null (write) Suggestion: * adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON = AppArmor = Time: Jan 09 17:51:01 Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 File: /apparmor/.null (write) Suggestion: * adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON ##### Snapd installed using - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd ##### `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3 ##### `usr.lib.snapd.snap-confine` default on Arch, in case it's useful https://pastebin.com/M5t6gySa ##### Reproduce Steps Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled: ```bash cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd makepkg -si sudo systemctl enable --now snapd.socket # log-out, log-in sudo snap install lxd --channel latest/edge lxd init --auto sudo snap install juju --channel 3.3/stable juju bootstrap localhost lh --debug --bootstrap-timeout=180 # check snappy-debug or dmesg for AppArmor denials ```