Nested LXD is broken with snapd 2.71+ubuntu22.04

Bug #2127244 reported by Simon Fels
This bug affects 10 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Committed | Undecided | Maciej Borzecki | |
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
| snapd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
| Noble | Fix Released | Undecided | Unassigned | |
| Plucky | Fix Released | Undecided | Unassigned | |
| Questing | Fix Released | Undecided | Unassigned | |

Bug Description

[SRU] 2.73: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2132084

[ Impact ]

Latest snapd breaks LXD nested in a LXD container due to the daemon.activate script in lxd failing during install because of recent apparmor behavior changes that mean the snap-confine apparmor profile prevents access to the passed fd associated with the standard out used by the script.

Only jammy is affected (go < 1.21)
See https://bugs.launchpad.net/snapd/+bug/2127244/comments/20

[ Test Plan ]

1. Reproduce with snapd deb < 2.73

- Use hwe kernel, 6.14.0-33-generic
- install lxd: snap install --channel=5.21/stable lxd
- Expect: snap.lxd.activate.service] failed with exit status 1: stderr

2. Prove fixed with snapd deb 2.73

- Use hwe kernel, 6.14.0-33-generic
- install lxd: snap install --channel=5.21/stable lxd
- Expect: snap.lxd.activate.service does not exit with error, and installation completes.

---original---

The new snapd deb in -proposed for Ubuntu 22.04 breaks running LXD nested in a LXD container resulting in

root@j0:~# sudo snap install --channel=5.21/stable lxd
error: cannot perform the following tasks:
- Start snap "lxd" (35624) services (systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
See "systemctl status snap.lxd.activate.service" and "journalctl -xeu snap.lxd.activate.service" for details.)

Can be reproduced with

$ multipass launch noble --name test -d 10G
test$ snap install --channel=5.21/stable lxd
test$ sudo lxd init --auto
test$ lxc launch ubuntu:j j0 -c security.nesting=true
test$ lxc shell j0
j0$ sudo snap remove --purge lxd
j0$ cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
j0$ apt update ; apt upgrade
j0$ snap install --channel=5.21/stable lxd

We only see this on noble with kernel 6.14 when running Ubuntu 22.04 containers. Running the host with jammy and older kernels does not show the same problem.

Simon Fels (morphis)
description: updated
Thomas Parrott (tomparrott) wrote :

We are also seeing issues on Github runners with 24.04 containers.

Zygmunt Krynicki (zyga) wrote :

Maciej Borzecki (maciek-borzecki) wrote :

Does not seem to be a duplicate of LP#2127224

I've attempted to reproduce the problem.

It did not fail with 6.8 kernel, confirmed to be using snapd from the deb.

It did fail with the hwe kernel, 6.14.0-33-generic. Confirmed to be using snapd from the deb. LXD installation fails:
```
root@j0:~# snap install --channel=5.21/stable lxd
error: cannot perform the following tasks:
- Start snap "lxd" (35624) services (systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
See "systemctl status snap.lxd.activate.service" and "journalctl -xeu snap.lxd.activate.service" for details.)
```

but attempting to install and run the hello snap works:
```
root@j0:~# snap install hello
hello 2.10 from Canonical✓ installed
root@j0:~# hello
Hello, world!
root@j0:~# su - ubuntu
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@j0:~$ hello
Hello, world!
ubuntu@j0:~$
```

snapd version:
```
root@j0:~# snap version
snap 2.71+ubuntu22.04
snapd 2.71+ubuntu22.04
series 16
ubuntu 22.04
kernel 6.14.0-33-generic
```

Next I tried again with snapd 2.71 from the snap:
```
root@j0:~# dpkg -l snapd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-====================-============-============================================
ii snapd 2.68.5+ubuntu22.04.1 amd64 Daemon and tooling that enable snap packages
root@j0:~# snap version
snap 2.71
snapd 2.71
series 16
ubuntu 22.04
kernel 6.14.0-33-generic
```

and I was able to install lxd.

There is however a difference in apparmor version used. The deb will use:
```
+++-==============-================-============-======================================
ii apparmor 3.0.4-2ubuntu2.4 amd64 user-space parser utility for AppArmor
```

while snapd from a snap will use a bundled version:
```
root@j0:~# /snap/snapd/25202/usr/lib/snapd/apparmor_parser --version
AppArmor parser version 4.0.2
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
```

Maciej Borzecki (maciek-borzecki) wrote :

With help from JJ the problem was identified as an issue with inheriting fds from systemd-journald. It showed up in dmesg like so:

[ 1544.966292] audit: type=1400 audit(1760087870.629:868): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/run/systemd/journal/stdout" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
[ 1544.966298] audit: type=1400 audit(1760087870.629:869): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 1544.966300] audit: type=1400 audit(1760087870.629:870): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/run/systemd/journal/stdout" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000

Explicitly allowing access to the stdout inherited from systemd seems to 'fix' the problem. Specifically this line added to snap-confine deb apparmor profile makes it work again:

  /run/systemd/journal/stdout rw,
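
Added example (not part of the original comment or of snapd): a Python triage script that picks this denial signature out of kernel audit lines, groups it per namespace and profile, and derives the candidate profile rule for review. The first three sample lines are the ones quoted above, the fourth is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# key=value or key="value" pairs as they appear in kernel audit records
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lines 1-3 are copied from the comment above; line 4 is constructed to show
# that denials for other profiles are ignored.
SAMPLE = r'''
[ 1544.966292] audit: type=1400 audit(1760087870.629:868): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/run/systemd/journal/stdout" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
[ 1544.966298] audit: type=1400 audit(1760087870.629:869): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 1544.966300] audit: type=1400 audit(1760087870.629:870): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-j0_<var-snap-lxd-common-lxd>" profile="/usr/lib/snapd/snap-confine" name="/run/systemd/journal/stdout" pid=15197 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
[ 1545.000000] audit: type=1400 audit(1760087871.000:871): apparmor="DENIED" operation="file_inherit" class="file" profile="snap.example.app" name="/dev/pts/0" pid=20000 comm="example" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
'''.strip().splitlines()


def parse_record(line):
    """Return the fields of an AppArmor audit record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}


def inherit_denials(lines, profile_suffix="snap-confine"):
    """Summarise DENIED file_inherit records for profiles ending in profile_suffix.

    One finding per (namespace, profile, path). `null_fallback` is True when the
    same pid was also denied on AppArmor's null file, the follow-up record seen
    in this bug. `candidate_rule` is only a starting point for profile review.
    """
    denied = [r for r in map(parse_record, lines)
              if r and r.get("apparmor") == "DENIED"]
    null_pids = {r.get("pid") for r in denied
                 if r.get("operation") == "open"
                 and r.get("name", "").endswith("/.null")}

    groups = defaultdict(lambda: {"count": 0, "mask": set(), "pids": set()})
    for r in denied:
        if r.get("operation") != "file_inherit":
            continue
        if not r.get("profile", "").endswith(profile_suffix):
            continue
        key = (r.get("namespace", ""), r["profile"], r.get("name", ""))
        groups[key]["count"] += 1
        groups[key]["mask"].update(r.get("denied_mask", ""))
        groups[key]["pids"].add(r.get("pid"))

    findings = []
    for (namespace, profile, path), g in groups.items():
        # Only read/write are turned into a rule; any other permission in the
        # mask needs a human decision.
        mask = "".join(c for c in "rw" if c in g["mask"])
        findings.append({
            "namespace": namespace,
            "profile": profile,
            "path": path,
            "count": g["count"],
            "null_fallback": bool(g["pids"] & null_pids),
            "candidate_rule": f"{path} {mask}," if mask else None,
        })
    return findings


if __name__ == "__main__":
    for finding in inherit_denials(SAMPLE):
        print(finding)
```

Feed it the output of `dmesg` or `journalctl -k` from the host, since the denials are logged by the host kernel with the container's policy namespace in the `namespace` field.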

Maciej Borzecki (maciek-borzecki) wrote :
Changed in snapd:
status: New → In Progress
assignee: nobody → Maciej Borzecki (maciek-borzecki)
Maciej Borzecki (maciek-borzecki) wrote :

We've spent more time looking at what is failing. Specifically, we've updated the snapd snap to 2.72, so the configuration at the end was:
- snapd deb 2.71+ubuntu22.04
- snapd snap 2.72
- 6.14.0-33-generic

Attempting to enable/install lxd snap was failing the same way.

We used forkstat and were able to identify that the sandbox setup actually completed, so the failure was really occurring in the daemon.activate script in lxd.

Next we patched the daemon.activate script to enable bash tracing and log data to a $SNAP_COMMON/log file. The script traces stopped at this:

root@j0:~# cat /var/snap/lxd/common/log.log

+ export BASH_XTRACEFD
+ '[' -d /sys/kernel/security/apparmor ']'
++ cat /proc/self/attr/current
+ label='snap.lxd.activate (enforce)'
+ '[' 'snap.lxd.activate (enforce)' '!=' unconfined ']'
+ '[' -n 'snap.lxd.activate (enforce)' ']'
+ aa-exec --help
+ exec aa-exec -p unconfined -- /snap/lxd/36020/commands/daemon.activate
+ exec
+ BASH_XTRACEFD=15
+ export BASH_XTRACEFD
+ '[' -d /sys/kernel/security/apparmor ']'
++ cat /proc/self/attr/current
+ label=unconfined
+ '[' unconfined '!=' unconfined ']'
++ realpath /snap/lxd/36020/..
+ export SNAP_CURRENT=/snap/lxd/current
+ SNAP_CURRENT=/snap/lxd/current
++ readlink -f /snap/lxd/current/lib/x86_64-linux-gnu/
+ LIB_ARCH=/snap/lxd/36020/lib/x86_64-linux-gnu
+ export ARCH=x86_64-linux-gnu
+ ARCH=x86_64-linux-gnu
+ export LD_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/lxd/36020/lib:/snap/lxd/36020/lib/x86_64-linux-gnu:/snap/lxd/current/lib:/snap/lxd/current/lib/x86_64-linux-gnu:/snap/lxd/current/lib/x86_64-linux-gnu/ceph
+ LD_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/lxd/36020/lib:/snap/lxd/36020/lib/x86_64-linux-gnu:/snap/lxd/current/lib:/snap/lxd/current/lib/x86_64-linux-gnu:/snap/lxd/current/lib/x86_64-linux-gnu/ceph
+ export PATH=/snap/lxd/36020/usr/sbin:/snap/lxd/36020/usr/bin:/snap/lxd/36020/sbin:/snap/lxd/36020/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/lxd/current/bin
+ PATH=/snap/lxd/36020/usr/sbin:/snap/lxd/36020/usr/bin:/snap/lxd/36020/sbin:/snap/lxd/36020/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/lxd/current/bin
+ export LXD_DIR=/var/snap/lxd/common/lxd/
+ LXD_DIR=/var/snap/lxd/common/lxd/
+ echo '=> Starting LXD activation'
root@j0:~# cat /var/snap/lxd/common/log.log |grep echo

The script is running with set -xeu. Since echo is the last line in the log, it suggests that it failed and was a direct cause of the service to exit with an error. Our understanding, given previous explanation from JJ, is that since inheritance was denied, the fd table entry for stdout was replaced with fd corresponding to the special /sys/kernel/security/apparmor/.null file. Attempts to write to that file would fail with permission denied.

We next patched the AppArmor profile of snap-confine from the snapd snap, to allow access to the journal socket by adding `/run/systemd/journal/stdout rw,`. In the end snap-confine would be able to inherit the fd, and it would be inherited by every other binary we exec() into i...


Maciej Borzecki (maciek-borzecki) wrote :

I've landed the snapd fix for an apparmor profile of snap-confine. However, AFAIU the investigation and fixing continues for the apparmor/kernel side of things.

Changed in snapd:
status: In Progress → Fix Committed
Aleksandr Mikhalitsyn (mihalicyn) wrote :

Let me share the findings from my investigation.

First of all, it's important to note that there are two variables that affect the bug's reproducibility.

The first variable is the way snapd is installed — either via a Debian package or as a snap.

Details:

snapd-test:~# snap version
snap 2.71+ubuntu22.04
snapd 2.71+ubuntu22.04
series 16
ubuntu 22.04
kernel 6.14.11+

Problem is NOT reproducible:

snapd-test-ok:~# snap version
snap 2.71
snapd 2.71
series 16
ubuntu 22.04
kernel 6.14.11+

Together with Zygmunt Krynicki and Maciek Borzecki, we discovered that when everything works correctly, we have:

============================
Oct 10 16:28:28 test snapd[2976]: apparmor.go:977: DEBUG: apparmor_parser --version
Oct 10 16:28:28 test snapd[2976]: AppArmor parser version 4.0.2
Oct 10 16:28:28 test snapd[2976]: Copyright (C) 1999-2008 Novell Inc.

root@test:~# snap debug execution apparmor
apparmor-parser: /snap/snapd/25202/usr/lib/snapd/apparmor_parser
apparmor-parser-command: /snap/snapd/25202/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/25202/usr/lib/snapd/apparmor/parser.conf --base /snap/snapd/25202/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/25202/usr/lib/snapd/apparmor.d/abi/4.0
internal: true
============================

When things start to fail, we have instead:
============================
Oct 10 16:30:29 test snapd[2419]: apparmor.go:977: DEBUG: apparmor_parser --version
Oct 10 16:30:29 test snapd[2419]: AppArmor parser version 3.0.4
Oct 10 16:30:29 test snapd[2419]: Copyright (C) 1999-2008 Novell Inc.
Oct 10 16:30:29 test snapd[2419]: Copyright 2009-2018 Canonical Ltd.

root@test:~# snap debug execution apparmor
apparmor-parser: /usr/sbin/apparmor_parser
apparmor-parser-command: /usr/sbin/apparmor_parser --policy-features /etc/apparmor.d/abi/3.0
internal: false
============================

The second variable is the kernel version.
I was able to reproduce the problem on the 6.14.0-33-generic kernel, while everything works perfectly on 6.8.0-85-generic.

My first conclusion was that something changed between 6.8.0-85-generic and 6.14.0-33-generic, altering AppArmor's behavior and triggering the issue.
And I found what it was — the change in the __aa_path_perm function:

From git diff Ubuntu-6.8.0-85.85 Ubuntu-hwe-6.14-6.14.0-33.33_24.04.1 security/apparmor/file.c:

-int __aa_path_perm(const char *op, const struct cred *subj_cred,
+int __aa_path_perm(const char *op, const struct cred *subj_cred,
                   struct aa_profile *profile, const char *name,
                   u32 request, struct path_cond *cond, int flags,
                   struct aa_perms *perms, bool prompt)
 {
- struct aa_ruleset *rules = list_first_entry(&profile->rules,
- typeof(*rules), list);
+ struct aa_ruleset *rules = profile->label.rules[0];
        int e = 0;

        if (profile_unconfined(profile) ||
- ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_AF(rules, AF_UNIX))) // <<< THIS
+ ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_UNIX(rules)))
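
Review bot: The early-return condition `(flags & PATH_SOCK_COND) && !RULE_MEDIATES_UNIX(rules)` changes which predicate decides whether socket-backed paths skip file mediation, but nothing in the hunk documents how `RULE_MEDIATES_UNIX(rules)` differs from `RULE_MEDIATES_AF(rules, AF_UNIX)` for policy compiled against an older feature ABI. A comment above the condition stating the intended result for such policy would make the behaviour change reviewable from the hunk itself. The new `profile->label.rules[0]` lookup is also taken unconditionally, so the hunk should show or reference the guarantee that the first ruleset is always populated.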

RULE_MEDIATES_AF() checked whether the ruleset mediates the UNIX socket family:

1. RULE_MEDIAT...


Ryan Lee (rlee287)
tags: added: sec-7710
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Thomas Parrott (tomparrott) wrote :

If you can install the snapd snap then using 2.72 inside the container works around the issue and allows LXD to start (because it's built with a newer version of Go that re-opens the stdout file handle that apparmor closes to /dev/null).

```
snapd 2.72 25577 latest/stable canonical✓ snapd,in-cohort
```
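
Added illustration, not code from LXD, snapd or Go: it reproduces the failure mode described in the comments above (a `set -eu` script dies on its first `echo` when the inherited stdout rejects writes) and shows a launcher that falls back to /dev/null, in the spirit of the re-open behaviour mentioned here. A read-only descriptor stands in for the descriptor AppArmor substitutes; the script text and function names are hypothetical, and the zero-length write probe assumes Linux.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the activation script: like daemon.activate it runs
# with errexit set and writes a status line to stdout before doing real work.
SCRIPT = (
    'set -eu\n'
    'echo "=> Starting LXD activation"\n'
    'echo "activation work ran" >&2\n'
)


def run_script(stdout_fd):
    """Run SCRIPT with stdout_fd as its fd 1; return (exit_code, stderr_text)."""
    proc = subprocess.run(
        ["sh", "-c", SCRIPT],
        stdin=subprocess.DEVNULL,
        stdout=stdout_fd,
        stderr=subprocess.PIPE,
        text=True,
    )
    return proc.returncode, proc.stderr


def stdout_is_writable(fd):
    """Probe fd with a zero-length write; False if the kernel rejects writes."""
    try:
        os.write(fd, b"")
        return True
    except OSError:
        return False


def run_with_fallback(stdout_fd):
    """Like run_script, but substitute /dev/null when stdout_fd is unusable."""
    if stdout_is_writable(stdout_fd):
        return run_script(stdout_fd)
    with open(os.devnull, "w") as null:
        return run_script(null.fileno())


def demo():
    """Return (unguarded, guarded) results for a stdout that rejects writes."""
    with tempfile.NamedTemporaryFile() as tmp:
        bad_fd = os.open(tmp.name, os.O_RDONLY)  # every write to this fd fails
        try:
            return run_script(bad_fd), run_with_fallback(bad_fd)
        finally:
            os.close(bad_fd)


if __name__ == "__main__":
    unguarded, guarded = demo()
    print("unguarded:", unguarded)  # non-zero exit, work line never reached
    print("guarded:  ", guarded)    # exit 0, work line present on stderr
```

The fallback hides the symptom only; the status line is still lost, which is why the thread pursues the profile and kernel fixes.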

Nobuto Murata (nobuto) wrote (last edit ):

> If you can install the snapd snap then using 2.72 inside the container works around the issue and allows LXD to start (because it's built with a newer version of Go that re-opens the stdout file handle that apparmor closes to /dev/null).

This doesn't quite work as a workaround in some cases. For example, jammy LXD container images seed the LXD snap and it fails to install as part of snapd.seeded.service and it blocks subsequent tasks so the boot doesn't complete.

And if snapd.seeded.service is not complete, snapd doesn't accept an operation to install or refresh snapd.

# snap install snapd
error: too early for operation, device not yet seeded or device model not acknowledged

# systemctl list-jobs
JOB UNIT TYPE STATE
139 cloud-init.target start waiting
145 cloud-final.service start waiting
105 snapd.autoimport.service start waiting
140 cloud-config.service start waiting
1 graphical.target start waiting
2 multi-user.target start waiting
146 snapd.seeded.service start running
107 systemd-update-utmp-runlevel.service start waiting

8 jobs listed.

Nobuto Murata (nobuto) wrote :

This is my reproducer fwiw from the duplicate bug, LP: #2130710. It's NOT nested LXD but two LXD containers with images with different dates respectively in a KVM machine. The only differences I can think of between two images are the deb versions of snapd and systemd. But somehow, the second image doesn't install the seeded snapd.

# plucky to use v6.14 kernel
lxc launch --vm -e ubuntu:plucky test-vm-plucky -c limits.cpu=2 -c limits.memory=2GiB

sleep 30

lxc exec test-vm-plucky -- bash -xc '
    snap install lxd --channel 5.21/stable
    lxd init --auto
    # 3afbdbe6e57b: jammy 20251002, 6dcf029719ba: jammy 20251015
    for image in 3afbdbe6e57b 6dcf029719ba; do
        lxc launch -e ubuntu-daily:$image c-jammy-$image \
            -c user.user-data="#cloud-config
bootcmd: [\"echo CLOUD-INIT BOOTCMD RUN ✅\"]
runcmd: [\"echo CLOUD-INIT RUNCMD RUN ✅\"]
"

        lxc exec c-jammy-$image -- bash -xc "
            timeout 30 cloud-init status --wait
            grep ✅ /var/log/cloud-init-output.log
            strings /snap/snapd/*/usr/lib/snapd/snap-exec | grep \"go1\.\"
            strings /usr/lib/snapd/snap-exec | grep \"go1\.\"
            systemctl list-jobs
            cat /var/lib/snapd/seed/seed.yaml
            snap version
            snap list
        "

    done

    diff -U0 <(lxc exec c-jammy-3afbdbe6e57b -- dpkg -l) <(lxc exec c-jammy-6dcf029719ba -- dpkg -l)
'

[output]

Launching test-vm-plucky
+ snap install lxd --channel 5.21/stable
2025-11-06T14:44:14Z INFO Waiting for automatic snapd restart...
Warning: /snap/bin was not found in your $PATH. If you've not restarted your session since you
         installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469 for more
         details.

lxd (5.21/stable) 5.21.4-7b6bd68 from Canonical✓ installed
+ lxd init --auto
+ for image in 3afbdbe6e57b 6dcf029719ba
+ lxc launch -e ubuntu-daily:3afbdbe6e57b c-jammy-3afbdbe6e57b -c 'user.user-data=#cloud-config
bootcmd: ["echo CLOUD-INIT BOOTCMD RUN ✅"]
runcmd: ["echo CLOUD-INIT RUNCMD RUN ✅"]
'
Launching c-jammy-3afbdbe6e57b
+ lxc exec c-jammy-3afbdbe6e57b -- bash -xc '
            timeout 30 cloud-init status --wait
            grep ✅ /var/log/cloud-init-output.log
            strings /snap/snapd/*/usr/lib/snapd/snap-exec | grep "go1\."
            strings /usr/lib/snapd/snap-exec | grep "go1\."
            systemctl list-jobs
            cat /var/lib/snapd/seed/seed.yaml
            snap version
            snap list
        '
+ timeout 30 cloud-init status --wait
.................................status: done
+ grep ✅ /var/log/cloud-init-output.log
CLOUD-INIT BOOTCMD RUN ✅
CLOUD-INIT RUNCMD RUN ✅
+ grep 'go1\.'
+ strings /snap/snapd/25202/usr/lib/snapd/snap-exec /snap/snapd/current/usr/lib/snapd/snap-exec
go1.23.10
        go1.23.10
go1.23.10
        go1.23.10
+ strings /usr/lib/snapd/snap-exec
+ grep 'go1\.'
go1.18.1
go1.18.1
+ systemctl list-jobs
No jobs running.
+ cat /var/lib/snapd/seed/seed.yaml
snaps:
  -
    name: core20
    channel: stable
    file: core20_2669.snap
  -
    name: snapd
    channel: stable
    file: snapd_25202.snap
  -
    name: lxd
    channel: 5.0/stable/ubuntu-22.04
    file: lxd_35819....


Nobuto Murata (nobuto) wrote :

Can we do a SRU of https://github.com/canonical/snapd/commit/079605bdacc82243efdd44ec6d81bc4a93d2859f with some priority?

In the latest LXD image for jammy, the preinstalled snapd deb is 2.71+ubuntu22.04 and seeded snapd is 2.71 so the deb version is used and it hits this issue.

$ curl -s https://cloud-images.ubuntu.com/releases/jammy/release-20251021/ubuntu-22.04-server-cloudimg-amd64.squashfs.manifest | grep snapd
snapd 2.71+ubuntu22.04
snap:snapd stable 25202

The latest daily image is fine since the preinstalled snapd deb is 2.71+ubuntu22.04 but the seeded snap is 2.72 so the snap version is used and can avoid this issue.

$ curl -s https://cloud-images.ubuntu.com/jammy/20251023/jammy-server-cloudimg-amd64.squashfs.manifest | grep snapd
snapd 2.71+ubuntu22.04
snap:snapd stable 25577

So when the next image gets released to the released stream, the issue is not going to be triggered. However, there is another SRU ongoing for 2.72 https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2124239 and once it completes for jammy then we will get into the same situation that the deb version of snapd is used. In my understanding, ultimately we need the patch above into the snapd deb itself so that it always works regardless of the revision of the seeded snapd snap.

Ernest Lotter (ernestl) wrote :

The next snap release 2.73 will contain the fix. We will start the release process on 10 Nov, and aim to have it released by around mid December. There is a chance that it will only be ready in early Jan.

Nobuto Murata (nobuto) wrote :

While waiting for the SRU, another possible trick would be to release 2.73 or 2.72.1 to the snap store so that images have the preinstalled snapd deb 2.72 and something newer as the preseeded snapd snap. That way we can work around the issue.

Nobuto Murata (nobuto) wrote (last edit ):

The status as of today (2025-11-14):

[released]

$ lxc launch ubuntu:jammy -e test-jammy-released

$ lxc config show test-jammy-released | yq '.config."image.description"'
"ubuntu 22.04 LTS amd64 (release) (20251031)"

$ lxc exec test-jammy-released -- systemctl is-system-running
running

-> WORKS

$ curl -s https://cloud-images.ubuntu.com/releases/jammy/release-20251031/ubuntu-22.04-server-cloudimg-amd64.squashfs.manifest | grep snapd
snapd 2.71+ubuntu22.04
snap:snapd stable 25577

-> snap:snapd 2.72 > deb:snapd 2.71

[daily]

$ lxc launch ubuntu-daily:jammy -e test-jammy-daily

$ lxc config show test-jammy-daily | yq '.config."image.description"'
"ubuntu 22.04 LTS amd64 (daily) (20251113)"

$ lxc exec test-jammy-daily -- systemctl is-system-running
starting

-> DOES NOT WORK. Stuck in starting due to snapd.seeded.service.

$ curl -s https://cloud-images.ubuntu.com/jammy/20251113/jammy-server-cloudimg-amd64.squashfs.manifest | grep snapd
snapd 2.72+ubuntu22.04
snap:snapd stable 25577

-> snap:snapd 2.72, deb:snapd 2.72 (after the SRU, LP: #2124239)

So the next image in the released stream will be broken again unless the snapd in the snap store changes.

Ernest Lotter (ernestl) wrote :
Changed in snapd:
milestone: none → 2.74
milestone: 2.74 → 2.73
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Ernest Lotter (ernestl)
description: updated
Ernest Lotter (ernestl)
description: updated
Ernest Lotter (ernestl) wrote :

Hi @Simon Fels,

Would you mind verifying snapd 2.73 deb package on resolute-proposed?

Nobuto Murata (nobuto) wrote :

One of the must-have conditions to trigger the issue was "snapd deb is built with go < 1.21 (jammy one is built with go 1.18)" so that's why noble or any newer images weren't affected. So the snapd binary in resolute is not affected by the issue by nature.

Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Simon, or anyone else affected,

Accepted snapd into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.73+ubuntu25.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Questing):
status: New → Fix Committed
tags: added: verification-needed verification-needed-questing
Timo Aaltonen (tjaalton) wrote :

Hello Simon, or anyone else affected,

Accepted snapd into plucky-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.73+ubuntu25.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-plucky to verification-done-plucky. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-plucky. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Plucky):
status: New → Fix Committed
tags: added: verification-needed-plucky
Timo Aaltonen (tjaalton) wrote :

Hello Simon, or anyone else affected,

Accepted snapd into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.73+ubuntu24.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Noble):
status: New → Fix Committed
tags: added: verification-needed-noble
Changed in snapd (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

Hello Simon, or anyone else affected,

Accepted snapd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.73+ubuntu22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (snapd/2.73+ubuntu24.04)

All autopkgtests for the newly accepted snapd (2.73+ubuntu24.04) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~24.04.1 (amd64, arm64, ppc64el, s390x)
livecd-rootfs/24.04.94 (arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (snapd/2.73+ubuntu25.04)

All autopkgtests for the newly accepted snapd (2.73+ubuntu25.04) for plucky have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~25.04.1 (amd64, arm64, ppc64el, s390x)
livecd-rootfs/25.04.27 (arm64, ppc64el, s390x)
systemd/257.4-1ubuntu3.2 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/plucky/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (snapd/2.73+ubuntu25.10)

All autopkgtests for the newly accepted snapd (2.73+ubuntu25.10) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

linux-realtime/6.17.0-1003.4 (amd64)
livecd-rootfs/25.10.24 (ppc64el, s390x)
systemd/257.9-0ubuntu2 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (snapd/2.73+ubuntu22.04)

All autopkgtests for the newly accepted snapd (2.73+ubuntu22.04) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~22.04.1 (amd64, ppc64el, s390x)
livecd-rootfs/2.765.55 (amd64, arm64, ppc64el, s390x)
systemd/249.11-0ubuntu3.17 (armhf, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ernest Lotter (ernestl)
description: updated
description: updated
tags: added: verification-done-resolute
Ernest Lotter (ernestl) wrote :

Verification of noble, questing, plucky, resolute:
==================================================

Not required since it's not affected (go >= 2.21).

tags: added: verification-done-noble verification-done-plucky verification-done-questing
removed: verification-needed-noble verification-needed-plucky verification-needed-questing
Ernest Lotter (ernestl) wrote :

Nobuto Murata or Simon Fels,

Would you mind verifying the fix for snapd 2.73 deb on jammy?

Simon Fels (morphis) wrote :

I've used my initial steps of the problem when we've found it on noble:

$ multipass launch noble --name test -d 10G
test$ sudo apt install -y linux-image-6.14.0-33-generic
test$ sudo reboot
test$ snap install --channel=5.21/stable lxd
test$ sudo lxd init --auto
test$ lxc launch ubuntu:j j0 -c security.nesting=true
test$ lxc shell j0
j0$ sudo snap remove --purge lxd
j0$ cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
j0$ apt update ; apt upgrade
j0$ snap install --channel=5.21/stable lxd

Updating snapd to 2.73+ubuntu22.04 from proposed works and fixes the following broken state snapd is in after the initial start of the container with snapd 2.72:

root@j0:~# snap changes
ID  Status  Spawn                     Ready               Summary
1   Error   6 days ago, at 10:50 UTC  today at 08:26 UTC  Initialize system state
2   Done    today at 08:26 UTC        today at 08:26 UTC  Initialize device

root@j0:~# snap tasks 1
Status  Spawn                     Ready               Summary
Done    6 days ago, at 10:50 UTC  today at 08:26 UTC  Ensure prerequisites for "snapd" are available
...
......................................................................
Setup snap "snapd" (25577) security profiles

2025-12-09T08:26:54Z INFO Waiting for automatic snapd restart...
2025-12-09T08:26:56Z INFO Waiting for automatic snapd restart...
2025-12-09T08:26:56Z INFO Waiting for automatic snapd restart...
2025-12-09T08:26:58Z ERROR cannot get current snapd snap info: cannot find current revision for snap snapd: readlink /snap/snapd/current: no such file or directory

......................................................................
Make snap "snapd" (25577) available to the system

2025-12-09T08:26:54Z INFO Requested daemon restart (snapd snap).

......................................................................
Copy snap "lxd" data

2025-12-09T08:26:54Z ERROR unlinkat /var/snap/lxd/common/var/lib/lxcfs/proc/cpuinfo: function not implemented

......................................................................
Start snap "lxd" (36558) services

2025-12-09T08:26:53Z ERROR systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
See "systemctl status snap.lxd.activate.service" and "journalctl -xeu snap.lxd.activate.service" for details.

After the upgrade to snapd 2.73 we get

root@j0:~# snap changes
ID  Status  Spawn                     Ready               Summary
1   Error   6 days ago, at 10:50 UTC  today at 08:26 UTC  Initialize system state
2   Done    today at 08:26 UTC        today at 08:26 UTC  Initialize device
3   Done    today at 08:28 UTC        today at 08:28 UTC  Initialize system state

and the system is successfully initialized. LXD is functional after the installation and nested containers can be created.

Ernest Lotter (ernestl)
tags: added: verification-needed-plucky verification-needed-questing verification-needed-resolute
removed: verification-done-plucky verification-done-questing verification-done-resolute
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.73+ubuntu26.04.1

---------------
snapd (2.73+ubuntu26.04.1) resolute; urgency=medium

  * New upstream release, LP: #2132084
    - FDE: do not save incomplete FDE state when resealing was skipped
    - FDE: warn of inconsistent primary or policy counter
    - Confdb: document confdb in snapctl help messages
    - Confdb: only confdb hooks wait if snaps are disabled
    - Confdb: relax confdb change conflict checks
    - Confdb: remove empty parent when removing last leaf
    - Confdb: support parsing field filters
    - Confdb: wrap confdb write values under "values" key
    - dm-verity for essential snaps: add new naming convention for
      verity files
    - dm-verity for essential snaps: add snap integrity discovery
    - dm-verity for essential snaps: fix verity salt calculation
    - Assertions: add hardware identity assertion
    - Assertions: add integrity stanza in snap resources revisions
    - Assertions: add request message assertion required for remote
      device management
    - Assertions: add response-message assertion for secure remote
      device management
    - Assertions: expose WithStackedBackstore in RODatabase
    - Packaging: cross-distro | install upstream NEWS file into relevant
      snapd package doc directory
    - Packaging: cross-distro | tweak how the blocks injecting
      $SNAP_MOUNT_DIR/bin are generated as required for openSUSE
    - Packaging: remove deprecated snap-gdb-shim and all references now
      that snap run --gdb is unsupported and replaced by --gdbserver
    - Preseed: call systemd-tmpfiles instead handle-writable-paths on
      uc26
    - Preseed: do not remove the /snap dir but rather all its contents
      during reset
    - snap-confine: attach name derived from security tag to BPF maps
      and programs
    - snap-confine: ensure permitted capabilities match expectation
    - snap-confine: fix cached snap-confine profile cleanup to report
      the correct error instead of masking backend setup failures
    - snap-confine: Improve validation of user controlled paths
    - snap-confine: tighten snap cgroup checks to ensure a snap cannot
      start another snap in the same cgroup, preventing incorrect
      device-filter installation
    - core-initrd: add 26.04 ubuntu-core-initramfs package
    - core-initrd: add missing order dependency for setting default
      system files
    - core-initrd: avoid scanning loop and mmc boot partitions as the
      boot disk won't be any of these
    - core-initrd: make cpio a Depends and remove from Build-Depends
    - core-initrd: start plymouth sooner and reload when gadget is
      available
    - Cross-distro: modify syscheck to account for differences in
      openSUSE 16.0+
    - Validation sets: use in-flight validation sets when calling
      'snapctl install' from hook
    - Prompting: enable prompting for the camera interface
    - Prompting: remove polkit authentication when modifying/deleting
      prompting rules
    - LP: #2127189 Prompting: do not record notices for unchanged rules
      on snapd startup
    - AppArmor: add free and pidof to the template
    - AppArmor: adjust interfaces/pr...

Changed in snapd (Ubuntu):
status: Confirmed → Fix Released
Ernest Lotter (ernestl) wrote :

Verification for jammy
======================

multipass launch noble --name test -d 10G

test$ sudo apt install -y linux-image-generic-hwe-22.04 (linux-image-6.14.0-33-generic not available)
test$ sudo reboot

uname -a
Linux j0 6.8.0-90-generic #91~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 15:20:45 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

test$ snap install --channel=5.21/stable lxd
test$ sudo lxd init --auto
test$ lxc launch ubuntu:j j0 -c security.nesting=true
test$ lxc shell j0

j0$ sudo snap remove --purge lxd
j0$ snap install --channel=5.21/stable lxd

CANNOT REPRODUCE THE ISSUE ON JAMMY

Tried using snapd 2.72+ubuntu22.04 and 2.73+ubuntu22.04 and the error was not encountered:

snap changes
ID  Status  Spawn                      Ready               Summary
1   Done    21 days ago, at 10:51 UTC  today at 06:28 UTC  Initialize system state
2   Done    today at 06:28 UTC         today at 06:28 UTC  Initialize device
3   Done    today at 06:28 UTC         today at 06:28 UTC  Remove "lxd" snap
4   Done    today at 06:31 UTC         today at 06:32 UTC  Install "lxd" snap from "5.21/stable" channel
5   Done    today at 06:34 UTC         today at 06:34 UTC  Remove "lxd" snap
6   Done    today at 06:35 UTC         today at 06:35 UTC  Install "lxd" snap from "5.21/stable" channel
7   Done    today at 06:46 UTC         today at 06:46 UTC  Regenerate security profiles
8   Done    today at 06:46 UTC         today at 06:47 UTC  Remove "lxd" snap
9   Done    today at 06:47 UTC         today at 06:47 UTC  Install "lxd" snap from "5.21/stable" channel
10  Done    today at 06:51 UTC         today at 06:51 UTC  Remove "lxd" snap
11  Done    today at 06:52 UTC         today at 06:52 UTC  Install "lxd" snap from "5.21/stable" channel

Ernest Lotter (ernestl) wrote :

Verification for Plucky
=======================

multipass launch plucky --name test -d 10G
test$ sudo apt install -y linux-image-6.14.0-33-generic
test$ sudo reboot

test$ snap install --channel=5.21/stable lxd
test$ sudo lxd init --auto

test$ lxc launch ubuntu:j j0 -c security.nesting=true
test$ lxc shell j0

Reproduce with snapd deb < 2.73
-------------------------------

(update to snapd 2.73 to fix initialization issue and revert to 2.72)

j0$ sudo snap remove --purge lxd
j0$ sudo snap install --channel=5.21/stable lxd

root@j0:~# sudo snap install --channel=5.21/stable lxd
error: cannot perform the following tasks:
- Start snap "lxd" (36971) services (systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
See "systemctl status snap.lxd.activate.service" and "journalctl -xeu snap.lxd.activate.service" for details.)

Prove fixed with snapd deb 2.73
-------------------------------

j0$ sudo apt install snapd=2.73+ubuntu22.04

sudo snap install --channel=5.21/stable lxd
lxd (5.21/stable) 5.21.4-9eb1368 from Canonical✓ installed
root@j0:~# snap changes
ID  Status  Spawn                      Ready               Summary
1   Error   21 days ago, at 10:51 UTC  today at 07:30 UTC  Initialize system state
2   Done    today at 07:30 UTC         today at 07:30 UTC  Initialize device
3   Done    today at 07:32 UTC         today at 07:32 UTC  Initialize system state
4   Done    today at 07:35 UTC         today at 07:35 UTC  Remove "lxd" snap
5   Error   today at 07:35 UTC         today at 07:36 UTC  Install "lxd" snap from "5.21/stable" channel
6   Done    today at 07:38 UTC         today at 07:39 UTC  Install "lxd" snap from "5.21/stable" channel

Change 6 shows the successful installation.

Ernest Lotter (ernestl) wrote :

Verification for Questing
=========================

multipass launch questing --name test -d 10G

(linux-image-6.14.0-33-generic, or any other HWE kernel, is not available on non-LTS releases)

snap install --channel=5.21/stable lxd
test$ sudo lxd init --auto

test$ lxc launch ubuntu:j j0 -c security.nesting=true
test$ lxc shell j0

Reproduce with snapd deb < 2.73
-------------------------------

root@j0:~# snap version
snap 2.72+ubuntu22.04
snapd 2.72+ubuntu22.04
series 16
ubuntu 22.04
kernel 6.17.0-8-generic
architecture amd64

j0$ sudo snap remove --purge lxd

j0$ sudo snap install --channel=5.21/stable lxd
error: cannot perform the following tasks:
- Start snap "lxd" (36971) services (systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
See "systemctl status snap.lxd.activate.service" and "journalctl -xeu snap.lxd.activate.service" for details.)

Prove fixed with snapd deb 2.73
-------------------------------

root@j0:~# snap version
snap 2.73+ubuntu22.04
snapd 2.73+ubuntu22.04
series 16
ubuntu 22.04
kernel 6.17.0-8-generic
architecture amd64

snap install --channel=5.21/stable lxd
lxd (5.21/stable) 5.21.4-9eb1368 from Canonical✓ installed

snap changes
ID  Status  Spawn                      Ready               Summary
1   Error   21 days ago, at 10:51 UTC  today at 08:02 UTC  Initialize system state
2   Done    today at 08:02 UTC         today at 08:02 UTC  Initialize device
3   Error   today at 08:07 UTC         today at 08:08 UTC  Initialize system state
4   Error   today at 08:08 UTC         today at 08:08 UTC  Initialize system state
5   Error   today at 08:08 UTC         today at 08:08 UTC  Initialize system state
6   Error   today at 08:08 UTC         today at 08:08 UTC  Initialize system state
7   Done    today at 08:08 UTC         today at 08:09 UTC  Initialize system state
8   Done    today at 08:10 UTC         today at 08:11 UTC  Remove "lxd" snap
9   Done    today at 08:11 UTC         today at 08:12 UTC  Install "lxd" snap from "5.21/stable" channel
10  Done    today at 08:17 UTC         today at 08:17 UTC  Remove "lxd" snap
11  Error   today at 08:18 UTC         today at 08:18 UTC  Install "lxd" snap from "5.21/stable" channel
12  Done    today at 08:21 UTC         today at 08:21 UTC  Install "lxd" snap from "5.21/stable" channel

Change 12 shows the successful installation.
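
The verdict read by hand in the verification comments above (the highest-numbered Install "lxd" change is Done, or the snap.lxd.activate.service error is present) can be scripted. This is an added example, not part of the bug report or of snapd: the function names are hypothetical, the sample text is copied from the Plucky verification output, and the "broken" sample is constructed by cutting that output before change 6.

```shell
#!/bin/sh
# Added example (not from the bug report or from snapd). Function names are
# hypothetical; the only assumption is the `snap changes` column order shown
# in the comments above: ID, Status, Spawn, Ready, Summary.

# Read `snap changes` output on stdin and print the Status of the
# highest-ID change whose line contains the text in $1 ("none" if no match).
latest_change_status() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && index($0, want) && $1 + 0 >= best {
            best = $1 + 0
            status = $2
        }
        END { print (status == "" ? "none" : status) }
    '
}

# Return 0 if stdin contains the failure signature quoted in this report.
activate_failure_seen() {
    grep -qF 'start snap.lxd.activate.service] failed with exit status 1'
}

# $1 = text of `snap changes`, $2 = captured output of the lxd install.
# Prints "fixed", "affected" or "unknown".
lxd_install_verdict() {
    st=$(printf '%s\n' "$1" | latest_change_status 'Install "lxd" snap')
    case "$st" in
        Done) echo fixed ;;
        Error)
            if printf '%s\n' "$2" | activate_failure_seen; then
                echo affected
            else
                echo unknown   # install failed, but not with this signature
            fi ;;
        *) echo unknown ;;     # no install attempt recorded
    esac
}

# Sample copied from the Plucky verification output (snapd 2.73 installed).
sample_changes_fixed() {
    cat <<'EOF'
ID Status Spawn Ready Summary
1 Error 21 days ago, at 10:51 UTC today at 07:30 UTC Initialize system state
2 Done today at 07:30 UTC today at 07:30 UTC Initialize device
3 Done today at 07:32 UTC today at 07:32 UTC Initialize system state
4 Done today at 07:35 UTC today at 07:35 UTC Remove "lxd" snap
5 Error today at 07:35 UTC today at 07:36 UTC Install "lxd" snap from "5.21/stable" channel
6 Done today at 07:38 UTC today at 07:39 UTC Install "lxd" snap from "5.21/stable" channel
EOF
}

# Constructed sample: the same output cut before change 6 (state with 2.72).
sample_changes_broken() {
    sample_changes_fixed | sed '$d'
}

# Error text copied from the reproduction step in the same comment.
sample_install_error() {
    cat <<'EOF'
error: cannot perform the following tasks:
- Start snap "lxd" (36971) services (systemctl command [start snap.lxd.activate.service] failed with exit status 1: stderr:
Job for snap.lxd.activate.service failed because the control process exited with error code.
EOF
}

# Stand-alone run on the embedded samples. On a real system:
#   out=$(snap install --channel=5.21/stable lxd 2>&1)
#   lxd_install_verdict "$(snap changes)" "$out"
echo "2.73 sample: $(lxd_install_verdict "$(sample_changes_fixed)" "")"
echo "2.72 sample: $(lxd_install_verdict "$(sample_changes_broken)" "$(sample_install_error)")"
```

Matching on the highest change ID matters here because earlier failed attempts stay in the list after the fix, as changes 5 and 11 do in the outputs above.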

Ernest Lotter (ernestl)
tags: added: verification-done-jammy verification-done-plucky verification-done-questing
removed: verification-needed verification-needed-jammy verification-needed-plucky verification-needed-questing verification-needed-resolute
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.73+ubuntu25.10

---------------
snapd (2.73+ubuntu25.10) questing; urgency=medium

  * New upstream release, LP: #2132084

Changed in snapd (Ubuntu Questing):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for snapd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.73+ubuntu25.04

---------------
snapd (2.73+ubuntu25.04) plucky; urgency=medium

  * New upstream release, LP: #2132084

Changed in snapd (Ubuntu Plucky):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.73+ubuntu24.04

---------------
snapd (2.73+ubuntu24.04) noble; urgency=medium

  * New upstream release, LP: #2132084

Changed in snapd (Ubuntu Noble):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.73+ubuntu22.04

---------------
snapd (2.73+ubuntu22.04) jammy; urgency=medium

  * New upstream release, LP: #2132084

Changed in snapd (Ubuntu Jammy):
status: Fix Committed → Fix Released