Better error message for unsupported kernel

Bug #1709155 reported by Andreas Hasenack
42
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Snappy
Wishlist
Unassigned
Ubuntu
Undecided
Unassigned

Bug Description

If I'm running an unsupported kernel for snapd, like a default ubuntu trusty install for example, I get a cryptic error message very late in the process, only when I try to run something from a snap.

This is how far the tools let me go before outputting a cryptic error:
$ sudo apt install snapd
$ sudo snap install hello-world
$ snap list
$ hello-world
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

The snapd package correctly pulls in a newer kernel in this Trusty scenario (4.4.0), but nothing else says it has to be rebooted into. The user might even miss the fact that a newer kernel was installed.

Also the fact that snap commands like "snap install" and "snap list" work just fine add to the confusion that ensues when you try to run something from the snap. At first it looks like the snap itself is not working, and you might be tempted to file a bug against the snap.

Ideally, snapd should somehow tell the user that the running kernel is too old. How and where to send this message can be a bit complicated. Maybe with every snap command? Something like "Warning: your running kernel is unsupported, snaps may not work correctly" when running even "snap list". If we can be very specific about kernel versioning here (considering snappy is not ubuntu exclusive), then even better.

Michael Vogt (mvo)
Changed in snappy:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Felicia Hendrickson (fefeh1) wrote :

It was the same error with kernel 3.13.0-95-generic. Once I updated to 4.4.0-112-generic, the snap works.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Revision history for this message
josh (freedman-joshua) wrote :

Having this problem on 4.18.0-041800rc1-generic

Revision history for this message
Mario Limonciello (superm1) wrote :

I'm also encountering
cannot perform readlinkat() on the mount namespace file descriptor of the init process

When trying to use a snap with an upstream kernel.

Revision history for this message
Tom Seewald (tseewald) wrote :

I can confirm this is affecting mainline 4.18.0-rc4.

Revision history for this message
josh (freedman-joshua) wrote :

Same problem:
4.18.0-041800rc1-generic

Revision history for this message
Axel (nospamforaxel-1) wrote :

I see the same log when trying to start KeePassXC: cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied.

4.18.0-041800rc5-generic

Revision history for this message
Axel (nospamforaxel-1) wrote :

Same with nextcloud-client.

Revision history for this message
Axel (nospamforaxel-1) wrote :

So it's not because the kernel is too old, but because it is too new :-\.

This means snaps render unuseful with these new kernels.

Revision history for this message
Ashot Nazaryan (hego555) wrote :

Effecting 4.18.0-041800rc6-generic

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

For people seeing the "cannot perform readlinkat() on the mount namespace file descriptor of the init process", are there any security denials in journald at the time of the error?

Revision history for this message
Axel (nospamforaxel-1) wrote :

Do you mean something like this?

kernel: [11610.173703] audit: type=1400 audit(1532519381.361:111): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=4487 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"

Revision history for this message
Zygmunt Krynicki (zyga) wrote : Re: [Bug 1709155] Re: Better error message for unsupported kernel

Yes, that's exactly it.

On Wed, Jul 25, 2018 at 2:20 PM Axel <email address hidden> wrote:

> Do you mean something like this?
>
> kernel: [11610.173703] audit: type=1400 audit(1532519381.361:111):
> apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-
> confine" pid=4487 comm="snap-confine" requested_mask="read"
> denied_mask="read" peer="unconfined"
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to Snappy.
> Matching subscriptions: xxx-bugs-on-snapd
> https://bugs.launchpad.net/bugs/1709155
>
> Title:
> Better error message for unsupported kernel
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy/+bug/1709155/+subscriptions
>

Revision history for this message
Axel (nospamforaxel-1) wrote :

Is there any idea or plan when this will be resolved?

Revision history for this message
Axel (nospamforaxel-1) wrote :

Am I the only one really affected by this bug?

Can I contribute more to a solution?

Revision history for this message
Ben Aceler (aceler) wrote :

Got the same bug on Linux 4.18rc6, which is obviously not an outdated kernel.

Revision history for this message
Axel (nospamforaxel-1) wrote :

In my opinion the title of the bug is misleading.

I see rather something like 'Snaps do not work in Linux-Kernels v4.18'.

Can someone update the title to a more precise one?

Revision history for this message
Oliver Grawert (ogra) wrote :

the title is perfectly fine, this bug is about printing a proper error instead of a cryptic readlinkat() message when there is a kernel in use that lacks the necessary features (which a proper ubuntu kernel provides) for snapd to operate correctly. in case there will be 4.18 ubuntu supported kernels (i.e. in 18.10) they will work and not print this error. it is not depending on a version (you'D likely also see it if you'd build 4.2 mainline with upstreams defconfig or some such).

Revision history for this message
Axel (nospamforaxel-1) wrote :

Hmm... I see.

So the misbehavior I see does not fit this bug, because this bug does not deal with the root-cause but with just an error message, a consequence of it.

I've used in the past year always the newest kernels with my Ubuntu installations. They have their hickups here and there but I did never see this behavior. Snaps always worked with the newest kernels.

Doesn't a bug-tracker like launchpad exist to collect the misbehavior of software, here especially Ubuntu?

What do you suggest for this case. Shall I open a new bug for the fact that snaps do not work with the new kernels?

Revision history for this message
John Lenton (chipaca) wrote :

It's always bee the case that a properly configured kernel is needed for snapd to work. There even have been features added, and bugs fixed, in the kernel as a direct result of needing features working for snapd (and in those cases the Ubuntu kernel has often shipped the patches before they were upstream, and in fact there might be still patches that need upstreaming; for example I'm not sure if the fix for https://bugzilla.kernel.org/show_bug.cgi?id=195453 has been picked up or not).

Just saying 'newest' carries no information as to whether the needed features are available and enabled on the kernel you're running.

What snapd should do, what we're trying to have it do, is determine what features are available and use them, and work around those that are missing.

This might result in some snaps not working properly or, in extreme cases, snaps running with only partial confinement (in these cases snapd should be warning about it). _This_ bug is about our failure to do this properly, at least in some scenarios.

If your bug is about something else, yes you should file a new bug. However, if you run a random kernel with an arbitrary feature set, I'm not sure what support you expect beyond snapd printing a warning about things not working properly (which is this bug).

tags: added: affects install. it libreoffice me snap using
Revision history for this message
Lars (dasnetzundich) wrote :

I have the same problem. I would use canonical livepatch, but I get this error also.

Syslogentry:

Aug 11 07:25:15 h2744217 kernel: [47190.238359] audit: type=1400 audit(1533965115.540:93): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=30532 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"

Kernel: 4.18.0-041800rc7-generic

Revision history for this message
Ben Aceler (aceler) wrote :

Found this thread about Apparmor confioguration changes to support kernel 4.18. Give it a try: https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/18

Revision history for this message
Qwerty Chouskie (asdfghrbljzmkd) wrote :

Now you can just `sudo snap refresh core --beta` for the 4.18 problem (tested on 4.18.2 aarch64 from the mainline ppa).

Revision history for this message
Xaver Hugl (xaver-hugl) wrote :

Thanks. 'sudo snap refresh core --beta' worked. Kernel 4.18.3 64bit

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.