I pulled a clean 20.04 cloud image VM from https://cloud-images.ubuntu.com/focal/current/
root@ubuntu:/home/guest# grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 20.04.4 LTS"
root@ubuntu:/home/guest# uname -a
Linux ubuntu 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:/home/guest# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
as expected:
root@ubuntu:/home/guest# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
root@ubuntu:/home/guest# snap list lxd
Name  Version  Rev    Tracking      Publisher   Notes
lxd   4.0.9    22526  4.0/stable/…  canonical✓  -
root@ubuntu:/home/guest# lxd init --auto
root@ubuntu:/home/guest# lxc launch images:ubuntu/20.04 c1
Creating c1
Starting c1
root@ubuntu:/home/guest# lxc exec c1 -- apt install snapd -y
..
root@ubuntu:/home/guest# lxc exec c1 -- snap list
No snaps are installed yet. Try 'snap install hello-world'.
As expected bpf isn't supported by apparmor_parser:
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
restarted the guest:
root@ubuntu:/home/guest# lxc restart c1
and it's still the same:
root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpfroot@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
The only difference is that I didn't install or run distrobuilder. So I proceeded to do it.
root@c1:~# snap install distrobuilder --edge --classic
2022-03-12T09:17:52Z INFO Waiting for automatic snapd restart...
distrobuilder (edge) git-f883431 from Stéphane Graber (stgraber) installed
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
and restart:
root@c1:~# exit
root@ubuntu:/home/guest# lxc restart c1
root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpfroot@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
root@c1:~# systemctl status snapd.apparmor
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
     Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (exited) since Sat 2022-03-12 09:18:46 UTC; 47s ago
    Process: 134 ExecStart=/usr/lib/snapd/snapd-apparmor start (code=exited, status=0/SUCCESS)
   Main PID: 134 (code=exited, status=0/SUCCESS)
Mar 12 09:18:46 c1 systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 47: ns_stacked: not found
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 48: ns_name: not found
Mar 12 09:18:46 c1 systemd[1]: Finished Load AppArmor profiles managed internally by snapd.
root@c1:~# exit
root@ubuntu:/home/guest# lxc exec c1 -- distrobuilder
System container image builder for LXC and LXD
Usage:
  distrobuilder [command]
Available Commands:
  build-dir       Build plain rootfs
  build-lxc       Build LXC image from scratch
  build-lxd       Build LXD image from scratch
  help            Help about any command
  pack-lxc        Create LXC image from existing rootfs
  pack-lxd        Create LXD image from existing rootfs
  repack-windows  Repack Windows ISO with drivers included
Flags:
      --cache-dir        Cache directory
      --cleanup          Clean up cache directory (default true)
      --debug            Enable debug output
      --disable-overlay  Disable the use of filesystem overlays
  -h, --help             help for distrobuilder
  -o, --options          Override options (list of key=value)
  -t, --timeout          Timeout in seconds
      --version          Print version number
Use "distrobuilder [command] --help" for more information about a command.
Then I proceeded to refresh lxd from latest:
root@ubuntu:/home/guest# snap refresh --channel latest/stable lxd
lxd 4.23 from Canonical✓ refreshed
The rest of the steps are the same, everything works OOTB, there's no cap-bpf as snapd did not detect such support in apparmor_parser and I can't reproduce the problem.
If `echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess` fails, then snapd will generate the snippet for snap-confine.
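The comment above reproduces the probe by hand: feed a throwaway profile containing `capability bpf,` to `apparmor_parser --preprocess` and look at whether /var/lib/snapd/apparmor/snap-confine/cap-bpf exists. The following POSIX sh script is an added example (written for this page, not snapd's own code nor anything from the comment's author) that wraps the same two checks so they can be repeated on any host or container in one go. It assumes, as labelled in the code, that the parser and the snippet directory can be overridden through the hypothetical APPARMOR_PARSER and SNAP_CONFINE_SNIPPET_DIR variables, and it treats the pairing seen in the transcript (parser rejects bpf, no cap-bpf snippet) as the consistent state; the mismatch verdict is this example's own addition, meant to flag a snippet that is stale relative to the installed parser.

```shell
#!/bin/sh
# Added diagnostic, not snapd's code: re-runs the apparmor_parser probe from the
# transcript and compares it with the snap-confine snippet on disk.
# Assumptions (not from the page): APPARMOR_PARSER and SNAP_CONFINE_SNIPPET_DIR
# are hypothetical override variables; "consistent" means the snippet exists
# exactly when the parser accepts the capability.

PARSER="${APPARMOR_PARSER:-apparmor_parser}"
SNIPPET_DIR="${SNAP_CONFINE_SNIPPET_DIR:-/var/lib/snapd/apparmor/snap-confine}"

# parser_supports_cap CAP: exit 0 if apparmor_parser accepts "capability CAP,"
# in a throwaway profile (the same probe the transcript runs by hand).
# Only --preprocess is used, so nothing is loaded into the kernel.
parser_supports_cap() {
    printf 'profile snap-test { capability %s, }\n' "$1" \
        | "$PARSER" --preprocess >/dev/null 2>&1
}

# snippet_state CAP: prints "present" if the cap-CAP snippet file exists in
# the snap-confine snippet directory, "absent" otherwise.
snippet_state() {
    if [ -f "$SNIPPET_DIR/cap-$1" ]; then
        echo present
    else
        echo absent
    fi
}

# report CAP: prints "<cap> parser=<yes|no> snippet=<present|absent> <verdict>".
# The verdict is "consistent" when the snippet exists exactly when the parser
# supports the capability, and "MISMATCH" otherwise (a snippet left behind
# after a parser downgrade, or one missing after a parser upgrade).
report() {
    cap=$1
    if parser_supports_cap "$cap"; then
        parser=yes
    else
        parser=no
    fi
    snippet=$(snippet_state "$cap")
    case "$parser/$snippet" in
        yes/present|no/absent) verdict=consistent ;;
        *) verdict=MISMATCH ;;
    esac
    echo "$cap parser=$parser snippet=$snippet $verdict"
}

# Stand-alone use: sh probe-cap.sh bpf   (run inside the container as root,
# or on the host, to compare both sides with the same command)
for cap in "$@"; do
    report "$cap"
done
```

Running it as `sh probe-cap.sh bpf` inside c1 from the transcript should print `bpf parser=no snippet=absent consistent`, which is the state the comment describes as expected on a 20.04 parser. A `MISMATCH` line is the interesting case: it means the snippet on disk no longer matches what the installed apparmor_parser accepts, which is the first thing to check before blaming distrobuilder or the restart.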