[SRU] 2.72

Status changed to 'Confirmed' because the bug affects multiple users.

Regarding this change:

      - Add architecture to 'snap version' output

Questing builds may have the amd64v3 architecture available. Some packages build for it already, and it can be enabled in the ppa:

 AMD x86-64 (amd64)
 AMD64 x86-64-v3 (amd64v3) <===

Do you foresee issues with this, if snapd is built and installed on such an arch? Perhaps enable it in your ppa as well, to check?

This 2.72 version seems to be still missing the new coreutils paths introduced in questing[1]. At least I still see references to things like /{,usr/}bin/ls in [2]. Is deb snapd somehow not affected by this change in questing?

1. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870
2. interfaces/apparmor/template.go

This bit of the diff scared me:

--- a/interfaces/builtin/microstack_support.go
+++ b/interfaces/builtin/microstack_support.go
@@ -215,6 +215,17 @@ unmount /run/netns/ovnmeta-*,

 # Required by libvirtd to detect and utilise AMD SEV capabilities for AMD CPU's
 /dev/sev rw,
+
+# Required by OVS to initialize DPDK
+# https://doc.dpdk.org/guides/linux_gsg/enable_func.html
+@{PROC}/@{pids}/pagemap r,
+capability ipc_lock,
+# Allow anonymous files backed by huge pages.
+# https://gitlab.com/apparmor/apparmor/-/issues/545
+# Note that this rule doesn't allow top level files and directories to be removed.
+# At the same time, subpaths are expected to be on squashfs unless modified
+# through layouts.
+owner / rw,
 `

 const microStackSupportConnectedPlugSecComp = `

Even though the comment tries to explain that this rule "does not allow top level files and directories to be removed". Why is that? In which context is this rule used that makes it "safe"?

I saw that one of the failed tests involved "sudo -E", and that is not supported by sudo-rs in questing. What exactly are the implications of that for snap 2.72 on questing? Is "sudo -E" only used in some tests, which we would be skipping, or is it used "for real" by some snap component, at runtime?

A quick grep found "sudo -E" being used in cmd/snap/cmd_run.go by what looks like a helper to debug something.

Regarding comment #5:
---------------------

- I confirmed snapd builds for fine for amd64_v3 on my personal ppa: https://launchpad.net/~ernestl/+archive/ubuntu/snapd2/+build/31361729/+files/snapd_2.72+ubuntu25.10.2_amd64v3.deb

- Its runs fine on my AMD Ryzen 7 2700X (Zen+) which supports amd64_v3.

- Following this, I enabled amd64_v3 on snappy-dev/image (this was checked with all stakeholders first).

- snapd version uses two methods to retrieve arch info: (1) runtime.GOARCH, and secondly (2) uname syscall. Neither would distinguish amd64_v3, it will just show up as amd64.

```
snap version
snap 2.72+ubuntu25.10.2
snapd 2.72+ubuntu25.10.2
series 16
ubuntu 25.10
kernel 6.15.0-4-generic
architecture amd64
```

Regarding comment #6:
---------------------

Thanks for pointing this out.

(1)
interfaces/apparmor/template.go applies inside the snap, so its relevant to the fs view that consist mainly of core<version> base snap provided fs (including core utils) and select mounts from the host.

Core24 is the most recent base, so the questing core utils location changes are not yet relevant.

It is however vital that this gets addressed before Core26.04! There is a PR up already to fix this: https://github.com/canonical/snapd/pull/16068.

I cross linked this to the LP ticket and also informed Georgia was driving it for snapd.

(2)
Snapd daemon itself is not confined, but snap-confine helper come with a profile: /etc/apparmor.d/usr.lib.snapd.snap-confine.real

I looked at this profile, and do not see reference to core-utils, so I believe this is not a problem.

As far as I can tell we are fine for the moment, but have to make changes in preperation for Core26.04.

Regarding comment #7:
---------------------

I think the comment can be improved.

This was detected during review as somewhat problematic: https://github.com/canonical/snapd/pull/15832/files#r2281656504

The comment means to say that inside a snaps mount namespace, there are no writable locations at /, so its inherently safe even though the rule does does not restrict write actions...

Regarding comment #8:
---------------------

We have already dealt with the failing test https://github.com/canonical/snapd/pull/16073.

We have no immediate solution for this issue, but as you say, it only affects `snap run` with option `gdb-server` (so debugging only) which is something we can live with.

The questing version seems wrong.

Today we have:
 snapd | 2.71+ubuntu25.04 | plucky-updates | source
 snapd | 2.71.1+ubuntu25.10.1 | questing | source
 snapd | 2.71.1+ubuntu25.10.1 | resolute | source

Questing in the ppa linked to this SRU is 2.72+ubuntu25.10.2. It should be 2.72+ubuntu25.10.1, no? I'm ok changing that before sponsoring, just need your +1 on this.

There are some broken symlinks in these packages, is that expected?

For example:

$ l snapd-2.72+ubuntu26.04.1/core-initrd/latest/factory/
total 16K
drwxrwxr-x 4 andreas andreas 4.0K Sep 18 05:00 .
drwxrwxr-x 10 andreas andreas 4.0K Sep 18 05:00 ..
drwxrwxr-x 3 andreas andreas 4.0K Sep 18 05:00 etc
lrwxrwxrwx 1 andreas andreas 23 Sep 18 05:00 init -> usr/lib/systemd/systemd ### broken
drwxrwxr-x 5 andreas andreas 4.0K Sep 18 05:00 usr

$ l snapd-2.72+ubuntu26.04.1/core-initrd/latest/factory/usr/lib/systemd
total 20K
drwxrwxr-x 5 andreas andreas 4.0K Sep 18 05:00 .
drwxrwxr-x 5 andreas andreas 4.0K Sep 18 05:00 ..
drwxrwxr-x 2 andreas andreas 4.0K Sep 18 05:00 bootchart.conf.d
drwxrwxr-x 2 andreas andreas 4.0K Sep 18 05:00 journald.conf.d
drwxrwxr-x 15 andreas andreas 4.0K Sep 18 05:00 system ### here it's "system", not "systemd"

Regarding comment #13:
----------------------

Questing should be snapd - 2.72+ubuntu25.10.2.

-> Version snapd - 2.72+ubuntu25.10 had to have changelog modified due to late out of order arrival of 2.71.1

-> Then Version snapd - 2.72+ubuntu25.10.1 again required tiny patch to fix a seccomp related test issue.

So this brings us to 2.72+ubuntu25.10.2.

So as things stand now:

(1) snapd - 2.72+ubuntu26.04.1
(2) snapd - 2.72+ubuntu25.10.2
(3) snapd - 2.72+ubuntu25.04
(4) snapd - 2.72+ubuntu24.04

Regarding comment #14:
----------------------

From Alfonso:
```
those folders are used to build UC initramfs, they might not point anywhere until the initramfs is built
so yes, that is expected
```

This makes sense. We could consider excluding it from the source tarball in the future, but its harmless as is.

Sponsored for resolute, questing, plucky, noble, jammy.

-> Then Version snapd - 2.72+ubuntu25.10.1 again required tiny patch to fix a seccomp related test issue.

This also of course applies to the 26.04.1 change and both of these should have that mentioned in the changelog as the code usually is exactly the same and only the changelog differs.

Hello Ernest, or anyone else affected,

Accepted snapd into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.72+ubuntu25.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ernest, or anyone else affected,

Accepted snapd into plucky-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.72+ubuntu25.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-plucky to verification-done-plucky. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-plucky. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ernest, or anyone else affected,

Accepted snapd into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.72+ubuntu24.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ernest, or anyone else affected,

Accepted snapd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.72+ubuntu22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

-> Then Version snapd - 2.72+ubuntu25.10.1 again required tiny patch to fix a seccomp related test issue.

Please ensure that going forward, tarballs have no different content outside of debian/. snapd is a native package at this point purely for some obscure technical reasons, but that's no reason to take advantage of it: the upstream portions should be the same across all releases.

All autopkgtests for the newly accepted snapd (2.72+ubuntu24.04) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~24.04.1 (amd64, arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted snapd (2.72+ubuntu22.04) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~22.04.1 (amd64, ppc64el, s390x)
livecd-rootfs/2.765.55 (amd64)
systemd/249.11-0ubuntu3.17 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted snapd (2.72+ubuntu25.10.2) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

linux-realtime/6.17.0-1002.3 (amd64)
livecd-rootfs/25.10.24 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted snapd (2.72+ubuntu25.04) for plucky have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io-app/28.2.2-0ubuntu1~25.04.1 (amd64, arm64, ppc64el, s390x)
systemd/257.4-1ubuntu3.2 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/plucky/update_excuses.html#snapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Validation on -proposed in progress: https://warthogs.atlassian.net/browse/SNAPDENG-34863

Please note we do not currently have resolute images available for spread testing so this will be skipped.

Hi snapd team.
Please beware of this regression: https://bugs.launchpad.net/ubuntu/+source/malcontent/+bug/2128350
I'm working on SRUing the fix to all series; ideally we would have that land in -updates before this.

Executed automated tests and the results are ok. Left a comment in the jira ticket about which prs address each test failure.

See https://warthogs.atlassian.net/browse/SNAPDENG-34863

Also all manual tests passed for ubuntu 22.04 24.04 25.04 and 25.10.

This bug was fixed in the package snapd - 2.72+ubuntu26.04.1

---------------
snapd (2.72+ubuntu26.04.1) resolute; urgency=medium

  * New upstream release, LP: #2124239
    - FDE: support replacing TPM protected keys at runtime via the
      /v2/system-volumes endpoint
    - FDE: support secboot preinstall check fix actions for 25.10+
      hybrid installs via the /v2/system/{label} endpoint
    - FDE: tweak polkit message to remove jargon
    - FDE: ensure proper sealing with kernel command line defaults
    - FDE: provide generic reseal function
    - FDE: support using OPTEE for protecting keys, as an alternative to
      existing fde-setup hooks (Ubuntu Core only)
    - Confdb: 'snapctl get --view' supports passing default values
    - Confdb: content sub-rules in confdb-schemas inherit their parent
      rule's "access"
    - Confdb: make confdb error kinds used in API more generic
    - Confdb: fully support lists and indexed paths (including unset)
    - Prompting: add notice backend for prompting types (unused for now)
    - Prompting: include request cgroup in prompt
    - Prompting: handle unsupported xattrs
    - Prompting: add permission mapping for the camera interface
    - Notices: read notices from state without state lock
    - Notices: add methods to get notice fields and create, reoccur, and
      deepcopy notice
    - Notices: add notice manager to coordinate separate notice backends
    - Notices: support draining notices from state when notice backend
      registered as producer of a particular notice type
    - Notices: query notice manager from daemon instead of querying
      state for notices directly
    - Packaging: Ubuntu | ignore .git directory
    - Packaging: FIPS | bump deb Go FIPS to 1.23
    - Packaging: snap | bump FIPS toolchain to 1.23
    - Packaging: debian | sync most upstream changes
    - Packaging: debian-sid | depends on libcap2-bin for postint
    - Packaging: Fedora | drop fakeroot
    - Packaging: snap | modify snapd.mk to pass build tags when running
      unit tests
    - Packaging: snap | modify snapd.mk to pass nooptee build tag
    - Packaging: modify Makefile.am to fix snap-confine install profile
      with 'make hack'
    - Packaging: modify Makefile.am to fix out-of-tree use of 'make
      hack'
    - LP: #2122054 Snap installation: skip snap icon download when
      running in a cloud or using a proxy store
    - Snap installation: add timeout to http client when downloading
      snap icon
    - Snap installation: use http(s) proxy for icon downloads
    - LP: #2117558 snap-confine: fix error message with /root/snap not
      accessible
    - snap-confine: fix non-suid limitation by switching to root:root to
      operate v1 freezer
    - core-initrd: do not use writable-paths when not available
    - core-initrd: remove debian folder
    - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev
      interface now with the more robust gpio-aggregator configfs kernel
      interface
    - Interfaces: gpio-chardev | exclusive snap connections, raise a
      conflict when both gpio-chardev and gpio are connected
    - Interfaces: gpio-chardev | fix gpio-aggregator module lo...

Verification of associated LP bugs completed.

Update verification
===================

Snap up/downgrade:
------------------
As part of other LP bug tests, I completed multiple snapd deb updates and downgrades for each targeted Ubuntu release version and can confirm that it works.

Distribution upgrade:
---------------------

(1)

Upgrade from Jammy all the way to Questing:

snap version
snap 2.72+ubuntu22.04
snapd 2.72+ubuntu22.04
series 16
ubuntu 22.04
kernel 5.15.0-163-generic
architecture amd64

(2)

snap 2.72+ubuntu24.04
snapd 2.72+ubuntu24.04
series 16
ubuntu 24.04
kernel 6.8.0-87-generic
architecture amd64

(3)

snap 2.72+ubuntu25.04
snapd 2.72+ubuntu25.04
series 16
ubuntu 25.04
kernel 6.14.0-35-generic
architecture amd64

(4)

snap 2.72+ubuntu25.10.2
snapd 2.72+ubuntu25.10.2
series 16
ubuntu 25.10
kernel 6.17.0-6-generic
architecture amd64