Comment 6 for bug 1964636

Maciej Borzecki (maciek-borzecki) wrote:

I pulled a clean 20.04 cloud image VM from https://cloud-images.ubuntu.com/focal/current/

root@ubuntu:/home/guest# grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 20.04.4 LTS"
root@ubuntu:/home/guest# uname -a
Linux ubuntu 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

root@ubuntu:/home/guest# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.

As expected:

root@ubuntu:/home/guest# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

root@ubuntu:/home/guest# snap list lxd
Name  Version  Rev    Tracking      Publisher   Notes
lxd   4.0.9    22526  4.0/stable/…  canonical✓  -
root@ubuntu:/home/guest# lxd init --auto
root@ubuntu:/home/guest# lxc launch images:ubuntu/20.04 c1
Creating c1
Starting c1
root@ubuntu:/home/guest# lxc exec c1 -- apt install snapd -y
..
root@ubuntu:/home/guest# lxc exec c1 -- snap list
No snaps are installed yet. Try 'snap install hello-world'.

As expected, bpf isn't supported by apparmor_parser:

root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess

Restarted the guest:
root@ubuntu:/home/guest# lxc restart c1

And it's still the same:
root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
root@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

The only difference is that I didn't install or run distrobuilder. So I proceeded to do it.

root@c1:~# snap install distrobuilder --edge --classic
2022-03-12T09:17:52Z INFO Waiting for automatic snapd restart...
distrobuilder (edge) git-f883431 from Stéphane Graber (stgraber) installed
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

And restart:

root@c1:~# exit
root@ubuntu:/home/guest# lxc restart c1
root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
root@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

root@c1:~# systemctl status snapd.apparmor
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
     Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (exited) since Sat 2022-03-12 09:18:46 UTC; 47s ago
    Process: 134 ExecStart=/usr/lib/snapd/snapd-apparmor start (code=exited, status=0/SUCCESS)
   Main PID: 134 (code=exited, status=0/SUCCESS)

Mar 12 09:18:46 c1 systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 47: ns_stacked: not found
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 48: ns_name: not found
Mar 12 09:18:46 c1 systemd[1]: Finished Load AppArmor profiles managed internally by snapd.
root@c1:~# exit
root@ubuntu:/home/guest# lxc exec c1 -- distrobuilder
System container image builder for LXC and LXD

Usage:
  distrobuilder [command]

Available Commands:
  build-dir       Build plain rootfs
  build-lxc       Build LXC image from scratch
  build-lxd       Build LXD image from scratch
  help            Help about any command
  pack-lxc        Create LXC image from existing rootfs
  pack-lxd        Create LXD image from existing rootfs
  repack-windows  Repack Windows ISO with drivers included

Flags:
      --cache-dir        Cache directory
      --cleanup          Clean up cache directory (default true)
      --debug            Enable debug output
      --disable-overlay  Disable the use of filesystem overlays
  -h, --help             help for distrobuilder
  -o, --options          Override options (list of key=value)
  -t, --timeout          Timeout in seconds
      --version          Print version number

Use "distrobuilder [command] --help" for more information about a command.

Then I proceeded to refresh lxd from latest:

root@ubuntu:/home/guest# snap refresh --channel latest/stable lxd
lxd 4.23 from Canonical✓ refreshed

The rest of the steps are the same, everything works OOTB, there's no cap-bpf as snapd did not detect such support in apparmor_parser, and I can't reproduce the problem.

If `echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess` fails, then snapd will generate the snippet for snap-confine.
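The probe used throughout the comment, turned into a small reusable script so it can be run on any host or container to see whether a cap-bpf snippet would be emitted. This is an added illustration, not snapd's own code: `apparmor_cap_supported` feeds the same one-line profile to `apparmor_parser --preprocess` and reports the exit status, and `cap_snippet` prints a `capability <name>,` rule only when the parser accepted it, matching the observation above that no cap-bpf snippet exists when support isn't detected. The function names and the `fake_old_parser` stand-in (which mimics the "Invalid capability bpf" error from the focal parser so the script runs offline) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not snapd code. Probe an AppArmor parser for a capability keyword.
# $1 = capability name, $2 = parser command (defaults to the real apparmor_parser).
apparmor_cap_supported() {
    cap="$1"
    parser="${2:-apparmor_parser}"
    # Same probe as in the bug comment: a minimal profile on stdin, preprocess only.
    printf 'profile snap-test { capability %s, }\n' "$cap" |
        "$parser" --preprocess >/dev/null 2>&1
}

# Print the rule that would go into a per-capability snippet, but only if the
# parser on this system understands the keyword; print nothing otherwise.
cap_snippet() {
    cap="$1"
    parser="${2:-apparmor_parser}"
    if apparmor_cap_supported "$cap" "$parser"; then
        printf 'capability %s,\n' "$cap"
    fi
}

# Constructed stand-in for an older apparmor_parser (like the one on the 20.04
# image in the comment): accepts sys_admin, rejects bpf with the same error text.
# Flags such as --preprocess are ignored; the profile is read from stdin.
fake_old_parser() {
    while read -r line; do
        case "$line" in
            *"capability bpf"*)
                echo "AppArmor parser error, in stdin line 1: Invalid capability bpf." >&2
                return 1
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
    return 0
}
```

On a real host run `cap_snippet bpf` with no second argument to use the system's apparmor_parser; on the focal image from the comment it prints nothing, on a parser that knows the keyword it prints `capability bpf,`.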