[lxc-users] Running snapd within LXC/LXD on a Debian host?

bob-lists at vulpin.com bob-lists at vulpin.com
Fri Sep 28 13:48:19 UTC 2018


From what I vaguely remember from the last time I tried, you might need to either disable AppArmor (on the parent container?) or make it privileged. Or possibly both.

Of course, this does mean you lose some of the security/isolation of containerisation.

Bob

-----Original Message-----
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> On Behalf Of Linus Lüssing
Sent: Saturday, 15 September 2018 5:02 AM
To: lxc-users at lists.linuxcontainers.org; dev at ybit.eu
Subject: [lxc-users] Running snapd within LXC/LXD on a Debian host?

Hi,

I found the following, excellent article online:

https://blog.ubuntu.com/2016/02/16/running-snaps-in-lxd-containers

And I'm currently trying to achieve the same on an LXD host running Debian Stretch and a Container running Ubuntu 18.04.

The error I'm now getting within the container is the following though:

-----
$ journalctl -xe
[...]
-- Subject: Unit snapd.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has begun starting up.
Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: /tmp/selftest-mountpoint-412081678: wrong fs type, bad option, bad superblock on /tmp/selftest-squashfs-971713707, missing codepage or helper program, or other error.
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Main process exited, code=exited, status=1/FAILURE
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Failed with result 'exit-code'.
Sep 14 17:42:09 rocketchat2 systemd[1]: Failed to start Snappy daemon.
-- Subject: Unit snapd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has failed.
-----

And I'm also getting some "DENIED" messages from apparmor in dmesg. See attachment.

I tried both a 4.17 kernel provided by Debian Stretch-Backports and a 4.18 kernel from Debian Testing. The kernel cmdline looks like this for 4.18 for instance:

-----
$ uname -a
Linux yServer 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=f59f51b8-93ba-45e7-b0d7-c7013c52c11c ro quiet apparmor=1 security=apparmor
-----

The squashfuse package is installed successfully within the container:

-----
$ dpkg -l | grep squashfuse
ii  squashfuse                  0.1.100-0ubuntu2                  amd64        FUSE filesystem to mount squashfs archives
-----


Are the kernels provided by Debian supposed to work for snapd within LXD? Or are there some non-upstream patches added to the Ubuntu kernel which are necessary to make things work as described in the blog post?

Regards,
Linus
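
An added diagnostic sketch, not part of either message above: it separates the two failures visible in the journal excerpt (AppArmor features reported missing, and the squashfuse self-test mount failing) and checks which AppArmor feature directories the running kernel exposes. The function names are hypothetical, and the securityfs path /sys/kernel/security/apparmor/features is an assumption about where the kernel's AppArmor feature set is visible inside the container.

```shell
#!/bin/sh
# Added example, not code from the thread or from snapd/LXD.

# missing_apparmor_features DIR FEATURE...
# Prints the space-separated features that have no entry under DIR.
missing_apparmor_features() {
    dir=$1; shift
    missing=""
    for f in "$@"; do
        [ -e "$dir/$f" ] || missing="${missing:+$missing }$f"
    done
    printf '%s' "$missing"
}

# classify_snapd_log: reads journal lines on stdin, prints one finding per line.
classify_snapd_log() {
    while IFS= read -r line; do
        case $line in
            *"some features are missing:"*)
                printf 'apparmor-missing:%s\n' "${line##*some features are missing: }" ;;
            *'cannot mount squashfs image using "fuse.squashfuse"'*)
                printf 'squashfuse-mount-failed\n' ;;
        esac
    done
}

# Demo on sample lines shortened from the journal excerpt in the post.
classify_snapd_log <<'EOF'
Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: wrong fs type
EOF

# Live checks: the two features the log names, and the FUSE device squashfuse needs.
features_dir=/sys/kernel/security/apparmor/features   # assumed securityfs location
m=$(missing_apparmor_features "$features_dir" dbus network)
[ -z "$m" ] || echo "kernel AppArmor features not exposed: $m"
[ -c /dev/fuse ] || echo "/dev/fuse is not available in this environment"
```

Run it inside the container; the same feature check run on the host shows whether the gap comes from the kernel itself or from the container's confinement.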

