[lxc-users] Running snapd within LXC/LXD on a Debian host?

Stéphane Graber stgraber at ubuntu.com
Fri Sep 28 13:58:12 UTC 2018


No need for nesting or privileged, snapd works fine in a fully secure
unprivileged container, so long as the kernel has support for
unprivileged fuse.

Make sure that:
 - Your distro kernel has unprivileged fuse enabled. I believe this
   would require a 4.18 kernel and may require some specific build options
   (unsure about that part).
 - You have the "fuse" package installed in the container; this has
   sometimes been a problem.
 - /lib/modules exists in the container. If not, create it with
   mkdir; snapd is a bit picky about that sometimes.

On Fri, Sep 28, 2018 at 01:48:19PM +0000, bob-lists at vulpin.com wrote:
> From what I vaguely remember from the last time I tried, you might need to either disable AppArmor (on the parent container?) or make it privileged. Or possibly both.
> 
> Of course, this does mean you lose some of the security/isolation of containerisation.
> 
> Bob
> 
> -----Original Message-----
> From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> On Behalf Of Linus Lüssing
> Sent: Saturday, 15 September 2018 5:02 AM
> To: lxc-users at lists.linuxcontainers.org; dev at ybit.eu
> Subject: [lxc-users] Running snapd within LXC/LXD on a Debian host?
> 
> Hi,
> 
> I found the following, excellent article online:
> 
> https://blog.ubuntu.com/2016/02/16/running-snaps-in-lxd-containers
> 
> And I'm currently trying to achieve the same on an LXD host running Debian Stretch and a Container running Ubuntu 18.04.
> 
> The error I'm now getting within the container is the following though:
> 
> -----
> $ journalctl -xe
> [...]
> -- Subject: Unit snapd.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://www.ubuntu.com/support
> --
> -- Unit snapd.service has begun starting up.
> Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
> Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: /tmp/selftest-mountpoint-412081678: wrong fs type, bad option, bad superblock on /tmp/selftest-squashfs-971713707, missing codepage or helper program, or other error.
> Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Main process exited, code=exited, status=1/FAILURE
> Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Failed with result 'exit-code'.
> Sep 14 17:42:09 rocketchat2 systemd[1]: Failed to start Snappy daemon.
> -- Subject: Unit snapd.service has failed
> -- Defined-By: systemd
> -- Support: http://www.ubuntu.com/support
> --
> -- Unit snapd.service has failed.
> -----
> 
> And I'm also getting some "DENIED" messages from apparmor in dmesg. See attachment.
> 
> I tried both a 4.17 kernel provided by Debian Stretch-Backports and a 4.18 kernel from Debian Testing. The kernel cmdline looks like this for 4.18 for instance:
> 
> -----
> $ uname -a
> Linux yServer 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
> $ cat /proc/cmdline
> BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=f59f51b8-93ba-45e7-b0d7-c7013c52c11c ro quiet apparmor=1 security=apparmor
> -----
> 
> The squashfuse package is installed successfully within the container:
> 
> -----
> $ dpkg -l | grep squashfuse
> ii  squashfuse                  0.1.100-0ubuntu2                  amd64        FUSE filesystem to mount squashfs archives
> -----
> 
> 
> Are the kernels provided by Debian supposed to work for snapd within LXD? Or are there some non-upstream patches added to the Ubuntu kernel which are necessary to make things work as described in the blog post?
> 
> Regards,
> Linus
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
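The three points in the reply above can be checked from inside the container before starting snapd. The script below is an added example, not part of this thread or of snapd/LXD: it checks the kernel version (4.18 or newer, per the reply), that /dev/fuse is present (an assumption of mine: squashfuse is a FUSE filesystem and cannot mount without it), that the "fuse" and "squashfuse" packages are installed, and that /lib/modules exists (creating it if not). As a last step it reproduces what the quoted journal shows snapd doing at start-up, mounting a small squashfs image with squashfuse, so the "fuse.squashfuse" failure can be seen directly rather than through systemd. Run it as root in the container; the mksquashfs/squashfuse step is skipped when those tools or /dev/fuse are missing.

```shell
#!/bin/sh
# Pre-flight check for snapd in an unprivileged LXD container, following the
# reply above (kernel >= 4.18 for unprivileged fuse, "fuse" package installed,
# /lib/modules present). Added example, not from the original thread or from
# snapd/LXD. Assumption: snapd's start-up self-test (the "fuse.squashfuse"
# error in the quoted journal) is approximated here by building a tiny
# squashfs with mksquashfs and mounting it with squashfuse via /dev/fuse.

failures=0
pass() { printf 'PASS  %s\n' "$1"; }
fail() { printf 'FAIL  %s\n' "$1"; failures=$((failures + 1)); }
skip() { printf 'SKIP  %s\n' "$1"; }

# version_ge WANT HAVE: exit 0 if HAVE >= WANT, comparing only the leading
# dotted numeric part ("4.18.0-1-amd64" is treated as 4.18.0).
version_ge() {
    want=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    have=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        w=$(printf '%s' "$want" | cut -d. -f"$i"); w=${w:-0}
        h=$(printf '%s' "$have" | cut -d. -f"$i"); h=${h:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

check_kernel() {
    rel=$(uname -r)
    if version_ge 4.18 "$rel"; then pass "kernel $rel (>= 4.18, unprivileged fuse mounts)"
    else fail "kernel $rel is older than 4.18; fuse mounts from an unprivileged container will not work"; fi
}

check_fuse_device() {
    if [ -c /dev/fuse ]; then pass "/dev/fuse is present in the container"
    else fail "/dev/fuse missing; squashfuse cannot mount anything without it"; fi
}

check_package() {
    if ! command -v dpkg >/dev/null 2>&1; then skip "dpkg not available, cannot check package $1"; return; fi
    if dpkg -s "$1" >/dev/null 2>&1; then pass "package $1 installed"
    else fail "package $1 not installed (apt install $1)"; fi
}

check_modules_dir() {
    if [ -d /lib/modules ]; then pass "/lib/modules exists"
    elif mkdir -p /lib/modules 2>/dev/null; then pass "/lib/modules created (snapd expects it)"
    else fail "/lib/modules missing and could not be created"; fi
}

# Approximate snapd's self-test: squashfs image -> squashfuse mount -> read back.
check_squashfuse_mount() {
    if ! command -v mksquashfs >/dev/null 2>&1 || ! command -v squashfuse >/dev/null 2>&1 || [ ! -c /dev/fuse ]; then
        skip "mksquashfs, squashfuse or /dev/fuse not available, skipping mount self-test"; return
    fi
    tmp=$(mktemp -d) || { fail "could not create a temporary directory"; return; }
    mkdir "$tmp/src" "$tmp/mnt"
    echo "hello from squashfs" > "$tmp/src/probe"
    if mksquashfs "$tmp/src" "$tmp/img.squashfs" -noappend >/dev/null 2>&1 \
        && squashfuse "$tmp/img.squashfs" "$tmp/mnt" 2>/dev/null \
        && [ "$(cat "$tmp/mnt/probe")" = "hello from squashfs" ]; then
        pass "squashfuse mount works (snapd's fuse.squashfuse self-test should pass)"
    else
        fail "squashfuse mount failed, the same symptom as the quoted snapd error; check dmesg for apparmor DENIED lines"
    fi
    fusermount -u "$tmp/mnt" 2>/dev/null
    rm -rf "$tmp"
}

main() {
    check_kernel
    check_fuse_device
    check_package fuse
    check_package squashfuse
    check_modules_dir
    check_squashfuse_mount
    return "$failures"
}

main || printf '%s check(s) failed\n' "$?"
```

If the kernel check passes but the mount self-test fails, the problem is not the kernel version but something in between: the missing /dev/fuse, the missing package, or the AppArmor denials Linus mentions, which `dmesg` in the host will show as DENIED lines for the container's profile.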