[apparmor] [Bug 2049099] [NEW] AppArmor blocking snap install nested in LXD container
Marc Oppenheimer
2049099 at bugs.launchpad.net
Thu Jan 11 19:59:13 UTC 2024
Public bug reported:
##### Context
I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps.
##### Issue
When I try to do this, I get a bunch of AppArmor violations that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use case, and that this isn't replicated on other OSes? Not sure, and I don't know who to ask or where to look.
If any additional information is needed, I'd be more than happy to provide it.
##### Logs + Additional Info
- `snappy-debug` journalctl logs: https://pastebin.canonical.com/p/N5wxYggMyz/
- A rough grab from dmesg: https://pastebin.canonical.com/p/4JhTX38GBF/
- Snapd installed using: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd
- `juju-db` snap: https://github.com/juju/juju-db-snap/tree/5.3
- `usr.lib.snapd.snap-confine` default on Arch, in case it's useful: https://pastebin.canonical.com/p/84WGfgrCz6/
##### Reproduce Steps
Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled:
```bash
cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd
makepkg -si
sudo systemctl enable --now snapd.socket
# log-out, log-in
sudo snap install lxd --channel latest/edge
lxd init --auto
sudo snap install juju --channel 3.3/stable
juju bootstrap localhost lh --debug --bootstrap-timeout=180
# check snappy-debug or dmesg for AppArmor denials
```
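The last step above leaves the reader with raw `dmesg`/journal lines to sift through. The following triage helper is an added example, not part of the bug report or of snapd: it parses AppArmor audit records, splits stacked profile names (the `outer//&:namespace:inner` form LXD produces for processes inside a container, assumed here) so that denials hitting the nested snap profile are grouped separately from host-level ones, and counts DENIED events by inner profile, operation and path. The log lines embedded below are constructed samples in the standard audit format, not the reporter's pastebin content.

```python
import re
from collections import Counter

# Constructed sample lines (not from the bug's pastebins). The stacked profile names
# mimic what LXD shows for a process inside a container: outer container profile,
# then "//&:" + the container's AppArmor namespace + ":" + the inner profile (assumed layout).
SAMPLE_LOG = """\
[ 1234.5678] audit: type=1400 audit(1704995000.101:901): apparmor="DENIED" operation="open" class="file" profile="lxd-juju-c1_</var/snap/lxd/common/lxd>//&:lxd-juju-c1_<var-snap-lxd-common-lxd>:snap.juju-db.daemon" name="/proc/1/status" pid=4242 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.5680] audit: type=1400 audit(1704995000.102:902): apparmor="DENIED" operation="open" class="file" profile="lxd-juju-c1_</var/snap/lxd/common/lxd>//&:lxd-juju-c1_<var-snap-lxd-common-lxd>:snap.juju-db.daemon" name="/proc/1/status" pid=4242 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.5690] audit: type=1400 audit(1704995000.103:903): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="lxd-juju-c1_</var/snap/lxd/common/lxd>//&:lxd-juju-c1_<var-snap-lxd-common-lxd>:/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_abc123/" pid=4300 comm="snap-confine" flags="rw, rbind"
[ 1234.5700] audit: type=1400 audit(1704995000.104:904): apparmor="ALLOWED" operation="open" class="file" profile="snap.lxd.daemon" name="/etc/hosts" pid=100 comm="lxd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Return a dict of fields from one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # Stacked profiles read outer//&:namespace:inner. Keep the innermost name separately
    # so denials against the snap inside the container group under the snap's profile.
    prof = fields.get("profile", "")
    parts = prof.split("//&:")
    fields["outer_profile"] = parts[0]
    fields["nested"] = len(parts) > 1
    fields["inner_profile"] = parts[-1].split(":", 1)[1] if fields["nested"] and ":" in parts[-1] else prof
    return fields

def summarize_denials(text):
    """Count DENIED events keyed by (inner profile, operation, name, nested?)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED":
            counts[(f["inner_profile"], f["operation"], f.get("name", "?"), f["nested"])] += 1
    return counts

if __name__ == "__main__":
    # Run against dmesg output instead with: dmesg | python3 this_script.py  (replace SAMPLE_LOG with sys.stdin.read())
    for (inner, op, name, nested), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {'nested' if nested else 'host  '}  {inner:32s} {op:8s} {name}")
```

Denials whose inner profile is `snap.juju-db.daemon` or `/usr/lib/snapd/snap-confine` and that carry the `nested` flag are the ones coming from the snap inside the container, which is exactly the class of event this report is about.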
** Affects: snapd
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2049099
Title:
AppArmor blocking snap install nested in LXD container
Status in snapd:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2049099/+subscriptions