Discussion:
[lxc-users] Running snapd within LXC/LXD on a Debian host?
Linus Lüssing
2018-09-24 10:21:31 UTC
Hi,

I found the following, excellent article online:

https://blog.ubuntu.com/2016/02/16/running-snaps-in-lxd-containers

And I'm currently trying to achieve the same on an LXD host running Debian Stretch and a Container running Ubuntu 18.04.

The error I'm now getting within the container is the following though:

-----
$ journalctl -xe
[...]
-- Subject: Unit snapd.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has begun starting up.
Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: /tmp/selftest-mountpoint-412081678: wrong fs type, bad option, bad superblock on /tmp/selftest-squashfs-971713707, missing codepage or helper program, or other error.
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Main process exited, code=exited, status=1/FAILURE
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Failed with result 'exit-code'.
Sep 14 17:42:09 rocketchat2 systemd[1]: Failed to start Snappy daemon.
-- Subject: Unit snapd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has failed.
-----

And I'm also getting some "DENIED" messages from apparmor in dmesg:

https://ybit.ddns.net/f/bbecd4de4bb3480ab91d/

I tried both a 4.17 kernel provided by Debian Stretch-Backports and a 4.18 kernel from Debian Testing. The kernel cmdline looks like this for 4.18 for instance:

-----
$ uname -a
Linux yServer 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=f59f51b8-93ba-45e7-b0d7-c7013c52c11c ro quiet apparmor=1 security=apparmor
-----

The squashfuse package is installed successfully within the container:

-----
$ dpkg -l | grep squashfuse
ii squashfuse 0.1.100-0ubuntu2 amd64 FUSE filesystem to mount squashfs archives
-----


Are the kernels provided by Debian supposed to work for snapd within LXD? Or are there some non-upstream patches added to the Ubuntu kernel which are necessary to make things work as described in the blog post?

Regards,
Linus
Linus Lüssing
2018-09-14 19:01:40 UTC
Hi,

I found the following, excellent article online:

https://blog.ubuntu.com/2016/02/16/running-snaps-in-lxd-containers

And I'm currently trying to achieve the same on an LXD host running Debian Stretch and a Container running Ubuntu 18.04.

The error I'm now getting within the container is the following though:

-----
$ journalctl -xe
[...]
-- Subject: Unit snapd.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has begun starting up.
Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: /tmp/selftest-mountpoint-412081678: wrong fs type, bad option, bad superblock on /tmp/selftest-squashfs-971713707, missing codepage or helper program, or other error.
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Main process exited, code=exited, status=1/FAILURE
Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Failed with result 'exit-code'.
Sep 14 17:42:09 rocketchat2 systemd[1]: Failed to start Snappy daemon.
-- Subject: Unit snapd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit snapd.service has failed.
-----

And I'm also getting some "DENIED" messages from apparmor in dmesg. See attachment.

I tried both a 4.17 kernel provided by Debian Stretch-Backports and a 4.18 kernel from Debian Testing. The kernel cmdline looks like this for 4.18 for instance:

-----
$ uname -a
Linux yServer 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=f59f51b8-93ba-45e7-b0d7-c7013c52c11c ro quiet apparmor=1 security=apparmor
-----

The squashfuse package is installed successfully within the container:

-----
$ dpkg -l | grep squashfuse
ii squashfuse 0.1.100-0ubuntu2 amd64 FUSE filesystem to mount squashfs archives
-----


Are the kernels provided by Debian supposed to work for snapd within LXD? Or are there some non-upstream patches added to the Ubuntu kernel which are necessary to make things work as described in the blog post?

Regards,
Linus
b***@vulpin.com
2018-09-28 13:48:19 UTC
From what I vaguely remember from the last time I tried, you might need to either disable AppArmor (on the parent container?) or make it privileged. Or possibly both.

Of course, this does mean you lose some of the security/isolation of containerisation.

Bob

-----Original Message-----
From: lxc-users <lxc-users-***@lists.linuxcontainers.org> On Behalf Of Linus Lüssing
Sent: Saturday, 15 September 2018 5:02 AM
To: lxc-***@lists.linuxcontainers.org; ***@ybit.eu
Subject: [lxc-users] Running snapd within LXC/LXD on a Debian host?
Stéphane Graber
2018-09-28 13:58:12 UTC
No need for nesting or privileged, snapd works fine in a fully secure
unprivileged container, so long as the kernel has support for
unprivileged fuse.

Make sure that:
- Your distro kernel has unprivileged fuse enabled, I believe this
would require a 4.18 kernel and may require some specific build options
(unsure about that part).
- You have the "fuse" package installed in the container, this has
sometimes been a problem.
- That /lib/modules exists in the container, if not, create it with
mkdir, snapd is a bit picky about that sometimes.
Post by b***@vulpin.com
From what I vaguely remember from the last time I tried, you might need to either disable AppArmor (on the parent container?) or make it privileged. Or possibly both.
Of course, this does mean you lose some of the security/isolation of containerisation.
Bob
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
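The three points Stéphane lists can be turned into a pre-flight script run inside the container before starting snapd. The script below is an added example, not code from this thread nor from the LXD or snapd projects. It assumes that the "fuse" package ships the mount.fuse helper at /sbin/mount.fuse or /usr/sbin/mount.fuse (the helper mount(8) runs for a "fuse.squashfuse" filesystem type, which is why having only the squashfuse binary is not enough), that 4.18 is the kernel threshold (Stéphane's belief, not a verified minimum), and it adds a check for /dev/fuse being present in the container, which is not in the original list. The optional root prefix argument exists so the file checks can be pointed at a staged rootfs or a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example (not from the thread, nor from the LXD or snapd projects):
# pre-flight checks for running snapd inside an unprivileged LXD container,
# following the three points in the reply above. Run it inside the container.
# Each file check takes an optional root prefix (default: the live filesystem).

# kernel_at_least RUNNING REQUIRED: 0 if RUNNING's major.minor >= REQUIRED's.
# RUNNING may be a full `uname -r` string such as "4.18.0-1-amd64".
kernel_at_least() {
    run_major=${1%%.*}
    rest=${1#*.}
    run_minor=${rest%%[!0-9]*}          # strip ".0-1-amd64" and similar suffixes
    req_major=${2%%.*}
    req_minor=${2#*.}
    [ "$run_major" -gt "$req_major" ] && return 0
    [ "$run_major" -eq "$req_major" ] && [ "$run_minor" -ge "$req_minor" ]
}

# fuse_helper_present [ROOT]: 0 if the mount.fuse helper from the "fuse"
# package is installed. Assumed paths: /sbin/mount.fuse or /usr/sbin/mount.fuse.
fuse_helper_present() {
    [ -x "${1:-}/sbin/mount.fuse" ] || [ -x "${1:-}/usr/sbin/mount.fuse" ]
}

# fuse_device_present [ROOT]: 0 if /dev/fuse is a character device inside the
# container (added check; LXD supplies it when the host kernel allows it).
fuse_device_present() {
    [ -c "${1:-}/dev/fuse" ]
}

# modules_dir_present [ROOT]: 0 if /lib/modules exists (snapd can be picky about it).
modules_dir_present() {
    [ -d "${1:-}/lib/modules" ]
}

# preflight [ROOT]: run every check, print one line each, return the failure count.
preflight() {
    root=${1:-}
    failures=0
    running=$(uname -r)
    if kernel_at_least "$running" "4.18"; then
        echo "ok    kernel $running (>= 4.18, assumed needed for unprivileged fuse)"
    else
        echo "FAIL  kernel $running is older than 4.18"
        failures=$((failures + 1))
    fi
    if fuse_helper_present "$root"; then
        echo "ok    mount.fuse helper present"
    else
        echo "FAIL  mount.fuse missing: install the 'fuse' package"
        failures=$((failures + 1))
    fi
    if fuse_device_present "$root"; then
        echo "ok    /dev/fuse present"
    else
        echo "FAIL  /dev/fuse missing: check the LXD profile and host kernel"
        failures=$((failures + 1))
    fi
    if modules_dir_present "$root"; then
        echo "ok    /lib/modules present"
    else
        echo "FAIL  /lib/modules missing: mkdir -p /lib/modules"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Only run the checks when invoked directly, e.g. `sh snapd-preflight.sh --run`;
# the exit status is the number of failed checks.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

The checks stay split into small functions so that the kernel-version comparison can be exercised on `uname -r` strings from the thread (Debian's "4.18.0-1-amd64" passes, a stretch-backports 4.17 kernel does not) without touching the live system, and so that a failing check names the fix rather than leaving only the generic "wrong fs type, bad option, bad superblock" mount error from the journal.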
Linus Lüssing
2018-09-30 18:40:09 UTC
Post by Stéphane Graber
- You have the "fuse" package installed in the container, this has
sometimes been a problem.
Urgh... that was it! Installing the fuse package fixed the snapd startup :-). Many,
many thanks!


Would it make sense to add that remark to the blog post? Would it make sense to
add a dependency for the fuse package to the snapd Debian package? I'd open a
bug on the Debian bug tracker for snapd there then.

What had also confused me a lot was that I had tested mounting a squashfs file
via /usr/bin/squashfuse, which worked fine. So it did not cross my mind that
something regarding fuse might still be missing. Looks like snapd does not use the
squashfuse binary though and uses mount.fuse instead?
Post by Stéphane Graber
- That /lib/modules exists in the container, if not, create it with
mkdir, snapd is a bit picky about that sometimes.
I don't have that directory. But according to systemctl, snapd is running fine now,
even without that directory.

Thanks again!

Cheers, Linus
