group.of.nepali.translators team mailing list archive
Message #08225
[Bug 1630789] Re: normal users can't run snaps inside of LXD containers
This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1

---------------
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * Backport from 16.10 (LP: #1630040)

snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
    LXD containers (LP: #1630789)

snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium

  * allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
    symlink

snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium

  * add mmap to AppArmor policy for snap-confine for running snap-confine
    under LXD on 4.8 kernels

snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium

  * New upstream release
  * Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)

snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium

  * add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
    kernels older than 3.19 (LP: #1625565)

snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.41
  * Drop all patches (included upstream).
  * Add version to apparmor run-time dependency.

snap-confine (1.0.40-1) unstable; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.40
  * Drop apparmor profile from the debian/ directory and install it straight
    from upstream package. This is now automatically consistent with package
    configuration prefix.
  * Drop patch: prctl-compatibility.patch (applied upstream)
  * Add directory /var/lib/snapd/void to snap-confine
  * Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
    fixes make check due to a mistake upstream.
  * Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)

snap-confine (1.0.39-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/01_lp1606277.patch, applied upstream.

snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
    compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
    and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
    rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

snap-confine (1.0.38-2) unstable; urgency=medium

  * Fix invocations of rm_conffile.
  * Update d/usr.lib.snapd.snap-confine to the latest upstream version to
    ensure content-sharing fully works.

snap-confine (1.0.38-1) unstable; urgency=medium

  * New upstream release.

 -- Jamie Strandboge <jamie@xxxxxxxxxx> Thu, 06 Oct 2016 14:51:26 +0000

** Changed in: snap-confine (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1630789
Title:
normal users can't run snaps inside of LXD containers
Status in Snappy Launcher:
Fix Committed
Status in Snappy:
In Progress
Status in snap-confine package in Ubuntu:
Fix Released
Status in snapd package in Ubuntu:
Fix Released
Status in snap-confine source package in Xenial:
Fix Released

Bug description:
  The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd
  (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug
  #1611078) have all landed in Yakkety. We should be able to install
  squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run
  snaps inside of unprivileged LXD containers.

  I have verified that it works well for the root user inside of the
  container but there are some issues when a normal user attempts to run
  a snap command.

# Create yakkety container named "yakkety"
tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
Creating yakkety
Starting yakkety
# Enter the container, enable yakkety-proposed, update, install the dependencies
tyhicks@host:~$ lxc exec yakkety bash
root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
yakkety-proposed restricted main multiverse universe" > \
/etc/apt/sources.list.d/proposed.list
root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
root@yakkety:~# apt-get update && apt-get dist-upgrade -y
...
root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
...
# Rebooting the container should not be needed but is done for completeness
root@yakkety:~# reboot
tyhicks@host:~$ lxc exec yakkety bash
# Install the hello-world snap
root@yakkety:~# snap install hello-world
hello-world (stable) 6.3 from 'canonical' installed
# Snap commands work fine as root inside the container but not as a normal user
root@yakkety:~# /snap/bin/hello-world.env
SNAP_USER_COMMON=/root/snap/hello-world/common
...
root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
internal error, please report: running "hello-world.env" failed: open /snap/hello-world/27/meta/snap.yaml: permission denied
# The normal user can't access /snap/hello-world/27 because of some oddness with the
# dentry
root@yakkety:~# ls -al /snap/hello-world
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
drwxrwxr-x 4 root root 0 Jul 11 21:20 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27
root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
ls: cannot access '/snap/hello-world/27': Permission denied
total 8
drwxr-xr-x 3 root root 4096 Oct 5 21:09 .
drwxr-xr-x 5 root root 4096 Oct 5 21:09 ..
d????????? ? ? ? ? ? 27
lrwxrwxrwx 1 root root 2 Oct 5 21:09 current -> 27