No need for nesting or privileged, snapd works fine in a fully secure unprivileged container, so long as the kernel has support for unprivileged fuse.

Make sure that:
 - Your distro kernel has unprivileged fuse enabled, I believe this would require a 4.18 kernel and may require some specific build options (unsure about that part).
 - You have the "fuse" package installed in the container, this has sometimes been a problem.
 - That /lib/modules exists in the container, if not, create it with mkdir, snapd is a bit picky about that sometimes.

On Fri, Sep 28, 2018 at 01:48:19PM +0000, bob-li...@vulpin.com wrote:
> From what I vaguely remember from the last time I tried, you might need to either disable AppArmor (on the parent container?) or make it privileged. Or possibly both.
>
> Of course, this does mean you lose some of the security/isolation of containerisation.
>
> Bob
>
> -----Original Message-----
> From: lxc-users <lxc-users-boun...@lists.linuxcontainers.org> On Behalf Of Linus Lüssing
> Sent: Saturday, 15 September 2018 5:02 AM
> To: lxc-users@lists.linuxcontainers.org; d...@ybit.eu
> Subject: [lxc-users] Running snapd within LXC/LXD on a Debian host?
>
> Hi,
>
> I found the following, excellent article online:
>
> https://blog.ubuntu.com/2016/02/16/running-snaps-in-lxd-containers
>
> And I'm currently trying to achieve the same on an LXD host running Debian Stretch and a Container running Ubuntu 18.04.
>
> The error I'm now getting within the container is the following though:
>
> -----
> $ journalctl -xe
> [...]
> -- Subject: Unit snapd.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://www.ubuntu.com/support
> --
> -- Unit snapd.service has begun starting up.
> Sep 14 17:42:09 rocketchat2 snapd[195]: AppArmor status: apparmor is enabled but some features are missing: dbus, network
> Sep 14 17:42:09 rocketchat2 snapd[195]: error: cannot start snapd: cannot mount squashfs image using "fuse.squashfuse": mount: /tmp/selftest-mountpoint-412081678: wrong fs type, bad option, bad superblock on /tmp/selftest-squashfs-971713707, missing codepage or helper program, or other error.
> Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Main process exited, code=exited, status=1/FAILURE
> Sep 14 17:42:09 rocketchat2 systemd[1]: snapd.service: Failed with result 'exit-code'.
> Sep 14 17:42:09 rocketchat2 systemd[1]: Failed to start Snappy daemon.
> -- Subject: Unit snapd.service has failed
> -- Defined-By: systemd
> -- Support: http://www.ubuntu.com/support
> --
> -- Unit snapd.service has failed.
> -----
>
> And I'm also getting some "DENIED" messages from apparmor in dmesg. See attachment.
>
> I tried both a 4.17 kernel provided by Debian Stretch-Backports and a 4.18 kernel from Debian Testing. The kernel cmdline looks like this for 4.18 for instance:
>
> -----
> $ uname -a
> Linux yServer 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
> $ cat /proc/cmdline
> BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=f59f51b8-93ba-45e7-b0d7-c7013c52c11c ro quiet apparmor=1 security=apparmor
> -----
>
> The squashfuse package is installed successfully within the container:
>
> -----
> $ dpkg -l | grep squashfuse
> ii  squashfuse  0.1.100-0ubuntu2  amd64  FUSE filesystem to mount squashfs archives
> -----
>
>
> Are the kernels provided by Debian supposed to work for snapd within LXD? Or are there some non-upstream patches added to the Ubuntu kernel which are necessary to make things work as described in the blog post?
>
> Regards,
> Linus
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
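As an added example (not from the thread, nor from LXD or snapd), a preflight script to run inside the container: it checks the three conditions Stéphane lists and then repeats the squashfuse self-mount that failed in Linus's journal. It assumes the "fuse" package ships fusermount, that squashfuse installs as /usr/bin/squashfuse, and that mksquashfs (squashfs-tools) is available for the self-mount.

```shell
#!/bin/sh
# Added example, not from the thread: preflight for snapd in an unprivileged
# LXD container. Checks the three conditions in the reply, then repeats the
# squashfuse self-mount that failed in the quoted journal. Assumptions: "fuse"
# ships fusermount, squashfuse is /usr/bin/squashfuse, mksquashfs is installed.

# True if a release string such as "4.18.0-1-amd64" is 4.18 or newer.
kernel_at_least_4_18() {
    major=${1%%.*}
    minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//')
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 18 ]; then return 0; fi
    return 1
}

has_any() { for f in "$@"; do [ -e "$f" ] && return 0; done; return 1; }

# check DESCRIPTION COMMAND...: run COMMAND, print ok/FAIL, record a failure.
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failed=1; fi
}

# snapd_preflight ROOT RELEASE: inspect the container tree under ROOT ("/" on
# the live container, a scratch directory when testing); non-zero on failure.
snapd_preflight() {
    root=${1%/}; rel=$2; failed=0
    check "kernel $rel is 4.18 or newer" kernel_at_least_4_18 "$rel"
    check "/dev/fuse present (needed for unprivileged fuse)" test -e "$root/dev/fuse"
    check "fuse package installed" has_any "$root/bin/fusermount" "$root/usr/bin/fusermount"
    check "squashfuse installed" test -e "$root/usr/bin/squashfuse"
    check "/lib/modules exists (mkdir it if missing)" test -d "$root/lib/modules"
    return $failed
}

# Build a tiny squashfs, mount it through squashfuse as snapd does at startup,
# read a file back, unmount. Needs a real /dev/fuse, so only run against "/".
squashfuse_selftest() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/mnt"; echo hello >"$work/src/probe"
    if mksquashfs "$work/src" "$work/img.squashfs" -no-progress >/dev/null 2>&1 &&
       squashfuse "$work/img.squashfs" "$work/mnt" &&
       [ "$(cat "$work/mnt/probe")" = hello ]; then status=0; else status=1; fi
    fusermount -u "$work/mnt" 2>/dev/null; rm -rf "$work"
    return $status
}

# Usage: sh snapd-preflight.sh [ROOT [KERNEL_RELEASE]]; e.g. "sh snapd-preflight.sh /"
if [ $# -ge 1 ]; then snapd_preflight "$1" "${2:-$(uname -r)}"; fi
if [ "${1:-}" = / ]; then check "squashfuse self-mount" squashfuse_selftest; fi
```

A FAIL on the last line reproduces the "cannot mount squashfs image using fuse.squashfuse" condition from the journal without starting snapd, so it can be iterated on quickly after each host or container change.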