[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Various fixes to remove such stale snap-confine profiles have landed now.

** Changed in: snapd (Ubuntu)
Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814141

Title: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
$ ls -latr usr.lib.snapd.snap-confine
-rw-r--r-- 1 root root 14496 Dec 21 2016 usr.lib.snapd.snap-confine
$ md5sum usr.lib.snapd.snap-confine
2a38d40fe662f46fedd0aefbe78f23e9 usr.lib.snapd.snap-confine

In snapd.postinst I see:

# Automatically added by dh_installdeb/12ubuntu1
dpkg-maintscript-helper rm_conffile /etc/apparmor.d/usr.lib.snapd.snap-confine 2.23.6~ -- "$@"

Which looks correct. I don't have the apt logs but it might be that the rm_conffile was added after 2.23.6 shipped, which wouldn't be correct. Or like I 2.23.6+XX.YY would be always higher and not match the removal. cause one normally needs to specify the version when the rm_conffile was added, not when it was dropped from the packaging.

Anyway, the test you are adding in the pull request should fix all the things.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Thanks for the report. I created a PR that should fix the issue:
https://github.com/snapcore/snapd/pull/6484

The original cause for this is still a bit puzzling, we renamed the files a long time ago: 2.23.6 (and added a maintscript to handle the transition to the packaging), would be nice to get the timestamps of the /etc/apparmor.d/usr.lib.snapd.snap-confine file and please double check that you have the same 2a38d40fe662f46fedd0aefbe78f23e9 hash.

I will try to reproduce with a xenial upgrade.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Please remove the profile at /etc/apparmor.d/usr.lib.snapd.snap-confine - on Ubuntu the profile with the suffix .real is the one to keep. After removing the profile please restart apparmor.service - things should be back to normal.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
My apparmor files are the same as the ones pasted by Marc. So what should I do? Wait for distro package to have the same profile as the ones that come from a refresh? Freeze core refreshes somehow? Remove the .deb package shipped profile? I cannot stress this enough, but this is impacting my productivity, and I am unable to do my job at the moment to the full capacity. Please suggest workarounds to unblock my daily work.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Ah, I see your point now Jamie, thank you for clarifying that. Here the situation looks different though. I wonder if snapd should move the snap-confine profile out of /etc entirely and actively remove any stale profiles present there on startup.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
"AFAIK, last time I looked at apparmor_parser, it was smart enough to ignore .dpkg-dist and similar files."

You missed my point: yes, apparmor will ignore it and it will use the *old* one that the user left instead of the new one with any new rules.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
I don't know whether this matters: I still get some apparmor="DENIED" messages as shown in the attachment. Snapd and snap.nextcloud seem to be up and running. Thanks again!

** Attachment added: "journalctl__grep_DENIED__tail.txt"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141/+attachment/5236611/+files/journalctl__grep_DENIED__tail.txt
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Thanks a lot for the hint! The following fixed the problem here:

$ sudo mv /etc/apparmor.d/usr.lib.snapd.snap-confine $HOME/tmp
$ sudo service apparmor restart
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
** Attachment added: "usr.lib.snapd.snap-confine"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141/+attachment/5236594/+files/usr.lib.snapd.snap-confine
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
According to apt-file usr.lib.snapd.snap-confine.real seems to be from snapd:

$ apt-file find usr.lib.snapd.snap-confine
snapd: /etc/apparmor.d/usr.lib.snapd.snap-confine.real

** Attachment added: "usr.lib.snapd.snap-confine.real"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141/+attachment/5236593/+files/usr.lib.snapd.snap-confine.real
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
I believe the issue is directly caused by:

/etc/apparmor.d/usr.lib.snapd.snap-confine
/etc/apparmor.d/usr.lib.snapd.snap-confine.real

Can you provide those files as attachments? Can you check which packages they belong to?
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
$ find /etc/apparmor.d/ -name '*snap-confine*'
/etc/apparmor.d/usr.lib.snapd.snap-confine
/etc/apparmor.d/usr.lib.snapd.snap-confine.real
/etc/apparmor.d/local/usr.lib.snapd.snap-confine
/etc/apparmor.d/local/usr.lib.snapd.snap-confine.real
/etc/apparmor.d/cache/usr.lib.snapd.snap-confine
/etc/apparmor.d/cache/usr.lib.snapd.snap-confine.real
/etc/apparmor.d/cache/snap.core.4486.usr.lib.snapd.snap-confine
/etc/apparmor.d/snap.core.4486.usr.lib.snapd.snap-confine

I changed none of these myself by hand. I never touch apparmor.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
AFAIK, last time I looked at apparmor_parser, it was smart enough to ignore .dpkg-dist and similar files.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
What may be happening is there is a .dpkg-dist file in /etc/apparmor.d for snap-confine indicating that the user made changes to it prior to upgrade, upgraded but chose to keep the changed profile instead of the distro profile so now there are missing rules.
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Interesting, thank you for the feedback. So we have snapd that is not re-executing (snap 2.37.1.1+18.04) and using snap-confine from the distribution (denials have profile="/usr/lib/snapd/snap-confine") that somehow doesn't allow snap-confine to operate:

Feb 06 11:39:56 cnb012 kernel: audit: type=1400 audit(1549449596.241:315): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=14442 comm="snap-confine" requested_mask="trace" denied_mask="trace" peer="unconfined"
Feb 06 12:24:24 cnb012 audit[25395]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=25395 comm="snap-confine" capability=19 capname="sys_ptrace"

Dear reporters, can you please check how many files you have in /etc/apparmor.d/ that match *snap-confine*?

My hunch: there is more than one, the old one is loaded after the new one. Here by old and new I mean past releases vs current release. Perhaps we renamed a conf-file and now pay the price?
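A way to triage denials like the two quoted above: group them by profile and operation, so it is visible which loaded profile is refusing what. This is an added example, not part of the original message or of snapd; the function names are made up here, and the embedded input is the two log lines from the message.

```sh
#!/bin/sh
# The two denial lines quoted in the message above, embedded so this runs offline.
sample_denials() {
cat <<'EOF'
Feb 06 11:39:56 cnb012 kernel: audit: type=1400 audit(1549449596.241:315): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=14442 comm="snap-confine" requested_mask="trace" denied_mask="trace" peer="unconfined"
Feb 06 12:24:24 cnb012 audit[25395]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=25395 comm="snap-confine" capability=19 capname="sys_ptrace"
EOF
}

# summarise_denials: read log text on stdin and print, sorted,
#   count<TAB>profile<TAB>operation<TAB>detail
# detail is capname for capability denials, otherwise denied_mask, followed by
# " -> " and the object (name= or peer=) when the record carries one.
summarise_denials() {
    awk '
    # Value of key=value or key="value" on the current line, "" if absent.
    # The leading space keeps "name" from matching inside "capname".
    function field(key,    s, i) {
        i = index(" " $0, " " key "=")
        if (i == 0) return ""
        s = substr(" " $0, i + length(key) + 2)
        if (substr(s, 1, 1) == "\"") { s = substr(s, 2); sub(/".*/, "", s) }
        else sub(/ .*/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        detail = field("capname")
        if (detail == "") detail = field("denied_mask")
        target = field("name")
        if (target == "") target = field("peer")
        if (target != "") detail = detail " -> " target
        seen[field("profile") "\t" field("operation") "\t" detail]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | LC_ALL=C sort
}

sample_denials | summarise_denials
```

For live data, pipe `journalctl` output into `summarise_denials` instead of the sample.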
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
$ snap version
snap    2.37.1.1+18.04
snapd   2.37.1.1+18.04
series  16
ubuntu  18.04
kernel  4.15.0-43-generic

$ snap changes
ID   Status  Spawn                   Ready                   Summary
566  Done    yesterday at 23:04 CET  yesterday at 23:04 CET  Running service command
567  Done    yesterday at 23:04 CET  yesterday at 23:04 CET  Running service command
568  Done    yesterday at 23:04 CET  yesterday at 23:04 CET  Running service command
569  Done    yesterday at 23:43 CET  yesterday at 23:43 CET  Alle Snaps auffrischen: keine Aktualisierungen
570  Error   yesterday at 23:43 CET  yesterday at 23:44 CET  "nextcloud" Snap wiederherstellen

$ journalctl | grep DENIED | tail
(see attachment)

"dpkg --configure -a" has no effect

Mixed German/English output is due to the fact that I usually work with German settings but changed to English to simplify tracking this issue.

** Attachment added: "Output of ''journalctl | grep DENIED | tail"
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814141/+attachment/5236344/+files/journalctl__grep_DENIED__tail.txt
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
I updated one of my machines to disco (taking note of the 4.19 kernel) but I was unable to reproduce this.

Reporters: can you please provide the following information:

- snap info
- snap changes
- journalctl | grep DENIED
- does running "dpkg --configure -a" fix the issue?
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Er, above when I said "snap info" I really meant "snap version"
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: snapd (Ubuntu)
Status: New => Confirmed
[Bug 1814141] Re: fail to run any snap after snapd refresh, reinstalling snapd from the archive is a temporary fix
I observe a similar behaviour since latest upgrade of snapd (update from around 2019-02-02):

$ /snap/bin/nextcloud.occ
cannot read mount namespace identifier of pid 1: Permission denied

$ uname -a
Linux cnb012 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ snap info core
installed: 16-2.37.1(6350) 95MB core