Hey Armin

On 26.11.2025 at 13:48, [email protected] wrote:
Q: Are you using apparmor.d project with extra AppArmor profiles?
A: Yes, 127 custom profiles are loaded, but they do not appear to block snapd.

Last time I looked apparmor.d DID contain an apparmor profile that was nowhere near being finished.

Q: Additional notes
A: Snapd failing to mount snaps is likely due to squashfs/mount issues, such as 
missing kernel support for squashfs or loop devices, snap-confine helper 
issues, or the snaps being stored on a non-native filesystem. AppArmor does not 
appear to be responsible.

Can you double check that none of those come from a profile like "snapd" or something like that? Snapd is NOT sandboxed by default. Apparmor.d is a 3rd party effort that will take a long time to mature in general, but snapd is even more complex so I think it's best if you could eliminate that as the possibility.

If you don't mind sharing, can you show me all the apparmor denials (anything with DENIED) on snapd start-up? This is when snapd tries to test-mount a toy squashfs file system to ensure it is not broken.

I'm testing snapd on Debian with https://github.com/canonical/snapd-smoke-tests/. All of the tests there run in a Debian cloud VM and we have not seen any failures there (but we do not test apparmor.d).

If you can help me to understand how to install and enable apparmor.d, we might be able to reproduce the problem. In [1] you can see how a Debian cloud image is initialized with cloud-init - on top of the automatic user needed for testing, we install a few packages including snapd. Then in a test such as [2] we install a snap and ensure this works.

We can easily modify that setup to install apparmor.d and see what would happen. Can you help me to understand how you did that on your system?

Best regards
ZK


[1] https://github.com/canonical/snapd-smoke-tests/blob/f5e8b472d3ad04caa9ba219ae87ad4d1b20658f3/.image-garden.mk#L106

[2] https://github.com/canonical/snapd-smoke-tests/blob/f5e8b472d3ad04caa9ba219ae87ad4d1b20658f3/tests/server/hello/task.yaml#L6
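
Added example, not part of the original e-mail or of snapd: one way to pull the requested DENIED records out of the kernel log and see which profiles they come from. The log lines are constructed samples, and the rule used to flag a record as snapd-related (profile or comm containing "snap", or fstype squashfs) is an assumption made for this sketch.

```python
import re
import sys
from collections import defaultdict

# Constructed sample kernel log lines, NOT taken from the reporter's system.
# Profile names, paths and PIDs are made up for illustration.
SAMPLE_LOG = """\
Nov 26 13:40:01 host kernel: audit: type=1400 audit(1764160801.101:41): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="snapd" name="/tmp/example-mountpoint/" pid=812 comm="mount" fstype="squashfs" srcname="/dev/loop0" flags="ro"
Nov 26 13:40:01 host kernel: audit: type=1400 audit(1764160801.107:42): apparmor="DENIED" operation="open" class="file" profile="snap-confine" name="/etc/example.conf" pid=830 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 26 13:40:02 host kernel: audit: type=1400 audit(1764160802.200:43): apparmor="ALLOWED" operation="open" class="file" profile="example-complain" name="/etc/hosts" pid=900 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 26 13:40:03 host kernel: audit: type=1400 audit(1764160803.300:44): apparmor="DENIED" operation="open" class="file" profile="example-browser" name="/proc/1/cmdline" pid=950 comm="browser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Audit fields are key=value, where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(lines):
    """Return one dict of audit fields per AppArmor DENIED record."""
    denials = []
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue  # skips ALLOWED (complain mode) and unrelated lines
        denials.append({k: q or b for k, q, b in FIELD_RE.findall(line)})
    return denials


def touches_snapd(record):
    """Assumed heuristic: the record names snap* or a squashfs mount."""
    names = (record.get("profile", ""), record.get("comm", ""))
    return any("snap" in n for n in names) or record.get("fstype") == "squashfs"


def summarize(denials):
    """Group denials by confining profile and flag snapd-related ones."""
    by_profile = defaultdict(list)
    for rec in denials:
        by_profile[rec.get("profile", "unknown")].append(rec)
    return {p: {"count": len(recs),
                "snapd_related": any(touches_snapd(r) for r in recs)}
            for p, recs in sorted(by_profile.items())}


if __name__ == "__main__":
    # Pass "-" to read a real log from stdin; otherwise use the sample above.
    src = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    for profile, info in summarize(parse_denials(src)).items():
        mark = "  <-- check this profile" if info["snapd_related"] else ""
        print(f'{info["count"]:4d}  {profile}{mark}')
```

To run it on a live system, pipe the current boot's kernel log into it with a trailing `-` argument, for example from `journalctl -k -b`; where auditd is running the records are written to the audit log instead.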
