This bug was fixed in the package snapd - 2.71+ubuntu25.04
---------------
snapd (2.71+ubuntu25.04) plucky; urgency=medium
* New upstream release, LP: #2118396
- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on
CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs
via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the
/v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the
/v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new
/v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the
/v2/system-volumes endpoint
- FDE: support enumerating keyslots at runtime via the
/v2/system-volumes endpoint
- FDE: support changing passphrase at runtime via the
/v2/system-volumes endpoint
- FDE: support passphrase quality check at runtime via the
/v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed
AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations
rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and
talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor
cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle
ENOSYS
- snap-confine: add support for host policy for limiting users able
to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during
seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap
is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal
to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled
journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a
channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed
tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system
daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new
interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl
varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and
procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their
own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability
dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to
individual partitions
- Interfaces: accel | add new interface to support accel kernel
subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus
socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading
/proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop
pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed
snapd (2.70+ubuntu25.04) plucky; urgency=medium
- FDE: Fix reseal with v1 hook key format
- FDE: set role in TPM keys
- AppArmor prompting (experimental): add handling for expired
requests or listener in the kernel
- AppArmor prompting: log the notification protocol version
negotiated with the kernel
- AppArmor prompting: implement notification protocol v5 (manually
disabled for now)
- AppArmor prompting: register listener ID with the kernel and
resend notifications after snapd restart (requires protocol v5+)
- AppArmor prompting: select interface from metadata tags and set
request interface accordingly (requires protocol v5+)
- AppArmor prompting: include request PID in prompt
- AppArmor prompting: move the max prompt ID file to a subdirectory
of the snap run directory
- AppArmor prompting: avoid race between closing/reading socket fd
- Confdb (experimental): make save/load hooks mandatory if affecting
ephemeral
- Confdb: clear tx state on failed load
- Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g.
confdb-schema)
- Confdb: add NestedEphemeral to confdb schemas
- Confdb: add early concurrency checks
- Simplify building Arch package
- Enable snapd.apparmor on Fedora
- Build snapd snap with libselinux
- Emit snapd.apparmor warning only when using apparmor backend
- When running snap, on system key mismatch e.g. due to network
attached HOME, trigger and wait for a security profiles
regeneration
- Avoid requiring state lock to get user, warnings, or pending
restarts when handling API requests
- Start/stop ssh.socket for core24+ when enabling/disabling the ssh
service
- Allow providing a different base when overriding snap
- Modify snap-bootstrap to mount snapd snap directly to /snap
- Modify snap-bootstrap to mount /lib/{modules,firmware} from snap
as fallback
- Modify core-initrd to use systemctl reboot instead of /sbin/reboot
- Copy the initramfs 'manifest-initramfs.yaml' to initramfs file
creation directory so it can be copied to the kernel snap
- Build the early initrd from installed ucode packages
- Create drivers tree when remodeling from UC20/22 to UC24
- Load gpio-aggregator module before the helper-service needs it
- Run 'systemctl start' for mount units to ensure they are run also
when unchanged
- Update godbus version to 'v5 v5.1.0'
- Add support for POST to /v2/system-info with system-key-mismatch
indication from the client
- Add 'snap sign --update-timestamp' flag to update timestamp before
signing
- Add vfs support for snap-update-ns to use to simulate and evaluate
mount sequences
- Add refresh app awareness debug logging
- Add snap-bootstrap scan-disk subcommand to be called from udev
- Add feature to inject proxy store assertions in build image
- Add OP-TEE bindings, enable by default in ARM and ARM64 builds
- Fix systemd dependency options target to go under 'unit' section
- Fix snap-bootstrap reading kernel snap instead of base resulting
in bad modeenv
- Fix a regression during seeding when using early-config
- LP: #2107443 reset SHELL to /bin/bash in non-classic snaps
- Make Azure kernels reboot upon panic
- Fix snap-confine to not drop capabilities if the original user is
already root
- Fix data race when stopping services
- Fix task dependency issue by temporarily disable re-refresh on
prerequisite updates
- Fix compiling against op-tee on armhf
- Fix dbx update when not using FDE
- Fix potential validation set deadlock due to bases waiting on
snaps
- LP: #2104066 Only cancel notices requests on stop/shutdown
- Interfaces: bool-file | fix gpio glob pattern as required for
'[XXXX]*' format
- Interfaces: system-packages-doc | allow access to
/usr/local/share/doc
- Interfaces: ros-snapd-support interface | added new interface
- Interfaces: udisks2 | allow chown capability
- Interfaces: system-observe | allow reading cpu.max
- Interfaces: serial-port | add ttyMAXX to allowed list
- Interfaces: modified seccomp template to disallow
'O_NOTIFICATION_PIPE'
- Interfaces: fwupd | add support for modem-manager plugin
- Interfaces: gpio-chardev | make unsupported and remove
experimental flag to hide this feature until gpio-aggregator is
available
- Interfaces: hardware-random | fix udev match rule
- Interfaces: timeserver-control | extend to allow timedatectl
timesync commands
- Interfaces: add symlinks backend
- Interfaces: system key mismatch handling
snapd (2.69+ubuntu25.04) plucky; urgency=medium
- FDE: re-factor listing of the disks based on run mode model and
model to correctly resolve paths
- FDE: run snapd from snap-failure with the correct keyring mode
- Snap components: allow remodeling back to an old snap revision
that includes components
- Snap components: fix remodel to a kernel snap that is already
installed on the system, but not the current kernel due to a
previous remodel.
- Snap components: fix for snapctl inputs that can crash snapd
- Confdb (experimental): load ephemeral data when reading data via
snapctl get
- Confdb (experimental): load ephemeral data when reading data via
snap get
- Confdb (experimental): rename {plug}-view-changed hook to
observe-view-{plug}
- Confdb (experimental): rename confdb assertion to confdb-schema
- Confdb (experimental): change operator grouping in confdb-control
assertion
- Confdb (experimental): add confdb-control API
- AppArmor: extend the probed features to include the presence of
files, as well as directories
- AppArmor prompting (experimental): simplify the listener
- AppArmor metadata tagging (disabled): probe parser support for
tags
- AppArmor metadata tagging (disabled): implement notification
protocol v5
- Confidential VMs: sysroot.mount is now dynamically created by
snap-bootstrap instead of being a static file in the initramfs
- Confidential VMs: Add new implementation of snap integrity API
- Non-suid snap-confine: first phase to replace snap-confine suid
with capabilities to achieve the required permissions
- Initial changes for dynamic security profiles updates
- Provide snap icon fallback for /v2/icons without requiring network
access at runtime
- Add eMMC gadget update support
- Support reexec when using /usr/libexec/snapd on the host (Arch
Linux, openSUSE)
- Auto detect snap mount dir location on unknown distributions
- Modify snap-confine AppArmor template to allow all glibc HWCAPS
subdirectories to prevent launch errors
- LP: #2102456 update secboot to bf2f40ea35c4 and modify
snap-bootstrap to remove usage of go templates to reduce size by 4MB
- Fix snap-bootstrap to mount kernel snap from
/sysroot/writable/system-data
- LP: #2106121 fix snap-bootstrap busy loop
- Fix encoding of time.Time by using omitzero instead of omitempty
(on go 1.24+)
- Fix setting snapd permissions through permctl for openSUSE
- Fix snap struct json tags typo
- Fix snap pack configure hook permissions check incorrect file mode
- Fix gadget snap reinstall to honor existing sizes of partitions
- Fix to update command line when re-executing a snapd tool
- Fix 'snap validate' of specific missing newline and add error on
missed case of 'snap validate --refresh' without another action
- Workaround for snapd-confine time_t size differences between
architectures
- Disallow pack and install of snapd, base and os with specific
configure hooks
- Drop udev build dependency that is no longer required and add
missing systemd-dev dependency
- Build snap-bootstrap with nomanagers tag to decrease size by 1MB
- Interfaces: polkit | support custom polkit rules
- Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is
confined by AppArmor
- Interfaces: log-observe | add missing udev rule
- Interfaces: hostname-control | fix call to hostnamectl in core24
- Interfaces: network-control | allow removing created network
namespaces
- Interfaces: scsi-generic | re-enable base declaration for
scsi-generic plug
- Interfaces: u2f | add support for Arculus AuthentiKey
-- Ernest Lotter <[email protected]> Fri, 25 Jul 2025 13:18:47 +0200
** Changed in: snapd (Ubuntu Plucky)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2114779
Title:
Unable to boot to 6.8.0-1029.33 pi-kernel
Status in canonical-kernel-snaps:
Invalid
Status in snapd:
Fix Committed
Status in linux-raspi package in Ubuntu:
Invalid
Status in snapd package in Ubuntu:
Fix Released
Status in snapd source package in Jammy:
Fix Released
Status in snapd source package in Noble:
Fix Released
Status in snapd source package in Plucky:
Fix Released
Bug description:
[SRU] 2.71:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2118396
[ Impact ]
Ubuntu Core & snapd snap only.
Requires a new version of initrd and by implication a new kernel build.
Unable to boot after refresh to 6.8.0-1029.33 and this triggers
automatic rollback to previous kernel.
[ Test Plan ]
This test is best suited for the reporting team using the same setup
as was used when the issue was encountered. Alfonso B confirmed the
new initrd and kernel were released.
1. Not required to reproduce the issue, it is clear that non-gpt was
not supported in fallback mode for RPi.
2. Prove fix with new kernel that includes the initrd with the changes
in snap-bootstrap based on snapd 2.71
Provision a rpi4b8g with UC24 dangerous grade ARM64 raspi image with
Testflinger.
Run `sudo snap refresh pi-kernel --channel=24/edge` on the target
system.
---original---
Test steps:
1. Provision a rpi4b8g with UC24 dangerous grade ARM64 raspi image with
Testflinger.
2. Run `sudo snap refresh pi-kernel --channel=24/edge` on the target system.
Expected result:
* System can boot with 6.8.0-1029.33 pi-kernel.
Actual result:
* System failed to boot with 6.8.0-1029.33 pi-kernel and it automatically
rolled back to the previous kernel.
Output from `snap changes`
ubuntu@localhost:~$ snap changes
ID  Status  Spawn               Ready               Summary
1   Done    today at 13:05 UTC  today at 13:07 UTC  Initialize system state
2   Done    today at 13:07 UTC  today at 13:07 UTC  Initialize device
3   Done    today at 13:07 UTC  today at 13:11 UTC  Auto-refresh 4 snaps
4   Error   today at 13:43 UTC  today at 13:44 UTC  Refresh "pi-kernel" snap from "24/edge" channel

ubuntu@localhost:~$ sudo snap change 4
Status  Spawn               Ready               Summary
Done    today at 13:43 UTC  today at 13:44 UTC  Ensure prerequisites for "pi-kernel" are available
Undone  today at 13:43 UTC  today at 13:44 UTC  Download snap "pi-kernel" (989) from channel "24/edge"
Done    today at 13:43 UTC  today at 13:44 UTC  Fetch and check assertions for snap "pi-kernel" (989)
Undone  today at 13:43 UTC  today at 13:44 UTC  Mount snap "pi-kernel" (989)
Undone  today at 13:43 UTC  today at 13:44 UTC  Run pre-refresh hook of "pi-kernel" snap if present
Undone  today at 13:43 UTC  today at 13:44 UTC  Stop snap "pi-kernel" services
Undone  today at 13:43 UTC  today at 13:44 UTC  Remove aliases for snap "pi-kernel"
Undone  today at 13:43 UTC  today at 13:44 UTC  Make current revision for snap "pi-kernel" unavailable
Undone  today at 13:43 UTC  today at 13:44 UTC  Prepare kernel driver tree for "pi-kernel" (989)
Done    today at 13:43 UTC  today at 13:44 UTC  Update assets from kernel "pi-kernel" (989)
Undone  today at 13:43 UTC  today at 13:44 UTC  Copy snap "pi-kernel" data
Undone  today at 13:43 UTC  today at 13:44 UTC  Setup snap "pi-kernel" (989) security profiles
Undone  today at 13:43 UTC  today at 13:44 UTC  Make snap "pi-kernel" (989) available to the system
Error   today at 13:43 UTC  today at 13:44 UTC  Automatically connect eligible plugs and slots of snap "pi-kernel"
Hold    today at 13:43 UTC  today at 13:44 UTC  Set automatic aliases for snap "pi-kernel"
Hold    today at 13:43 UTC  today at 13:44 UTC  Setup snap "pi-kernel" aliases
Hold    today at 13:43 UTC  today at 13:44 UTC  Run post-refresh hook of "pi-kernel" snap if present
Hold    today at 13:43 UTC  today at 13:44 UTC  Discard previous kernel driver tree for "pi-kernel" (989)
Hold    today at 13:43 UTC  today at 13:44 UTC  Start snap "pi-kernel" (989) services
Hold    today at 13:43 UTC  today at 13:44 UTC  Clean up "pi-kernel" (989) install
Hold    today at 13:43 UTC  today at 13:44 UTC  Run configure hook of "pi-kernel" snap if present
Hold    today at 13:43 UTC  today at 13:44 UTC  Run health check of "pi-kernel" snap
Done    today at 13:43 UTC  today at 13:44 UTC  Monitoring snap "pi-kernel" to determine whether extra refresh steps are required

......................................................................
Update assets from kernel "pi-kernel" (989)
2025-06-16T13:43:54Z INFO No gadget assets update needed
......................................................................
Make snap "pi-kernel" (989) available to the system
2025-06-16T13:43:54Z INFO Task set to wait until a system restart allows to continue
......................................................................
Automatically connect eligible plugs and slots of snap "pi-kernel"
2025-06-16T13:44:07Z ERROR cannot finish pi-kernel installation, there was a rollback across reboot
......................................................................
Monitoring snap "pi-kernel" to determine whether extra refresh steps are required
2025-06-16T13:43:54Z INFO Task set to wait until a system restart allows to continue
The following log is the serial console output that I monitored before
running the `refresh` command and `reboot`:
Ubuntu Core 24 on 127.0.0.1 (ttyS0)
localhost login:
Ubuntu Core 24 on $IP-redacted (ttyS0)
localhost login: [ 224.289681] watchdog: watchdog0: watchdog did not stop!
[ 224.955881] (sd-umoun[2290]: Failed to unmount /run/shutdown/mounts/f013da2d4005fb00: Device or resource busy
[ 224.981707] (sd-remou[2291]: Failed to remount '/run/shutdown/mounts/73e1fdd754a5199d' read-only: Device or resource busy
[ 224.996895] (sd-umoun[2292]: Failed to unmount /run/shutdown/mounts/73e1fdd754a5199d: Device or resource busy
[ 225.025081] shutdown[1]: Could not detach loopback /dev/loop1: Device or resource busy
[ 225.033540] shutdown[1]: Unable to finalize remaining file systems, loop devices, ignoring.
[ 225.149315] reboot: Restarting system with command '0 tryboot'
[ 102.135157] watchdog: watchdog0: watchdog did not stop!
[ 102.277385] reboot: Restarting system
[ 16.283965] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { P879 } 21 jiffies s: 429 root: 0x0/T
[ 16.306243] rcu: blocking rcu_node structures (internal RCU debug):
[ 16.538967] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { P879 } 21 jiffies s: 445 root: 0x0/T
[ 16.563957] rcu: blocking rcu_node structures (internal RCU debug):
[ 19.110982] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { P905 } 21 jiffies s: 501 root: 0x0/T
[ 19.137973] rcu: blocking rcu_node structures (internal RCU debug):
Ubuntu Core 24 on 127.0.0.1 (ttyS0)
localhost login: