Hmm, cgroup:rw has absolutely nothing to do with this. LXD uses a cgroup namespace by default which completely ignores that particular setting.
With the cgroup namespace, root in the container is allowed to do anything it wants to the /sys/fs/cgroup tree.

root@disco:~# mkdir /sys/fs/cgroup/freezer/snap.blah
root@disco:~# chown 1000:1000 /sys/fs/cgroup/freezer/snap.blah

The error also quite clearly comes from udev rather than anything cgroup related:

root@disco:~# snap install hello-world
error: cannot perform the following tasks:
- Setup snap "core" (6531) security profiles (cannot setup udev for snap "core": cannot reload udev rules: exit status 2
udev output:
)
- Setup snap "core" (6531) security profiles (cannot reload udev rules: exit status 2
udev output:
)
root@disco:~# snap install hello-world
2019-03-27T20:18:56Z INFO Waiting for restart...
hello-world 6.3 from Canonical✓ installed
root@disco:~#

--
https://bugs.launchpad.net/bugs/1712808

Title:
  udev interface fails in privileged containers
