Thanks to @mwhudson for arranging access to the test host. Per his
comments I launched both 20210903 and 20210904 snapshots of impish.
While debugging, I noticed that there was an apparmor denial logged when
snap (the snap binary from snapd) was transitioning to snap-confine.
snap-confine runs under an apparmor profile that comes from the
package, or the core snap, or the snapd snap.
The denial is:
    audit: type=1400 audit(1632477434.031:8902): apparmor="DENIED"
    operation="file_mmap"
    namespace="root//lxd-happy-impish_<var-snap-lxd-common-lxd>"
    profile="/snap/snapd/12886/usr/lib/snapd/snap-confine"
    name="/usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1"
    pid=1101743 comm="snap-confine" requested_mask="m" denied_mask="m"
    fsuid=1000000 ouid=1000000
I've switched the container to privileged and disabled the confinement
at lxd level via `lxc config set broken-impish raw.lxc
"lxc.apparmor.profile=unconfined"`, so I was only left with the apparmor
profile shipped by snapd.
Looking at what we have in the profile for snap-confine in the snapd
source tree:
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
So /usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 does not match the
expected pattern and things fail in a weird and funny way.
I've updated the profile to
/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so* mrix, and
things are working again.
I was told that this is an upstream change, so I'll open a PR for snapd
to update the profile.
--
https://bugs.launchpad.net/bugs/1944004
Title:
snapd.seeded.service never finishes on non-amd64
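Added example (not part of the original comment and not snapd or AppArmor code): a Python translation of the AppArmor path glob into a regex, used to check the denied path from the audit record above against the old and the updated rule. The value of @{multiarch} is an assumption taken from AppArmor's stock tunables, and the translator covers only the glob syntax this rule uses.

```python
import re

# Assumption: @{multiarch} as defined in AppArmor's stock tunables/multiarch.
VARIABLES = {"multiarch": "*-linux-gnu*"}
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # '*' and '?' never cross '/'
TOKEN = re.compile(r"\*\*|[*?{},]|[^*?{},]+")
OLD_RULE = "/{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so"
NEW_RULE = OLD_RULE + "*"

# The denial quoted in the comment, joined onto one line.
DENIAL = ('audit: type=1400 audit(1632477434.031:8902): apparmor="DENIED" '
          'operation="file_mmap" '
          'namespace="root//lxd-happy-impish_<var-snap-lxd-common-lxd>" '
          'profile="/snap/snapd/12886/usr/lib/snapd/snap-confine" '
          'name="/usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1" '
          'pid=1101743 comm="snap-confine" requested_mask="m" '
          'denied_mask="m" fsuid=1000000 ouid=1000000')

def aare_to_regex(pattern, variables=VARIABLES):
    """Translate an AppArmor path glob (subset) into an anchored regex."""
    pattern = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)
    out, depth = [], 0
    for tok in TOKEN.findall(pattern):
        if tok in GLOB:
            out.append(GLOB[tok])
        elif tok == "{":
            depth += 1
            out.append("(?:")
        elif tok == "}" and depth:
            depth -= 1
            out.append(")")
        elif tok == "," and depth:
            out.append("|")  # alternation separator inside {...}
        else:
            out.append(re.escape(tok))
    if depth:
        raise ValueError("unbalanced '{' in pattern")
    return re.compile("".join(out) + r"\Z")

def audit_fields(record):
    """Return the key=value fields of an audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def rule_allows(rule, path):
    return aare_to_regex(rule).match(path) is not None

if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE):
        print(rule, "->", rule_allows(rule, audit_fields(DENIAL)["name"]))
```

The same check can be run against any other denied path by passing its `name=` value to `rule_allows` before editing a profile.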