I've had the same "cannot set privileged capabilities" problem on 24.04 with snapd 2.72 when trying to use microk8s as a non-privileged user. It turned out to be a strange (to me at least) capabilities problem with "/usr/lib/snapd/snap-confine". See below for the commands I tried and what fixed it in the end. This was a fresh Ubuntu image from our cloud provider (IONOS), and we didn't have the same issues on other servers from the same provider that we installed a few weeks earlier.
In summary: the AppArmor profile for snap-confine was active, but getcap still returned no capabilities. Then I checked getcap and also getfattr on a known-good installation (also 24.04 with snapd 2.72). The difference was that the capabilities are present as an extended attribute on snap-confine on the known-good machine, but missing on the other. However, I have no idea why, and my AppArmor knowledge is very limited. Manually calling setcap seems to have fixed it, but I don't know yet if that persists (e.g. when snapd updates itself).

Output on known-good machine:

root# getcap /usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
root# getfattr -d -m '' -- /usr/lib/snapd/snap-confine
getfattr: Removing leading '/' from absolute path names
# file: usr/lib/snapd/snap-confine
security.capability=0sAAAAAs8ALAAAAAAAAAAAAAAAAAA=

Output and fix on fresh machine:

root# getcap /usr/lib/snapd/snap-confine
root# getfattr -d -m '' -- /usr/lib/snapd/snap-confine
root# aa-status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
   /snap/snapd/25577/usr/lib/snapd/snap-confine
   /snap/snapd/25577/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/26001/usr/lib/snapd/snap-confine
   /snap/snapd/26001/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   rsyslogd
0 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (1198) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
root# apparmor_parser -r -v /etc/apparmor.d/usr.lib.snapd.snap-confine.real
Cached reload succeeded for "/var/cache/apparmor/2693c843.0/usr.lib.snapd.snap-confine.real".
root# getcap /usr/lib/snapd/snap-confine
root# setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p /usr/lib/snapd/snap-confine
root# getcap /usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
root# getfattr -d -m '' -- /usr/lib/snapd/snap-confine
getfattr: Removing leading '/' from absolute path names
# file: usr/lib/snapd/snap-confine
security.capability=0sAAAAAs8ALAAAAAAAAAAAAAAAAAA=

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127224

Title:
  all snaps fail to run

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2127224/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
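The comment above compares the security.capability xattr on a good and a broken host by eye. As an added example (not from the bug report or from snapd), the following Python decodes that xattr's vfs_cap_data structure into capability names and checks a binary against the permitted set that getcap printed on the known-good machine; the expected set and the capability-name table are taken from linux/capability.h, and check_file_caps assumes a Linux host (os.getxattr).

```python
import base64
import os
import struct

# Capability bit numbers 0..40 in linux/capability.h order.
CAP_NAMES = (
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill "
    "cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service "
    "cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner "
    "cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct "
    "cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time "
    "cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control "
    "cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm "
    "cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
).split()

# Permitted set that getcap reported for snap-confine on the known-good host.
EXPECTED_PERMITTED = frozenset(
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_setgid "
    "cap_setuid cap_sys_chroot cap_sys_ptrace cap_sys_admin".split()
)

def _bits_to_names(mask):
    return frozenset(n for i, n in enumerate(CAP_NAMES) if mask & (1 << i))

def decode_security_capability(value):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian).

    Accepts raw bytes, or the getfattr text form "0s<base64>" shown in the report.
    """
    if isinstance(value, str):
        if not value.startswith("0s"):
            raise ValueError("expected getfattr base64 form starting with 0s")
        value = base64.b64decode(value[2:])
    magic_etc = struct.unpack_from("<I", value, 0)[0]
    revision = magic_etc >> 24                 # VFS_CAP_REVISION_{1,2,3}
    nwords = {1: 1, 2: 2, 3: 2}[revision]      # v1 has 32-bit masks, v2/v3 64-bit
    permitted = inheritable = 0
    for i in range(nwords):                    # data[i] = {permitted, inheritable}
        p, inh = struct.unpack_from("<II", value, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", value, 4 + 8 * nwords)[0] if revision == 3 else 0
    return {"revision": revision,
            "effective": bool(magic_etc & 0x1),  # the "e" flag getcap would print
            "permitted": _bits_to_names(permitted),
            "inheritable": _bits_to_names(inheritable),
            "rootid": rootid}

def check_file_caps(path, expected=EXPECTED_PERMITTED):
    """Return (status, missing) for a binary; 'absent' when the xattr is not set."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:   # ENODATA (no xattr, as on the fresh host) or ENOENT
        return "absent", expected
    missing = expected - decode_security_capability(raw)["permitted"]
    return ("ok" if not missing else "incomplete"), missing
```

Running check_file_caps("/usr/lib/snapd/snap-confine") on the fresh host in the report would return "absent", and "ok" after the setcap call.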
