Support snapd (AppArmor 2.4 compatibility patch) #7318

Open
johnsca opened this Issue Feb 14, 2017 · 6 comments


johnsca commented Feb 14, 2017

Attempting to use snaps in Travis results in an AppArmor error, as seen in https://travis-ci.org/juju-solutions/layer-cwr/builds/201647356

- Setup snap "charm" (11) security profiles (cannot setup apparmor for snap "charm": cannot load apparmor profile "snap.charm.charm": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Owner

BanzaiMan commented Feb 14, 2017

I'm not familiar with AppArmor, but can't you just use sudo to address whatever problem it is complaining about?

@johnsca johnsca referenced this issue in juju-solutions/layer-cwr Feb 22, 2017

Merged

Containerize build using LXD #92

chuckbutler commented Feb 22, 2017

@BanzaiMan I don't think that's going to work; we're running in constrained containers. This would need to be allowed through the host's AppArmor restrictions. We don't have access to tune that in jobs, from what I'm aware of.

There's some debugging information here:
https://developer.ubuntu.com/en/snappy/guides/security/

-- edit --

But this doesn't focus on the requirements for snapd, so it's not as helpful as I originally thought when I scanned for the info this morning.

And I've also reached out to the snappy folks and xreffed with this bug.

Owner

BanzaiMan commented Feb 22, 2017

What does this mean?

Warning: unable to find a suitable fs in /proc/mounts, is it mounted?

What sort of file system is "suitable"?

chuckbutler commented Feb 22, 2017

I think this is related to the kernel version. I don't have the expertise in this to make a proper recommendation yet, but I'm confident we'll confer with the snap devs and get a proper recommendation.

As this issue has gone silent for quite some time, here is an update. This is certainly related to the version of the kernel shipping with the trusty image that is in use in Travis.

The required update is the linux-image-generic-lts-xenial package that ships a 4.4 kernel. Snapd is using the features of the 4.4 kernel for security and isolation. Without it, snaps will not work in trusty, and a xenial alternative would need to be made available.
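
The two conditions raised in this thread (a kernel older than 4.4 and no usable filesystem entry in /proc/mounts) can be checked at the start of a CI job before any snap is installed. The script below is an added example, not part of the original thread or of snapd. It assumes the AppArmor interface is an `apparmor` directory under the securityfs mount point, takes the 4.4 floor from the comment above, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example: preflight check before `snap install` in a CI job.
# Assumptions: securityfs exposes AppArmor under <mountpoint>/apparmor;
# the 4.4 kernel floor is the one stated in this thread.

# Print the mount point of the first securityfs entry in MOUNTS_FILE ($1).
find_securityfs() {
    awk '$3 == "securityfs" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Succeed if kernel release $1 (e.g. 4.4.0-101-generic) is >= $2.$3.
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Diagnose MOUNTS_FILE ($1) and kernel release ($2).
# Returns 0 if ok, 1 old kernel, 2 no securityfs, 3 no apparmor directory.
apparmor_preflight() {
    if ! kernel_at_least "$2" 4 4; then
        echo "kernel $2 is older than 4.4"; return 1
    fi
    if ! mnt=$(find_securityfs "$1"); then
        echo "no securityfs entry in $1"; return 2
    fi
    if [ ! -d "$mnt/apparmor" ]; then
        echo "securityfs at $mnt has no apparmor directory"; return 3
    fi
    echo "ok: AppArmor interface at $mnt/apparmor"
}

# Constructed sample: container-style mounts with no securityfs entry.
sample=$(mktemp)
printf '%s\n' 'proc /proc proc rw 0 0' 'sysfs /sys sysfs ro 0 0' > "$sample"
apparmor_preflight "$sample" "4.4.0-101-generic" || echo "preflight status: $?"
rm -f "$sample"
# On a real host: apparmor_preflight /proc/mounts "$(uname -r)"
```

A nonzero status lets the job fail early with a specific reason instead of surfacing the `apparmor_parser` output during snap installation.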

elopio commented Jun 23, 2017

Hey everybody! Good news, with the recent update of the trusty machines, I am now able to install snaps! This issue can be closed.

Take a look here: https://travis-ci.org/elopio/ipfs-snap/builds/246040583#L2182

I haven't checked how well the snap runs. I will start trying that now.
