LXD, Snap, Debian and Let's Encrypt

Hello,

I was trying to install Let’s Encrypt on my unprivileged containers using the snap package, but it fails installing the snap “core” package:

● snap-core-10583.mount - Mount unit for core
   Loaded: loaded (/etc/systemd/system/snap-core-10583.mount; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-01-13 08:42:15 CET; 1min 44s ago
    Where: /snap/core/10583
     What: /var/lib/snapd/snaps/core_10583.snap
  Process: 6500 ExecMount=/bin/mount /var/lib/snapd/snaps/core_10583.snap /snap/core/10583 -t squashfs (code=exited, status=32)

Jan 13 08:42:15 instance systemd[1]: snap-core-10583.mount: Failed to reset devices.list: Operation not permitted
Jan 13 08:42:15 instance systemd[1]: snap-core-10583.mount: Failed to set invocation ID on control group /system.slice/snap-core-10583.mount, ignoring: Operation not permitted
Jan 13 08:42:15 instance systemd[1]: Mounting Mount unit for core...
Jan 13 08:42:15 instance systemd[1]: snap-core-10583.mount: Mount process exited, code=exited status=32
Jan 13 08:42:15 instance systemd[1]: Failed to mount Mount unit for core.
Jan 13 08:42:15 instance systemd[1]: snap-core-10583.mount: Unit entered failed state.

I read that I need to install squashfuse, but this package is not available since the containers are under Debian 9, and this package is only available since the Buster release.

Is there an alternative way to make it work?

Thanks for your answers

Take a look at, or are you trying to install snap core inside your container? Maybe installing it separately first will help anyway.

The certbot snap package needs the core package. So yes, it’s inside the container.
Installing it separately also fails with the same error:

~# snap install core
error: cannot perform the following tasks:

  • Mount snap “core” (10583) ([start snap-core-10583.mount] failed with exit status 1: Job for snap-core-10583.mount failed.
    See “systemctl status snap-core-10583.mount” and “journalctl -xe” for details.
    )

So installing the certbot snap works in the LXD Ubuntu Focal image, so this is at least possible to run inside a container.

lxc launch images:ubuntu/focal ctest
lxc exec ctest -- apt install snapd -y
lxc exec ctest -- snap install certbot --classic

I’ve also got it working in Debian Buster:

lxc launch images:debian/buster ctest
lxc exec ctest -- apt install fuse squashfuse -y
lxc exec ctest -- apt install snapd -y
lxc exec ctest -- snap install core
lxc exec ctest -- snap install certbot --classic

As for Debian Stretch, as you say the squashfuse package isn’t available and this is preventing installing the core snap.

Have you considered using something like https://github.com/acmesh-official/acme.sh?
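
Added example, not written by anyone in this thread: a small shell check that reads `systemctl status` text for a snap mount unit and reports the failure seen in the question (a plain `-t squashfs` mount exiting with status 32), together with what the replies above say for stretch and buster. The function names, the script name in the usage comment and the codename argument are hypothetical; the sample input is constructed from the log lines in the question.

```shell
#!/bin/sh
# Added example, not from the thread: classify a failed snap mount unit.
# Usage: systemctl status snap-core-10583.mount | sh check-snap-mount.sh stretch

# Constructed sample: two relevant lines from the status output in the question.
sample_status() {
cat <<'EOF'
  Process: 6500 ExecMount=/bin/mount /var/lib/snapd/snaps/core_10583.snap /snap/core/10583 -t squashfs (code=exited, status=32)
Jan 13 08:42:15 instance systemd[1]: snap-core-10583.mount: Mount process exited, code=exited status=32
EOF
}

# Filesystem type given to mount with -t on the ExecMount line (empty if absent).
mount_fstype() {
    sed -n 's/^.*ExecMount=.* -t \([^ ]*\).*$/\1/p' | head -n 1
}

# Exit status recorded on the ExecMount line (empty if absent).
mount_status() {
    sed -n 's/^.*ExecMount=.*status=\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# diagnose CODENAME: status text on stdin, verdict on stdout.
# Returns 0 if the mount succeeded, 1 if it failed, 2 if no ExecMount line was found.
diagnose() {
    codename=$1
    text=$(cat)
    fstype=$(printf '%s\n' "$text" | mount_fstype)
    status=$(printf '%s\n' "$text" | mount_status)
    [ -n "$fstype" ] || { echo "no ExecMount line found"; return 2; }
    [ "$status" != 0 ] || { echo "mount succeeded"; return 0; }
    if [ "$fstype" = squashfs ] && [ "$status" = 32 ]; then
        # The failure from the thread: a plain squashfs mount refused in the container.
        case "$codename" in
            stretch) echo "squashfs mount failed; squashfuse is not packaged for stretch" ;;
            buster)  echo "squashfs mount failed; apt install fuse squashfuse, then retry" ;;
            *)       echo "squashfs mount failed; check whether squashfuse is available" ;;
        esac
        return 1
    fi
    echo "mount failed: fstype=$fstype status=$status"
    return 1
}

# Run only when a codename argument is given, so the file can also be sourced.
if [ $# -ge 1 ]; then diagnose "$1"; fi
```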

I could use acme, or any other Let’s Encrypt client.
But does it mean I can’t use snap in Debian stretch containers?

You may need to fetch the squashfuse package from a more recent release or backport it yourself by the looks of it.

On a side note, Let’s Encrypt promotes the snap package of certbot. It may not be very clear from that page but if you go through the pages, the suggested option is for the snap package.