Thank you very much for your guide.
However, the content seems a little different from mine.
It works fine on my x64 system.
If I create a container with lxc on the current x64 system and test it, it works fine.
However, the problem occurs in the aarch64 system. I felt like puppeteer or chromium browser did not work on the aarch64 system, so I performed the test as follows.
I tested it by installing puppeteer and chromium on the aws instance of the aarch64 system and it worked well.
I created an lxc container on the aarch64 system, installed puppeteer and chromium, and tested it, but it did not work properly.
Below is an example of running chromium for debugging. The difference from the normally operating part is the device-related matching shown below. There is no such content in instances created with lxc.
DEBUG: device /sys/devices/virtual/dma_heap/system has matching current tag
DEBUG: get bpf object at path /sys/fs/bpf/snap/snap_chromium_chromium
DEBUG: found existing device map
When running chromium with snap debugging:
test@my-container:~$ LANG=C SNAPD_DEBUG=1 snap run chromium -v --no-sandbox --headless=true
2024/01/24 20:35:45.191518 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2024/01/24 20:35:45.205020 logger.go:93: DEBUG: -- snap startup {"stage":"start", "time":"1706128545.205014"}
2024/01/24 20:35:45.213543 logger.go:93: DEBUG: executing snap-confine from /snap/snapd/20674/usr/lib/snapd/snap-confine
2024/01/24 20:35:45.218816 logger.go:93: DEBUG: SELinux not enabled
2024/01/24 20:35:45.220084 logger.go:93: DEBUG: creating transient scope snap.chromium.chromium
2024/01/24 20:35:45.220888 logger.go:93: DEBUG: using session bus
2024/01/24 20:35:45.222664 logger.go:93: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/45
2024/01/24 20:35:45.240126 logger.go:93: DEBUG: job result is "done"
2024/01/24 20:35:45.240174 logger.go:93: DEBUG: transient scope snap.chromium.chromium-1cdfefdf-288e-4a72-baba-6c7b04e289fe.scope created
2024/01/24 20:35:45.240698 logger.go:93: DEBUG: waited 19.724133ms for tracking
2024/01/24 20:35:45.240736 logger.go:93: DEBUG: -- snap startup {"stage":"snap to snap-confine", "time":"1706128545.240732"}
DEBUG: -- snap startup {"stage":"snap-confine enter", "time":"1706128545.243317"}
DEBUG: umask reset, old umask was 02
DEBUG: security tag: snap.chromium.chromium
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core22
DEBUG: ruid: 1001, euid: 0, suid: 0
DEBUG: rgid: 1001, egid: 1001, sgid: 1001
DEBUG: apparmor label on snap-confine is: /snap/snapd/20674/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: -- snap startup {"stage":"snap-confine mount namespace start", "time":"1706128545.244428"}
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/chromium.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope chromium, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: chromium
DEBUG: setting up device cgroup
DEBUG: libudev has current tags support
DEBUG: no devices tagged with snap_chromium_chromium, skipping device cgroup setup
DEBUG: forked support process 9666
DEBUG: block device of snap core22, revision 1035 is 0:76
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: found base snap device 0:76 on /usr
DEBUG: sanity timeout reset and disabled
DEBUG: DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace chromium
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: chromium
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.chromium
logger.go:93: DEBUG: current mount entries
logger.go:93: DEBUG: desired mount entries (sorted)
logger.go:93: DEBUG: - /run/user/1001/doc/by-app/snap.chromium /run/user/1001/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:93: DEBUG: desiredIDs: map[/run/user/1001/doc:true]
logger.go:93: DEBUG: reuse: map
logger.go:93: DEBUG: processing mount entries
logger.go:93: DEBUG: entry that requires "/run/user/1001": /run/user/1001/doc/by-app/snap.chromium /run/user/1001/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:93: DEBUG: all mimics:
logger.go:93: DEBUG: - /run/user/1001
logger.go:93: DEBUG: adding entry: /run/user/1001/doc/by-app/snap.chromium /run/user/1001/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:93: DEBUG: mount entries ordered as they will be applied
logger.go:93: DEBUG: - /run/user/1001/doc/by-app/snap.chromium /run/user/1001/doc none bind,rw,x-snapd.ignore-missing 0 0
DEBUG: snap-update-ns finished successfully
DEBUG: set_effective_identity uid:0 (change: no), gid:1001 (change: yes)
DEBUG: NOT preserving per-user mount namespace
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 9666)
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0DEBUG:
DEBUG: helper process exiting
waiting for response from helper
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: -- snap startup {"stage":"snap-confine mount namespace finish", "time":"1706128545.258794"}
DEBUG: set_effective_identity uid:1001 (change: yes), gid:1001 (change: yes)
DEBUG: creating user data directory: /home/test/snap/chromium/2735
DEBUG: requesting changing of apparmor profile on next exec to snap.chromium.chromium
DEBUG: ruid: 1001, euid: 1001, suid: 0
DEBUG: setting capabilities bounding set
DEBUG: regaining SYS_ADMIN
DEBUG: loading bpf program for security tag snap.chromium.chromium
DEBUG: read 6072 bytes from /var/lib/snapd/seccomp/bpf//snap.chromium.chromium.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: clearing SYS_ADMIN
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec…)
DEBUG: argv[1] = chromium
DEBUG: argv[2] = -v
DEBUG: argv[3] = --no-sandbox
DEBUG: argv[4] = --headless=true
DEBUG: umask restored to 02
DEBUG: working directory restored to /home/test
DEBUG: -- snap startup {"stage":"snap-confine to snap-exec", "time":"1706128545.261558"}
2024/01/24 20:35:45.266731 logger.go:93: DEBUG: -- snap startup {"stage":"snap-exec to app", "time":"1706128545.266725"}
[0124/203545.801821:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
[0124/203545.930453:WARNING:sandbox_linux.cc(400)] InitializeSandbox() called with multiple threads in process gpu-process.
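To compare a working and a failing run on the confinement lines the post singles out, the sketch below (an added example, not part of the original post or of snapd) reduces a `SNAPD_DEBUG=1` log to its security-relevant facts and diffs two runs. The function names are hypothetical, and the host sample assumes the working system differs only in the device lines quoted above.

```python
import re

# Constructed samples: each line is copied from the debug output quoted in the post.
# HOST_RUN assumes the working system differs only in the device-matching lines.
COMMON = """DEBUG: security tag: snap.chromium.chromium
DEBUG: confinement: non-classic
DEBUG: base snap: core22
DEBUG: apparmor mode is: enforce
DEBUG: read 6072 bytes from /var/lib/snapd/seccomp/bpf//snap.chromium.chromium.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
"""
LXC_RUN = COMMON + "DEBUG: no devices tagged with snap_chromium_chromium, skipping device cgroup setup\n"
HOST_RUN = COMMON + ("DEBUG: device /sys/devices/virtual/dma_heap/system has matching current tag\n"
                     "DEBUG: found existing device map\n")

FIELDS = {
    "security_tag": re.compile(r"DEBUG: security tag: (\S+)"),
    "confinement": re.compile(r"DEBUG: confinement: (\S+)"),
    "base_snap": re.compile(r"DEBUG: base snap: (\S+)"),
    "apparmor_mode": re.compile(r"DEBUG: apparmor mode is: (\S+)"),
}
TAGGED = re.compile(r"DEBUG: device (\S+) has matching current tag")
SKIPPED = re.compile(r"DEBUG: no devices tagged with [^,\s]+, skipping device cgroup setup")
SECCOMP = re.compile(r"DEBUG: read (\d+) bytes from (\S+\.bin)")

def summarize(log_text):
    """Extract confinement facts from one snap-confine debug log."""
    out = {"tagged_devices": [], "device_cgroup": "unknown", "seccomp_profiles": {}}
    for line in log_text.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                out.setdefault(name, m.group(1))  # keep the first occurrence
        m = TAGGED.search(line)
        if m:
            out["tagged_devices"].append(m.group(1))
            out["device_cgroup"] = "configured"
        if SKIPPED.search(line):
            out["device_cgroup"] = "skipped"
        m = SECCOMP.search(line)
        if m:
            out["seccomp_profiles"][m.group(2)] = int(m.group(1))
    return out

def diff_runs(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for field, (host, lxc) in diff_runs(summarize(HOST_RUN), summarize(LXC_RUN)).items():
        print(f"{field}: host={host!r} lxc={lxc!r}")
```

Fields that match on both sides (AppArmor mode, seccomp profile sizes) drop out of the diff, leaving only the device cgroup handling to investigate.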