Snap inside privileged LXD container

Hello! I’m trying to get snap packages to work inside a privileged LXD container.

Here is essentially what I’m doing:

lxc launch ubuntu:focal -c security.privileged=true c1
lxc exec c1 -- snap install hello-world

I get the following error:

error: too early for operation, device not yet seeded or device model not acknowledged

In an unprivileged container I have no issues whatsoever.

I have seen this discussion, but it didn’t help.

Here are some further logs etc.:

root@c1:~# journalctl -u snapd
-- Logs begin at Tue 2022-03-29 13:37:00 UTC, end at Tue 2022-03-29 13:37:33 UTC. --
Mar 29 13:37:03 c1 systemd[1]: Starting Snap Daemon...
Mar 29 13:37:03 c1 snapd[340]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network
Mar 29 13:37:04 c1 snapd[340]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network
Mar 29 13:37:04 c1 snapd[340]: patch.go:63: Patching system state level 6 to sublevel 1...
Mar 29 13:37:04 c1 snapd[340]: patch.go:63: Patching system state level 6 to sublevel 2...
Mar 29 13:37:04 c1 snapd[340]: patch.go:63: Patching system state level 6 to sublevel 3...
Mar 29 13:37:04 c1 snapd[340]: daemon.go:246: started snapd/2.54.4 (series 16; classic; devmode) ubuntu/20.04 (amd64) linux/5.16.13-arch1-1.
Mar 29 13:37:04 c1 snapd[340]: daemon.go:339: adjusting startup timeout by 45s (pessimistic estimate of 30s plus 5s per snap)
Mar 29 13:37:05 c1 systemd[1]: Started Snap Daemon.
Mar 29 13:37:06 c1 snapd[340]: taskrunner.go:271: [change 1 "Run install hook of \"lxd\" snap if present" task] failed: run hook "install": cannot perform operation: mount --make-rshared /snap: Permission denied
Mar 29 13:37:08 c1 snapd[340]: api_snaps.go:307: Installing snap "hello-world" revision unset
Mar 29 13:37:08 c1 snapd[340]: copydata.go:82: Cannot remove common data directories for "lxd": unlinkat /var/snap/lxd/common/var/lib/lxcfs/proc/cpuinfo: function not implemented
Mar 29 13:37:08 c1 snapd[340]: taskrunner.go:271: [change 1 "Copy snap \"lxd\" data" task] failed: unlinkat /var/snap/lxd/common/var/lib/lxcfs/proc/cpuinfo: function not implemented
Mar 29 13:37:08 c1 systemd[1]: snapd.service: Got notification message from PID 732, but reception only permitted for main PID 340
Mar 29 13:37:08 c1 snapd[340]: taskrunner.go:271: [change 1 "Mount snap \"lxd\" (22526)" task] failed: systemctl command [stop snap-lxd-22526.mount] failed with exit status 1: Job failed. See "journalctl -xe" for details.
Mar 29 13:37:08 c1 systemd[1]: snapd.service: Got notification message from PID 734, but reception only permitted for main PID 340
Mar 29 13:37:08 c1 snapd[340]: handlers.go:644: Reported install problem for "lxd" as 95ad9b84-af65-11ec-a265-fa163ef35206 OOPSID
Mar 29 13:37:09 c1 systemd[1]: snapd.service: Got notification message from PID 738, but reception only permitted for main PID 340
Mar 29 13:37:09 c1 snapd[340]: taskrunner.go:271: [change 1 "Mount snap \"core20\" (1376)" task] failed: systemctl command [stop snap-core20-1376.mount] failed with exit status 1: Job failed. See "journalctl -xe" for details.
Mar 29 13:37:09 c1 snapd[340]: handlers.go:644: Reported install problem for "core20" as 96398d2c-af65-11ec-a265-fa163ef35206 OOPSID
Mar 29 13:37:09 c1 snapd[340]: daemon.go:509: gracefully waiting for running hooks
Mar 29 13:37:09 c1 snapd[340]: daemon.go:511: done waiting for running hooks
Mar 29 13:37:09 c1 systemd[1]: snapd.service: Got notification message from PID 743, but reception only permitted for main PID 340
Mar 29 13:37:09 c1 snapd[340]: taskrunner.go:271: [change 1 "Setup snap \"snapd\" (15177) security profiles" task] failed: cannot reload udev rules: exit status 1
Mar 29 13:37:09 c1 snapd[340]: udev output:
Mar 29 13:37:09 c1 snapd[340]: Failed to send reload request: No such file or directory
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Got notification message from PID 745, but reception only permitted for main PID 340
Mar 29 13:37:10 c1 snapd[340]: taskrunner.go:271: [change 1 "Mount snap \"snapd\" (15177)" task] failed: systemctl command [stop snap-snapd-15177.mount] failed with exit status 1: Job failed. See "journalctl -xe" for details.
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Got notification message from PID 747, but reception only permitted for main PID 340
Mar 29 13:37:10 c1 snapd[340]: handlers.go:644: Reported install problem for "snapd" as 96aea97c-af65-11ec-a265-fa163ef35206 OOPSID
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Succeeded.
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Consumed 3.141s CPU time.
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Scheduled restart job, restart counter is at 1.
Mar 29 13:37:10 c1 systemd[1]: Stopped Snap Daemon.
Mar 29 13:37:10 c1 systemd[1]: snapd.service: Consumed 3.141s CPU time.
Mar 29 13:37:10 c1 systemd[1]: Starting Snap Daemon...
Mar 29 13:37:10 c1 snapd[750]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network
Mar 29 13:37:10 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 1...
Mar 29 13:37:11 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 2...
Mar 29 13:37:11 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 3...
Mar 29 13:37:11 c1 snapd[750]: daemon.go:246: started snapd/2.54.3+20.04.1ubuntu0.2 (series 16; classic; devmode) ubuntu/20.04 (amd64) linux/5.16.13-arch1-1.
Mar 29 13:37:11 c1 snapd[750]: daemon.go:339: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)
Mar 29 13:37:11 c1 systemd[1]: Started Snap Daemon.
root@c1:~# systemctl status snapd
● snapd.service - Snap Daemon
     Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-03-29 13:37:11 UTC; 3min 52s ago
TriggeredBy: ● snapd.socket
   Main PID: 750 (snapd)
      Tasks: 16 (limit: 19013)
     Memory: 15.9M
        CPU: 721ms
     CGroup: /system.slice/snapd.service
             └─750 /usr/lib/snapd/snapd

Mar 29 13:37:10 c1 systemd[1]: Starting Snap Daemon...
Mar 29 13:37:10 c1 snapd[750]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network
Mar 29 13:37:10 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 1...
Mar 29 13:37:11 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 2...
Mar 29 13:37:11 c1 snapd[750]: patch.go:63: Patching system state level 6 to sublevel 3...
Mar 29 13:37:11 c1 snapd[750]: daemon.go:246: started snapd/2.54.3+20.04.1ubuntu0.2 (series 16; classic; devmode) ubuntu/20.04 (amd64) linux/5.16.13-arch1-1.
Mar 29 13:37:11 c1 snapd[750]: daemon.go:339: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap)
Mar 29 13:37:11 c1 systemd[1]: Started Snap Daemon.
root@c1:~# systemctl status snapd.seeded
● snapd.seeded.service - Wait until snapd is fully seeded
     Loaded: loaded (/lib/systemd/system/snapd.seeded.service; enabled; vendor preset: enabled)
     Active: activating (start) since Tue 2022-03-29 13:37:05 UTC; 4min 9s ago
   Main PID: 540 (snap)
      Tasks: 13 (limit: 19013)
     Memory: 34.0M
        CPU: 711ms
     CGroup: /system.slice/snapd.seeded.service
             └─540 /usr/bin/snap wait system seed.loaded

Mar 29 13:37:05 c1 systemd[1]: Starting Wait until snapd is fully seeded...

Un/reinstalling snapd also fails/hangs at 60%:

root@c1:~# apt purge -y snapd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfreetype6 squashfs-tools
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  snapd*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 147 MB disk space will be freed.
(Reading database ... 31896 files and directories currently installed.)
Removing snapd (2.54.3+20.04.1ubuntu0.2) ...
dpkg: warning: while removing snapd, unable to remove directory '/snap': Device or resource busy - directory may be a mount point?
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for dbus (1.12.16-2ubuntu2.1) ...
Processing triggers for mime-support (3.64ubuntu1) ...
(Reading database ... 31811 files and directories currently installed.)
Purging configuration files for snapd (2.54.3+20.04.1ubuntu0.2) ...
Stopping snap-core20-1376.mount
Stopping unit snap-core20-1376.mount
Waiting until unit snap-core20-1376.mount is stopped [attempt 1]
Waiting until unit snap-core20-1376.mount is stopped [attempt 2]
Waiting until unit snap-core20-1376.mount is stopped [attempt 3]
Waiting until unit snap-core20-1376.mount is stopped [attempt 4]
Waiting until unit snap-core20-1376.mount is stopped [attempt 5]
Waiting until unit snap-core20-1376.mount is stopped [attempt 6]
Waiting until unit snap-core20-1376.mount is stopped [attempt 7]
Waiting until unit snap-core20-1376.mount is stopped [attempt 8]
Waiting until unit snap-core20-1376.mount is stopped [attempt 9]
Waiting until unit snap-core20-1376.mount is stopped [attempt 10]
Waiting until unit snap-core20-1376.mount is stopped [attempt 11]
Waiting until unit snap-core20-1376.mount is stopped [attempt 12]
Waiting until unit snap-core20-1376.mount is stopped [attempt 13]
Waiting until unit snap-core20-1376.mount is stopped [attempt 14]
Waiting until unit snap-core20-1376.mount is stopped [attempt 15]
Waiting until unit snap-core20-1376.mount is stopped [attempt 16]
Waiting until unit snap-core20-1376.mount is stopped [attempt 17]
Waiting until unit snap-core20-1376.mount is stopped [attempt 18]
Waiting until unit snap-core20-1376.mount is stopped [attempt 19]
Waiting until unit snap-core20-1376.mount is stopped [attempt 20]
Removing snap core20 and revision 1376
rm: cannot remove '/snap/core20/1376': Device or resource busy
dpkg: error processing package snapd (--purge):
 installed snapd package post-removal script subprocess returned error exit status 1
Errors were encountered while processing:
 snapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@c1:~# apt install snapd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
  zenity | kdialog
The following NEW packages will be installed:
  snapd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 34.3 MB of archives.
After this operation, 147 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 snapd amd64 2.54.3+20.04.1ubuntu0.2 [34.3 MB]
Fetched 34.3 MB in 1s (46.2 MB/s)
(Reading database ... 31807 files and directories currently installed.)
Preparing to unpack .../snapd_2.54.3+20.04.1ubuntu0.2_amd64.deb ...
Unpacking snapd (2.54.3+20.04.1ubuntu0.2) ...
Setting up snapd (2.54.3+20.04.1ubuntu0.2) ...
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.

Trying to restart snapd.service doesn’t change anything either.

Any idea what I’m missing? Please let me know if I can provide any further information. Thanks a lot!

For the sake of posterity: I got rid of the initial error by enabling security.nesting:

lxc launch ubuntu:focal \
    -c security.privileged=true \
    -c security.nesting=true \
    c1

I believe that may be a security issue.

@stgraber is that combination a security problem?

Well, security.privileged=true pretty much turns off any kind of security, security.nesting=true only makes it slightly worse by making it easier to just mount a new copy of procfs and escape :slight_smile:

It looks like snapd or systemd may have changed in a way which requires mounts that can’t be safely allowed inside of privileged containers, explaining why the security.nesting bits are needed.

It’d be interesting to see the dmesg | grep DENIED output in the failing case.

Thanks for your reply.

With security.nesting=true:

root@c1:~# snap install hello-world
hello-world 6.4 from Canonical✓ installed
root@c1:~# dmesg | grep DENIED
[  762.778997] audit: type=1400 audit(1649073058.966:331): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=19815 comm="snap-confine"
[  791.087761] audit: type=1400 audit(1649073087.276:418): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=19991 comm="snap-confine" capability=4  capname="fsetid"
[  791.088164] audit: type=1400 audit(1649073087.276:419): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20009 comm="snap-confine"
[  840.792539] audit: type=1400 audit(1649073136.980:420): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=20145 comm="snap-confine" capability=4  capname="fsetid"
[  840.793325] audit: type=1400 audit(1649073136.980:421): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20167 comm="snap-confine"
[ 1002.016017] audit: type=1400 audit(1649073298.203:429): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=20455 comm="snap-confine" capability=4  capname="fsetid"
[ 1002.016478] audit: type=1400 audit(1649073298.203:430): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20476 comm="snap-confine"
[ 2244.222304] audit: type=1400 audit(1649074540.410:757): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c1-rootfs" pid=22706 comm="unsquashfs" capability=27  capname="mknod"
[ 3569.785134] audit: type=1400 audit(1649075865.973:1542): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c2-rootfs" pid=28098 comm="unsquashfs" capability=27  capname="mknod"
[ 4123.735015] audit: type=1400 audit(1649076419.923:2011): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c3-rootfs" pid=30863 comm="unsquashfs" capability=27  capname="mknod"
[ 6922.231292] audit: type=1400 audit(1649079218.420:2118): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-rhone-rootfs" pid=37735 comm="unsquashfs" capability=27  capname="mknod"
[11122.875725] audit: type=1400 audit(1649083419.066:2146): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c1-rootfs" pid=43058 comm="unsquashfs" capability=27  capname="mknod"
[11148.680159] audit: type=1400 audit(1649083444.870:2348): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c2-rootfs" pid=44341 comm="unsquashfs" capability=27  capname="mknod"
[11160.793211] audit: type=1400 audit(1649083456.983:2495): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-c2_</var/snap/lxd/common/lxd>" name="/snap/" pid=45083 comm="snap-confine" flags="rw, rshared"

Without security.nesting (i.e. failing case):

root@c2:~# snap install hello-world
error: too early for operation, device not yet seeded or device model not acknowledged
root@c2:~# dmesg | grep DENIED
[  762.778997] audit: type=1400 audit(1649073058.966:331): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=19815 comm="snap-confine"
[  791.087761] audit: type=1400 audit(1649073087.276:418): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=19991 comm="snap-confine" capability=4  capname="fsetid"
[  791.088164] audit: type=1400 audit(1649073087.276:419): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20009 comm="snap-confine"
[  840.792539] audit: type=1400 audit(1649073136.980:420): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=20145 comm="snap-confine" capability=4  capname="fsetid"
[  840.793325] audit: type=1400 audit(1649073136.980:421): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20167 comm="snap-confine"
[ 1002.016017] audit: type=1400 audit(1649073298.203:429): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=20455 comm="snap-confine" capability=4  capname="fsetid"
[ 1002.016478] audit: type=1400 audit(1649073298.203:430): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20476 comm="snap-confine"
[ 2244.222304] audit: type=1400 audit(1649074540.410:757): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c1-rootfs" pid=22706 comm="unsquashfs" capability=27  capname="mknod"
[ 3569.785134] audit: type=1400 audit(1649075865.973:1542): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c2-rootfs" pid=28098 comm="unsquashfs" capability=27  capname="mknod"
[ 4123.735015] audit: type=1400 audit(1649076419.923:2011): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c3-rootfs" pid=30863 comm="unsquashfs" capability=27  capname="mknod"
[ 6922.231292] audit: type=1400 audit(1649079218.420:2118): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-rhone-rootfs" pid=37735 comm="unsquashfs" capability=27  capname="mknod"
[11122.875725] audit: type=1400 audit(1649083419.066:2146): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c1-rootfs" pid=43058 comm="unsquashfs" capability=27  capname="mknod"
[11148.680159] audit: type=1400 audit(1649083444.870:2348): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-c2-rootfs" pid=44341 comm="unsquashfs" capability=27  capname="mknod"
[11160.793211] audit: type=1400 audit(1649083456.983:2495): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-c2_</var/snap/lxd/common/lxd>" name="/snap/" pid=45083 comm="snap-confine" flags="rw, rshared"

Both outputs look pretty identical as far as I can tell. I can see that there is output from other containers (e.g. c3) mashed into this output. The very last line mentioning operation="mount" might perhaps be of interest.

Side note: setting security.nesting=true only made the dummy hello-world snap work, but packages such as chromium (which I was actually trying to install) ended up failing during installation with yet a different error:

root@c1:~# snap install chromium
error: cannot perform the following tasks:
- Setup snap "chromium" (1951) security profiles (cannot setup udev for snap "chromium": cannot reload udev rules: exit status 1
udev output:
Failed to send reload request: No such file or directory
)
- Setup snap "chromium" (1951) security profiles (cannot reload udev rules: exit status 1
udev output:
Failed to send reload request: No such file or directory
)
- Setup snap "chromium" (1951) security profiles for auto-connections (cannot reload udev rules: exit status 1
udev output:
Failed to send reload request: No such file or directory
)

Again, this is only an issue with privileged containers.
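The two dmesg captures above are hard to compare by eye because denials from several containers (c1, c2, c3, rhone) are interleaved. The following is an added example, not code from the thread and not an AppArmor or snapd tool: a small POSIX shell/awk function that collapses `apparmor="DENIED"` audit lines into one row per (profile, operation, target) with a count, so two captures can be diffed as short tables. The function names are my own; the sample lines are a constructed subset of the output quoted above.

```shell
# Added example (not from the thread or from AppArmor/snapd tooling): collapse
# apparmor="DENIED" audit lines into one row per (profile, operation, target)
# with a count, so two dmesg captures can be compared even when several
# containers' denials are interleaved.

summarise_denials() {
    tab=$(printf '\t')
    awk '
    /apparmor="DENIED"/ {
        for (key in kv) delete kv[key]
        line = $0
        # pull out every key=value / key="value" pair on the line
        while (match(line, /[a-z_]+=("[^"]*"|[^ ]+)/)) {
            pair = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            eq = index(pair, "=")
            key = substr(pair, 1, eq - 1)
            val = substr(pair, eq + 1)
            gsub(/"/, "", val)
            kv[key] = val
        }
        # target: the path for file/mount/exec operations, the capability for "capable"
        if ("name" in kv) target = kv["name"]
        else if ("capname" in kv) target = "cap:" kv["capname"]
        else target = "-"
        count[kv["profile"] "\t" kv["operation"] "\t" target]++
    }
    END {
        for (row in count) printf "%d\t%s\n", count[row], row
    }' | LC_ALL=C sort -t "$tab" -k1,1nr -k2
}

# Constructed sample: a handful of the lines from the dmesg output in the post.
sample_denials() {
    cat <<'EOF'
[  762.778997] audit: type=1400 audit(1649073058.966:331): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=19815 comm="snap-confine"
[  791.087761] audit: type=1400 audit(1649073087.276:418): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=19991 comm="snap-confine" capability=4  capname="fsetid"
[  791.088164] audit: type=1400 audit(1649073087.276:419): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap-update-ns.lxd" pid=20009 comm="snap-confine"
[  840.792539] audit: type=1400 audit(1649073136.980:420): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=20145 comm="snap-confine" capability=4  capname="fsetid"
[11160.793211] audit: type=1400 audit(1649083456.983:2495): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-c2_</var/snap/lxd/common/lxd>" name="/snap/" pid=45083 comm="snap-confine" flags="rw, rshared"
EOF
}

# Run against the sample; on a real host use: dmesg | summarise_denials
sample_denials | summarise_denials
```

Each output row is `count<TAB>profile<TAB>operation<TAB>target`, so `diff <(dmesg_a | summarise_denials) <(dmesg_b | summarise_denials)` shows only the denials that differ between the working and failing container. Filtering by the container's own profile prefix (`lxd-c2_` in the output above) before summarising removes the noise from neighbouring containers.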

Does it happen when doing the install a second time?

snapd in privileged containers has for a very long time had a bug where the first snap install fails…

Yes, it definitely keeps happening even after retrying the install.

There seem to be two problems at play here:

  • snapd for some reason keeps over-mounting /snap, hiding its own snaps…
  • udevadm fails and snapd still gets very confused by it

The first point is what’s causing the main issue here. The mount table looks like:

rpool/lxd/containers/foo /snap zfs rw,relatime,xattr,posixacl 0 0
snapfuse /snap/snapd/15177 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
snapfuse /snap/core20/1376 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
snapfuse /snap/lxd/22526 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
rpool/lxd/containers/foo /snap zfs rw,relatime,xattr,posixacl 0 0

As you can see, there are two entries for /snap and the second one effectively masks all the snaps that were already mounted, causing snapd to fail to initialize.

Annoyingly, it looks like it’s snapd itself causing that second mount, so you can’t just umount /snap and restart snapd.

This is likely related to:

Apr 06 04:23:50 foo snapd[38349]: taskrunner.go:271: [change 11 "Run install hook of \"lxd\" snap if present" task] failed: run hook "install": cannot perform operation: mount --make-rshared /snap: Permission denied

This is one of those apparmor things where we can’t allow this rule without allowing a lot of more dangerous things. Looks like when snapd gets denied, it just goes and sets up a new bind-mount, breaking things even further…

Thankfully security.nesting=true lets you work around that issue.

At which point you’re just left with the usual udevadm badness. For most snaps, installing twice lets you work around it. This however doesn’t work with chromium.
You can however use the big hammer of ln -s /bin/true /usr/local/bin/udevadm to make snapd happy and get the snap installed.

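The doubled /snap entry described above can be spotted mechanically rather than by reading the mount table. The following is an added example, not code from the thread, from LXD or from snapd: a POSIX shell/awk check that reads a mount table in /proc/self/mounts format and reports any mount point that a later entry over-mounts, together with how many submounts that masks. The function names are my own; the sample table is the one quoted in the post.

```shell
# Added example (not from the thread, LXD or snapd): report mount points that a
# later entry in the mount table over-mounts, and how many submounts that hides.
# Input is /proc/self/mounts format: "<source> <target> <fstype> <options> <dump> <pass>".

masked_mounts() {
    awk '
    {
        n++; src[n] = $1; tgt[n] = $2; fs[n] = $3
    }
    END {
        for (i = 2; i <= n; i++) {
            for (j = 1; j < i; j++) {
                if (tgt[j] != tgt[i]) continue
                # everything mounted under tgt[j] between entries j and i is now unreachable
                prefix = (tgt[j] == "/") ? "/" : tgt[j] "/"
                hidden = 0
                for (k = j + 1; k < i; k++) {
                    if (index(tgt[k], prefix) == 1) hidden++
                }
                printf "%s over-mounted by %s (%s); %d submount(s) masked\n", tgt[i], src[i], fs[i], hidden
            }
        }
    }'
}

# Constructed sample input: the mount table quoted in the post above.
sample_mount_table() {
    cat <<'EOF'
rpool/lxd/containers/foo /snap zfs rw,relatime,xattr,posixacl 0 0
snapfuse /snap/snapd/15177 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
snapfuse /snap/core20/1376 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
snapfuse /snap/lxd/22526 fuse.snapfuse ro,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
rpool/lxd/containers/foo /snap zfs rw,relatime,xattr,posixacl 0 0
EOF
}

# Run against the sample; inside a container use: masked_mounts < /proc/self/mounts
sample_mount_table | masked_mounts
```

On the table from the post this prints one line, `/snap over-mounted by rpool/lxd/containers/foo (zfs); 3 submount(s) masked`, which is exactly the condition that leaves snapd unable to see the core20, lxd and snapd squashfs mounts it already set up. Running it after each snapd restart shows whether the daemon has re-introduced the second /snap mount.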
I still cannot use snap even after both set to true.

My output:

root@mk8s:~# dmesg | grep DENIED
[15015.147973] audit: type=1400 audit(1660843305.545:4035): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_iLGWq6/" pid=287621 comm="snap-confine" srcname="/snap/core20/1587/" flags="rw, rbind"
[16091.941944] audit: type=1400 audit(1660844382.338:5882): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_tlzC3B/" pid=315469 comm="snap-confine" srcname="/snap/core20/1587/" flags="rw, rbin

I tried

ln -s /bin/true /usr/local/bin/udevadm

inside the container and it doesn’t work either.

Did you get it to work?