Unable to install firefox (snap) in Ubuntu 22.04 container

I’ve created a Ubuntu 22.04 container with a desktop environment to access via VNC. The desktop environment and VNC runs fine, but when trying to install Firefox I run into this issue:

root@vdi02:~# snap install firefox
error: cannot perform the following tasks:

• Run hook connect-plug-host-hunspell of snap “firefox” (run hook “connect-plug-host-hunspell”:

update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory “/usr/share/cups/
doc-root”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory “/usr/share/gimp/
2.0”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory “/usr/share
/libreoffice/help”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory “/var/lib”: permissio
n denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-ho
st\x2dhunspell.mount failed. See ‘journalctl -xe’ for details.
-----)

Do I need to configure some setting on the container to allow bind mounts inside the container or something similar?

Did you try setting lxc config set <instance> security.nested=true on the container and restarting?

Yes, I have that set:

➜ ~ lxc config get vdi02 security.nesting
true

Also, to add some more context:

Host OS is Ubuntu 22.04, more or less vanilla install
lxd is version 5.6-794016a, according to snap list
The container I’m running is the standard ubuntu:22.04 container

Can you show your reproducer steps so we can try it?

These steps should be able to reproduce it:

➜ ~ lxc launch ubuntu:22.04 snaptest
Creating snaptest
Starting snaptest
➜ ~ lxc stop snaptest
➜ ~ lxc config set snaptest security.nesting=true
➜ ~ lxc start snaptest
➜ ~ lxc exec snaptest bash
root@snaptest:~# snap install firefox
error: cannot perform the following tasks:

• Run hook connect-plug-host-hunspell of snap “firefox” (run hook “connect-plug-host-hunspell”:

update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /usr/share/cups/doc-root none bind,ro 0 0): cannot create directory “/usr/share/cups/doc-root”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot create directory “/usr/share/gimp/2.0”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory “/var/lib”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory “/usr/share/libreoffice/help”: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory “/var/lib”: permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See ‘journalctl -xe’ for details.
-----)
root@snaptest:~#

same problem with ubuntu:22.10

lxc init ubuntu:22.10 snaptest
lxc config set snaptest security.nesting true
lxc start snaptest 
lxc exec snaptest -- sh -c "apt -y update && apt -y upgrade"
lxc restart snaptest
lxc exec snaptest -- sh -c "apt install firefox"

with the same error.

Hello,
I have installed a simple snaptest container which is ubuntu/22.10 and everything is working.
Here are the steps:

lxc launch images:ubuntu/22.10 snaptest
lxc config set snaptest security.nesting=true
lxc shell snaptest

Inside the container

apt install snapd
systemctl status snapd -> check the status of the snapd if it doesnt work execute the following
systemctl start/restart snapd -> start or restart the snap service
snap install firefox

Regards.

Thanks for your answer.
Thats your host machine?

I’m running ubuntu 22.04 on btrfs.
I also found this:

Yep, that looks like an btrfs problem, my storage filesystem is zfs.
Thanks for the reply.
Regards.

The SNAP version of chromum-browser runs fine with BTRFS… ?

So I don’t see how the SNAP version of Firefox failing to run is a “BTRFS problem”?

Seems to me its something related to the Firefox SNAP.

Possible, we dont know the version of the snap firefox.

@cemzafer BTW, I’m having same problem w Firefox (only very recently) running Firefox in 22.04 Host w 22.04 containers.

Oddly, works fine w 22.04 Host & 20.04 containers ??

My comment was wrong, it not related with the filesystem, thanks for the correction.
Regards.

I’m running 22.04 LTS on BTRFS including GRUB-BTRFS

@qupfer - great find thx. Good someone had already filed a bug on this. Anyone having this problems should include themselves in “it affects me” count on launchpad.

@tomp

I found out that only the ubuntu-desktop fails to install in an Ubuntu 22.04 LXD Container!

Installing the Mate Desktop into an LXD container works:

sudo apt install ubuntu-mate-desktop -y

Its the installation of ubuntu-desktop in an LXD container that does NOT work unless you execute both of the following “in” the LXD Container:

$ sudo apt-get install -y acpid
$ sudo systemctl disable --now acpid.service acpid.socket acpid.path

then ubuntu-desktop fully installs in the LXD contaienr.