refresh with layouts in both revisions fails

Bug #1856093 reported by Ian Johnson
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| snapd | Triaged | Medium | Zygmunt Krynicki | |

Bug Description

With one snap with layouts like this:

```
name: kubernetes-thing
version: "0.0.1"
summary: kubernetes things
description: things
base: core18
architectures:
  - amd64
confinement: strict
grade: devel
layout:
  /var/lib/kubelet:
    bind: $SNAP_DATA/kubelet
  /var/log:
    bind: $SNAP_DATA/log
apps:
  containerd:
    command: snap/command-chain/snapcraft-runner bin/bash -c sleep 1000
    daemon: simple
```

I can't refresh the snap if I have daemons or apps that ran and saved the mount ns, because snap-update-ns fails to run when refreshing. The specific error message with debug logs:

```
error: cannot perform the following tasks:
- Setup snap "kubernetes-thing" (unset) security profiles (cannot update mount namespace of snap "kubernetes-thing": cannot update preserved namespace of snap "kubernetes-thing":
-----
common.go:60: DEBUG: locking mount namespace of snap "kubernetes-thing"
common.go:81: DEBUG: freezing processes of snap "kubernetes-thing"
change.go:514: DEBUG: reusing synthetic entry "tmpfs /var/lib tmpfs x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,mode=0755,uid=0,gid=0 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/cloud /var/lib/cloud none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/console-conf /var/lib/console-conf none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/dbus /var/lib/dbus none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/dhcp /var/lib/dhcp none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/extrausers /var/lib/extrausers none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/misc /var/lib/misc none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/pam /var/lib/pam none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/polkit-1 /var/lib/polkit-1 none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/private /var/lib/private none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/python /var/lib/python none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/snapd /var/lib/snapd none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/sudo /var/lib/sudo none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/systemd /var/lib/systemd none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/ucf /var/lib/ucf none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:514: DEBUG: reusing synthetic entry "/var/lib/vim /var/lib/vim none rbind,x-snapd.synthetic,x-snapd.needed-by=/var/lib/kubelet,x-snapd.detach 0 0"
change.go:529: DEBUG: desiredIDs: map[/var/log:true /var/lib/kubelet:true]
change.go:530: DEBUG: reuse: map[/var/lib:true /var/lib/dhcp:true /var/lib/extrausers:true /var/lib/misc:true /var/lib/console-conf:true /var/lib/snapd:true /var/lib/sudo:true /var/lib/dbus:true /var/lib/python:true /var/lib/ucf:true /var/lib/cloud:true /var/lib/pam:true /var/lib/polkit-1:true /var/lib/private:true /var/lib/systemd:true /var/lib/vim:true]
change.go:353: DEBUG: mount --make-rprivate "/var/log" (error: <nil>)
change.go:363: DEBUG: umount "/var/log" UMOUNT_NOFOLLOW|MNT_DETACH (error: <nil>)
change.go:408: DEBUG: remove "/var/log" (error: remove /var/log: read-only file system)
common.go:89: DEBUG: unlocking mount namespace of snap "kubernetes-thing"
common.go:91: DEBUG: thawing processes of snap "kubernetes-thing"
cannot update snap namespace: read-only file system
-----)
```
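A small triage helper for the debug trace above, added here as an example (it is not part of the bug report or of snapd): it extracts each mount action with its reported result, then returns the first action that failed and whether its path is one of the layout targets listed in `desiredIDs`. The line shapes are assumed from the trace shown on this page.

```python
import re

# Lines taken from the debug trace on this page, trimmed to a short sample.
SAMPLE = """\
common.go:60: DEBUG: locking mount namespace of snap "kubernetes-thing"
change.go:529: DEBUG: desiredIDs: map[/var/log:true /var/lib/kubelet:true]
change.go:353: DEBUG: mount --make-rprivate "/var/log" (error: <nil>)
change.go:363: DEBUG: umount "/var/log" UMOUNT_NOFOLLOW|MNT_DETACH (error: <nil>)
change.go:408: DEBUG: remove "/var/log" (error: remove /var/log: read-only file system)
common.go:89: DEBUG: unlocking mount namespace of snap "kubernetes-thing"
"""

# Assumed shape: <file>.go:<line>: DEBUG: <op> "<path>" [flags] (error: <result>)
ACTION = re.compile(
    r'(?P<src>\w+\.go:\d+): DEBUG: (?P<op>[^"]+?) "(?P<path>[^"]+)"'
    r'(?P<flags>[^(]*)\(error: (?P<error>.*)\)\s*$'
)
DESIRED = re.compile(r'DEBUG: desiredIDs: map\[(?P<ids>[^\]]*)\]')


def parse_actions(trace):
    """Return every mount action in the trace with its reported result."""
    actions = []
    for line in trace.splitlines():
        m = ACTION.search(line)
        if m:
            entry = {k: v.strip() for k, v in m.groupdict().items()}
            entry["ok"] = entry["error"] == "<nil>"
            actions.append(entry)
    return actions


def desired_targets(trace):
    """Return the set of paths listed in the desiredIDs debug line."""
    m = DESIRED.search(trace)
    if not m:
        return set()
    return {item.rsplit(":", 1)[0] for item in m.group("ids").split()}


def first_failure(trace):
    """Return the first failed action, flagged if it hit a layout target."""
    targets = desired_targets(trace)
    for action in parse_actions(trace):
        if not action["ok"]:
            return dict(action, layout_target=action["path"] in targets)
    return None


if __name__ == "__main__":
    print(first_failure(SAMPLE))
```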

description: updated
Zygmunt Krynicki (zyga)
Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
Maciej Borzecki (maciek-borzecki) wrote :

Which version of snapd was that? There was a fix for robust mount ns updates, but it's only in 2.42.3 and requires a manual feature flag to be enabled: experimental.robust-mount-namespace-updates=true

Changed in snapd:
status: New → Incomplete
Ian Johnson (anonymouse67) wrote :

Maciek, I also tested on master with experimental.robust-mount-namespace-updates=true and could still reproduce this.

Changed in snapd:
status: Incomplete → New
Changed in snapd:
status: New → Triaged
Changed in snapd:
importance: Undecided → Medium