Open Bug 1789695 Opened 2 years ago Updated 1 year ago

[snap] connect-plug-host-hunspell failed to mount /usr/share/hunspell from the host

Categories

(Firefox Build System :: Third Party Packaging, defect, P3)

Product:
Firefox Build System
Component:
Third Party Packaging
Version:
Firefox 106
Platform:
Desktop
Linux
Type:
defect

Tracking

(firefox106 affected)

Tracking Flags:
Tracking Status
firefox106 --- affected

People

(Reporter: olivier, Unassigned)

References

(Blocks 1 open bug)

Details

Since bug 1732755, the firefox snap uses the mount-control interface to bind-mount the host's /usr/share/hunspell to $SNAP_COMMON/host-hunspell in order to inspect the list of dictionaries installed by the user that should be exposed in the UI.

When testing the functionality, I observed what seems to be a race condition in the hooks. Most of the time it works as expected, but I've got an install of the edge snap that I refreshed to the revision that has these changes, and when I shell in the snap I can see that $SNAP_COMMON/host-hunspell exists, but it's empty. The connections happened correctly, and the refresh wasn't reverted to the previous revision (which AIU would have happened if the connect-plug-host-hunspell hook had returned an error.

I'm suspecting that the snapctl mount … command silently failed, but I don't have evidence of this.

Here is the relevant output from the journal around the time I refreshed the snap:

sep 07 18:19:30 dantian systemd[4358]: Starting snapd user session agent...
sep 07 18:19:30 dantian systemd[4358]: Started snapd user session agent.
sep 07 18:19:38 dantian systemd[1]: Reloading.
sep 07 18:19:38 dantian systemd[1]: Mounting Mount unit for firefox_nightly, revision 1818...
sep 07 18:19:38 dantian systemd[1]: Mounted Mount unit for firefox_nightly, revision 1818.
sep 07 18:19:39 dantian audit[36487]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.post-refresh" pid=36487 comm="apparmor_parser"
sep 07 18:19:39 dantian kernel: audit: type=1400 audit(1662567579.740:300): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.post-refresh" pid=36487 comm="apparmor_parser"
sep 07 18:19:39 dantian audit[36486]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.disconnect-plug-host-hunspell" pid=36486 comm="apparmor_parser"
sep 07 18:19:39 dantian kernel: audit: type=1400 audit(1662567579.804:301): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.disconnect-plug-host-hunspell" pid=36486 comm="apparmor_parser"
sep 07 18:19:39 dantian systemd[1]: man-db.service: Deactivated successfully.
sep 07 18:19:39 dantian systemd[1]: Finished Daily man-db regeneration.
sep 07 18:19:39 dantian audit[36485]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.connect-plug-host-hunspell" pid=36485 comm="apparmor_parser"
sep 07 18:19:39 dantian kernel: audit: type=1400 audit(1662567579.856:302): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.firefox_nightly.hook.connect-plug-host-hunspell" pid=36485 comm="apparmor_parser"
sep 07 18:19:39 dantian audit[36484]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.configure" pid=36484 comm="apparmor_parser"
sep 07 18:19:39 dantian kernel: audit: type=1400 audit(1662567579.896:303): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.configure" pid=36484 comm="apparmor_parser"
sep 07 18:19:40 dantian audit[36482]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.firefox_nightly" pid=36482 comm="apparmor_parser"
sep 07 18:19:40 dantian kernel: audit: type=1400 audit(1662567580.220:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.firefox_nightly" pid=36482 comm="apparmor_parser"
sep 07 18:19:41 dantian audit[36483]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.firefox" pid=36483 comm="apparmor_parser"
sep 07 18:19:41 dantian kernel: audit: type=1400 audit(1662567581.380:305): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.firefox" pid=36483 comm="apparmor_parser"
sep 07 18:19:42 dantian audit[36563]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.connect-plug-host-hunspell" pid=36563 comm="apparmor_parser"
sep 07 18:19:42 dantian audit[36564]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.disconnect-plug-host-hunspell" pid=36564 comm="apparmor_parser"
sep 07 18:19:42 dantian audit[36565]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.post-refresh" pid=36565 comm="apparmor_parser"
sep 07 18:19:42 dantian audit[36562]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.hook.configure" pid=36562 comm="apparmor_parser"
sep 07 18:19:42 dantian audit[36560]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.firefox_nightly" pid=36560 comm="apparmor_parser"
sep 07 18:19:43 dantian audit[36561]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox_nightly.firefox" pid=36561 comm="apparmor_parser"
sep 07 18:19:43 dantian systemd[1]: Started snap.firefox_nightly.hook.connect-plug-host-hunspell.84dfe913-1832-413a-8011-df7a01e62cf1.scope.
sep 07 18:19:43 dantian systemd[1]: tmp-snap.rootfs_vc5bfH.mount: Deactivated successfully.
sep 07 18:19:43 dantian audit[36588]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox_nightly" name="/usr/share/cups/doc-root/" pid=36588 comm="6" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
sep 07 18:19:43 dantian audit[36588]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox_nightly" name="/usr/share/gimp/2.0/" pid=36588 comm="6" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
sep 07 18:19:43 dantian audit[36588]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.firefox_nightly" name="/usr/share/libreoffice/help/" pid=36588 comm="6" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
sep 07 18:19:43 dantian audit[36588]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.firefox_nightly" name="/var/lib/" pid=36588 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
sep 07 18:19:43 dantian systemd[1]: Reloading.
sep 07 18:19:44 dantian systemd[1]: Mounting Mount unit for firefox_nightly, revision 1818 via mount-control...
sep 07 18:19:44 dantian systemd[1]: Mounted Mount unit for firefox_nightly, revision 1818 via mount-control.
sep 07 18:19:44 dantian systemd[1]: snap.firefox_nightly.hook.connect-plug-host-hunspell.84dfe913-1832-413a-8011-df7a01e62cf1.scope: Deactivated successfully.
sep 07 18:19:44 dantian systemd[1]: Started snap.firefox_nightly.hook.post-refresh.9cf4140a-648e-4bef-8205-ec311f70a2f0.scope.
sep 07 18:19:44 dantian systemd[1]: snap.firefox_nightly.hook.post-refresh.9cf4140a-648e-4bef-8205-ec311f70a2f0.scope: Deactivated successfully.
sep 07 18:19:45 dantian systemd[1]: snap-firefox_nightly-1803.mount: Deactivated successfully.
sep 07 18:19:45 dantian systemd[1]: Reloading.
sep 07 18:19:45 dantian systemd[1]: Started snap.firefox_nightly.hook.configure.f10fb028-8389-4f30-9b44-4f8dc46f8253.scope.
sep 07 18:19:48 dantian systemd[1]: snap.firefox_nightly.hook.configure.f10fb028-8389-4f30-9b44-4f8dc46f8253.scope: Deactivated successfully.
Blocks: snap

The Bugbug bot thinks this bug should belong to the 'Core::Spelling checker' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Spelling checker
Product: Firefox → Core
Component: Spelling checker → Third Party Packaging
Product: Core → Firefox Build System

The severity field is not set for this bug.
:gerard-majax, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(lissyx+mozillians)
Severity: -- → S3
Flags: needinfo?(lissyx+mozillians)
Priority: -- → P3

Olivier, have you been able to figure out what is happening?

Flags: needinfo?(olivier)

i have the same or a similar issue. snap install.

Ubuntu 22.04.1 LTS, after upgrade from LTS 20.
when trying to install firefox inside a lxd container. host and guest OS are the same. xorg works, other browsers work.
i myself did not instaLL cups, gimp or libreoffice, etc.

default container to my knowledge, no non default mounts.
the issue i seems to be that a mount is tried under a non existing directory. i tried to manually work around it, but couldn't easily.
already present the last 3+ months.

same result when running snap install firefox.

sudo apt-get install firefox  
Reading package lists... Done                                                                                           
Building dependency tree... Done                                                                                        
Reading state information... Done                                                                                       
The following NEW packages will be installed:                                                                           
  firefox                                                                                                               
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.                                                          
Need to get 72.3 kB of archives.                            
After this operation, 261 kB of additional disk space will be used.                                                     
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 firefox amd64 1:1snap1-0ubuntu2 [72.3 kB]                       
Fetched 72.3 kB in 0s (302 kB/s)                            
debconf: delaying package configuration, since apt-utils is not installed                                               
Selecting previously unselected package firefox.
(Reading database ... 41292 files and directories currently installed.)                                                 
Preparing to unpack .../firefox_1%3a1snap1-0ubuntu2_amd64.deb ...                                                       
debconf: unable to initialize frontend: Dialog              
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/D
ebconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
=> Installing the firefox snap               
==> Checking connectivity with the snap store               
==> Installing the firefox snap

- Run hook connect-plug-host-hunspell of snap "firefox" (run hook "connect-plug-host-hunspell":                         
-----                         
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/cups/doc-root /us
r/share/cups/doc-root none bind,ro 0 0): cannot create directory "/usr/share/cups/doc-root": permission denied          
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /us
r/share/gimp/2.0/help none bind,ro 0 0): cannot create directory "/usr/share/gimp/2.0": permission denied               
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/shar
e/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied                                        
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help 
/usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied 
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr
/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied                              
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell
.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'jour
nalctl -xe' for details.                                                                                                
-----)

journalctrl -xe
Dec 31 18:11:04 abc cups.cups-browsed[28790]: + [ -r /var/snap/cups/872/var/run/cupsd.pid ]
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit snap.cups.cups-browsed.service has entered the 'failed' state with result 'exit-code'.

Dec 31 18:09:18 abc systemd[1]: Stopped Service for snap application cups.cups-browsed.
░░ Subject: A stop job for unit snap.cups.cups-browsed.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A stop job for unit snap.cups.cups-browsed.service has finished.
░░
░░ The job identifier is 18216 and the job result is done.
Dec 31 18:09:18 abc systemd[1]: Started Service for snap application cups.cups-browsed.
░░ Subject: A start job for unit snap.cups.cups-browsed.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit snap.cups.cups-browsed.service has finished successfully.
░░
░░ The job identifier is 18216.
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + mkdir -p /var/snap/cups/872/var/log
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + mkdir -p /var/snap/cups/872/var/cache
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + mkdir -p /var/snap/cups/872/var/run
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + mkdir -p /var/snap/cups/common/etc/cups
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + CONF=/var/snap/cups/common/etc/cups/cups-browsed.conf
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + CLIENTCONF=/var/snap/cups/common/etc/cups/client.conf
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + DAEMON=cups-browsed
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + export LC_ALL=C.UTF-8
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + export LANG=C.UTF-8
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + TMPDIR=/var/snap/cups/872/tmp
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + mkdir -p /var/snap/cups/872/tmp
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + CUPSSTARTED=0
Dec 31 18:09:18 abc cups.cups-browsed[28716]: + seq 60
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + [ -r /var/snap/cups/872/var/run/cupsd.pid ]
Dec 31 18:09:18 abc cups.cups-browsed[28685]: + sleep 1
Dec 31 18:09:19 abc cups.cups-browsed[28685]: + [ -r /var/snap/cups/872/var/run/cupsd.pid ]
Dec 31 18:09:19 abc cups.cups-browsed[28685]: + sleep 1

/var/lib/snapd/hostfs/ is empty (before and after the install attempt).

Amin, is it a known isssue that /var/lib/snapd/hostfs/ is empty? Is it legit?

Flags: needinfo?(olivier) → needinfo?(bandali)

/var/lib/snapd/hostfs/ is empty for me as well, but I'm not sure if that's expected or not. Seb?

Also I can't reproduce the issue; $SNAP_COMMON/host-hunspell is properly mounted and nonempty for me. Can you please provide the output from snap version and snap info firefox (if you were able to install the Firefox snap, that is)?

Looks like we have an upstream snapd bug report for this: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1991691

Flags: needinfo?(bandali) → needinfo?(seb128)

I can confirm it relates to running the install from a lxc container. Installing on the host itself works fine. Trying the install a new ubuntu jammy lxc container fails. i.e. lxc launch ubuntu:jammy ffox0.

This is likely also not a common setup. So feel free to close this.

snap info firefox
name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla✓
store-url: https://snapcraft.io/firefox
contact:   https://support.mozilla.org/kb/file-bug-report-or-feature-request-mozilla
license:   MPL-2.0
description: |
  Firefox is a powerful, extensible web browser with support for modern web application
  technologies.
snap-id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
channels:
  latest/stable:    113.0-2       2023-05-09 (2645) 253MB -
  latest/candidate: 113.0-2       2023-05-05 (2645) 253MB -
  latest/beta:      114.0b2-1     2023-05-10 (2659) 255MB -
  latest/edge:      115.0a1       2023-05-10 (2661) 261MB -
  esr/stable:       102.11.0esr-2 2023-05-09 (2642) 186MB -
  esr/candidate:    102.11.0esr-2 2023-05-04 (2642) 186MB -
  esr/beta:         ↑                                     
  esr/edge:         ↑      


sudo snap install firefox
...
Setup snap "firefox" (2645) security profiles for auto-connections
Run hook connect-plug-host-hunspell of snap "firefox"
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gimp/2.0/help /usr/share/gimp/2.0/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/gtk-doc /usr/share/gtk-doc none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot open directory "/var/lib": permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/xubuntu-docs /usr/share/xubuntu-docs none bind,ro 0 0): cannot open directory "/var/lib": permission denied
error: error running snapctl: cannot start mount unit: systemctl command [start var-snap-firefox-common-host\x2dhunspell.mount] failed with exit status 1: A dependency job for var-snap-firefox-common-host\x2dhunspell.mount failed. See 'journalctl -xe' for details.
-----)

Sorry but I don't know how /var/lib/snapd/hostfs/ is supposed to be handled by snapd exactly, that's probably worth asking on the snapcraft forum

Flags: needinfo?(seb128)
You need to log in before you can comment on or make changes to this bug.