It appears that the confinement applied to snaps inside LXD and Incus containers has tightened in recent releases to protect the host OS, and one side effect shows up when a snap is started at container boot. Services in Linux are managed with systemctl and run as detached daemons under systemd. This post walks through one service-access concern that follows from that.
It is about running a service when an Incus container starts or boots. In my example, the service runs "vlc" as a command-line utility inside an Incus containerized application.
I had a container running vlc as a snap, and I started my application as a service. In recent weeks I began getting an error when running vlc in my Incus container, and I discovered that the cause was the snap packaging of vlc. The snap version of vlc was more up to date than the "apt" version and had features that I needed, so dropping the snap was not an option. In any case, this was the error I received when trying to run vlc in the Incus container.
I noticed that reloading snapd's AppArmor profiles cleared the error:
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
After that, vlc ran without error.
However, after a reboot of the Incus container the error came back, so the reload has to be repeated on every boot.
My solution was to create a script called "boot.sh" in my home folder. Be aware that a script run by a system service should not live in a home folder: it runs as root at boot, so anyone who can write to the file gets root. This is my own private Incus container, so I accepted that here; on a shared system, put the script somewhere root-owned such as /usr/local/sbin.
nano boot.sh
I inserted the following text into the file.
#!/bin/bash
# The unit below runs this as root, so no sudo is needed here.
apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
I saved the file with CTRL O and enter to write it out and a CTRL X to exit the nano editor.
You must make the script executable:
chmod +x boot.sh
Next I create the systemd "service" that runs when the Incus container starts:
sudo nano /etc/systemd/system/myvlc.service
Put the following in the file changing the path to the script accordingly:
[Unit]
Description=MyVLC
After=apparmor.service snapd.apparmor.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/home/scott/boot.sh
[Install]
WantedBy=default.target
Save the file with CTRL O and enter and CTRL X to exit the nano editor.
Reload the systemd unit files so the new service is picked up:
sudo systemctl daemon-reload
To enable the service to start when the Incus container boots:
sudo systemctl enable myvlc.service
To start the service immediately:
sudo systemctl start myvlc.service
You can also examine your service:
sudo systemctl status myvlc.service
When the Incus container starts, the vlc program runs without error because this service has already reloaded the profiles.
This "snap confinement" error can show up with other snaps as well, since each snap runs under its own AppArmor profile and that profile must be loaded inside the container before the snap will start. So the solution presented here may help with other applications too.
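The whole procedure above, as an added shell example that is not from the original post: it puts the reload script in a root-owned location, orders the unit after the services that load AppArmor profiles, and checks afterwards that the snap's profile is actually in the kernel. The script path /usr/local/sbin/snap-aa-reload, the unit name snap-aa-reload.service and the profile name snap.vlc.vlc are assumed names for illustration; the real profile names are listed by aa-status or in /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example (not from the original post): install the AppArmor reload
# hook as a root-owned script plus a oneshot systemd unit, and verify that
# the snap's profile is loaded. The paths, unit name and profile name are
# assumptions chosen for illustration.
set -eu

SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/sbin/snap-aa-reload}"
UNIT_NAME="${UNIT_NAME:-snap-aa-reload.service}"
PROFILES_DIR="${PROFILES_DIR:-/var/lib/snapd/apparmor/profiles}"

# The hook script. systemd runs it as root, so no sudo is needed.
render_script() {
  cat <<EOF
#!/bin/sh
set -e
exec apparmor_parser -r ${PROFILES_DIR}/*
EOF
}

# The unit. Ordered after the units that load AppArmor profiles at boot so
# the reload runs last; oneshot because the script exits as soon as it is done.
render_unit() {
  cat <<EOF
[Unit]
Description=Reload snapd AppArmor profiles after boot
After=apparmor.service snapd.apparmor.service snapd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=${SCRIPT_PATH}

[Install]
WantedBy=multi-user.target
EOF
}

# Install both files root-owned: a script that runs as root at boot must not
# sit where an unprivileged user can rewrite it. Requires root.
install_hook() {
  local tmp
  tmp="$(mktemp)"
  render_script > "$tmp"
  install -m 0755 -o root -g root "$tmp" "${SCRIPT_PATH}"
  render_unit > "$tmp"
  install -m 0644 -o root -g root "$tmp" "/etc/systemd/system/${UNIT_NAME}"
  rm -f "$tmp"
  systemctl daemon-reload
  systemctl enable --now "${UNIT_NAME}"
}

# Return 0 if the named profile is loaded in the kernel. The profile list
# defaults to the live sysfs file, whose lines look like
# "snap.vlc.vlc (enforce)"; a saved copy can be passed for offline checks.
profile_loaded() {
  local profile="$1" list="${2:-/sys/kernel/security/apparmor/profiles}"
  awk -v p="$profile" '$1 == p { found = 1 } END { exit !found }' "$list"
}

# Usage (as root): ./snap-aa-reload.sh install
if [ "${1:-}" = "install" ]; then
  install_hook
  if profile_loaded "snap.vlc.vlc"; then
    echo "snap.vlc.vlc profile is loaded"
  else
    echo "snap.vlc.vlc profile is NOT loaded; check: journalctl -u ${UNIT_NAME}" >&2
    exit 1
  fi
fi
```

Run it as root with the argument install. If the profile check fails, journalctl -u snap-aa-reload.service shows whatever apparmor_parser complained about, which is usually more useful than the error vlc itself prints.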