[SOLVED] Snapd, Certbot inside a Proxmox container

new2proxmox

New Member
Jun 8, 2022
I'm trying to install the Certbot snap inside a Proxmox container but having issues. Reading the forum threads, I've added the following features to the container:

Code:
'nesting=1,fuse=1'

But unfortunately, this doesn't help.

The relevant error messages are:

Code:
Unpacking squashfs-tools (1:4.4-1ubuntu0.3) ...
Selecting previously unselected package snapd.
Preparing to unpack .../snapd_2.55.5+20.04_amd64.deb ...
Unpacking snapd (2.55.5+20.04) ...
Setting up squashfs-tools (1:4.4-1ubuntu0.3) ...
Setting up snapd (2.55.5+20.04) ...
apparmor_parser: Unable to replace "mount-namespace-capture-helper". Permission denied; attempted to load a profile while confined?
apparmor_parser: Unable to replace "/usr/lib/snapd/snap-confine". Permission denied; attempted to load a profile while confined?
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service -> /lib/systemd/system/snapd.apparmor.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.autoimport.service -> /lib/systemd/system/snapd.autoimport.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.core-fixup.service -> /lib/systemd/system/snapd.core-fixup.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service -> /lib/systemd/system/snapd.recovery-chooser-trigger.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.seeded.service -> /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/cloud-final.service.wants/snapd.seeded.service -> /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service -> /lib/systemd/system/snapd.service.
Created symlink /etc/systemd/system/timers.target.wants/snapd.snap-repair.timer -> /lib/systemd/system/snapd.snap-repair.timer.
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket -> /lib/systemd/system/snapd.socket.
Created symlink /etc/systemd/system/final.target.wants/snapd.system-shutdown.service -> /lib/systemd/system/snapd.system-shutdown.service.
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.

I'm nowhere near familiar enough with AppArmor to be able to figure out how to resolve the messages thrown above.

Any direction or ideas will be greatly appreciated!

Thanks.
 
So, after banging my head against the wall for a long time, here's the solution that seems to work (got it with the help of a few folks not part of this forum, so can't attribute credit).

Step 1
On the Proxmox node(s) where containers will be deployed, you need to install snapd and certbot using something like this:
Code:
apt-get install snapd -y
snap install core
snap install --classic certbot
snap set certbot trust-plugin-with-root=ok

Getting this installed on the Proxmox nodes is critical; otherwise the next few steps will not work.

Step 2
Create an AppArmor profile on the Proxmox nodes where the container will be deployed. The profile should be in the folder /etc/apparmor.d.
So, for example, create a file in /etc/apparmor.d/ called my-snapd. Add the following contents to it.
Code:
profile my-snapd flags=(attach_disconnected,mediate_deleted) {
  mount fstype=fuse,
  mount fstype=securityfs -> /sys/kernel/security/,
  deny /sys/kernel/security/** rwklx,
}

Step 3
Modify the container configuration file to add in the reference to the new profile:
So, if your container id is 100, modify the file /etc/pve/etc/100.conf to add the following line:
Code:
lxc.apparmor.raw: #include <my-snapd>

This assumes that the file name from step 2 is my-snapd.

Step 4
Reboot the container.

Step 5
Log into the container and install certbot as follows:

Code:
apt install -y snapd  # This will show two errors.
snap install core  # this will error out.
snap refresh core
snap install core # this 2nd attempt will work.
snap refresh core
snap install --classic certbot
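
A consistency check for steps 2 and 3 above, as an added example that is not part of the original post: it reads a container config and confirms that the profile named in the lxc.apparmor.raw include exists in the profile directory and declares that profile. The function names, the `features:` key, the `[name]` snapshot-section handling and the sample files are assumptions of this example; the config path is passed in as an argument.

```shell
#!/bin/sh
# Added example: check that step 3's include matches step 2's profile file.
# check_ct_conf CONF PROFILE_DIR: 0 = consistent, 1 = something missing, 2 = unreadable
check_ct_conf() {
    conf=$1; profile_dir=$2; rc=0
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }
    # Assumption: lines after the first "[name]" header belong to snapshots.
    live=$(sed '/^\[/,$d' "$conf")
    features=$(printf '%s\n' "$live" | sed -n 's/^features:[[:space:]]*//p')
    for f in nesting fuse; do
        case ",$features," in
            *",$f=1,"*) echo "OK   feature $f=1" ;;
            *) echo "WARN feature $f is not enabled"; rc=1 ;;
        esac
    done
    names=$(printf '%s\n' "$live" |
        sed -n 's/^lxc\.apparmor\.raw:[[:space:]]*#include[[:space:]]*<\([^>]*\)>.*/\1/p')
    [ -n "$names" ] || { echo "WARN no lxc.apparmor.raw #include line"; rc=1; }
    for name in $names; do
        if [ ! -f "$profile_dir/$name" ]; then
            echo "FAIL <$name> included but $profile_dir/$name does not exist"; rc=1
        elif ! grep -q "^[[:space:]]*profile[[:space:]]\{1,\}$name[[:space:]]" "$profile_dir/$name"; then
            echo "FAIL $profile_dir/$name does not declare profile $name"; rc=1
        else
            echo "OK   <$name> resolves to $profile_dir/$name"
        fi
    done
    return $rc
}

# Constructed sample: a container config and the profile text from step 2.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'hostname: ct100' 'features: nesting=1,fuse=1' \
        'lxc.apparmor.raw: #include <my-snapd>' > "$d/100.conf"
    mkdir "$d/apparmor.d"
    printf '%s\n' 'profile my-snapd flags=(attach_disconnected,mediate_deleted) {' \
        '  mount fstype=fuse,' \
        '  mount fstype=securityfs -> /sys/kernel/security/,' \
        '  deny /sys/kernel/security/** rwklx,' '}' > "$d/apparmor.d/my-snapd"
    echo "$d"
}

sample=$(make_sample)
check_ct_conf "$sample/100.conf" "$sample/apparmor.d"
```

On a node, pass the container's config file and /etc/apparmor.d as the two arguments; a FAIL line means the include in step 3 points at a name that step 2 did not create.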
 
I'm sorry, I don't understand this part...
lxc.apparmor.raw: #include <my-snapd>
Could you post your string? Because once inserted, if I reboot the LXC it doesn't start anymore... and I have to remove or comment out this part.
Thank you

 

This procedure was NOT working for me. However, when I modified the LXC "options" and added "FUSE" Feature, it worked to get CORE installed. However, certbot failed:

Run configure hook of "certbot" snap if present (run hook "configure": aa_is_enabled() failed unexpectedly (No such file or directory): No such file or directory)

Without using snap I was able to get certbot working and got a certificate issued by following this post: https://labzilla.io/blog/cloudflare-certbot
 
Dear all,

Some trouble with that, and to make snap install core work, the options for Fuse and Nesting in the LXC worked for me.

But then follows this:

Code:
snap install --classic certbot

That runs into that error:

Code:
root@awgERPNext:~# snap install --classic certbot
error: cannot perform the following tasks:
- Run configure hook of "certbot" snap if present (run hook "configure": aa_is_enabled() failed unexpectedly (No such file or directory): No such file or directory)

I have found hints for (No such file or directory), but those mentioned problems with access rights (0777 vs 0755); snaps then decline to install when it is 0777.

Does anybody have an idea about that?
 