Ubuntu Snaps inside LXC container on Proxmox

[unam]

I tried enable keyctl too. But it still does not work.
Here is my config file

arch: amd64
cores: 1
features: fuse=1,keyctl=1,nesting=1
hostname: ct-wekan
memory: 2048
nameserver: 10.xxx.xxx.xxx
ostype: debian
rootfs: lv_thin_vms:vm-104-disk-0,size=15G
searchdomain: xxx
swap: 1024
unprivileged: 1

I will maybe gie a try with ubuntu image, but I don't believe that there is a link between template and this kind of errors ?

 

[rholighaus]

Note that enabling `fuse` in a container does not play well with backups, or anything that causes an `lxc-freeze` command to be executed on the container, as this can cause deadlocks in the kernel...

Hi Wolfgang, looks like I'm now running exactly into this problem with snapd in an LXC container that about once a dey freezes completely when PVE replications sends an lxc-freeze to the container. Replication is hourly, though, so it doesn't always happen.

Is there a way to prevent issuing the lxc-freeze command in PVE replication? I would like to have some kind of backup and vzdump would also use lxc-freeze / lxc-unfreeze for all I know.

Also, is there a way to restart the container without having to reboot the node?

 

[velko]

Hi,
Here when I try

snap install wekan

I always have an error :

error: system does not fully support snapd: cannot mount squashfs image using "fuse.squashfuse":
       mount: /tmp/sanity-mountpoint-494747820: wrong fs type, bad option, bad superblock on
       /tmp/sanity-squashfs-152452673, missing codepage or helper program, or other error.

I tried both of solutions : manually edit config file / just tick options, but the problem is always the same, it does not work

I had to install squashfuse and fuse.

apt install squashfuse fuse

Also:
features: nesting=1,fuse=1

Now it works (I use priviliged LXC), but snapshots do not...

 

[proxlias]

With those fixes installing stuff works, however runnign any snap app just yields no output in console.

 

[rholighaus]

I still have the occasional container freeze of an Ubuntu container with snap running wekan after either backup (vzdump) or replication issuing an lxc-freeze command. Much less often but every few weeks. Only solution is to reboot the PVE node. Is that a regression or will I have to live with this?

 

[rholighaus]

There is a temporary fix in this thread once the container is frozen:

https://forum.proxmox.com/threads/storage-replication-regulary-hangs-after-upgrade.72690/post-373688

 

[s1x]

I had to install squashfuse and fuse.

apt install squashfuse fuse

Also:
features: nesting=1,fuse=1

Now it works (I use priviliged LXC), but snapshots do not...

3 years later this saved my ass, thanks!

 

[MuttleyDoSomething]

Hey team, just wanted to say I've got wekan running in an LXC container, so I think this thread has maybe come full loop. I don't actually have to hand-modify the conf either, just go to the container > options > features > tick FUSE and Nesting, restart container, snapd install wekan fails first time with errors:

error: cannot perform the following tasks:
- Setup snap "core" (8935) security profiles (cannot setup udev for snap "core": cannot reload udev rules: exit status 2
udev output:
)
- Setup snap "core" (8935) security profiles (cannot reload udev rules: exit status 2
udev output:
)

but then just re-running the exact same command, it completes successfully and works.

This is the way

 

[Jose Avalos]

Snap requires a bit more work. There may soon be a 'fuse' flag for the features option, but fuse can be dangerous. For now you have to do this:

- For unprivileged containers:
1) Put this in /etc/pve/lxc/$vmid.conf:

...
features: mount=fuse,nesting=1
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0

2) Inside the container: `apt install squashfuse`

- For privileged containers, also add:

...
# EDIT:
# We need to allow apparmor administration, by default mac_admin is dropped for privileged containers.
# Note that you do not want this for un-trusted containers...
lxc.cap.drop =
lxc.cap.drop = mac_override sys_time sys_module sys_rawio

Alternatively to squashfuse, privileged containers could use loop devices, but I wouldn't recommend it...


Note that enabling `fuse` in a container does not play well with backups, or anything that causes an `lxc-freeze` command to be executed on the container, as this can cause deadlocks in the kernel...

in redhat/centos/oraclelinux it is necessary to install the package "fuse" and "squashfuse"
#yum install fuse squashfuse

 

[verulian]

It would be nice to have this kind of support directly inlined. I recently ran into issues in this thread and with the greater push we're seeing for snap, it seems like we're going to require this sooner than later.