Add strict confinement to the snap. This may require patching the upstream project and/or involving the snap team.
Background
At the moment, the snap can't be strictly confined because bess requires the CAP_NET_ADMIN capability. Multiple plugs have been tested out to make this work without success.
Logs
From journalctl:
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: I0201 12:52:11.049211 2136363 dpdk.cc:169] Initializing DPDK EAL with options: ["bessd", "--main-lcore", "127", "--lcore", "127@0-11", "--no-shconf", "--legacy-mem", "--no-huge", "-m", "512"]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected 12 lcore(s)
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected 1 NUMA nodes
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Detected static linkage of DPDK
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Failed to create thread for interrupt handling
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: FATAL: Cannot init interrupt-handling thread
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Cannot init interrupt-handling thread
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: F0201 12:52:11.051115 2136363 dpdk.cc:172] rte_eal_init() failed: ret = -1 rte_errno = 1 (Operation not permitted)
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: *** Check failure stack trace: ***
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: F0201 12:52:11.059525 2136363 debug.cc:407] Backtrace (recent calls first) ---
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x8cc582) [0x55b07fc21582]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x73) [0x55b07fc21773]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x3a) [0x55b07fc1a61a]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x238) [0x55b07f9c1a98]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (4): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf2) [0x7fbd61c89082]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: (5): /snap/sdcore-upf/x1/bin/bessd(_start+0x2d) [0x55b07fc17efd]
Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: *** Check failure stack trace: ***
From snappy-debug:
= AppArmor =
Time: 2024-02-01T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
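For triaging output like the above, an added example (not part of the original issue or the project's code) that pulls capability denials out of mixed journal and AppArmor lines and shows which profile each one was logged against: snap-confine's own profile or a snap app profile. The `snap.example-snap.example-app` lines are constructed placeholders, and the `snap.<snap>.<app>` profile naming is assumed from snapd's usual convention.

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs, as AppArmor audit records use them
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def profile_kind(profile):
    """Tell snap-confine's own profile apart from a snap app profile (snap.<snap>.<app>)."""
    if profile.endswith("/snap-confine"):
        return "snap-confine"
    if profile.startswith("snap."):
        return "snap-app"
    return "other"

def capability_denials(lines):
    """Count operation="capable" denials per (profile kind, profile, capability name)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f and f.get("operation") == "capable":
            cap = f.get("capname") or "cap#" + f.get("capability", "?")
            counts[(profile_kind(f.get("profile", "")), f.get("profile", ""), cap)] += 1
    return counts

SAMPLE = [
    # From the issue above
    'Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12 capname="net_admin"',
    'Feb 01 12:52:11 potiron sdcore-upf.bessd[2136363]: EAL: Failed to create thread for interrupt handling',
    # Constructed lines (placeholder snap and app names)
    'audit: apparmor="DENIED" operation="capable" profile="snap.example-snap.example-app" pid=4242 comm="example-app" capability=13 capname="net_raw"',
    'audit: apparmor="DENIED" operation="open" profile="snap.example-snap.example-app" name="/constructed/path" pid=4242 comm="example-app" requested_mask="r" denied_mask="r"',
    'audit: apparmor="ALLOWED" operation="capable" profile="snap.example-snap.example-app" pid=4242 comm="example-app" capability=12 capname="net_admin"',
]

if __name__ == "__main__":
    for (kind, profile, cap), n in sorted(capability_denials(SAMPLE).items()):
        print(f"{n}x {cap:<10} {kind:<13} {profile}")
```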