Chris's Wiki :: blog/linux/Ubuntu2004SnapsHomeIssue Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/Ubuntu2004SnapsHomeIssue?atomcomments
DWiki
2020-05-01T16:40:50Z
Recent comments in Chris's Wiki :: blog/linux/Ubuntu2004SnapsHomeIssue.

By Chris Siebenmann on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:2f8c87bfcf1d28dde5c358532ec9fed3b6fa384a
<div class="wikitext"><p>Not normally, but many things will use <code>$HOME</code> over /etc/passwd, so
you can do testing with things like '<code>mkdir /tmp/test; HOME=/tmp/test
chromium-browser</code>'. This doesn't work with Snaps; they appear to care
about <code>/etc/passwd</code> only and ignore <code>$HOME</code>.</p>
</div>
2020-05-01T16:40:50Z

By Matt on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:111311a6114c4d511f66749329160f8ba278eb33
<div class="wikitext"><p>Wait, on your systems what $HOME says is my home directory and what /etc/passwd says is my home directory are two different things???</p>
</div>
2020-05-01T16:21:23Z

By Chris Siebenmann on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:bc5d764bb9ce0d546d4b9d7d7da02d70fd5fae1b
<div class="wikitext"><p>Alex Xu: if bind mounts into /home work in general, they definitely
don't work for NFS mounted home directories; attempts eventually fail
with mysterious errors once you hack up enough of your system to pacify
Snappy. Also, you definitely do have to change what <code>/etc/passwd</code> lists
as people's home directories; otherwise, things simply don't get off
the ground (even though other bits trace through symlinks and print
real path names).</p>
<p>Since bind mounts fail, I expect that mounting NFS filesystems under
/home won't work either; the two are almost the same from the kernel's
point of view.</p>
<p>(And since Snappy evidently has hard-coded checks for /home that
require an /etc/passwd entry that points there, merely changing the
Apparmor profile is also clearly not enough. We are talking major system
mutilation to even theoretically get this working, with no assurance that
it really will.)</p>
</div>
2020-05-01T16:05:37Z

By Andrea Borghi on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:2f0a75a1328d35bd76032e9054ca1270dcf53cae
<div class="wikitext"><p>Extending Peter Donis's comment, it is a real shame that distributions and upstream software maintainers are forcing system administrators to <em>not use</em> software or <em>radically change</em> their systems on the basis of a perceived idea of how systems should run, an idea that cannot be universal, as Chris's case has demonstrated.</p>
<p>Another two examples are VLC and systemd on Debian.</p>
<p>The first refuses to run as root, but this is on a mini system of mine where there are no users and it is used to convert video content on a file share into a multicast flow, for a distributed display in a commercial setting (resolved by recompiling VLC without the check).</p>
<p>Or systemd, which has the same problem, by forcing services to run anywhere but /home. I have historically had /home mounted from file servers and started services under the home of the respective user/service. And then? The new shiny thing is to use ProtectHome in the standard unit delivered in install packages, so the started service starts in a namespace without a readable /home and without its files. (This was at its worst when, instead of copying the systemd unit to /etc/systemd/system, I used the override mechanism of systemd, where I personalized only some settings and all was well... until upstream inserted ProtectHome in an update and magically my service did not start anymore, so I returned to copying the entire unit and disabling the oh so automagically magical mechanism of systemd.)</p>
<p>It seems to me that the current state is what was predicted at systemd's inception: as time passes, more and more highly intelligent developers are forcing all the world (and all the complexity it represents) into a shoebox.</p>
<p>And treating all use cases as if they were their precious notebook.</p>
<p>This is not not not good.</p>
<p>Not good, as nowadays my work time is spent more on removing these absurd and artificial limitations than on doing my job.</p>
<p>Let's look at snap packages or docker containers from a high-level perspective. They are good at isolating and sandboxing, and they are good at grouping all the dependencies of an application with that application.</p>
<p>But we are also replicating the basic libraries, so we are witnessing the birth of another DLL hell, because upstream developers will <em>not</em> keep track of all the updates and security fixes to the <em>dependencies</em> of their applications, so we end up with multiple versions of libraries, tools and applications of dubious update schedule and reliability. In short, <em>a very big mess</em>.</p>
</div>
2020-05-01T12:30:46Z

By Alex Xu on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:df01bb9815995338d56382dbbb5cd924cbaba485
<div class="wikitext"><p>I interpret "A workaround is to bind mount the home directory outside /home into /home." to mean that if your home directory is in /usr/home/myuser, then snap will work if you execute "mount --bind /usr/home/myuser /home/myuser" before running the program.</p>
<p>Assuming this is the case, pam_mount is perfectly capable of performing this task upon log in based on the user's actual registered home directory.</p>
<p>Linux is also perfectly capable of handling large numbers of mounts. The default maximum is apparently 100000. With 100 mounts, each mount/umount takes about 1ms, which ought to be negligible if you're using Ubuntu anyways. With 10000 mounts, the userspace utilities stop working properly though. If you have 10000 simultaneous active logins on a single machine, probably nothing else will work anyways, so it's a moot point.</p>
<p>I agree that snaps are terrible, but this particular problem seems reasonably easy to work around. It's possible (probable) that there are other issues, the sum of which amount to "not worth it anymore", but that doesn't bear on whether this particular issue is a dealbreaker.</p>
</div>
2020-05-01T03:44:04Z

By Chris Siebenmann on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:c1b8079466c377e260f1ec6bb70da4eeaf0506b5
<div class="wikitext"><p>I don't believe that symlinks will work, because the underlying problem
is that snaps are sandboxed, with limited access to areas of the
filesystem. So I expect that your home directory must be under /home as
the kernel sees it, which is after symlinks are resolved. Bind mounts
will do this; other mechanisms mostly not.</p>
<p>As far as pam_mount goes, it's not just the /home mount that
matters, it's also what /etc/passwd says. Changing user real home
directories to appear in /home is a disruptive change that affects
everyone who previously used other paths, as well as programs that
'know' where your home directory is (or was), and it would require
significant changes to our overall passwd distribution system. Also,
our login servers routinely have upwards of 40 different people logged
in. We're not willing to do this much work and go through this much
disruption for Chromium, or indeed for any Snaps.</p>
</div>
2020-04-30T16:00:43Z

By Alex Xu on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:87a6b30eb78bafcf00478e85ecc0025553cbb722
<div class="wikitext"><p>This seems like it could be worked around reasonably easily with pam_mount. You wouldn't need to pre-compile a list of all users that might log in, and installing and testing new software isn't so bad if you're already upgrading the whole OS anyway.</p>
</div>
2020-04-30T14:18:10Z

From 87.91.255.227 on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:6664ea8652ce4ca278cf8a43f3b4ff06ae943b20
<div class="wikitext"><p>Just out of curiosity, is symlinking your "$HOME" into "/home" enough to trick chromium into working? If not, why?</p>
</div>
2020-04-30T13:33:02Z

By Peter Donis (http://blog.peterdonis.com) on /blog/linux/Ubuntu2004SnapsHomeIssue
tag:CSpace:blog/linux/Ubuntu2004SnapsHomeIssue:d0c5c3df99fe64567f18e55cafcba50cc54bb2a0
<div class="wikitext"><blockquote><p>I have to say that Canonical's Snappy system does not appear to be designed for anything except small environments, such as desktops and laptops used by one or a few people.</p>
</blockquote>
<p>I'm "one or a few people" and I don't like the idea of snaps. To me it seems like another shiny new thing trying to "fix" something that isn't broken. What's wrong with "apt-get install"?</p>
</div>
2020-04-30T07:25:04Z
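As an added example that is not part of the thread and is not Canonical's, snapd's or Chris Siebenmann's code, the POSIX shell script below approximates the condition the comments above describe: the home directory the passwd database lists, not <code>$HOME</code>, has to lie under /home as the kernel sees it after symlinks are resolved. That is why the symlink suggested in the thread does not satisfy it while a bind mount (by hand or via pam_mount) does, and why Chris's <code>HOME=/tmp/test</code> test changes nothing for snaps. The passwd entries, user names and the scratch directory tree are constructed for the demo; <code>snap_home_status</code> is my own check, not snapd's actual logic, and it relies on GNU coreutils <code>readlink -f</code>.

```shell
#!/bin/sh
# Added example, not code from the thread, Chris Siebenmann, or Canonical.
# It checks the condition the comments describe for snaps: the home
# directory recorded in the passwd database must lie under /home as the
# kernel sees it (after symlink resolution), and $HOME is never consulted.
# The passwd entries below are constructed samples, not real accounts.

SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/h/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/zsh'

# passwd_home USER: the home directory field of USER's entry in SAMPLE_PASSWD.
# On a live system this would be: getent passwd "$1" | cut -d: -f6
passwd_home() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $6 }'
}

# kernel_path ROOT PATH: PATH as the kernel resolves it (symlinks followed).
# ROOT is prefixed so the demo can run in a scratch tree; it is empty on a
# live system.  Uses GNU coreutils readlink -f.
kernel_path() {
    readlink -f -- "$1$2"
}

# snap_home_status ROOT USER: prints one word and returns 0 only for "ok":
#   ok               passwd home is a real directory under /home
#   outside-home     passwd home is not under /home at all (the /h/... case)
#   symlink-escapes  passwd home is under /home but is a symlink elsewhere
#   missing          no passwd entry for USER
# $HOME is deliberately ignored, matching the behaviour described above.
snap_home_status() {
    root=$1
    h=$(passwd_home "$2")
    [ -n "$h" ] || { echo missing; return 1; }
    case "$h" in
        /home/*) ;;
        *) echo outside-home; return 1 ;;
    esac
    real=$(kernel_path "$root" "$h")
    case "$real" in
        "$root"/home/*) echo ok; return 0 ;;
        *) echo symlink-escapes; return 1 ;;
    esac
}

# build_scratch: creates a scratch tree covering the three sample users and
# prints its path.  carol's /home/carol is a symlink into /usr/home, the
# "just symlink it into /home" idea raised in the thread.
build_scratch() {
    scratch=$(readlink -f "$(mktemp -d)")
    mkdir -p "$scratch/home/alice" "$scratch/h/bob" "$scratch/usr/home/carol"
    ln -s "$scratch/usr/home/carol" "$scratch/home/carol"
    printf '%s\n' "$scratch"
}

main() {
    scratch=$(build_scratch)
    for u in alice bob carol dave; do
        printf '%-6s %s\n' "$u" "$(snap_home_status "$scratch" "$u")"
    done
    # Chris's quick test, HOME=/tmp/test <program>, changes nothing here:
    # the check reads the passwd database, not the environment.
    printf 'bob with HOME overridden: %s\n' \
        "$(HOME=$scratch/home/alice snap_home_status "$scratch" bob)"
    rm -rf "$scratch"
}

main "$@"
```

A bind mount of /usr/home/carol onto /home/carol would make the carol case pass, because after the mount the kernel resolves /home/carol to a directory that really is under /home; that step needs root and is left out of the demo. The bob case cannot be fixed by any mount, since the passwd entry itself points outside /home, which is the disruptive change the thread discusses.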