microk8s: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
Hello,
Trying to quick-start microk8s, yet running into following error:
toor@suey:~$ sudo snap install microk8s --classic
[sudo] password for toor:
microk8s v1.13.0 from Canonical✓ installed
toor@suey:~$ sudo microk8s.start
sudo: microk8s.start: command not found
toor@suey:~$ microk8s.kubectl get all --all-namespaces
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ sudo snap refresh --channel=latest/beta microk8s
microk8s (beta) v1.13.1 from Canonical✓ refreshed
Channel latest/beta for microk8s is closed; temporarily forwarding to beta.
toor@suey:~$ microk8s.kubectl get all --all-namespaces
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ microk8s.inspect
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks
toor@suey:~$ sudo microk8s.kubectl get all --all-namespaces
sudo: microk8s.kubectl: command not found
toor@suey:~$
Please advise.
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 4
- Comments: 35 (3 by maintainers)
@a1exus you can also fix it with
According to the conversation in [Ubuntu Forum], this particular answer, fixed my problem.
So, just install
apparmorif don’t have it already, and then enable it by:systemctl enable --now apparmor.serviceNote: For some reasons, it asks for password multiple times. In my case, 5 times!! Don’t give up! 😃
$ snap list$ sudo apt-get install apparmorNow everything will work
fixed the issue for me. Asked for password once 👅
The same error occurs if apparmor service stopped or disabled.
@dxas90 after running this I got
cannot change profile for the next exec call: No such file or directorytrying to up docker containers.fixed my problem thanks ^_^
Yep, that did it. Open
/lib/apparmor/rc.apparmor.functionsand look for the lineADDITIONAL_PROFILE_DIR=and paste your snapd profile directory into that line. For me, the profile directory was/var/lib/snapd/apparmor/profiles/.Had same issue too after dist-upgrade today (all snaps didn’t started), reinstalling apparmor and snapd did not helped…
After running “sudo apparmor_parser…” suggested here there was another error (exact same like @HassanAmed posted). And after some digging deeper got working snaps with
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*It turns out that you should do this every time after reboot… and because of that i’ve found what caused all trouble:So finally
systemctl enable --now snapd.apparmor.servicefixed this for good. Hope this helps somebody.Note: I think that if
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*helps to fix your issue than reinstalling could fix this with high chancesThis works for me, but I have to do it after every reboot
The minimum number of files needed to have their definitions replaced (at least on Kali) is:
The real question is, how do I get it to stay fixed across reboots and how do I do this without requiring root privileges?
i have the same issue. basically all snap apps doesn’t work
service snapd force-reloadorsystemctl restart snapdapparmor is fine. no changes and also tried the profile changing, and this happenedWARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement cannot change profile for the next exec call: No such file or directory snap-update-ns failed with code 1apt remove snapd|apt install snapdis not my option i have limited screentime online every bytes is goldKali, Fedora, Linux Mintbasically distributions that doesn’t have snapcraft pre-installed likepop_os, manjaro, ubuntuSolved it with
sudo snap refresh