** Description changed: [SRU] 2.70: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2112209 [ Impact ] Systems running snapd 2.70 contain additional features in seed-restart- - system-key which aren't in `livecd-rootfs` for Focal. Specifically, the - `policy/outofband` preseed file is missing which when performing - preseeding in a LXD container. This also causes boot times to slow down, - which is a side effect and not the actual bug. + system-key which aren't in `livecd-rootfs` for Focal and Jammy. + Specifically, the `policy/outofband` preseed file is missing which when + performing preseeding in a LXD container. This also causes boot times to + slow down, which is a side effect and not the actual bug. [ Test Plan ] 1. Produce error with snapd 2.70 (existing evidence is fine) 2. Switch to snapd 2.71 3. Proof the preseeding works and preseeding files are not missing. [ Initial Investigation ] Systems running snapd 2.70 (revision 24792) contain additional features in seed-restart-system-key. This breaks automated tests that validate snap pre-seeding behavior. Not every Ubuntu series is affected. focal-2.68/apparmor-features.diff: ``` --- livecd-rootfs-apparmor-features.list 2025-06-24 16:25:52.262557956 +0200 +++ sys-kernel-security-apparmor-features.list 2025-06-24 16:25:30.719172692 +0200 
@@ -31,6 +31,7 @@ - ./network_v8/ - ./network_v8/af_mask - ./policy/ + ./network_v8/ + ./network_v8/af_mask + ./policy/ +./policy/outofband - ./policy/set_load - ./policy/versions/ - ./policy/versions/v5 + ./policy/set_load + ./policy/versions/ + ./policy/versions/v5 ``` The example above shows difference between AppArmor features listed in livecd-rootfs (focal) and those present when the system boots in /sys/kernel/security/apparmor/features on the image running snapd 2.68.4.1. My guess is that the new file in sysfs was introduced by new kernel version. focal-2.70/apparmor-features.diff: same as above The image with snapd 2.70 was built with the same livecd-rootfs and is running the same kernel as the image with snapd 2.68. There’s no difference. focal-2.68/system-key.diff: empty The image with snapd 2.68 does not register the new AppArmor feature neither `preseed-system-key` nor in `seed-restart-system-key`. focal-2.70/system-key.diff: ``` --- preseed-system-key.json 2025-06-24 16:25:30.471168251 +0200 +++ seed-restart-system-key.json 2025-06-24 16:25:30.484168484 +0200 @@ -34,6 +34,7 @@ - "network_v8", - "network_v8:af_mask", - "policy", + "network_v8", + "network_v8:af_mask", + "policy", + "policy:outofband", - "policy:set_load", - "policy:versions", - "policy:versions:v5", + "policy:set_load", + "policy:versions", + "policy:versions:v5", ``` However, the image with snapd 2.70 registers this new feature in seed- restart-system-key.
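Review bot: the reworded Impact paragraph (the `+` lines that widen the scope to "Focal and Jammy") keeps the unfinished clause "is missing which when performing preseeding in a LXD container", so the description never says what actually fails during preseeding; finish that sentence with the observed failure. The wider scope is also not backed by the evidence that follows: Initial Investigation only carries the focal-2.68 and focal-2.70 diffs, so either attach the matching Jammy comparison or state that the same `policy/outofband` difference was seen there.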
** Also affects: ubuntu
   Importance: Undecided
       Status: New

** No longer affects: ubuntu

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2116974

Title:
  Extra AppArmor features in Snapd 2.70 causes snap preseed to be
  unoptimized