ufw

ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting) with snap under LXD

Bug #1808463 reported by Luke Walker
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ufw
Fix Released
High
Jamie Strandboge

Bug Description

On fresh 18.04 lxc, I run the following series of commands
1. apt purge ufw
2. snap install ufw
3. /snap/bin/ufw enable
ERROR: problem running ufw-init
Could not find /lib/ufw/ufw-init-functions (aborting)

>find / -name ufw-init-functions
/var/snap/ufw/120/lib/ufw/ufw-init-functions
/snap/ufw/120/lib/ufw/ufw-init-functions

>ufw --version
ufw 0.36rc

>snap version
snap 2.36.2
snapd 2.36.2
series 16
ubuntu 18.04
kernel 4.15.0-42-generic

>snap info ufw
name: ufw
summary: ufw - Uncomplicated Firewall
publisher: Canonical✓
contact: https://bugs.launchpad.net/ufw/+filebug
license: unset
description: |
  ufw is a program for managing a netfilter firewall and aims to provide an easy to use experience
  for the user.
commands:
  - ufw.conntrack
  - ufw.doc
  - ufw.init
  - ufw.ipset
  - ufw
services:
  ufw.srv: oneshot, enabled, inactive
snap-id: Jb8klqgs5djfejP5egB9Za8KYVK686Pe
tracking: stable
refresh-date: today at 02:18 UTC
channels:
  stable: 0.36rc (120) 737kB -
  candidate: 0.36rc (120) 737kB -
  beta: 0.36rc (95) 733kB -
  edge: 0.36rc (200) 737kB -
installed: 0.36rc (120) 737kB -

Tags: snap
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug. I'm unable to reproduce:

$ sudo dpkg -l|grep ufw

$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

$ sudo snap install ufw
ufw 0.36rc from Canonical✓ installed

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
jamie@server:~$ snap info ufw
name: ufw
summary: ufw - Uncomplicated Firewall
publisher: Canonical✓
contact: https://bugs.launchpad.net/ufw/+filebug
license: unset
description: |
  ufw is a program for managing a netfilter firewall and aims to provide an easy
  to use experience for the user.
commands:
  - ufw.conntrack
  - ufw.doc
  - ufw.init
  - ufw.ipset
  - ufw
services:
  ufw.srv: oneshot, enabled, inactive
snap-id: Jb8klqgs5djfejP5egB9Za8KYVK686Pe
tracking: stable
refresh-date: today at 08:49 CST
channels:
  stable: 0.36rc (120) 737kB -
  candidate: 0.36rc (120) 737kB -
  beta: 0.36rc (95) 733kB -
  edge: 0.36rc (200) 737kB -
installed: 0.36rc (120) 737kB -

The snap should never be looking for /lib/ufw/ufw-init-functions because we are specifying --rootdir and --datadir in /snap/ufw/current/bin/cli, which is what is invoked by /snap/bin/ufw.

Can you retry your reproducer, ideally as a separate user, to see if you are seeing it? If so, can you provide more details on your environment and anything you might have done to make snaps work in general, etc? If as a separate user you don't see it, but as your user you do, can you examine any shell aliases, local-to-your-user wrapper commands or your shell's environment to try to determine the cause?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

As a datapoint, can you also:

$ sudo snap remove ufw
$ sudo snap install ufw --beta

(beta has the previous snap revision that was in the store up until this week).

Changed in ufw:
importance: Undecided → High
status: New → Incomplete
Revision history for this message
Luke Walker (alexdee) wrote : Re: [Bug 1808463] Re: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting)

I think it's related to LXC. I installed ufw from snap on my host without
issue.

>lxc exec elegant-eft /bin/bash
root@elegant-eft:~# snap remove ufw
ufw removed
root@elegant-eft:~# snap install ufw --beta
ufw (beta) 0.36rc from Canonical✓ installed
root@elegant-eft:~# ufw enable
ERROR: problem running ufw-init
Could not find /lib/ufw/ufw-init-functions (aborting)

root@elegant-eft:~# snap run --shell ufw
root@elegant-eft:/root# echo $SNAP
/snap/ufw/95
root@elegant-eft:/root# echo $SNAP_DATA
/var/snap/ufw/95

On Fri, Dec 14, 2018 at 7:16 AM Jamie Strandboge <email address hidden> wrote:

> As a datapoint, can you also:
>
> $ sudo snap remove ufw
> $ sudo snap install ufw --beta
>
> (beta has the previous snap revision that was in the store up until this
> week).
>
> ** Changed in: ufw
> Importance: Undecided => High
>
> ** Changed in: ufw
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1808463
>
> Title:
> ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-
> functions (aborting)
>
> Status in ufw:
> Incomplete
>
> Bug description:
> On fresh 18.04 lxc, I run the following series of commands
> 1. apt purge ufw
> 2. snap install ufw
> 3. /snap/bin/ufw enable
> ERROR: problem running ufw-init
> Could not find /lib/ufw/ufw-init-functions (aborting)
>
> >find / -name ufw-init-functions
> /var/snap/ufw/120/lib/ufw/ufw-init-functions
> /snap/ufw/120/lib/ufw/ufw-init-functions
>
> >ufw --version
> ufw 0.36rc
>
> >snap version
> snap 2.36.2
> snapd 2.36.2
> series 16
> ubuntu 18.04
> kernel 4.15.0-42-generic
>
> >snap info ufw
> name: ufw
> summary: ufw - Uncomplicated Firewall
> publisher: Canonical✓
> contact: https://bugs.launchpad.net/ufw/+filebug
> license: unset
> description: |
> ufw is a program for managing a netfilter firewall and aims to provide
> an easy to use experience
> for the user.
> commands:
> - ufw.conntrack
> - ufw.doc
> - ufw.init
> - ufw.ipset
> - ufw
> services:
> ufw.srv: oneshot, enabled, inactive
> snap-id: Jb8klqgs5djfejP5egB9Za8KYVK686Pe
> tracking: stable
> refresh-date: today at 02:18 UTC
> channels:
> stable: 0.36rc (120) 737kB -
> candidate: 0.36rc (120) 737kB -
> beta: 0.36rc (95) 733kB -
> edge: 0.36rc (200) 737kB -
> installed: 0.36rc (120) 737kB -
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ufw/+bug/1808463/+subscriptions
>

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting)

It works fine for me using the lxd snap on an 18.04 host with an 18.04 container:

$ lxc launch ubuntu:18.04 c1
Creating c1
Starting c1

$ lxc exec c1 /bin/bash

root@c1:~# sudo snap install ufw
ufw 0.36rc from Canonical✓ installed

root@c1:~# sudo ufw enable
Firewall is active and enabled on system startup

Changed in ufw:
importance: High → Undecided
Revision history for this message
Luke Walker (alexdee) wrote : Re: [Bug 1808463] Re: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting)
Download full text (3.3 KiB)

Running "apt purge ufw" beforehand makes the difference for me.

Regardless, looks like a snappy/AppArmor bug, not ufw. Thanks!

[74152.551988] audit: type=1400 audit(1544822995.473:428):
apparmor="DENIED" operation="ptrace"
namespace="root//lxd-c2_<var-snap-lxd-common-lxd>"
profile="snap.ufw.ufw" pid=18723 comm="python3" requested_mask="trace"
denied_mask="trace" peer="snap.ufw.ufw"
[74152.552268] audit: type=1400 audit(1544822995.477:429):
apparmor="DENIED" operation="ptrace"
namespace="root//lxd-c2_<var-snap-lxd-common-lxd>"
profile="snap.ufw.ufw" pid=18723 comm="python3" requested_mask="trace"
denied_mask="trace" peer="snap.ufw.ufw"
[74152.552917] audit: type=1400 audit(1544822995.477:430):
apparmor="DENIED" operation="ptrace"
namespace="root//lxd-c2_<var-snap-lxd-common-lxd>"
profile="snap.ufw.ufw" pid=18723 comm="python3" requested_mask="trace"
denied_mask="trace" peer="unconfined"
[74152.553151] audit: type=1400 audit(1544822995.477:431):
apparmor="DENIED" operation="ptrace"
namespace="root//lxd-c2_<var-snap-lxd-common-lxd>"
profile="snap.ufw.ufw" pid=18723 comm="python3" requested_mask="trace"
denied_mask="trace" peer="unconfined"

On Fri, Dec 14, 2018 at 1:00 PM Jamie Strandboge <email address hidden> wrote:

> It works fine for me using the lxd snap on an 18.04 host with an 18.04
> container:
>
> $ lxc launch ubuntu:18.04 c1
> Creating c1
> Starting c1
>
> $ lxc exec c1 /bin/bash
>
> root@c1:~# sudo snap install ufw
> ufw 0.36rc from Canonical✓ installed
>
> root@c1:~# sudo ufw enable
> Firewall is active and enabled on system startup
>
> ** Changed in: ufw
> Importance: High => Undecided
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1808463
>
> Title:
> ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-
> functions (aborting)
>
> Status in ufw:
> Incomplete
>
> Bug description:
> On fresh 18.04 lxc, I run the following series of commands
> 1. apt purge ufw
> 2. snap install ufw
> 3. /snap/bin/ufw enable
> ERROR: problem running ufw-init
> Could not find /lib/ufw/ufw-init-functions (aborting)
>
> >find / -name ufw-init-functions
> /var/snap/ufw/120/lib/ufw/ufw-init-functions
> /snap/ufw/120/lib/ufw/ufw-init-functions
>
> >ufw --version
> ufw 0.36rc
>
> >snap version
> snap 2.36.2
> snapd 2.36.2
> series 16
> ubuntu 18.04
> kernel 4.15.0-42-generic
>
> >snap info ufw
> name: ufw
> summary: ufw - Uncomplicated Firewall
> publisher: Canonical✓
> contact: https://bugs.launchpad.net/ufw/+filebug
> license: unset
> description: |
> ufw is a program for managing a netfilter firewall and aims to provide
> an easy to use experience
> for the user.
> commands:
> - ufw.conntrack
> - ufw.doc
> - ufw.init
> - ufw.ipset
> - ufw
> services:
> ufw.srv: oneshot, enabled, inactive
> snap-id: Jb8klqgs5djfejP5egB9Za8KYVK686Pe
> tracking: stable
> refresh-date: today at 02:18 UTC
> channels:
> stable: 0.36rc (120) 737kB -
> candidate: 0.36rc (120) 737kB -
> beta: 0.36rc (95) 733kB -
> edge: 0.36rc (200) 737...

Read more...

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting)

With the 'apt-get remove --purge ufw' before hand, I can reproduce. Thanks for the extra info!

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Incomplete → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Assigning as medium priority for now. This doesn't seem to affect bare metal or VMs, just LXD.

Changed in ufw:
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is a bug in the snap where it was using '-s' instead of '-n' for string emptiness, which is obviously wrong. It worked by luck on non-LXD. Fixed in:

https://git.launchpad.net/ufw/commit/?id=7947dc0f4ce8441dfaf6b79f0a436e7a6d93d85f

I pushed this to master and release/0.36 which means that the edge and beta snaps will have this once the builds complete (ie, not before revision 226 of the snap). Due to a separate issue, you'll need to do an install of the snap. Eg:

root@c1:~# snap remove ufw
root@c1:~# snap install ufw --beta

I plan to publish this fix to stable next week.

Changed in ufw:
status: Confirmed → Fix Committed
importance: Medium → High
summary: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-
- functions (aborting)
+ functions (aborting) with snap under LXD
Revision history for this message
Luke Walker (alexdee) wrote : Re: [Bug 1808463] Re: ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-functions (aborting)
Download full text (3.7 KiB)

Beta looks good to me. Thanks!

root@c2:~# sudo snap refresh ufw --beta
ufw (beta) 0.36 from Canonical✓ refreshed
root@c2:~# ufw enable
Firewall is active and enabled on system startup
root@c2:~# ufw --version
ufw 0.36
Copyright 2008-2015 Canonical Ltd.
root@c2:~# snap info ufw
name: ufw
summary: ufw - Uncomplicated Firewall
publisher: Canonical✓
contact: https://bugs.launchpad.net/ufw/+filebug
license: GPL-3.0 AND GPL-2.0+
description: |
  ufw is a program for managing a netfilter firewall and aims to
provide an easy to use experience
  for the user.
commands:
  - ufw.conntrack
  - ufw.doc
  - ufw.init
  - ufw.ipset
  - ufw
services:
  ufw.srv: oneshot, enabled, inactive
snap-id: Jb8klqgs5djfejP5egB9Za8KYVK686Pe
tracking: beta
refresh-date: today at 20:03 UTC
channels:
  stable: 0.36rc (120) 737kB -
  candidate: 0.36 (270) 737kB -
  beta: 0.36 (286) 737kB -
  edge: 0.36+git (289) 737kB -
installed: 0.36 (286) 737kB -

On Sat, Dec 15, 2018 at 7:30 AM Jamie Strandboge <email address hidden> wrote:

> This is a bug in the snap where it was using '-s' instead of '-n' for
> string emptiness, which is obviously wrong. It worked by luck on non-
> LXD. Fixed in:
>
>
> https://git.launchpad.net/ufw/commit/?id=7947dc0f4ce8441dfaf6b79f0a436e7a6d93d85f
>
> I pushed this to master and release/0.36 which means that the edge and
> beta snaps will have this once the builds complete (ie, not before
> revision 226 of the snap). Due to a separate issue, you'll need to do an
> install of the snap. Eg:
>
> root@c1:~# snap remove ufw
> root@c1:~# snap install ufw --beta
>
> I plan to publish this fix to stable next week.
>
> ** Changed in: ufw
> Status: Confirmed => Fix Committed
>
> ** Changed in: ufw
> Importance: Medium => High
>
> ** Summary changed:
>
> - ERROR: problem running ufw-init Could not find
> /lib/ufw/ufw-init-functions (aborting)
> + ERROR: problem running ufw-init Could not find
> /lib/ufw/ufw-init-functions (aborting) with snap under LXD
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1808463
>
> Title:
> ERROR: problem running ufw-init Could not find /lib/ufw/ufw-init-
> functions (aborting) with snap under LXD
>
> Status in ufw:
> Fix Committed
>
> Bug description:
> On fresh 18.04 lxc, I run the following series of commands
> 1. apt purge ufw
> 2. snap install ufw
> 3. /snap/bin/ufw enable
> ERROR: problem running ufw-init
> Could not find /lib/ufw/ufw-init-functions (aborting)
>
> >find / -name ufw-init-functions
> /var/snap/ufw/120/lib/ufw/ufw-init-functions
> /snap/ufw/120/lib/ufw/ufw-init-functions
>
> >ufw --version
> ufw 0.36rc
>
> >snap version
> snap 2.36.2
> snapd 2.36.2
> series 16
> ubuntu 18.04
> kernel 4.15.0-42-generic
>
> >snap info ufw
> name: ufw
> summary: ufw - Uncomplicated Firewall
> publisher: Canonical✓
> contact: https://bugs.launchpad.net/ufw/+filebug
> license: unset
> description: |
> ufw is a program for managing a netfilter firewall and aims to provide
> an easy to use experience
> for the user.
> co...

Read more...

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is now fixed in the snap in the stable channel.

Changed in ufw:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.