Because packaging software is hard and nobody cares about disk space or performance anymore, some developers provide snap images instead of proper packages. Unfortunately, they don't play nicely with Proxmox's LXC containers by default:
root@host:~# snap install core
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
/tmp/sanity-mountpoint-191525796: mount failed: Operation not permitted.
root@host:~#
This is because containers aren't allowed to mount whatever they want. Fortunately, FUSE saves the day: we simply need to allow it inside the container, in the container's configuration. Oh, and nesting is required too, since snap needs it as well:
features: mount=fuse,nesting=1
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
In the container, you'll need squashfuse and fuse, to allow it to, well,
make use of squashfs, via fuse. And because security is hard™ too, you'll now
get this warning from AppArmor:
2023-04-06T23:27:51Z blablabla.daemon[1564]: aa_is_enabled() failed unexpectedly (No such file or directory): No such file or directory
The solution is to export /sys/kernel/security inside of the container, which
is acceptable security-wise, since the container is unprivileged anyway, so it
hopefully shouldn't be able to mess around with its own security-shenanigans:
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
Still, it would be nice if Canonical, the people driving AppArmor, LXC and snapd, could get their shit together and provide something less shoddy.
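
To confirm that a container carries every setting above and is still unprivileged (the assumption the security argument rests on), the following added example, which is not from the original post, audits its config file on the host. The `/etc/pve/lxc/<vmid>.conf` path, the `unprivileged: 1` key and the skipping of `[snapshot]` sections are assumptions based on Proxmox's config layout; `audit_snap_lxc_conf` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC config for the settings used in this post.
# Assumption: the config is /etc/pve/lxc/<vmid>.conf on the host.
audit_snap_lxc_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/[ \t\r]+$/, "") }            # drop trailing whitespace
        /^\[/ { exit }                      # snapshot sections follow; only the head is live
        /^unprivileged:[ \t]*1$/ { ok["unprivileged: 1"] = 1 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, feat, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (feat[i] == "nesting=1") ok["features nesting=1"] = 1
                if (sub(/^mount=/, "", feat[i])) {   # mount= takes a ;-separated list
                    m = split(feat[i], fs, ";")
                    for (j = 1; j <= m; j++)
                        if (fs[j] == "fuse") ok["features mount=fuse"] = 1
                }
            }
        }
        /^lxc\.mount\.entry[ \t]*[:=]/ {
            sub(/^lxc\.mount\.entry[ \t]*[:=][ \t]*/, "")
            split($0, e, /[ \t]+/)          # e[1]=source e[2]=target e[4]=options
            if (e[4] !~ /(^|,)bind(,|$)/) next
            if (e[1] == "/dev/fuse" && e[2] == "dev/fuse") ok["bind /dev/fuse"] = 1
            if (e[1] == "/sys/kernel/security" && e[2] == "sys/kernel/security")
                ok["bind /sys/kernel/security"] = 1
        }
        END {
            req = "unprivileged: 1|features mount=fuse|features nesting=1"
            req = req "|bind /dev/fuse|bind /sys/kernel/security"
            n = split(req, want, "|")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) { print "MISSING: " want[i]; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_snap_lxc_conf "$1"; fi
```

The function prints one `MISSING:` line per absent setting and returns non-zero if any is missing, so it can gate a provisioning script.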