Title: Snap inside of proxmox' lxc containers
Date: 2023-05-01 16:00

Because packaging software is hard and nobody cares about disk space nor
[performance](https://www.phoronix.com/news/Firefox-Snap-Performance-2)
anymore, some developers ship
[snap](https://en.wikipedia.org/wiki/Snap_(software)) images instead of proper
packages. Unfortunately, snapd doesn't play nice with proxmox' [lxc containers](https://linuxcontainers.org/) by
default:

```console
root@host:~# snap install core
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
       /tmp/sanity-mountpoint-191525796: mount failed: Operation not permitted.
root@host:~#
```

This is because containers aren't allowed to mount whatever they want: mounting
a squashfs image with the in-kernel driver is a privileged operation, and an
unprivileged container gets `Operation not permitted` for it. Fortunately,
[fuse](https://en.wikipedia.org/wiki/Filesystem_in_Userspace) saves the day,
since a FUSE mount is served by an unprivileged user-space process; we simply
need to allow it inside of the container and hand it `/dev/fuse`. Oh, and
nesting is required too, since snap needs it as well. Both go in the
container's config, `/etc/pve/lxc/<ctid>.conf` on the proxmox host (proxmox
also has a dedicated `fuse=1` feature flag for FUSE file systems, see the
features section of `man pct`; the `mount=fuse` allow-list form below does the
job too):

```ini
features: mount=fuse,nesting=1
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
```

In the container, you'll need the `squashfuse` and `fuse` packages, so that
snapd can mount its squashfs images through fuse. And because security is hard™
too, snapd will now log this every time it probes for
[AppArmor](https://apparmor.net/) (the call comes from libapparmor, which looks
for securityfs under `/sys/kernel/security` and doesn't find it in the
container):

```
2023-04-06T23:27:51Z blablabla.daemon[1564]: aa_is_enabled() failed unexpectedly (No such file or directory): No such file or directory
```

The solution is to bind-mount the host's `/sys/kernel/security` (securityfs)
inside of the container (`optional` keeps the container booting on a host
where securityfs isn't mounted). This is only acceptable security-wise because
the container is unprivileged: the bind mount is read-write, so the only thing
standing between the container and the host's AppArmor policy is the kernel's
privilege checks on securityfs. Don't copy this line into a privileged
container:

```ini
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
```
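Putting the whole procedure together, here is an added example (not from the original post, nor from proxmox or snapd) of a small POSIX shell script for the proxmox host. It idempotently applies the config lines above to a container config, without clobbering a `features:` line the container may already have, and ships a check to run inside the container before trying `snap install`. Assumptions: the config path `/etc/pve/lxc/<ctid>.conf`, `pct` on the host, and a Debian/Ubuntu-based container where the packages are called `squashfuse` and `fuse` as in the post; `CTID` and the `snaptest` hostname in the comments are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes a proxmox host and an
# *unprivileged* container whose config lives in /etc/pve/lxc/<ctid>.conf.
set -eu

# Append a raw lxc line to a container config unless it is already there.
add_lxc_line() {
    conf=$1; line=$2
    grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Ensure one key=value token is present in the single "features:" line of the
# config, creating the line if there is none. We edit in place rather than using
# `pct set --features`, because that would overwrite every other feature.
add_feature() {
    conf=$1; feat=$2
    if grep -q '^features:' "$conf"; then
        # token must be the whole value or sit between separators (": " or ",")
        grep -qE "^features:( |.*,)${feat}(,|\$)" "$conf" || {
            tmp=$(mktemp)
            awk -v f="$feat" '/^features:/ { $0 = $0 "," f } { print }' "$conf" > "$tmp" \
                && cat "$tmp" > "$conf" && rm -f "$tmp"
        }
    else
        printf 'features: %s\n' "$feat" >> "$conf"
    fi
}

# The four lines from the post: fuse mounts, nesting, /dev/fuse and securityfs.
prepare_ct_conf() {
    conf=$1
    add_feature "$conf" mount=fuse
    add_feature "$conf" nesting=1
    add_lxc_line "$conf" 'lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0'
    add_lxc_line "$conf" 'lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0'
}

# Run *inside* the container: verify the three things snapd needs. Returns 1
# and prints what is missing, mapping each to the symptom seen in the post.
check_ct_runtime() {
    ok=0
    [ -c /dev/fuse ] || { echo "missing /dev/fuse: lxc.mount.entry not applied (restart the CT?)"; ok=1; }
    [ -e /sys/kernel/security/apparmor ] || { echo "securityfs not visible: expect aa_is_enabled() errors"; ok=1; }
    command -v squashfuse >/dev/null 2>&1 || { echo "squashfuse missing: apt-get install squashfuse fuse"; ok=1; }
    return $ok
}

# Usage on the proxmox host (CTID is your container id, a placeholder here):
#   prepare_ct_conf /etc/pve/lxc/CTID.conf
#   pct stop CTID && pct start CTID        # mount entries only apply at start
#   pct exec CTID -- apt-get install -y squashfuse fuse
#   pct exec CTID -- sh -c "$(sed -n '/^check_ct_runtime()/,/^}/p' "$0"); check_ct_runtime"
#   pct exec CTID -- snap install core
```

`add_feature` merges into an existing `features:` line (proxmox writes exactly one), so a container that already carries `nesting=1` ends up with `features: nesting=1,mount=fuse` rather than a second line that would be ignored or rejected. Running `prepare_ct_conf` twice is a no-op.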

Still, it would be nice if [Canonical](https://canonical.com/), the people
driving [apparmor](https://apparmor.net/), [lxc](https://linuxcontainers.org/)
and [snapd](https://snapcraft.io/), could get their shit together and provide
something less shoddy.
