Has anybody ever snapped gunicorn?

Robert Park robert.park at canonical.com
Mon Oct 10 16:51:27 UTC 2016


Hi Alfonso, thanks for the response

On Oct 9, 2016 11:59 PM, "Alfonso Sanchez-Beato" <alfonso.sanchez-beato at canonical.com> wrote:
> On Mon, Oct 10, 2016 at 1:56 AM, Robert Park <robert.park at canonical.com> wrote:
>>
>> Right, so that was a $PYTHONPATH issue indeed which I've fixed by
>> setting this in a wrapper script:
>>
>> export PYTHONPATH="$SNAP/usr/lib/python3/dist-packages:$SNAP/src"
>>
>>
>> But still gunicorn is not working. When I run it, I get this error:
>>
>> $ sudo quantifiedself.server
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Starting gunicorn 19.4.5
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Listening at: http://0.0.0.0:8080 (4365)
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Using worker: sync
>> fish: “sudo quantifiedself.server” terminated by signal SIGSYS (Bad system call)
>>
>>
>> All I can find in kern.log is this, but it doesn't mean much to me:
>>
>> 236:Oct  9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400
>> audit(1476055802.615:377): apparmor="DENIED" operation="capable"
>> profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3"
>> capability=1  capname="dac_override"
>> 237:Oct  9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326
>> audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365
>> comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c000003e
>> syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0
>>
>>
>> Anybody have any ideas how to troubleshoot this?
>
>
> The first trace is for apparmor, you need to have
>
> capability dac_override,
>
> in the apparmor snippet of one of the interfaces you are using.
>
> The second one seems to be from seccomp when calling syscall 92, which
> happens to be chown. You would need to have that call in the seccomp
> snippet of one interface you are using.
>
> Not sure if you miss some interface/connection or if these need to be
> added to one interface you are using.

Well, so far the only interfaces I needed were network and network-bind. Is
there even a snap interface that provides dac_override and chown? I
couldn't find any in a quick Google search.

Or am I better off digging into gunicorn and figuring out why it's trying
to chown and patching it to not do that?
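
The reading of the two kern.log records given in the quoted reply can be automated. The following is an added example, not part of the original message or of snapd: it parses audit records of type 1400 (AppArmor) and 1326 (seccomp) and reports the capability rule or syscall name behind each denial. The function names and the hand-written subset of the x86_64 syscall table are assumptions of this sketch.

```python
import re

# Subset of the x86_64 syscall table; arch=c000003e is AUDIT_ARCH_X86_64.
X86_64_SYSCALLS = {90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown",
                   94: "lchown", 260: "fchownat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two kern.log records quoted in the message, unwrapped to one line each.
SAMPLE = [
    'Oct  9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400 '
    'audit(1476055802.615:377): apparmor="DENIED" operation="capable" '
    'profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3" '
    'capability=1  capname="dac_override"',
    'Oct  9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326 '
    'audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365 '
    'comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c000003e '
    'syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0',
]

def explain(line):
    """Return a dict describing one denial, or None for unrelated lines."""
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
        # AppArmor: a denied capability check names the capability directly.
        rule = None
        if f.get("operation") == "capable" and "capname" in f:
            rule = "capability %s," % f["capname"]
        return {"source": "apparmor", "comm": f.get("comm"),
                "profile": f.get("profile"), "rule": rule}
    if f.get("type") == "1326" and f.get("syscall", "").isdigit():
        # seccomp: only a syscall number is logged, and it is per-architecture.
        name = None
        if f.get("arch") == "c000003e":
            name = X86_64_SYSCALLS.get(int(f["syscall"]))
        return {"source": "seccomp", "comm": f.get("comm"),
                "signal": int(f.get("sig", 0)), "rule": name}
    return None

def summarize(lines):
    """Explain every AppArmor/seccomp denial found in an iterable of lines."""
    return [r for r in map(explain, lines) if r is not None]

if __name__ == "__main__":
    for result in summarize(SAMPLE):
        print(result)
```

A `rule` of `None` means the record was a denial but the sketch could not name it, for example a syscall outside the small table or a record from another architecture.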