service with shared libraries

Andrei Porumb anporumb at microsoft.com
Mon Apr 13 23:24:08 UTC 2015 

Hello Jamie,

	I am using the image for Beagle Bone Black as instructed in http://www.ubuntu.com/things (I don't know if I mentioned this before).

	I just redid my whole setup and followed your instructions.

	The service still fails to start, same segmentation fault. The app still runs nicely, no problems. Modifying the profile to allow execution of ldd worked, and ldd prints out exactly the information I was expecting to see, that is, curl and qpid-proton (the shared libraries) are to be loaded from the ./bin folder.

	This is the script I am using to start the service:

#!/bin/sh
export LD_LIBRARY_PATH=./bin
ldd ./bin/FunkyTv
./bin/FunkyTv
echo this line should never be executed.

	This is the output of ldd ./bin/FunkyTv when ran as service:

Apr 13 23:11:42 localhost.localdomain sum.sh[1215]: libcurl.so.4 => ./bin/libcurl.so.4 (0xb6ec6000)
Apr 13 23:11:42 localhost.localdomain sum.sh[1215]: libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0xb6e9e000)
Apr 13 23:11:42 localhost.localdomain sum.sh[1215]: libqpid-proton.so.2 => ./bin/libqpid-proton.so.2 (0xb6e62000)


Journalctl doesn't say much either (you see a lot of output from ldd and then, just when the executable is about to start... Segmentation fault).

ubuntu at localhost:/apps/simplesampleamqp/current$ sudo journalctl -f -u simplesampleamqp_sum_52
-- Logs begin at Thu 2015-02-26 22:05:15 UTC. --
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libgpg-error.so.0 => /lib/arm-linux-gnueabihf/libgpg-error.so.0 (0xb65bb000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libffi.so.6 => /usr/lib/arm-linux-gnueabihf/libffi.so.6 (0xb65a5000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libwind.so.0 => /usr/lib/arm-linux-gnueabihf/libwind.so.0 (0xb656c000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libheimbase.so.1 => /usr/lib/arm-linux-gnueabihf/libheimbase.so.1 (0xb6553000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libhx509.so.5 => /usr/lib/arm-linux-gnueabihf/libhx509.so.5 (0xb6517000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libsqlite3.so.0 => /usr/lib/arm-linux-gnueabihf/libsqlite3.so.0 (0xb648f000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libcrypt.so.1 => /lib/arm-linux-gnueabihf/libcrypt.so.1 (0xb6450000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: libgcc_s.so.1 => /lib/arm-linux-gnueabihf/libgcc_s.so.1 (0xb6426000)
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: Segmentation fault
Apr 13 23:15:42 localhost.localdomain sum.sh[1239]: this line should never be executed.

	I also tried inserting these two shared libraries directly into the snappy image. I seem to have failed that step because the image I am getting is not bootable. 

	At the moment I am sort of out of ideas, sadly :(. I am willing to try anything, I even have 2 microSD cards prepared :)

Best Regards,
Andrei Porumb

	

-----Original Message-----
From: Jamie Strandboge [mailto:jamie at canonical.com] 
Sent: Monday, April 13, 2015 1:22 PM
To: Andrei Porumb; snappy-app-devel at lists.ubuntu.com
Subject: Re: service with shared libraries

On 04/13/2015 03:04 PM, Andrei Porumb wrote:
> Hello Jamie,
> 
> 	Thank you for your email. 
> 
> I would love to edit click_simplesample_...44, I do not believe I can 
> do that, the reason being that click_simplesampleamqp_sum_44 is 
> readonly. I cannot create any files in that folder, I believe that 
> Ubuntu Snappy is on purpose configured to not allow any writes in that 
> folder.
> 
You would have to alter this file as an admin. Eg, on the device:
$ sudo vi /var/lib/apparmor/profiles/*simplesampleamqp_sum_44

However, I just uploaded the fix so it will be on the next devel-proposed image anyway.

> But assuming I would add "/usr/bin/ldd ixr," - would that allow the 
> service to load a shared library? Or that would unblock executing 
> "ldd" from a service context only?
> 
I adjusted the default template to allow any app to execute the 'ldd' command.
Apps are already allowed to load a shared library from their app-specific directories.

> Best Regards,
> Andrei Porumb
> 
> -----Original Message-----
> From: Jamie Strandboge [mailto:jamie at canonical.com]
> Sent: Monday, April 13, 2015 11:54 AM
> To: Andrei Porumb; snappy-app-devel at lists.ubuntu.com
> Subject: Re: service with shared libraries
> 
> On 04/13/2015 12:27 PM, Andrei Porumb wrote:
> ...
>>
>> Further investigation revealed that in the small script that attempts 
>> to start the service there cannot be just any command. For example, 
>> "ldd" cannot be there (if it is, there's going to be a DENIAL 
>> something like : Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 audit(1428868390.904:62):
>> apparmor="DENIED" operation="exec" profile="simplesampleamqp_sum_44"
>> name="/usr/bin/ldd" pid=2310 comm="sum.sh" requested_mask="x" denied_mask="x"
>> fsuid=0 ouid=0). Echo is fine to be in the script...
>>
> 
> The apparmor policy is not allowing access to the ldd command. I'll update the policy and upload later today to allow this.
> 
> In the meantime, after you install your snap, you can adjust
> /var/lib/apparmor/profiles/*simplesampleamqp_sum_44 to have this somewhere before the final curl brace (don't forget the comma):
> /usr/bin/ldd ixr,
> 
> Then run:
> $ sudo apparmor_parser -r 
> /var/lib/apparmor/profiles/*simplesampleamqp_sum_44
> 
> Note: this change will be removed if you reinstall the snap.
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/

More information about the snappy-app-devel mailing list