need help with freedomotic snappy app

Jamie Strandboge jamie at canonical.com
Mon May 11 22:27:39 UTC 2015


On 05/08/2015 02:10 PM, mauro at freedomotic.com wrote:
> Hi Alexander
> I added
> binaries:
>   - name: bin/start
> 
> When I "start.freedomotic" this is the output:
> 
> (RaspberryPi2)ubuntu at localhost:~$ start.freedomotic
> aa-exec: ERROR: profile 'freedomotic_start_5.6.0' does not exist
> The file freedomotic.apparmor is present. In fact if I launch "start" in
> bin folder with sudo it works.
> After a random time the app is killed.
> 

'start.freedomotic' is not the correct name for the file on either the stable or
the rolling snappy releases-- you should be using 'freedomotic.start'. If
'start.freedomotic' is working for you it indicates either you have some old
files laying around or your system is out of date. Also, running under sudo from
your app's install directory will certainly work-- you are bypassing systemd and
the app launcher (it is useful to know that it works on its own though).

I downloaded the snap from dropbox:
$ click-review /tmp/freedomotic_5.6.0_armhf.snap
/tmp/freedomotic_5.6.0_armhf.snap: pass


and installed on my beaglebone.
$ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap
Installing /tmp/freedomotic_5.6.0_armhf.snap
2015/05/11 21:29:36 Signature check failed, but installing anyway as requested
Name        Date       Version   Developer
ubuntu-core 2015-05-08 55        ubuntu
docker      2015-05-08 1.6.1.002
freedomotic 2015-05-11 5.6.0     sideload
beagleblack 2015-05-08 1.7.1

$ start.freedomotic           # <----- your command which correctly doesn't work
-bash: start.freedomotic: command not found

$ freedomotic.start           # <----- what should work based on your comments,
                              # but doesn't
-bash: freedomotic.start: command not found


In looking at your snappy packaging, you are not specifying any 'binaries', only
a service so you won't get a binary you can use from the command line-- only a
systemd service.

Looking at your package.yaml, there are several issues:
$ cat ./package.yaml
name: freedomotic
architecture: armhf
version: 5.6.0
vendor: Freedomotic Team <info at freedomotic.com>
icon: meta/freedomotic.svg
services:
 - name: freedomotic
   description: "freedomotic runtime"
   start: bin/start
integration:
    freedomotic:
        apparmor: meta/freedomotic.apparmor

First, as mentioned, you don't have a 'binaries' entry[1]. Second, you are using
the obsoleted 'integration' hook for specifying security policy[2] (the review
tools should've caught this, and I've added a todo to fix this). Looking at
freedomotic.apparmor, you aren't doing anything out of the ordinary, so I
suggest you change your yaml to simply:


name: freedomotic
architecture: armhf
version: 5.6.0
vendor: Freedomotic Team <info at freedomotic.com>
icon: meta/freedomotic.svg
services:
 - name: freedomotic
   description: "freedomotic runtime"
   start: bin/start
binaries:
 - name: start
   exec: bin/start
   description: "freedomotic runtime cli"


With the above you will get a systemd service (that calls 'bin/start') *and* a
CLI binary in /apps/bin/freedomotic.start (which also happens to call
'bin/start'-- I'm not sure you actually want to do that in your package, but it
illustrates the point I'm trying to make) and you don't have to do anything
special for security.

After making the above change, make sure your target system is up to date. On my
beaglebone black I have:
$ system-image-cli -i
current build number: 55
device name: generic_armhf
channel: ubuntu-core/15.04/edge
last update: 2015-05-08 08:10:00
version version: 55
version ubuntu: 20150508
version raw-device: 20150508

If you are on the stable channel, you will have a different build number (I'm
not sure about rasp pi2). If I were you, I'd reflash to stable and make sure you
have a clean environment. Once you've done that, install the new package with
the packaging changes I suggested.

If you are iterating and installing the same version over and over again, you
will want to do on your target:
$ sudo snappy remove freedomotic
Removing freedomotic
Waiting for freedomotic_freedomotic_5.6.0.service to stop.

$ sudo snappy purge freedomotic
Purging freedomotic

$ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap


FYI, I built a package with the above changes and now I can use
'freedomotic.start', and it indicates a problem. Eg:

$ freedomotic.start
/apps/freedomotic.sideload/5.6.0/bin/start: 4: cd: can't cd to /apps/freedomotic/current
Launching Freedomotic runtime...
/apps/freedomotic.sideload/5.6.0/bin/start: 9: /apps/freedomotic.sideload/5.6.0/bin/start: /apps/freedomotic/current/jre/bin/java: not found


This is because the app was sideloaded and your 'start' script doesn't handle
that well. You should use the SNAP_* variables in your 'start' script so you
aren't hardcoding paths.

Eg:

$ sudo snappy install hello-world
...
$ hello-world.env|grep SNAP_
SNAP_APP_PATH=/apps/hello-world.canonical/1.0.15
SNAP_ORIGIN=canonical
SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.15
SNAP_FULLNAME=hello-world.canonical
SNAP_NAME=hello-world
SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.15/tmp
SNAP_OLD_PWD=/tmp
SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.15

Do be aware of this bug though:
https://bugs.launchpad.net/snappy-ubuntu/+bug/1449625

So, looking at 'start', if I change this:
appdir=/apps/freedomotic/current
cd $appdir
export JAVA_HOME="/apps/freedomotic/current/jre"

to:
appdir=$SNAP_APP_PATH
cd $appdir
export JAVA_HOME="$appdir/jre"


then "freedomotic.start" tries to do something:
$ freedomotic.start
Launching Freedomotic runtime...
log4j:ERROR Could not find value for key log4j.appender.default.file
log4j:ERROR Could not instantiate appender named "default.file".
INFO  [main] - Freedomotic instance ID: c020cc66-8aba-4274-9ccf-2595037d16d6
INFO  [main] - Creating new messaging broker
INFO  [main] - Configuring messaging broker
INFO  [main] - /apps/freedomotic.sideload/5.6.0/freedomotic


The systemd service also tries to do something too:
$ sudo systemctl stop freedomotic_freedomotic_5.6.0.service
...
$ sudo systemctl start freedomotic_freedomotic_5.6.0.service

However, there is a seccomp denial[3][4]:
$ sudo sc-logresolve /var/log/syslog
May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0

'socketpair' is part of the 'network-service' cap (apps by default only get
client networking), so you can change your yaml to:

name: freedomotic
architecture: armhf
version: 5.6.0
vendor: Freedomotic Team <info at freedomotic.com>
icon: meta/freedomotic.svg
services:
 - name: freedomotic
   description: "freedomotic runtime"
   start: bin/start
   caps:
     - network-service
binaries:
 - name: start
   exec: bin/start
   description: "freedomotic runtime cli"
   caps:
     - network-service

After making these changes, the app gets farther along, but has another security
denial:
apparmor="DENIED" operation="mknod" profile="freedomotic.sideload_freedomotic_5.6.0" name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
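As an added example (not from the thread and not part of the snappy tools), here is a small sh helper that reads syslog lines, summarises the seccomp (type=1326) and AppArmor ("DENIED") entries in them, and prints the remedy this thread arrives at for each kind: the 'network-service' cap for socketpair, and SNAP_APP_DATA_PATH for writes under the read-only install directory. It also copes with an unresolved `syscall=288` (no sc-logresolve), which the thread does not show. The sample lines are constructed from the two denials above (the AppArmor one is given a made-up syslog prefix, and an unrelated systemd line is added as noise); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage of snappy security denials from syslog.
# Not the thread's or the snappy tools' code; function names are hypothetical.

# Constructed sample input: the seccomp line is the thread's sc-logresolve output
# joined onto one line; the AppArmor line is the thread's denial with a made-up
# syslog prefix; the systemd line is noise that must be ignored.
SAMPLE_SYSLOG='May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0
May 11 22:03:05 localhost kernel: [264822.000000] audit: type=1400 audit(1431381785.000:35): apparmor="DENIED" operation="mknod" profile="freedomotic.sideload_freedomotic_5.6.0" name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
May 11 22:03:06 localhost systemd[1]: Started freedomotic_freedomotic_5.6.0.service.'

# snappy_field LINE KEY: print the quoted value of KEY="..." in LINE (empty if absent).
snappy_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# snappy_syscall LINE: syscall name when sc-logresolve resolved it
# (syscall=288(socketpair)), otherwise the raw number (syscall=288).
snappy_syscall() {
    name=$(printf '%s\n' "$1" | sed -n 's/.*syscall=[0-9]*(\([^)]*\)).*/\1/p')
    [ -n "$name" ] || name=$(printf '%s\n' "$1" | sed -n 's/.*syscall=\([0-9]*\).*/\1/p')
    printf '%s\n' "$name"
}

# Read syslog on stdin; print one summary line per denial, nothing for other lines.
snappy_denials() {
    while IFS= read -r line; do
        case "$line" in
            *"type=1326"*)
                printf 'seccomp comm=%s syscall=%s\n' \
                    "$(snappy_field "$line" comm)" "$(snappy_syscall "$line")" ;;
            *'apparmor="DENIED"'*)
                printf 'apparmor comm=%s op=%s mask=%s name=%s\n' \
                    "$(snappy_field "$line" comm)" "$(snappy_field "$line" operation)" \
                    "$(snappy_field "$line" denied_mask)" "$(snappy_field "$line" name)" ;;
        esac
    done
}

# snappy_denial_hint SUMMARY: the fix the thread gives for this kind of denial.
snappy_denial_hint() {
    case "$1" in
        "seccomp "*"syscall=socketpair"*)
            echo "seccomp: 'socketpair' is in the 'network-service' cap; add it under caps: (apps get client networking only by default)" ;;
        "seccomp "*)
            echo "seccomp: syscall outside the default policy; find the cap that grants it in the security-policy guide" ;;
        "apparmor "*"mask="[cw]*" name=/apps/"*)
            echo "apparmor: write into the read-only install dir under /apps; write to SNAP_APP_DATA_PATH instead (snappy FHS)" ;;
        *)
            echo "no hint for: $1" ;;
    esac
}

# Pipe e.g. 'sudo sc-logresolve /var/log/syslog' into this to get summary + hint.
snappy_triage() {
    snappy_denials | while IFS= read -r summary; do
        printf '%s\n  -> %s\n' "$summary" "$(snappy_denial_hint "$summary")"
    done
}

printf '%s\n' "$SAMPLE_SYSLOG" | snappy_triage
```

On a target board the same helper runs over the real log with `sudo sc-logresolve /var/log/syslog | snappy_triage`; the hint table only knows the two cases this thread covers, so anything else is printed with "no hint" for manual lookup in the security-policy guide.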

The app is incorrectly trying to write to the read-only install directory--
security policy enforces the snappy FHS[5]. It should instead be modified to
write out to SNAP_APP_DATA_PATH.
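As an added example that is not part of the thread or of the freedomotic project's own 'start' script, here is a POSIX sh wrapper that applies both points above: it resolves the app directory and JAVA_HOME from SNAP_APP_PATH (as in the change shown earlier, so a sideloaded install under /apps/freedomotic.sideload/5.6.0 works the same as a store one) and gives the runtime a writable directory under SNAP_APP_DATA_PATH instead of the install tree. It refuses to start when the SNAP_* variables are absent rather than falling back to a hardcoded path. The function names and the `-Dfreedomotic.datadir` property are assumptions; the `jre/` subdirectory layout is the one the thread shows.

```shell
#!/bin/sh
# Added example: a 'start' wrapper driven by the SNAP_* launcher environment.
# Not the freedomotic project's script; function names and the
# -Dfreedomotic.datadir property are hypothetical.

# Print app dir, JAVA_HOME and data dir on three lines, resolved from the
# environment that ubuntu-core-launcher sets. Return 1 if they are missing
# (e.g. the script was run by hand with sudo, bypassing the launcher).
freedomotic_paths() {
    if [ -z "${SNAP_APP_PATH:-}" ] || [ -z "${SNAP_APP_DATA_PATH:-}" ]; then
        echo "start: SNAP_APP_PATH/SNAP_APP_DATA_PATH not set; run via freedomotic.start" >&2
        return 1
    fi
    printf '%s\n%s\n%s\n' "$SNAP_APP_PATH" "$SNAP_APP_PATH/jre" "$SNAP_APP_DATA_PATH"
}

# Create the writable plugin tree under SNAP_APP_DATA_PATH and echo it.
# Files such as plugins/.../data/cmd/index.txt belong here: the install
# directory under /apps is read-only and AppArmor denies mknod there.
freedomotic_datadir() {
    if [ -z "${SNAP_APP_DATA_PATH:-}" ]; then
        echo "start: SNAP_APP_DATA_PATH not set" >&2
        return 1
    fi
    dir="$SNAP_APP_DATA_PATH/plugins"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Launch the runtime. Extra arguments are passed through to java.
freedomotic_launch() {
    paths=$(freedomotic_paths) || exit 1
    appdir=$(printf '%s\n' "$paths" | sed -n 1p)
    datadir=$(freedomotic_datadir) || exit 1
    cd "$appdir" || exit 1
    export JAVA_HOME="$appdir/jre"
    echo "Launching Freedomotic runtime..."
    # Hypothetical property: the real app's way of selecting its data
    # directory may differ. The original script's jar/classpath arguments
    # would follow it.
    exec "$JAVA_HOME/bin/java" -Dfreedomotic.datadir="$datadir" "$@"
}

# Only launch when invoked with 'launch', so the functions above can also be
# sourced and checked without starting java. The packaged script would call
# freedomotic_launch "$@" unconditionally here.
if [ "${1:-}" = "launch" ]; then
    shift
    freedomotic_launch "$@"
fi
```

The check in freedomotic_paths is what turns the confusing "can't cd to /apps/freedomotic/current" and "java: not found" output above into a single clear error when someone runs bin/start directly with sudo instead of through the launcher.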

Attached is a diff of the changes I made.

Hope this helps

References:
[1]https://developer.ubuntu.com/en/snappy/guides/packaging-format-apps/
[2]https://developer.ubuntu.com/en/snappy/guides/package-metadata/
[3]https://developer.ubuntu.com/en/snappy/guides/security-policy/
[4]https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging
[5]https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/
https://developer.ubuntu.com/en/snappy/guides/


> On Thu, May 7, 2015 5:36 pm, Alexander Sack wrote:
>> Oh,
>>
>>
>> if you don't know how to test on ARM you can make the same snap for amd64 I
>> am sure use a jre accordingly and then use a KVM to test it... once that
>> works, just replace the jre with the armhf one etc. and it will work fine
>> too!
>>
>> On Fri, May 8, 2015 at 12:34 AM, Alexander Sack <asac at canonical.com>
>> wrote:
>>
>>> On Fri, May 8, 2015 at 12:31 AM, Alexander Sack <asac at canonical.com>
>>> wrote:
>>>
>>>> On Wed, May 6, 2015 at 11:50 AM,  <mauro at freedomotic.com> wrote:
>>>>
>>>>> Hi
>>>>> our raspi2 image is updated to the last version. I uploaded the snap
>>>>> on dropbox
>>>>> https://www.dropbox.com/s/us29rn028q9neum/freedomotic_5.6.0_armhf.snap?dl=0
>>>>>
>>>>> Is there anyone who can try it on raspberry2 or another armhf board
>>>>> and give us any feedback? To start it you must launch ./start under
>>>>> bin folder.
>>>>
>>>> did you try to make a binaries: entry for this in package.yaml so you
>>>>  can start it with freedomotic.start using normal confinement?
>>>
>>> I tried running it directly and it doesn't work. The right thing to do
>>> is to use a binaries: entry in package.yaml (check out hello-world
>>> example) and then use $SNAP_APP_PATH to find the top level dir of your
>>> app in that start script.
>>>
>>> If you install hello-world you can see the environment variables you
>>> have available:
>>>
>>> hello-world.env | grep SNAP_
>>> SNAP_APP_PATH=/apps/hello-world.canonical/1.0.14
>>> SNAP_ORIGIN=canonical
>>> SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.14
>>> SNAP_FULLNAME=hello-world.canonical
>>> SNAP_NAME=hello-world
>>> SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.14/tmp
>>> SNAP_OLD_PWD=/home/ubuntu
>>> SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.14
>>>
>>>
>>>
>>> and in hello-world/meta/package.yaml you have this:
>>>
>>> name: hello-world
>>> version: 1.0.13
>>> vendor: Snappy Developers <snappy-devel at lists.ubuntu.com>
>>> icon: meta/hello.svg
>>> binaries:
>>> - name: bin/echo
>>> - name: bin/env
>>>
>>>
>>> ...
>>>
>>>
>>> this makes commands like hello-world.env that get properly confined and
>>> the right envs set.
>>>
>>>
>>>>
>>>>>
>>>>> Thanks
>>>>> Mauro
>>>>>
>>>>>
>>>>> On Mon, May 4, 2015 1:07 pm, Jamie Strandboge wrote:
>>>>>
>>>>>> On 05/04/2015 09:04 AM, mauro at freedomotic.com wrote:
>>>>>>
>>>>>>
>>>>>>> Hi Jamie,
>>>>>>> thanks for your reply. Based on Loic Minier's suggested example
>>>>>>> http://bazaar.launchpad.net/~lool/+junk/webcam-webui-snap/files/head:/meta/
>>>>>>> I modified my package. Would you like to test it on an ARM
>>>>>>> board?
>>>>>>>
>>>>>>>
>>>>>>> The compilation process is OK.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Based on looking at the packaging, it seems fine. The problem is
>>>>>> the target system that you are installing the snap on is not
>>>>>> running an up to date snappy. Please update your raspberry pi2
>>>>>> device to the latest stable release that came out a week and a
>>>>>> half ago (or alternatively, to rolling).
>>>>>>
>>>>>>
>>>>>>> Mauro
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, May 4, 2015 8:33 am, Jamie Strandboge wrote:
>>>>>>>
>>>>>>>
>>>>>>>> On 05/04/2015 08:29 AM, Jamie Strandboge wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 05/03/2015 04:23 AM, mauro at freedomotic.com wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hi all
>>>>>>>>>> I created the snap with embedded Oracle jre but it doesn't
>>>>>>>>>> start with the following error
>>>>>>>>>> (RaspberryPi2)ubuntu at localhost:~$ start.sh.freedomotic
>>>>>>>>>> aa-exec: ERROR: profile 'freedomotic_start.sh_5.6.0' does not exist
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I think it's related to AppArmor but I didn't find any
>>>>>>>>>> doc example about this. Can you help me? How to add this
>>>>>>>>>> file and modify the package.yaml?
>>>>>>>>>>
>>>>>>>>>> The snap structure is online on
>>>>>>>>>> https://github.com/mcicolella/freedomotic-snappy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It is related to apparmor-- the profile
>>>>>>>>> 'freedomotic_start.sh_5.6.0'
>>>>>>>>> isn't loaded into the kernel so the aa-exec failed. I looked
>>>>>>>>> at your package.yaml and you are using the defaults (good),
>>>>>>>>> and there is nothing more you need to do for the security
>>>>>>>>> policy. What is probably happening is something during the
>>>>>>>>> install is failing prior to the apparmor policy generation.
>>>>>>>>>
>>>>>>>>> What I find curious though is that you are using the
>>>>>>>>> command 'start.sh.freedomotic'-- this should be
>>>>>>>>> freedomotic.start.sh instead. Also the reported error message
>>>>>>>>> shows snappy is using 'aa-exec' instead of
>>>>>>>>> 'ubuntu-core-launcher'. Also, the package shouldn't have
>>>>>>>>> been able to be in the half-installed state that it is in
>>>>>>>>> now (ie, unpacked, but without generated security policy,
>>>>>>>>> etc). All of this indicates your snappy system is out of
>>>>>>>>> date.
>>>>>>>>>
>>>>>>>> Sorry, I sent this a tad too soon...
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> All of this indicates your snappy system is out of date and
>>>>>>>> you should upgrade to the latest stable release that came out
>>>>>>>> a week and a half ago (or alternatively, to rolling).
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jamie Strandboge                 http://www.ubuntu.com/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> snappy-devel mailing list snappy-devel at lists.ubuntu.com Modify
>>>>>>>>  settings or unsubscribe at:
>>>>>>>> https://lists.ubuntu.com/mailman/listinfo/snappy-devel
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jamie Strandboge                 http://www.ubuntu.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>
> 
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freedomotic.diff
Type: text/x-diff
Size: 1091 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20150511/210d7d02/attachment-0001.diff>