need help with freedomotic snappy app

mauro at freedomotic.com mauro at freedomotic.com
Tue May 19 16:27:03 UTC 2015


Hi Jamie
sorry for the delay.
Thanks for your suggestions.
I created another package but I can't install on Raspi2 with the following
error:

Last login: Tue May 19 16:01:40 2015
(RaspberryPi2)ubuntu@localhost:~$ dir
freedomotic_5.6.0_armhf.snap
(RaspberryPi2)ubuntu@localhost:~$ sudo snappy install --allow-unauthenticated freedomotic_5.6.0_armhf.snap
Installing freedomotic_5.6.0_armhf.snap
2015/05/19 16:05:55 Signature check failed, but installing anyway as requested
mkdir /apps/freedomotic/5.6.0/jre/lib/security: permission denied
unpack freedomotic_5.6.0_armhf.snap to /apps/freedomotic/5.6.0 failed with exit status 1
(RaspberryPi2)ubuntu@localhost:~$

I'm using the image from
http://people.canonical.com/~lool/pi2-device-and-oem/pi2.img.gz
The installed ubuntu core is 2015-04-10 and not updated to May as in your
mail. The update command doesn't work as reported in
https://developer.ubuntu.com/en/snappy/start/

Do you think it's related to missing updated core?
And how to solve?

Thanks
Mauro


On Mon, May 11, 2015 5:27 pm, Jamie Strandboge wrote:
> On 05/08/2015 02:10 PM, mauro at freedomotic.com wrote:
>
>> Hi Alexander
>> I added
>> binaries:
>> - name: bin/start
>>
>>
>> When I "start.freedomotic" this is the output:
>>
>>
>> (RaspberryPi2)ubuntu@localhost:~$ start.freedomotic
>> aa-exec: ERROR: profile 'freedomotic_start_5.6.0' does not exist
>> The file freedomotic.apparmor is present. In fact if I launch "start" in
>> bin folder with sudo it works. After a random time the app is killed.
>>
>>
>
> 'start.freedomotic' is not the correct name for the file on either the
> stable or the rolling snappy releases-- you should be using
> 'freedomotic.start'. If
> 'start.freedomotic' is working for you it indicates either you have some
> old files laying around or your system is out of date. Also, running under
> sudo from your app's install directory will certainly work-- you are
> bypassing systemd and the app launcher (it is useful to know that it works
> on its own though).
>
> I downloaded the snap from dropbox:
> $ click-review /tmp/freedomotic_5.6.0_armhf.snap
> /tmp/freedomotic_5.6.0_armhf.snap: pass
>
>
>
> and installed on my beaglebone.
> $ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap
> Installing /tmp/freedomotic_5.6.0_armhf.snap
> 2015/05/11 21:29:36 Signature check failed, but installing anyway as requested
> Name        Date       Version   Developer
> ubuntu-core 2015-05-08 55        ubuntu
> docker      2015-05-08 1.6.1.002
> freedomotic 2015-05-11 5.6.0     sideload
> beagleblack 2015-05-08 1.7.1
>
> $ start.freedomotic           # <----- your command which correctly doesn't work
> -bash: start.freedomotic: command not found
>
>
> $ freedomotic.start           # <----- what should work based on your comments,
>                               # but doesn't
> -bash: freedomotic.start: command not found
>
>
>
> In looking at your snappy packaging, you are not specifying any
> 'binaries', only
> a service so you won't get a binary you can use from the command line--
> only a systemd service.
>
> Looking at your package.yaml, there are several issues:
> $ cat ./package.yaml
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <info at freedomotic.com>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
> integration:
>   freedomotic:
>     apparmor: meta/freedomotic.apparmor
>
>
> First, as mentioned, you don't have a 'binaries' entry[1]. Second, you
> are using the obsoleted 'integration' hook for specifying security
> policy[2] (the review tools should've caught this, and I've added a todo
> to fix this). Looking at freedomotic.apparmor, you aren't doing anything
> out of the ordinary, so I suggest you change your yaml to simply:
>
>
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <info at freedomotic.com>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
> binaries:
>   - name: start
>     exec: bin/start
>     description: "freedomotic runtime cli"
>
>
>
> With the above you will get a systemd service (that calls 'bin/start')
> *and* a
> CLI binary in /apps/bin/freedomotic.start (which also happens to call
> 'bin/start'-- I'm not sure you actually want to do that in your package,
> but it illustrates the point I'm trying to make) and you don't have to do
> anything special for security.
>
> After making the above change, make sure your target system is up to
> date. On my beaglebone black I have:
> $ system-image-cli -i
> current build number: 55
> device name: generic_armhf
> channel: ubuntu-core/15.04/edge
> last update: 2015-05-08 08:10:00
> version version: 55
> version ubuntu: 20150508
> version raw-device: 20150508
>
> If you are on the stable channel, you will have a different build number
> (I'm
> not sure about rasp pi2). If I were you, I'd reflash to stable and make
> sure you have a clean environment. Once you've done that, install the new
> package with the packaging changes I suggested.
>
> If you are iterating and installing the same version over and over again,
> you will want to do on your target:
> $ sudo snappy remove freedomotic
> Removing freedomotic
> Waiting for freedomotic_freedomotic_5.6.0.service to stop.
>
>
> $ sudo snappy purge freedomotic
> Purging freedomotic
>
>
> $ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap
>
>
>
> FYI, I built a package with the above changes and now I can use
> 'freedomotic.start', and it indicates a problem. Eg:
>
>
> $ freedomotic.start
> /apps/freedomotic.sideload/5.6.0/bin/start: 4: cd: can't cd to /apps/freedomotic/current
> Launching Freedomotic runtime...
> /apps/freedomotic.sideload/5.6.0/bin/start: 9: /apps/freedomotic.sideload/5.6.0/bin/start: /apps/freedomotic/current/jre/bin/java: not found
>
>
>
> This is because the app was sideloaded and your 'start' script doesn't
> handle that well. You should use the SNAP_* variables in your 'start'
> script so you aren't hardcoding paths.
>
> Eg:
>
>
> $ sudo snappy install hello-world
> ...
> $ hello-world.env|grep SNAP_
> SNAP_APP_PATH=/apps/hello-world.canonical/1.0.15
> SNAP_ORIGIN=canonical
> SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.15
> SNAP_FULLNAME=hello-world.canonical
> SNAP_NAME=hello-world
> SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.15/tmp
> SNAP_OLD_PWD=/tmp
> SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.15
>
>
> Do be aware of this bug though:
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1449625
>
>
> So, looking at 'start', if I change this:
> appdir=/apps/freedomotic/current
> cd $appdir
> export JAVA_HOME="/apps/freedomotic/current/jre"
>
>
> to:
> appdir=$SNAP_APP_PATH
> cd $appdir
> export JAVA_HOME="$appdir/jre"
>
>
> then "freedomotic.start" tries to do something:
> $ freedomotic.start
> Launching Freedomotic runtime...
> log4j:ERROR Could not find value for key log4j.appender.default.file
> log4j:ERROR Could not instantiate appender named "default.file".
> INFO  [main] - Freedomotic instance ID: c020cc66-8aba-4274-9ccf-2595037d16d6
> INFO  [main] - Creating new messaging broker
> INFO  [main] - Configuring messaging broker
> INFO  [main] - /apps/freedomotic.sideload/5.6.0/freedomotic
>
>
>
> The systemd service also tries to do something too:
> $ sudo systemctl stop freedomotic_freedomotic_5.6.0.service
> ...
> $ sudo systemctl start freedomotic_freedomotic_5.6.0.service
>
>
> However, there is a seccomp denial[3][4]:
> $ sudo sc-logresolve /var/log/syslog
> May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0
>
> 'socketpair' is part of the 'network-service' cap (apps by default only
> get client networking), so you can change your yaml to:
>
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <info at freedomotic.com>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
>     caps:
>       - network-service
> binaries:
>   - name: start
>     exec: bin/start
>     description: "freedomotic runtime cli"
>     caps:
>       - network-service
>
>
> After making these changes, the app gets farther along, but has another
> security denial:
> apparmor="DENIED" operation="mknod" profile="freedomotic.sideload_freedomotic_5.6.0" name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
>
> the app is incorrectly trying to write to the read-only install
> directory-- security policy enforces the snappy FHS[5]. It should instead
> be modified to write out to SNAP_APP_DATA_PATH.
>
> Attached is a diff of the changes I made.
>
>
> Hope this helps
>
>
> References:
> [1]https://developer.ubuntu.com/en/snappy/guides/packaging-format-apps/
> [2]https://developer.ubuntu.com/en/snappy/guides/package-metadata/
> [3]https://developer.ubuntu.com/en/snappy/guides/security-policy/
> [4]https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging
> [5]https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/
> https://developer.ubuntu.com/en/snappy/guides/
>
>
>
>> On Thu, May 7, 2015 5:36 pm, Alexander Sack wrote:
>>
>>> Oh,
>>>
>>>
>>>
>>> if you don't know how to test on ARM you can make the same snap for
>>> amd64 I am sure use a jre accordingly and then use a KVM to test it...
>>> once that works, just replace the jre with the armhf one etc. and it
>>> will work fine too!
>>>
>>> On Fri, May 8, 2015 at 12:34 AM, Alexander Sack <asac at canonical.com>
>>> wrote:
>>>
>>>
>>>> On Fri, May 8, 2015 at 12:31 AM, Alexander Sack
>>>> <asac at canonical.com>
>>>> wrote:
>>>>
>>>>
>>>>> On Wed, May 6, 2015 at 11:50 AM,  <mauro at freedomotic.com> wrote:
>>>>>
>>>>>
>>>>>> Hi
>>>>>> our raspi2 image is updated to the last version. I uploaded the
>>>>>> snap on dropbox
>>>>>> https://www.dropbox.com/s/us29rn028q9neum/freedomotic_5.6.0_armhf.snap?dl=0
>>>>>>
>>>>>> Is there anyone who can try it on raspberry2 or another armhf
>>>>>> board and give us any feedback? To start it you must launch
>>>>>> ./start under
>>>>>> bin folder.
>>>>>
>>>>> did you try to make a binaries: entry for this in package.yaml so
>>>>> you can start it with freedomotic.start using normal confinement?
>>>>
>>>> I tried running it directly and it doesn't work. The right thing to
>>>> do is to use a binaries: entry in package.yaml (check out
>>>> hello-world example) and then use $SNAP_APP_PATH to find the top
>>>> level dir of your app in that start script.
>>>>
>>>> If you install hello-world you can see the environment variables
>>>> you have available:
>>>>
>>>> hello-world.env | grep SNAP_
>>>> SNAP_APP_PATH=/apps/hello-world.canonical/1.0.14
>>>> SNAP_ORIGIN=canonical
>>>> SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.14
>>>> SNAP_FULLNAME=hello-world.canonical
>>>> SNAP_NAME=hello-world
>>>> SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.14/tmp
>>>> SNAP_OLD_PWD=/home/ubuntu
>>>> SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.14
>>>>
>>>>
>>>>
>>>>
>>>> and in hello-world/meta/package.yaml you have this:
>>>>
>>>> name: hello-world
>>>> version: 1.0.13
>>>> vendor: Snappy Developers <snappy-devel at lists.ubuntu.com>
>>>> icon: meta/hello.svg
>>>> binaries:
>>>> - name: bin/echo
>>>> - name: bin/env
>>>>
>>>>
>>>>
>>>> ...
>>>>
>>>>
>>>>
>>>> this makes commands like hello-world.env that get properly confined
>>>> and the right envs set.
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Mauro
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, May 4, 2015 1:07 pm, Jamie Strandboge wrote:
>>>>>>
>>>>>>
>>>>>>> On 05/04/2015 09:04 AM, mauro at freedomotic.com wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi Jamie,
>>>>>>>> thanks for your reply. Based on Loic Minier's suggested
>>>>>>>> example
>>>>>>>> http://bazaar.launchpad.net/~lool/+junk/webcam-webui-snap/files/head:/meta/
>>>>>>>> I modified my package. Would you like to test it on an
>>>>>>>> ARM board?
>>>>>>>>
>>>>>>>>
>>>>>>>> The compilation process is OK.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Based on looking at the packaging, it seems fine. The problem
>>>>>>> is the target system that you are installing the snap on is
>>>>>>> not running an up to date snappy. Please update your raspberry
>>>>>>> pi2 device to the latest stable release that came out a week
>>>>>>> and a half ago (or alternatively, to rolling).
>>>>>>>
>>>>>>>
>>>>>>>> Mauro
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, May 4, 2015 8:33 am, Jamie Strandboge wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 05/04/2015 08:29 AM, Jamie Strandboge wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On 05/03/2015 04:23 AM, mauro at freedomotic.com wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hi all
>>>>>>>>>>> I created the snap with embedded Oracle jre but it
>>>>>>>>>>> doesn't start with the following error
>>>>>>>>>>> (RaspberryPi2)ubuntu@localhost:~$ start.sh.freedomotic
>>>>>>>>>>> aa-exec: ERROR: profile 'freedomotic_start.sh_5.6.0' does not exist
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I think it's related to AppArmor but I didn't find
>>>>>>>>>>> any doc example about this. Can you help me? How to
>>>>>>>>>>> add this file and modify the package.yaml?
>>>>>>>>>>>
>>>>>>>>>>> The snap structure is online on
>>>>>>>>>>> https://github.com/mcicolella/freedomotic-snappy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It is related to apparmor-- the profile
>>>>>>>>>> 'freedomotic_start.sh_5.6.0'
>>>>>>>>>> isn't loaded into the kernel so the aa-exec failed. I
>>>>>>>>>> looked at your package.yaml and you are using the
>>>>>>>>>> defaults (good), and there is nothing more you need to
>>>>>>>>>> do for the security policy. What is probably happening
>>>>>>>>>> is something during the install is failing prior to the
>>>>>>>>>> apparmor policy generation.
>>>>>>>>>>
>>>>>>>>>> What I find curious though is that you are using the
>>>>>>>>>> command 'start.sh.freedomotic'-- this should be
>>>>>>>>>> freedomotic.start.sh instead. Also the reported error
>>>>>>>>>> message shows snappy is using 'aa-exec' instead of
>>>>>>>>>> 'ubuntu-core-launcher'. Also, the package shouldn't
>>>>>>>>>> have been able to be in the half-installed state that it
>>>>>>>>>> is in now (ie, unpacked, but without generated security
>>>>>>>>>> policy, etc). All of this indicates your snappy system
>>>>>>>>>> is out of date.
>>>>>>>>>>
>>>>>>>>> Sorry, I sent this a tad too soon...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> All of this indicates your snappy system is out of date
>>>>>>>>> and you should upgrade to the latest stable release that
>>>>>>>>> came out a week and a half ago (or alternatively, to
>>>>>>>>> rolling).
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jamie Strandboge                 http://www.ubuntu.com/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> snappy-devel mailing list snappy-devel at lists.ubuntu.com
>>>>>>>>> Modify
>>>>>>>>> settings or unsubscribe at:
>>>>>>>>> https://lists.ubuntu.com/mailman/listinfo/snappy-devel
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jamie Strandboge                 http://www.ubuntu.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>
>>
>
>
> --
> Jamie Strandboge                 http://www.ubuntu.com/
>
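
Added example, not part of the original thread or of the snappy tools: a small Python triage of the two confinement denials quoted above (the seccomp record as printed by sc-logresolve and the AppArmor record), turning each into the remedy the reply describes. The function names, the `/apps/` install-root default and the one-entry `CAP_FOR_SYSCALL` table (only the socketpair mapping stated in the thread) are assumptions of this sketch.

```python
import re

# The two denial records quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = '''\
May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0
apparmor="DENIED" operation="mknod" profile="freedomotic.sideload_freedomotic_5.6.0" name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value"
SYSCALL = re.compile(r'(\d+)(?:\((\w+)\))?$')     # 288 or 288(socketpair)

# Assumption: only the mapping stated in the thread; extend from the policy docs.
CAP_FOR_SYSCALL = {"socketpair": "network-service"}
WRITE_MASKS = set("wacd")  # AppArmor write, append, create, delete


def fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def triage(line, install_root="/apps/"):
    """Classify one log line; return None if it is not a confinement denial."""
    f = fields(line)
    if f.get("type") == "1326":  # AUDIT_SECCOMP
        m = SYSCALL.match(f.get("syscall", ""))
        if not m:
            return None
        name = m.group(2) or m.group(1)  # number only if sc-logresolve was not used
        cap = CAP_FOR_SYSCALL.get(name)
        hint = (f"add '{cap}' under caps: in package.yaml" if cap
                else "syscall not in table; check the security-policy guide")
        return {"kind": "seccomp", "comm": f.get("comm"), "what": name, "hint": hint}
    if f.get("apparmor") == "DENIED":
        path = f.get("name", "")
        writing = bool(WRITE_MASKS & set(f.get("denied_mask", "")))
        if writing and path.startswith(install_root):
            hint = "write under $SNAP_APP_DATA_PATH, not the read-only install dir"
        else:
            hint = "review the access against the app's security policy"
        return {"kind": "apparmor", "comm": f.get("comm"),
                "what": f"{f.get('operation')} {path}", "hint": hint}
    return None


if __name__ == "__main__":
    for record in SAMPLE_LOG.splitlines():
        print(triage(record))
```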



