[Bug 1611603] Re: fails to start when confined in a snap

Jamie Strandboge jamie at ubuntu.com
Thu Feb 2 18:46:00 UTC 2017

Note that snapd 2.22 allows snaps to chown to root:root. You might be
interested in https://bugs.launchpad.net/snappy/+bug/1606510/comments/14

You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to gunicorn in Ubuntu.

  fails to start when confined in a snap

Status in gunicorn package in Ubuntu:

Bug description:
  I attempted to package a simple WSGI app in an Ubuntu snap with
  gunicorn, and ran into a problem with gunicorn vs. the Snap security

  The policy forbids calling chown at all, whereas the
  workers.workertmp.WorkerTmp class relies on the default and
  historically unproblematic behaviour of silently succeeding when the
  UID/GID are the same as the calling process's.

  I've attached a patch that attempts to short-circuit chown when it
  would be a no-op, which is the case when gunicorn is run as root in a
  snap, and this patch lets my app work when confined.

  snaps also do not currently allow setuid, etc., and so there's no sense in trying to create a gunicorn-using snap that starts as root and then drops privileges.  For more information on the snap security policy, please visit: https://developer.ubuntu.com/en/snappy/guides/security/
  and https://developer.ubuntu.com/en/snappy/build-apps/debug/

To manage notifications about this bug go to:

More information about the Ubuntu-openstack-bugs mailing list