Re: Has anybody ever snapped gunicorn?

2016-10-10 Thread Leo Arias
Hello,

On Mon, Oct 10, 2016 at 10:51 AM, Robert Park wrote:

> Well so far the only interfaces I need were network and network-bind. Is
> there even a snap interface that provides dac_override and chown? I
> couldn't find any in a quick google.
>

This is for chown: https://bugs.launchpad.net/snappy/+bug/1619888
Please leave your comment there about your use case.

For dac_override, I found this:
https://github.com/snapcore/snapd/blob/98c8e937625ce3134cf17025d8f0eb3e1016259a/interfaces/builtin/log_observe.go#L46
However, the comment in there makes me think you need a separate interface
not yet implemented. If that's the case, the process is to file a bug that
the security team will add to their backlog, or implement the interface
yourself.

pura vida
-- 
¡paz y baile!
http://www.ubuntu.com
-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft


Re: Has anybody ever snapped gunicorn?

2016-10-10 Thread Robert Park
Hi Alfonso, thanks for the response

On Oct 9, 2016 11:59 PM, "Alfonso Sanchez-Beato" <
alfonso.sanchez-be...@canonical.com> wrote:
> On Mon, Oct 10, 2016 at 1:56 AM, Robert Park wrote:
>>
>> Right, so that was a $PYTHONPATH issue indeed which I've fixed by
>> setting this in a wrapper script:
>>
>> export PYTHONPATH="$SNAP/usr/lib/python3/dist-packages:$SNAP/src"
>>
>>
>> But still gunicorn is not working. When I run it, I get this error:
>>
>> $ sudo quantifiedself.server
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Starting gunicorn 19.4.5
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Listening at:
>> http://0.0.0.0:8080 (4365)
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Using worker: sync
>> fish: “sudo quantifiedself.server” terminated by signal SIGSYS (Bad system call)
>>
>>
>> All I can find in kern.log is this, but it doesn't mean much to me:
>>
>> 236:Oct  9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400
>> audit(1476055802.615:377): apparmor="DENIED" operation="capable"
>> profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3"
>> capability=1  capname="dac_override"
>> 237:Oct  9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326
>> audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365
>> comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c03e
>> syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0
>>
>>
>> Anybody have any ideas how to troubleshoot this?
>
>
> The first trace is for apparmor, you need to have
>
> capability dac_override,
>
> in the apparmor snippet of one of the interfaces you are using.
>
> The second one seems to be from seccomp when calling syscall 92, which
> happens to be chown. You would need to have that call in the seccomp
> snippet of one interface you are using.
>
> Not sure if you miss some interface/connection or if these need to be
> added to one interface you are using.

Well so far the only interfaces I need were network and network-bind. Is
there even a snap interface that provides dac_override and chown? I
couldn't find any in a quick google.

Or am I better off digging into gunicorn and figuring out why it's trying
to chown and patching it to not do that?


Re: Has anybody ever snapped gunicorn?

2016-10-09 Thread Robert Park
Right, so that was a $PYTHONPATH issue indeed which I've fixed by
setting this in a wrapper script:

export PYTHONPATH="$SNAP/usr/lib/python3/dist-packages:$SNAP/src"


But still gunicorn is not working. When I run it, I get this error:

$ sudo quantifiedself.server
[2016-10-09 16:30:13 -0700] [4365] [INFO] Starting gunicorn 19.4.5
[2016-10-09 16:30:13 -0700] [4365] [INFO] Listening at:
http://0.0.0.0:8080 (4365)
[2016-10-09 16:30:13 -0700] [4365] [INFO] Using worker: sync
fish: “sudo quantifiedself.server” terminated by signal SIGSYS (Bad system call)


All I can find in kern.log is this, but it doesn't mean much to me:

236:Oct  9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400
audit(1476055802.615:377): apparmor="DENIED" operation="capable"
profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3"
capability=1  capname="dac_override"
237:Oct  9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326
audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365
comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c03e
syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0


Anybody have any ideas how to troubleshoot this?

Thanks.

On Sun, Oct 2, 2016 at 11:51 AM, Robert Park wrote:
> I've got gunicorn3 and python3-gunicorn in my stage-packages, and
> gunicorn is working correctly when I run it from my app's source tree,
> but when I try to snap it I get this:
>
> Traceback (most recent call last):
>   File "/snap/weighttracker/x4/usr/bin/gunicorn3", line 5, in 
> from pkg_resources import load_entry_point
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2927, in 
> @_call_aside
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2913, in _call_aside
> f(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2940, in _initialize_master_working_set
> working_set = WorkingSet._build_master()
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 635, in _build_master
> ws.require(__requires__)
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 943, in require
> needed = self.resolve(parse_requirements(requirements))
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 829, in resolve
> raise DistributionNotFound(req, requirers)
> pkg_resources.DistributionNotFound: The 'gunicorn==19.4.5'
> distribution was not found and is required by the application
>
> I find this utterly bizarre because this traceback starts in
> usr/bin/gunicorn3 and then it apparently fails to load itself. I guess
> it's a $PYTHONPATH issue? What am I doing wrong?
>
> https://git.launchpad.net/~robru/+git/weightloss/tree/snapcraft.yaml
>
> Thanks.
>
> --
> robru



-- 
robru
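
Added example (not part of the thread and not snapd code): a small decoder for the two kinds of kern.log audit records quoted above, reporting which confinement layer blocked the process and which policy line the replies say would be needed. It assumes an x86_64 host; the lookup tables are short excerpts, and the function names are illustrative.

```python
import re

# Short excerpts of the x86_64 syscall table and of linux/capability.h.
# Assumption: the host is x86_64, so syscall numbers use that table.
X86_64_SYSCALLS = {90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown"}
CAPABILITIES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner"}

# The two kern.log records from the thread, rejoined onto one line each.
SAMPLE_LOG = """\
Oct  9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400 audit(1476055802.615:377): apparmor="DENIED" operation="capable" profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3" capability=1  capname="dac_override"
Oct  9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326 audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365 comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c03e syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}

def explain(line):
    """Return (mechanism, blocked item, policy line needed), or None if not a denial."""
    f = parse_fields(line)
    # type=1400 with apparmor="DENIED" is an AppArmor denial.
    if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
        if f.get("operation") == "capable":
            cap = f.get("capname") or CAPABILITIES.get(int(f["capability"]), "?")
            return ("apparmor", cap, f"capability {cap},")
        return ("apparmor", f.get("operation", "?"), None)
    # type=1326 is a seccomp record; sig=31 is the SIGSYS the shell reported.
    if f.get("type") == "1326":
        nr = int(f["syscall"])
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
        return ("seccomp", name, name)
    return None

def summarize(log):
    """Explain every denial record found in a block of log text."""
    return [result for result in map(explain, log.splitlines()) if result]

if __name__ == "__main__":
    for mechanism, blocked, policy in summarize(SAMPLE_LOG):
        print(f"{mechanism}: blocked {blocked}; snippet would need: {policy}")
```
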
