Re: Has anybody ever snapped gunicorn?
Hello,

On Mon, Oct 10, 2016 at 10:51 AM, Robert Park wrote:

> Well so far the only interfaces I need were network and network-bind. Is
> there even a snap interface that provides dac_override and chown? I
> couldn't find any in a quick google.

This is for chown:
https://bugs.launchpad.net/snappy/+bug/1619888
Please leave your comment there about your use case.

For dac_override, I found this:
https://github.com/snapcore/snapd/blob/98c8e937625ce3134cf17025d8f0eb3e1016259a/interfaces/builtin/log_observe.go#L46

However, the comment in there makes me think you need a separate interface not yet implemented. If that's the case, the process is to file a bug that the security team will add to their backlog, or implement the interface yourself.

pura vida
--
¡paz y baile!
http://www.ubuntu.com

--
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft

Re: Has anybody ever snapped gunicorn?
Hi Alfonso, thanks for the response

On Oct 9, 2016 11:59 PM, "Alfonso Sanchez-Beato" <alfonso.sanchez-be...@canonical.com> wrote:
> On Mon, Oct 10, 2016 at 1:56 AM, Robert Park wrote:
>>
>> Right, so that was a $PYTHONPATH issue indeed which I've fixed by
>> setting this in a wrapper script:
>>
>> export PYTHONPATH="$SNAP/usr/lib/python3/dist-packages:$SNAP/src"
>>
>>
>> But still gunicorn is not working. When I run it, I get this error:
>>
>> $ sudo quantifiedself.server
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Starting gunicorn 19.4.5
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Listening at:
>> http://0.0.0.0:8080 (4365)
>> [2016-10-09 16:30:13 -0700] [4365] [INFO] Using worker: sync
>> fish: “sudo quantifiedself.server” terminated by signal SIGSYS (Bad system call)
>>
>>
>> All I can find in kern.log is this, but it doesn't mean much to me:
>>
>> 236:Oct 9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400
>> audit(1476055802.615:377): apparmor="DENIED" operation="capable"
>> profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3"
>> capability=1 capname="dac_override"
>> 237:Oct 9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326
>> audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365
>> comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c03e
>> syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0
>>
>>
>> Anybody have any ideas how to troubleshoot this?
>
>
> The first trace is for apparmor, you need to have
>
> capability dac_override,
>
> in the apparmor snippet of one of the interfaces you are using.
>
> The second one seems to be from seccomp when calling syscall 92, which happens to be chown. You would need to have that call in the seccomp snippet of one interface you are using.
>
> Not sure if you miss some interface/connection or if these need to be added to one interface you are using.

Well so far the only interfaces I need were network and network-bind. Is there even a snap interface that provides dac_override and chown? I couldn't find any in a quick google.

Or am I better off digging into gunicorn and figuring out why it's trying to chown and patching it to not do that?

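Added example, not part of the thread and not snapd code: a small Python parser for the two kinds of kernel audit record discussed in the message above (type=1400 AppArmor denial, type=1326 seccomp record) that names the capability or syscall the snap's confinement blocked. The sample records are the thread's two kern.log lines with the arch field written in full as c000003e (an assumption; the archived copy shows c03e), and the syscall table is a hand-copied x86_64 excerpt.

```python
import re

# Constructed sample: the two kern.log records from the thread. Assumption: the
# arch field is written in full (c000003e); the archived copy shows "c03e".
SAMPLE = [
    'Oct 9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400 '
    'audit(1476055802.615:377): apparmor="DENIED" operation="capable" '
    'profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3" '
    'capability=1 capname="dac_override"',
    'Oct 9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326 '
    'audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365 '
    'comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c000003e '
    'syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0',
]

AUDIT_ARCH = {0xC000003E: "x86_64"}  # AUDIT_ARCH_X86_64
# Hand-copied excerpt of the x86_64 syscall table; numbers differ per arch.
X86_64_SYSCALLS = {90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Return the key=value fields of one kernel audit record as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def explain(line):
    """Classify a record as an AppArmor or seccomp denial, or return None."""
    f = parse_audit(line)
    if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
        if f.get("operation") == "capable":
            blocked = "capability " + f["capname"]
        else:
            blocked = f.get("operation", "unknown")
        return {"layer": "apparmor", "profile": f.get("profile"), "blocked": blocked}
    if f.get("type") == "1326":  # AUDIT_SECCOMP record
        arch = AUDIT_ARCH.get(int(f["arch"], 16), "unknown")
        nr = int(f["syscall"])
        # Only resolve the number when the arch is one we have a table for.
        table = X86_64_SYSCALLS if arch == "x86_64" else {}
        return {"layer": "seccomp", "comm": f.get("comm"), "arch": arch,
                "blocked": table.get(nr, "syscall#%d" % nr)}
    return None


if __name__ == "__main__":
    for record in SAMPLE:
        print(explain(record))
```

The syscall number is only resolved when the arch field matches the table in use, because the same number names a different syscall on other architectures.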
Re: Has anybody ever snapped gunicorn?
Right, so that was a $PYTHONPATH issue indeed which I've fixed by setting this in a wrapper script:

export PYTHONPATH="$SNAP/usr/lib/python3/dist-packages:$SNAP/src"

But still gunicorn is not working. When I run it, I get this error:

$ sudo quantifiedself.server
[2016-10-09 16:30:13 -0700] [4365] [INFO] Starting gunicorn 19.4.5
[2016-10-09 16:30:13 -0700] [4365] [INFO] Listening at: http://0.0.0.0:8080 (4365)
[2016-10-09 16:30:13 -0700] [4365] [INFO] Using worker: sync
fish: “sudo quantifiedself.server” terminated by signal SIGSYS (Bad system call)

All I can find in kern.log is this, but it doesn't mean much to me:

236:Oct 9 16:30:02 rouge kernel: [1793707.594342] audit: type=1400 audit(1476055802.615:377): apparmor="DENIED" operation="capable" profile="snap.quantifiedself.server" pid=4236 comm="gunicorn3" capability=1 capname="dac_override"
237:Oct 9 16:30:13 rouge kernel: [1793718.438376] audit: type=1326 audit(1476055813.459:378): auid=1000 uid=0 gid=0 ses=1 pid=4365 comm="gunicorn3" exe="/usr/bin/python3.5" sig=31 arch=c03e syscall=92 compat=0 ip=0x7f861dff2a47 code=0x0

Anybody have any ideas how to troubleshoot this?

Thanks.

On Sun, Oct 2, 2016 at 11:51 AM, Robert Park wrote:
> I've got gunicorn3 and python3-gunicorn in my stage-packages, and
> gunicorn is working correctly when I run it from my app's source tree,
> but when I try to snap it I get this:
>
> Traceback (most recent call last):
>   File "/snap/weighttracker/x4/usr/bin/gunicorn3", line 5, in
>     from pkg_resources import load_entry_point
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2927, in
>     @_call_aside
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2913, in _call_aside
>     f(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 2940, in _initialize_master_working_set
>     working_set = WorkingSet._build_master()
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 635, in _build_master
>     ws.require(__requires__)
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 943, in require
>     needed = self.resolve(parse_requirements(requirements))
>   File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py",
> line 829, in resolve
>     raise DistributionNotFound(req, requirers)
> pkg_resources.DistributionNotFound: The 'gunicorn==19.4.5'
> distribution was not found and is required by the application
>
> I find this utterly bizarre because this traceback starts in
> usr/bin/gunicorn3 and then it apparently fails to load itself. I guess
> it's a $PYTHONPATH issue? What am I doing wrong?
>
> https://git.launchpad.net/~robru/+git/weightloss/tree/snapcraft.yaml
>
> Thanks.
>
> --
> robru

--
robru