Hi Jamie, sorry for delay. Thanks for your suggestions.
I created another package but I can't install on Raspi2 with the following error

Last login: Tue May 19 16:01:40 2015
(RaspberryPi2)ubuntu@localhost:~$ dir
freedomotic_5.6.0_armhf.snap
(RaspberryPi2)ubuntu@localhost:~$ sudo snappy install --allow-unauthenticated freedomotic_5.6.0_armhf.snap
Installing freedomotic_5.6.0_armhf.snap
2015/05/19 16:05:55 Signature check failed, but installing anyway as requested
mkdir /apps/freedomotic/5.6.0/jre/lib/security: permission denied
unpack freedomotic_5.6.0_armhf.snap to /apps/freedomotic/5.6.0 failed with exit status 1
(RaspberryPi2)ubuntu@localhost:~$

I'm using the image from
http://people.canonical.com/~lool/pi2-device-and-oem/pi2.img.gz
The installed ubuntu core is 2015-04-10 and not updated to May as in your
mail. The update command doesn't work as reported in
https://developer.ubuntu.com/en/snappy/start/

Do you think it's related to missing updated core? And how to solve?

Thanks
Mauro

On Mon, May 11, 2015 5:27 pm, Jamie Strandboge wrote:
> On 05/08/2015 02:10 PM, [email protected] wrote:
>
>> Hi Alexander
>> I added
>> binaries:
>>   - name: bin/start
>>
>> When I "start.freedomotic" this is the output:
>>
>> (RaspberryPi2)ubuntu@localhost:~$ start.freedomotic
>> aa-exec: ERROR: profile 'freedomotic_start_5.6.0' does not exist
>> The file freedomotic.apparmor is present. In fact if I launch "start" in
>> bin folder with sudo it works. After a random time the app is killed.
>>
>
> 'start.freedomotic' is not the correct name for the file on either the
> stable or the rolling snappy releases-- you should be using
> 'freedomotic.start'. If 'start.freedomotic' is working for you it
> indicates either you have some old files laying around or your system is
> out of date. Also, running under sudo from your app's install directory
> will certainly work-- you are bypassing systemd and the app launcher (it
> is useful to know that it works on its own though).
>
> I downloaded the snap from dropbox:
> $ click-review /tmp/freedomotic_5.6.0_armhf.snap
> /tmp/freedomotic_5.6.0_armhf.snap: pass
>
> and installed on my beaglebone.
> $ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap
> Installing /tmp/freedomotic_5.6.0_armhf.snap
> 2015/05/11 21:29:36 Signature check failed, but installing anyway as requested
> Name          Date        Version    Developer
> ubuntu-core   2015-05-08  55         ubuntu
> docker        2015-05-08  1.6.1.002
> freedomotic   2015-05-11  5.6.0      sideload
> beagleblack   2015-05-08  1.7.1
>
> $ start.freedomotic   # <----- your command which correctly doesn't work
> -bash: start.freedomotic: command not found
>
> $ freedomotic.start   # <----- what should work based on your comments,
>                       # but doesn't
> -bash: freedomotic.start: command not found
>
> In looking at your snappy packaging, you are not specifying any
> 'binaries', only a service so you won't get a binary you can use from the
> command line-- only a systemd service.
>
> Looking at your package.yaml, there are several issues:
> $ cat ./package.yaml
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <[email protected]>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
> integration:
>   freedomotic:
>     apparmor: meta/freedomotic.apparmor
>
> First, as mentioned, you don't have a 'binaries' entry[1]. Second, you
> are using the obsoleted 'integration' hook for specifying security
> policy[2] (the review tools should've caught this, and I've added a todo
> to fix this).
> Looking at freedomotic.apparmor, you aren't doing anything out of the
> ordinary, so I suggest you change your yaml to simply:
>
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <[email protected]>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
> binaries:
>   - name: start
>     exec: bin/start
>     description: "freedomotic runtime cli"
>
> With the above you will get a systemd service (that calls 'bin/start')
> *and* a CLI binary in /apps/bin/freedomotic.start (which also happens to
> call 'bin/start'-- I'm not sure you actually want to do that in your
> package, but it illustrates the point I'm trying to make) and you don't
> have to do anything special for security.
>
> After making the above change, make sure your target system is up to
> date. On my beaglebone black I have:
> $ system-image-cli -i
> current build number: 55
> device name: generic_armhf
> channel: ubuntu-core/15.04/edge
> last update: 2015-05-08 08:10:00
> version version: 55
> version ubuntu: 20150508
> version raw-device: 20150508
>
> If you are on the stable channel, you will have a different build number
> (I'm not sure about rasp pi2). If I were you, I'd reflash to stable and
> make sure you have a clean environment. Once you've done that, install
> the new package with the packaging changes I suggested.
>
> If you are iterating and installing the same version over and over again,
> you will want to do on your target:
> $ sudo snappy remove freedomotic
> Removing freedomotic
> Waiting for freedomotic_freedomotic_5.6.0.service to stop.
>
> $ sudo snappy purge freedomotic
> Purging freedomotic
>
> $ sudo snappy install --allow-unauthenticated /tmp/freedomotic_5.6.0_armhf.snap
>
> FYI, I built a package with the above changes and now I can use
> 'freedomotic.start', and it indicates a problem.
> Eg:
>
> $ freedomotic.start
> /apps/freedomotic.sideload/5.6.0/bin/start: 4: cd: can't cd to /apps/freedomotic/current
> Launching Freedomotic runtime...
> /apps/freedomotic.sideload/5.6.0/bin/start: 9: /apps/freedomotic.sideload/5.6.0/bin/start: /apps/freedomotic/current/jre/bin/java: not found
>
> This is because the app was sideloaded and your 'start' script doesn't
> handle that well. You should use the SNAP_* variables in your 'start'
> script so you aren't hardcoding paths.
>
> Eg:
>
> $ sudo snappy install hello-world
> ...
> $ hello-world.env|grep SNAP_
> SNAP_APP_PATH=/apps/hello-world.canonical/1.0.15
> SNAP_ORIGIN=canonical
> SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.15
> SNAP_FULLNAME=hello-world.canonical
> SNAP_NAME=hello-world
> SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.15/tmp
> SNAP_OLD_PWD=/tmp
> SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.15
>
> Do be aware of this bug though:
> https://bugs.launchpad.net/snappy-ubuntu/+bug/1449625
>
> So, looking at 'start', if I change this:
> appdir=/apps/freedomotic/current
> cd $appdir
> export JAVA_HOME="/apps/freedomotic/current/jre"
>
> to:
> appdir=$SNAP_APP_PATH
> cd $appdir
> export JAVA_HOME="$appdir/jre"
>
> then "freedomotic.start" tries to do something:
> $ freedomotic.start
> Launching Freedomotic runtime...
> log4j:ERROR Could not find value for key log4j.appender.default.file
> log4j:ERROR Could not instantiate appender named "default.file".
> INFO [main] - Freedomotic instance ID: c020cc66-8aba-4274-9ccf-2595037d16d6
> INFO [main] - Creating new messaging broker
> INFO [main] - Configuring messaging broker
> INFO [main] - /apps/freedomotic.sideload/5.6.0/freedomotic
>
> The systemd service also tries to do something too:
> $ sudo systemctl stop freedomotic_freedomotic_5.6.0.service
> ...
> $ sudo systemctl start freedomotic_freedomotic_5.6.0.service
>
> However, there is a seccomp denial[3][4]:
> $ sudo sc-logresolve /var/log/syslog
> May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0
>
> 'socketpair' is part of the 'network-service' cap (apps by default only
> get client networking), so you can change your yaml to:
>
> name: freedomotic
> architecture: armhf
> version: 5.6.0
> vendor: Freedomotic Team <[email protected]>
> icon: meta/freedomotic.svg
> services:
>   - name: freedomotic
>     description: "freedomotic runtime"
>     start: bin/start
>     caps:
>       - network-service
> binaries:
>   - name: start
>     exec: bin/start
>     description: "freedomotic runtime cli"
>     caps:
>       - network-service
>
> After making these changes, the app gets farther along, but has another
> security denial:
> apparmor="DENIED" operation="mknod" profile="freedomotic.sideload_freedomotic_5.6.0" name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
>
> the app is incorrectly trying to write to the read-only install
> directory-- security policy enforces the snappy FHS[5]. It should instead
> be modified to write out to SNAP_APP_DATA_PATH.
>
> Attached is a diff of the changes I made.
>
> Hope this helps
>
> References:
> [1]https://developer.ubuntu.com/en/snappy/guides/packaging-format-apps/
> [2]https://developer.ubuntu.com/en/snappy/guides/package-metadata/
> [3]https://developer.ubuntu.com/en/snappy/guides/security-policy/
> [4]https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement#Debugging
> [5]https://developer.ubuntu.com/en/snappy/guides/filesystem-layout/
> https://developer.ubuntu.com/en/snappy/guides/
>
>> On Thu, May 7, 2015 5:36 pm, Alexander Sack wrote:
>>
>>> Oh,
>>>
>>> if you don't know how to test on ARM you can make the same snap for
>>> amd64 I am sure use a jre accordingly and then use a KVM to test it...
>>> once that works, just replace the jre with the armhf one etc. and it
>>> will work fine too!
>>>
>>> On Fri, May 8, 2015 at 12:34 AM, Alexander Sack <[email protected]>
>>> wrote:
>>>
>>>> On Fri, May 8, 2015 at 12:31 AM, Alexander Sack
>>>> <[email protected]> wrote:
>>>>
>>>>> On Wed, May 6, 2015 at 11:50 AM, <[email protected]> wrote:
>>>>>
>>>>>> Hi
>>>>>> our raspi2 image is updated to the last version. I uploaded the
>>>>>> snap on dropbox
>>>>>> https://www.dropbox.com/s/us29rn028q9neum/freedomotic_5.6.0_armhf.snap?dl=0
>>>>>>
>>>>>> Is there anyone who can try it on raspberry2 or another armhf
>>>>>> board and give us any feedback? To start it you must launch
>>>>>> ./start under bin folder.
>>>>>
>>>>> did you try to make a binaries: entry for this in package.yaml so
>>>>> you can start it with freedomotic.start using normal confinement?
>>>>
>>>> I tried running it directly and it doesn't work. The right thing to
>>>> do is to use a binaries: entry in package.yaml (check out
>>>> hello-world example) and then use $SNAP_APP_PATH to find the top
>>>> level dir of your app in that start script.
>>>>
>>>> If you install hello-world you can see the environment variables
>>>> you have available:
>>>>
>>>> hello-world.env | grep SNAP_
>>>> SNAP_APP_PATH=/apps/hello-world.canonical/1.0.14
>>>> SNAP_ORIGIN=canonical
>>>> SNAP_APP_USER_DATA_PATH=/home/ubuntu//apps/hello-world.canonical/1.0.14
>>>> SNAP_FULLNAME=hello-world.canonical
>>>> SNAP_NAME=hello-world
>>>> SNAP_APP_TMPDIR=/tmp/snaps/hello-world.canonical/1.0.14/tmp
>>>> SNAP_OLD_PWD=/home/ubuntu
>>>> SNAP_APP_DATA_PATH=/var/lib//apps/hello-world.canonical/1.0.14
>>>>
>>>> and in hello-world/meta/package.yaml you have this:
>>>>
>>>> name: hello-world
>>>> version: 1.0.13
>>>> vendor: Snappy Developers <[email protected]>
>>>> icon: meta/hello.svg
>>>> binaries:
>>>>   - name: bin/echo
>>>>   - name: bin/env
>>>>
>>>> ...
>>>>
>>>> this makes commands like hello-world.env that get properly confined
>>>> and the right envs set.
>>>>
>>>>>> Thanks
>>>>>> Mauro
>>>>>>
>>>>>> On Mon, May 4, 2015 1:07 pm, Jamie Strandboge wrote:
>>>>>>
>>>>>>> On 05/04/2015 09:04 AM, [email protected] wrote:
>>>>>>>
>>>>>>>> Hi Jamie,
>>>>>>>> thanks for your reply. Based on Loic Minier's suggested example
>>>>>>>> http://bazaar.launchpad.net/~lool/+junk/webcam-webui-snap/files/head:/meta/
>>>>>>>> I modified my package. Would you like to test it on an ARM
>>>>>>>> board?
>>>>>>>>
>>>>>>>> The compilation process is OK.
>>>>>>>>
>>>>>>> Based on looking at the packaging, it seems fine. The problem
>>>>>>> is the target system that you are installing the snap on is
>>>>>>> not running an up to date snappy. Please update your raspberry
>>>>>>> pi2 device to the latest stable release that came out a week
>>>>>>> and a half ago (or alternatively, to rolling).
>>>>>>>
>>>>>>>> Mauro
>>>>>>>>
>>>>>>>> On Mon, May 4, 2015 8:33 am, Jamie Strandboge wrote:
>>>>>>>>
>>>>>>>>> On 05/04/2015 08:29 AM, Jamie Strandboge wrote:
>>>>>>>>>
>>>>>>>>>> On 05/03/2015 04:23 AM, [email protected] wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all
>>>>>>>>>>> I created the snap with embedded Oracle jre but it
>>>>>>>>>>> doesn't start with the following error
>>>>>>>>>>> (RaspberryPi2)ubuntu@localhost:~$ start.sh.freedomotic
>>>>>>>>>>> aa-exec: ERROR: profile 'freedomotic_start.sh_5.6.0' does not exist
>>>>>>>>>>>
>>>>>>>>>>> I think it's related to AppArmor but I didn't find
>>>>>>>>>>> any doc example about this. Can you help me? How to
>>>>>>>>>>> add this file and modify the package.yaml?
>>>>>>>>>>>
>>>>>>>>>>> The snap structure is online on
>>>>>>>>>>> https://github.com/mcicolella/freedomotic-snappy
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It is related to apparmor-- the profile
>>>>>>>>>> 'freedomotic_start.sh_5.6.0' isn't loaded into the kernel so
>>>>>>>>>> the aa-exec failed. I looked at your package.yaml and you are
>>>>>>>>>> using the defaults (good), and there is nothing more you need
>>>>>>>>>> to do for the security policy. What is probably happening
>>>>>>>>>> is something during the install is failing prior to the
>>>>>>>>>> apparmor policy generation.
>>>>>>>>>>
>>>>>>>>>> What I find curious though is that you are using the
>>>>>>>>>> command 'start.sh.freedomotic'-- this should be
>>>>>>>>>> freedomotic.start.sh instead. Also the reported error
>>>>>>>>>> message shows snappy is using 'aa-exec' instead of
>>>>>>>>>> 'ubuntu-core-launcher'.
>>>>>>>>>> Also, the package shouldn't have been able to be in the
>>>>>>>>>> half-installed state that it is in now (ie, unpacked, but
>>>>>>>>>> without generated security policy, etc). All of this indicates
>>>>>>>>>> your snappy system is out of date.
>>>>>>>>>>
>>>>>>>>> Sorry, I sent this a tad too soon...
>>>>>>>>>
>>>>>>>>> All of this indicates your snappy system is out of date
>>>>>>>>> and you should upgrade to the latest stable release that
>>>>>>>>> came out a week and a half ago (or alternatively, to
>>>>>>>>> rolling).
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jamie Strandboge http://www.ubuntu.com/
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> snappy-devel mailing list [email protected]
>>>>>>>>> Modify settings or unsubscribe at:
>>>>>>>>> https://lists.ubuntu.com/mailman/listinfo/snappy-devel
>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Jamie Strandboge http://www.ubuntu.com/
>>>>>>>
>
> --
> Jamie Strandboge http://www.ubuntu.com/
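
Added example (not part of the original thread and not snappy's own tooling): a small Python triage of the seccomp and AppArmor denial lines quoted in Jamie's reply, mapping each to the packaging fix he describes. The function names and the one-entry syscall-to-cap table are assumptions for illustration; only the socketpair/network-service pairing comes from the thread.

```python
import re

# The two denial lines quoted in the thread, re-joined onto single lines.
SECCOMP_LINE = (
    'May 11 22:00:17 localhost kernel: [264654.298530] audit: type=1326 '
    'audit(1431381617.920:34): auid=1000 uid=1000 gid=1000 ses=83 pid=5889 '
    'comm="java" exe="/apps/freedomotic.sideload/5.6.0/jre/bin/java" sig=31 '
    'arch=40000028 syscall=288(socketpair) compat=0 ip=0xb6e9ab86 code=0x0')
APPARMOR_LINE = (
    'apparmor="DENIED" operation="mknod" '
    'profile="freedomotic.sideload_freedomotic_5.6.0" '
    'name="/apps/freedomotic.sideload/5.6.0/freedomotic/plugins/objects/'
    'base-things/data/cmd/index.txt" pid=6557 comm="java" requested_mask="c" '
    'denied_mask="c" fsuid=0 ouid=0')

# Assumption: one-entry table holding only the pairing stated in the thread.
SYSCALL_CAPS = {"socketpair": "network-service"}
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def fields(line):
    """Return the key=value pairs of an audit line with quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def triage(line):
    """Return (kind, detail, suggested packaging fix), or None if not a denial."""
    f = fields(line)
    if f.get("type") == "1326":  # seccomp audit record
        m = re.fullmatch(r"(\d+)(?:\((\w+)\))?", f.get("syscall", ""))
        # The name in parentheses is only present after sc-logresolve.
        name = (m.group(2) or m.group(1)) if m else "unknown"
        cap = SYSCALL_CAPS.get(name)
        fix = (f"add '{cap}' to caps in package.yaml" if cap
               else "resolve the syscall and check the security policy guide")
        return ("seccomp", name, fix)
    if f.get("apparmor") == "DENIED":
        path = f.get("name", "")
        # Write-type masks (w, a, c, d) under /apps/ target the read-only
        # install directory; the thread's fix is SNAP_APP_DATA_PATH.
        if path.startswith("/apps/") and set(f.get("denied_mask", "")) & set("wacd"):
            return ("apparmor", path, "write under $SNAP_APP_DATA_PATH instead")
        return ("apparmor", path, "review which path the app needs and why")
    return None

if __name__ == "__main__":
    for sample in (SECCOMP_LINE, APPARMOR_LINE):
        print(triage(sample))
```
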
