Making a snap package: nginx crashes when confined, needs capname="chown"

I'm trying to make a snap package for a custom build of nginx: the idea is that I can run my snap and it will start an nginx server that serves the HTML content included in the snap.

So far I have a working snapcraft.yaml that builds correctly, plus a hooks/install hook script that creates a default configuration for nginx.

Here is my snapcraft.yaml:

name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.

grade: devel 
confinement: strict

apps:
  nginx:
    command: bin/nginx
    plugs: [network, network-bind]

parts:
  nginx:
    plugin: autotools
    source: https://github.com/nginx/nginx.git
    source-type: git
    source-tag: release-1.13.6
    prepare: |
        wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
        mkdir zlib
        tar xvf zlib.tar.gz --strip-components 1 -C zlib/
        wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
        mkdir pcre
        tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
        auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --sbin-path=$SNAP_DATA/nginx --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
        make
    install: |
        mkdir -p $SNAPCRAFT_PART_INSTALL/bin
        cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
        - libc6
        - libgd3
        - libgeoip1
        - libpcre3
        - libssl1.0.0
        - libxml2
        - libxslt1.1
        - zlib1g

And here is the hooks/install file I have:

#!/bin/sh -e

# Create a default config file
echo "
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

}" > "$SNAP_DATA/nginx.conf"

echo "

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}" > "$SNAP_DATA/mime.types"

mkdir $SNAP_COMMON/logs
touch $SNAP_COMMON/logs/nginx.log
touch $SNAP_COMMON/logs/error.log

mkdir $SNAP_DATA/html
echo "<!DOCTYPE html>
<html>
<body>

<h1>Hello World</h1>

<p>This is Sean. With nginx. In a snap.</p>

</body>
</html>
" > $SNAP_DATA/html/index.html

(Sorry it's quite long; obviously once this works properly I'm going to tidy it up instead of just echoing it to a file.)

Anyway, I can get it working by running snapcraft prime and then sudo snap try --devmode prime/. I start the server with sudo nginx-custom.nginx, and can then go to http://localhost/index.html and get my hello world page.

However, in /var/log/syslog I see these warnings:

Nov  2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0  capname="chown"
Nov  2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6  capname="setgid"

And if I try to run it without the --devmode flag, nginx crashes:

Bad system call (core dumped)

and in syslog:

Nov  2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0

It looks like nginx is trying to call chown and setgid, but is being blocked.

I found an older example of an nginx snapcraft file, but I think it uses old syntax that no longer applies. Beyond that, the snapcraft documentation doesn't seem to say anything about permissions of this kind.


Is there a way to allow a strictly confined snap app to call chown and setgid? Or, failing that, is there a way to stop nginx needing them?
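The three audit records quoted above already say what is going wrong, once the numbers are decoded: the type=1400 AppArmor records were logged with apparmor="ALLOWED" only because --devmode puts the profile in complain mode, so they are a preview of what strict confinement will refuse, and the type=1326 record is seccomp killing the process with SIGSYS (sig=31) on x86_64 (arch=c000003e) syscall 92, which is chown. The script below is an added example for decoding such lines, not code from the question or from nginx or snapcraft; its sample input is a copy of the records quoted above, and its syscall and capability lookup tables are an assumption kept deliberately small (only the numbers seen here and their neighbours).

```python
import re
from typing import Dict, List, Optional, Set

# Copies of the three audit records quoted in the question above (sample input).
SAMPLE_LOG = """\
Nov  2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0  capname="chown"
Nov  2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6  capname="setgid"
Nov  2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0
"""

# Minimal lookup tables (assumption: only the entries needed here plus their
# immediate neighbours; a real tool would load the full per-arch tables).
AUDIT_ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {92: "chown", 93: "fchown", 94: "lchown", 105: "setuid", 106: "setgid"}
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID"}
SIGNALS = {31: "SIGSYS"}

# key=value or key="quoted value" pairs, as the kernel audit code writes them.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into its key/value fields, with quotes removed."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Turn a parsed record into a finding, or None if it is not a confinement event."""
    record_type = fields.get("type")

    # type=1400 is AppArmor. apparmor="ALLOWED" means the profile is in complain
    # mode (snap --devmode): the operation went through but would be DENIED under
    # strict confinement, so devmode logs preview the strict-mode failures.
    if record_type == "1400" and fields.get("operation") == "capable":
        cap_num = int(fields["capability"])
        return {
            "kind": "apparmor-capability",
            "pid": int(fields["pid"]),
            "comm": fields["comm"],
            "what": CAPABILITIES.get(cap_num, f"cap#{cap_num}"),
            "privilege": fields.get("capname", f"cap#{cap_num}"),
            "blocked": fields.get("apparmor") == "DENIED",
        }

    # type=1326 is seccomp. sig=31 (SIGSYS) with code=0x0 (SECCOMP_RET_KILL_THREAD)
    # is the "Bad system call (core dumped)" seen on the terminal; the syscall
    # number only means something together with the arch field.
    if record_type == "1326":
        nr = int(fields["syscall"])
        if fields.get("arch") == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}")
        else:
            name = f"syscall#{nr}(arch={fields.get('arch')})"
        sig = int(fields["sig"])
        return {
            "kind": "seccomp",
            "pid": int(fields["pid"]),
            "comm": fields["comm"],
            "what": name,
            "privilege": name,
            "signal": SIGNALS.get(sig, f"signal#{sig}"),
            "blocked": True,
        }
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every log line through the parser and keep only confinement findings."""
    findings = []
    for line in lines:
        finding = classify(parse_audit_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


def required_privileges(findings: List[Dict[str, object]]) -> Set[str]:
    """The set of privileged operations the confined app actually attempted."""
    return {str(f["privilege"]) for f in findings}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        state = "blocked" if f["blocked"] else "allowed (complain mode)"
        print(f"{f['kind']:20} pid={f['pid']} {f['comm']}: {f['what']} -> {state}")
    print("privileges needed:", sorted(required_privileges(results)))
```

Running it on the quoted records yields two complain-mode capability findings (CAP_CHOWN in the master process, CAP_SETGID in the worker) and one seccomp kill on chown, and the needed-privilege set {chown, setgid}; that set is the list to take to the snap interface documentation or, as the question asks, to the nginx configuration, to see which of them can be avoided.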

Answer 1

I managed to get it working by forking nginx and commenting out the various system calls that caused confinement violations. Note: I haven't tested this extensively, but it does seem to work for what I'm using it for. You can see the changes I made here.


snapcraft.yaml

name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.

grade: devel 
confinement: strict

apps:
  nginx:
    command: bin/nginx
    daemon: forking
    stop-command: bin/nginx -s stop
    stop-timeout: 10s
    plugs: [network, network-bind]

parts:
  nginx:
    plugin: autotools
    source: https://github.com/seanlano/nginx.git
    source-type: git
    source-tag: release-1.13.6_snap-fix
    prepare: |
        wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
        mkdir zlib
        tar xvf zlib.tar.gz --strip-components 1 -C zlib/
        wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
        mkdir pcre
        tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
        auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
        make
    install: |
        mkdir -p $SNAPCRAFT_PART_INSTALL/bin
        cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
        - libc6
        - libgd3
        - libgeoip1
        - libssl1.0.0
        - libxml2
        - libxslt1.1

You will need to create an appropriate nginx.conf file that references the correct paths within the confined environment.
