I'm trying to make a snap package for a custom nginx build - the idea is that I can run my snap and it will start an nginx server serving the HTML content included in the snap.
So far I have a working snapcraft.yaml file that builds fine, and a hooks/install hook script that creates a default configuration for nginx.
Here is my snapcraft.yaml:
name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.
grade: devel
confinement: strict
apps:
  nginx:
    command: bin/nginx
    plugs: [network, network-bind]
parts:
  nginx:
    plugin: autotools
    source: https://github.com/nginx/nginx.git
    source-type: git
    source-tag: release-1.13.6
    prepare: |
      wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
      mkdir zlib
      tar xvf zlib.tar.gz --strip-components 1 -C zlib/
      wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
      mkdir pcre
      tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
      auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --sbin-path=$SNAP_DATA/nginx --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
      make
    install: |
      mkdir -p $SNAPCRAFT_PART_INSTALL/bin
      cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
      - libc6
      - libgd3
      - libgeoip1
      - libpcre3
      - libssl1.0.0
      - libxml2
      - libxslt1.1
      - zlib1g
And here is the hooks/install file I have:
#!/bin/sh -e
# Create a default config file.
# nginx's own $variables and the inner double quotes in the log_format
# comment are escaped so the shell does not expand or split them inside
# this double-quoted string.
echo "
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '\$remote_addr - \$remote_user [\$time_local] \"\$request\" '
    #                '\$status \$body_bytes_sent \"\$http_referer\" '
    #                '\"\$http_user_agent\" \"\$http_x_forwarded_for\"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name localhost;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}" > "$SNAP_DATA/nginx.conf"
# Create the mime.types file referenced by the config above.
echo "
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.wap.wmlc wmlc;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}" > "$SNAP_DATA/mime.types"
# Log files and the document root with a placeholder page.
mkdir "$SNAP_COMMON/logs"
touch "$SNAP_COMMON/logs/nginx.log"
touch "$SNAP_COMMON/logs/error.log"
mkdir "$SNAP_DATA/html"
echo "<!DOCTYPE html>
<html>
<body>
<h1>Hello World</h1>
<p>This is Sean. With nginx. In a snap.</p>
</body>
</html>
" > "$SNAP_DATA/html/index.html"
(Sorry it's quite long; obviously once this works properly I'm going to tidy it up instead of just echo'ing it to a file.)
Anyway, I can get this working by running snapcraft prime and then sudo snap try --devmode prime/. I start the server with sudo nginx-custom.nginx, and can then go to http://localhost/index.html and get my hello world page.
However, in /var/log/syslog I see these warnings:
Nov 2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0 capname="chown"
Nov 2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6 capname="setgid"
And if I try to run it without the --devmode flag, nginx crashes with:
Bad system call (core dumped)
and in syslog:
Nov 2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0
It looks like nginx is trying to call chown and setgid, but is being blocked.
I found an earlier example of an nginx snapcraft file, but I think it uses an older syntax that no longer applies. Other than that, there doesn't seem to be anything in the snapcraft documentation about this kind of permission.
Is there a way to allow a confined snap app to call chown and setgid? Or, failing that, is there a way to stop nginx needing them?
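As an added example (not part of the question or the answer), here is a small Python scanner for the two kinds of audit records quoted above. It decodes the capability numbers and the x86_64 syscall number so that the --devmode "ALLOWED" warnings and the strict-mode seccomp kill can be read side by side; the syscall and capability tables are deliberately partial, and the sample input is the question's own log lines.

```python
import re

# Constructed sample input: the audit records quoted in the question above.
# type=1400 is an AppArmor event; apparmor="ALLOWED" is what --devmode logs
# for an action that strict confinement would refuse. type=1326 is a seccomp
# event; sig=31 (SIGSYS) is the kill behind "Bad system call (core dumped)".
SAMPLE_SYSLOG = """\
Nov 2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0 capname="chown"
Nov 2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6 capname="setgid"
Nov 2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0
"""

# Partial tables, enough for the numbers this question involves
# (Linux x86_64 syscall table and <linux/capability.h>).
X86_64_SYSCALLS = {92: "chown", 105: "setuid", 106: "setgid"}
CAPABILITIES = {0: "CAP_CHOWN", 6: "CAP_SETGID", 7: "CAP_SETUID"}
AUDIT_ARCH_X86_64 = "c000003e"
SIGSYS = 31
AUDIT_RE = re.compile(r"audit: type=(\d+) audit\([^)]*\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Split one kernel audit line into a dict of its key=value fields."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["type"] = int(m.group(1))
    return fields

def explain(f):
    """Describe what the confinement policy did to this process and why."""
    if f["type"] == 1400 and f.get("operation") == "capable":
        cap = CAPABILITIES.get(int(f["capability"]), "CAP_" + f["capname"].upper())
        how = ("allowed only by --devmode; strict confinement denies it"
               if f["apparmor"] == "ALLOWED" else "denied")
        return f"{f['comm']} ({f['profile']}): capability {cap} {how}"
    if f["type"] == 1326:
        num = int(f["syscall"])
        name = X86_64_SYSCALLS.get(num, "?") if f["arch"] == AUDIT_ARCH_X86_64 else "?"
        fate = ("killed with SIGSYS (the 'Bad system call' crash)"
                if int(f["sig"]) == SIGSYS else f"signal {f['sig']}")
        return f"{f['comm']}: seccomp blocked syscall {name}({num}); process {fate}"
    return None

def scan(text):
    """One finding per confinement-related audit record in the syslog text."""
    records = filter(None, map(parse_audit, text.splitlines()))
    return [note for note in map(explain, records) if note]
```

Running scan(SAMPLE_SYSLOG) yields three findings: the two capability checks that only passed because of --devmode, and the chown syscall that seccomp killed under strict confinement.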
Answer 1
I managed to get it working by forking nginx and commenting out the various syscalls that were causing the confinement violations. Note: I haven't tested this extensively, but it does seem to work for what I'm using it for. You can see the changes I made here.
snapcraft.yaml
name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.
grade: devel
confinement: strict
apps:
  nginx:
    command: bin/nginx
    daemon: forking
    stop-command: bin/nginx -s stop
    stop-timeout: 10s
    plugs: [network, network-bind]
parts:
  nginx:
    plugin: autotools
    source: https://github.com/seanlano/nginx.git
    source-type: git
    source-tag: release-1.13.6_snap-fix
    prepare: |
      wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
      mkdir zlib
      tar xvf zlib.tar.gz --strip-components 1 -C zlib/
      wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
      mkdir pcre
      tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
      auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
      make
    install: |
      mkdir -p $SNAPCRAFT_PART_INSTALL/bin
      cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
      - libc6
      - libgd3
      - libgeoip1
      - libssl1.0.0
      - libxml2
      - libxslt1.1
You will need to create an appropriate nginx.conf file that references the correct paths within the confined environment.