I'm the developer of jape, a formal-logic proof editor that uses Java for the GUI and OCaml for the proof-step engine (see rbornat/jape on GitHub). I'm trying to package jape as a snap. The snap contains a JRE built with jlink from AdoptOpenJDK's JDK 11, and it starts by invoking a class in that JRE.
To get the snap to build I've had to include build-attributes: [keep-execstack], because the JIT compiler (and another library, I forget which) needs it.
The snap works with --devmode and --dangerous. I've told it to connect to personal-files so that it can get at ~/.java, and to connect to :home. So far so good.
But the JRE's garbage collector does a lot of poking around in system files, as snappy-debug shows me. For example, it starts with
= AppArmor =
Time: Aug 14 18:49:17
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_uses_pid (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_uses_pid'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'
Later on it spends a lot of time reading things about memory
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.limit_in_bytes'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.usage_in_bytes'
I can't see how to make this snap strict. The system-files interface says snaps can't look at /etc or /proc; the layout mechanism doesn't like links to proc/1/cgroup (that's all I've tried so far), and I would somehow have to supply the runtime uid and pid values to describe what's going on. Yet Snapcraft's Java documentation says nothing about any of these difficulties.
Help?
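Before deciding between more plugs and a code change, it helps to condense the snappy-debug output above into one table per path. The script below is an added example, not code from the question's author or from the jape project: it parses the "Log:" lines of a snappy-debug report, collapses per-pid and per-uid paths into the same pattern form the tool's own suggestions use, and lists the paths under /proc and /etc that, as the question reports, the system-files interface will not expose. The sample log is constructed inline: the first five records mirror the ones quoted in the question, and the /etc/hosts record is a made-up DENIED event showing what the same report looks like once --devmode is dropped.

```python
import re

# Constructed sample in the shape of snappy-debug's "Log:" lines. The first
# five mirror the records quoted in the question; the /etc/hosts record is
# made up to show a DENIED event (outside --devmode nothing is merely ALLOWED).
SAMPLE_LOG = """\
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.jape.jape" name="/etc/hosts" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# AppArmor audit records are key="quoted value" or key=bareword pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def generalize(path):
    """Rewrite a concrete path into the pattern form snappy-debug suggests,
    so that per-pid and per-uid variants collapse into a single entry."""
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    path = re.sub(r"^/proc/", "@{PROC}/", path)
    path = re.sub(r"user-\d+\.slice", "user-[0-9]*.slice", path)
    path = re.sub(r"user@\d+\.service", "user@[0-9]*.service", path)
    return path


def summarize(log_text):
    """Aggregate records by generalized path: how often it was touched, with
    which operations and access masks, and whether any record was DENIED."""
    summary = {}
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue  # Time:/File:/Suggestion: lines carry no audit fields
        f = parse_apparmor_line(line)
        key = generalize(f.get("name", ""))
        e = summary.setdefault(key, {"count": 0, "ops": set(), "masks": set(), "denied": False})
        e["count"] += 1
        e["ops"].add(f.get("operation", ""))
        e["masks"].update(f.get("denied_mask", ""))
        if f.get("apparmor") == "DENIED":
            e["denied"] = True
    return summary


def ungrantable_paths(summary):
    """Paths under /proc or /etc. The question reports that the system-files
    interface refuses to expose these, so they need an application-side fix
    rather than another plug."""
    return sorted(p for p in summary if p.startswith("@{PROC}/") or p.startswith("/etc/"))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for path, e in sorted(s.items()):
        flag = "DENIED" if e["denied"] else "allowed"
        masks = "".join(sorted(e["masks"]))
        print(f"{e['count']:3d}x {masks:2s} {flag:8s} {path}  ops={sorted(e['ops'])}")
    print("not grantable via system-files:", ungrantable_paths(s))
```

Feed it the whole snappy-debug transcript (the non-"Log:" lines are skipped) and the output is a short list of patterns to act on instead of a screenful of repeated reports. For the /sys/fs/cgroup/memory reads specifically, these come from HotSpot's container-awareness probing, which JDK 11 lets you switch off with -XX:-UseContainerSupport; that is worth testing before falling back to classic confinement.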
Answer 1
I ran into the same problem when trying to package a JRE-based application as a snap. So far the only option I've found is to use classic confinement:
grade: stable
confinement: classic
Could someone tell me the correct way to package my application with strict confinement?