How to build a snap based on a jre


I am the developer of jape, a formal-logic proof editor that uses Java for its GUI and OCaml for its proof-step engine (see rbornat/jape on github). I'm trying to package jape as a snap. The snap includes a jre, built with jlink from adoptopenjdk's JDK 11. It starts by invoking a class in that jre.

To build the snap I've had to include build-attributes: [keep-execstack], because the JIT compiler (and another library, I forget which) needs it.

The snap works with --devmode and --dangerous. I've told it to plug personal-files so that it can access ~/.java, and to plug :home. So far so good.

But the jre's garbage collector does a lot of accessing of system files, as snappy-debug shows me. For example, it starts with

= AppArmor =
Time: Aug 14 18:49:17
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_uses_pid (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_uses_pid'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

Later it spends a lot of time reading things about memory

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.limit_in_bytes'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.usage_in_bytes'

I don't know how to make this snap simple. The system-files interface says snaps can't look at /etc/proc; the layout mechanism doesn't like linking to proc/1/cgroup (that is everything I've tried so far); and I would somehow have to supply the running uid and pid values to describe what is going on. Yet Snapcraft's Java documentation doesn't mention any of these difficulties.

Help?
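The snappy-debug output quoted above is a preview of what strict confinement would refuse: under --devmode the snap's AppArmor profile runs in complain mode, so each would-be denial is audited as apparmor="ALLOWED" instead of being blocked. The script below is an added example, not part of the question or of jape: it parses those audit records, normalises concrete paths into the AppArmor-variable form that snappy-debug's suggestions use (@{PROC}/@{pid}/..., user-[0-9]*.slice, user@[0-9]*.service), and groups accesses by scope so a packager can tell at a glance which ones touch the JVM's own /proc entry, another process's entry (here pid 1), a sysctl, or a cgroup file. The embedded log lines are copied from the question; the function names and scope labels are my own.

```python
"""Triage snappy-debug / AppArmor output captured from a snap run in --devmode.

In devmode AppArmor audits every would-be denial as apparmor="ALLOWED" instead
of blocking it, so the log is a preview of what strict confinement will refuse.
"""
import re

# key="value" pairs in an AppArmor audit line (pid=NNN and fsuid=NNN are unquoted).
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PID_RE = re.compile(r"\bpid=(\d+)")

# Sample input: a subset of the snappy-debug lines quoted in the question above.
SAMPLE_LOG = """\
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""


def parse_record(line):
    """Return a dict of fields for one 'Log: apparmor=...' line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    rec = dict(KV_RE.findall(line))
    m = PID_RE.search(line)
    rec["pid"] = m.group(1) if m else None
    return rec


def normalise_path(path):
    """Rewrite a concrete path the way snappy-debug's suggestions do.

    /proc/<pid>/x       -> @{PROC}/@{pid}/x
    /proc/sys/x         -> @{PROC}/sys/x
    user-1000.slice     -> user-[0-9]*.slice
    user@1000.service   -> user@[0-9]*.service
    """
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    path = re.sub(r"^/proc/", "@{PROC}/", path)
    path = re.sub(r"user-\d+\.slice", "user-[0-9]*.slice", path)
    path = re.sub(r"user@\d+\.service", "user@[0-9]*.service", path)
    return path


def classify(rec):
    """Label an access by what the sandbox would be exposing (labels are my own)."""
    path, pid = rec["name"], rec["pid"]
    if pid and path.startswith(f"/proc/{pid}/"):
        return "self-proc"      # the JVM's own /proc entry
    if re.match(r"^/proc/\d+/", path):
        return "other-proc"     # another process's entry (pid 1 in the question)
    if path.startswith("/proc/sys/"):
        return "sysctl"
    if path.startswith("/sys/fs/cgroup/"):
        return "cgroup"
    return "other"


def summarise(log_text):
    """Aggregate records into {(normalised path, mask): {count, scope, ops, status}}."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (normalise_path(rec["name"]), rec["requested_mask"])
        entry = summary.setdefault(
            key, {"count": 0, "scope": classify(rec), "ops": set(), "status": set()}
        )
        entry["count"] += 1
        entry["ops"].add(rec["operation"])
        entry["status"].add(rec["apparmor"])   # ALLOWED in devmode, DENIED under strict
    return summary


def report(log_text):
    """One human-readable row per distinct (path, mask), most frequent first."""
    rows = []
    ordered = sorted(summarise(log_text).items(), key=lambda kv: -kv[1]["count"])
    for (path, mask), e in ordered:
        ops = ",".join(sorted(e["ops"]))
        rows.append(f"{e['count']:3d}x {mask:<3} {e['scope']:<10} {path}  ops={ops}")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Feed it `snappy-debug` output (or `journalctl -k` lines) from a devmode run and the "self-proc" rows are the ones a future interface could plausibly cover, while "other-proc" rows such as /proc/1/cgroup are reads of another process's state, which is why the classifier keeps them apart even though snappy-debug's suggestion collapses both to @{PROC}/@{pid}/cgroup.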

Answer 1

I ran into the same problem when I tried to package a JRE-based application as a snap. So far, the only option I have found is to use classic confinement:

grade: stable
confinement: classic

Can anyone tell me the proper way to package my application with strict confinement?
