I'm trying to make a snap package for a custom nginx build: the idea is that I can run the snap and it will start an nginx server serving the HTML content the snap contains.
So far I have a working snapcraft.yaml that builds nginx just fine, and a hook script in hooks/install that creates a default configuration for nginx.
This is my snapcraft.yaml:
name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.
grade: devel
confinement: strict

apps:
  nginx:
    command: bin/nginx
    plugs: [network, network-bind]

parts:
  nginx:
    plugin: autotools
    source: https://github.com/nginx/nginx.git
    source-type: git
    source-tag: release-1.13.6
    prepare: |
      wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
      mkdir zlib
      tar xvf zlib.tar.gz --strip-components 1 -C zlib/
      wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
      mkdir pcre
      tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
      auto/configure \
        --prefix=/var/snap/nginx-custom/current \
        --conf-path=/var/snap/nginx-custom/current/nginx.conf \
        --pid-path=/var/snap/nginx-custom/current/nginx.pid \
        --sbin-path=$SNAP_DATA/nginx \
        --with-zlib=zlib/ \
        --with-pcre=pcre/ \
        --error-log-path=/var/snap/nginx-custom/common/logs/error.log \
        --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
      make
    install: |
      mkdir -p $SNAPCRAFT_PART_INSTALL/bin
      cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
      - libc6
      - libgd3
      - libgeoip1
      - libpcre3
      - libssl1.0.0
      - libxml2
      - libxslt1.1
      - zlib1g
And this is the file I have in hooks/install:
#!/bin/sh -e
# Create a default config file on first install.
# Quoted heredocs (<<'EOF') keep the $variables and "quotes" inside the
# nginx config literal; a double-quoted echo "..." lets the shell expand
# them and the embedded "$request" quotes would break the string.
cat > "$SNAP_DATA/nginx.conf" <<'EOF'
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    server {
        listen       80;
        server_name  localhost;
        #access_log  logs/host.access.log  main;
        location / {
            root   html;
            index  index.html index.htm;
        }
        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
EOF

# The mime.types table referenced by "include mime.types;" above.
cat > "$SNAP_DATA/mime.types" <<'EOF'
types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;
    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                          pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                          xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                          docx;
    application/vnd.wap.wmlc              wmlc;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;
    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;
    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;
    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}
EOF

# Log files live in $SNAP_COMMON (shared across revisions); -p makes the
# hook safe to re-run.
mkdir -p "$SNAP_COMMON/logs"
touch "$SNAP_COMMON/logs/nginx.log" "$SNAP_COMMON/logs/error.log"

# Document root: "root html;" is relative to the --prefix, i.e. $SNAP_DATA.
mkdir -p "$SNAP_DATA/html"
cat > "$SNAP_DATA/html/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<body>
<h1>Hello World</h1>
<p>This is Sean. With nginx. In a snap.</p>
</body>
</html>
EOF
(sorry it's quite long; obviously once this works properly I'm going to tidy it up instead of just echoing it to a file).
Anyway, I can get this working by running snapcraft prime and then sudo snap try --devmode prime/. I start the server with sudo nginx-custom.nginx and can then go to the link and get my "hello world" page.
But looking in /var/log/syslog, I see these warnings:
Nov 2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0 capname="chown"
Nov 2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6 capname="setgid"
And if I try to run it without the --devmode flag, I get a failure from nginx:
Bad system call (core dumped)
And in syslog:
Nov 2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0
It looks like nginx is trying to call chown and setgid but is being blocked.
I found an old nginx snapcraft file, but it uses what I think is older syntax that no longer works. Other than that, there doesn't seem to be anything about this kind of permission in the snapcraft docs.
Is there a way to allow a strictly confined snap app to call chown and setgid? Or, failing that, a way to stop nginx from needing them?
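As an added example (not code from the question, from nginx or from snapcraft): a small POSIX sh script that decodes the two kinds of audit records quoted above, the AppArmor type=1400 lines seen under --devmode and the seccomp type=1326 line seen under strict confinement, so the blocked capability or syscall can be read off the log before changing the snap. The three log lines in SAMPLE_LOG are copied from the question; the syscall-number table is my own and assumes x86_64 (arch=c000003e), which the page does not state beyond the arch field in the record.

```shell
#!/bin/sh
# Added example: decode snapd sandbox denials from syslog.
# Assumptions (not on the page): records use the kernel audit format shown
# in the question, and the snap runs on x86_64 (arch=c000003e).

# Sample input copied from the question's syslog excerpt.
SAMPLE_LOG='Nov 2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0 capname="chown"
Nov 2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6 capname="setgid"
Nov 2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0'

# Map an x86_64 syscall number to its name for the privilege-related calls
# a daemon issues when it starts as root and drops to its configured user
# (my own table; anything else is reported by number).
syscall_name() {
    case "$1:$2" in
        c000003e:92)  echo chown ;;
        c000003e:93)  echo fchown ;;
        c000003e:94)  echo lchown ;;
        c000003e:105) echo setuid ;;
        c000003e:106) echo setgid ;;
        c000003e:116) echo setgroups ;;
        *) echo "syscall#$2" ;;
    esac
}

# field RECORD KEY: print the value of KEY=value in an audit record,
# with surrounding double quotes stripped.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# Turn one audit record into a one-line verdict.
decode_record() {
    rec=$1
    case "$(field "$rec" type)" in
        1400)
            # AppArmor. apparmor="ALLOWED" is only logged in complain mode
            # (snap try --devmode); under strict confinement the same
            # operation is logged as DENIED and the call fails with EPERM.
            printf 'apparmor %s: %s needs capability %s (%s)\n' \
                "$(field "$rec" apparmor)" "$(field "$rec" comm)" \
                "$(field "$rec" capname)" "$(field "$rec" operation)"
            ;;
        1326)
            # seccomp. sig=31 is SIGSYS: the syscall is not in the snap's
            # filter, so the kernel killed the process, which the shell
            # reports as "Bad system call (core dumped)".
            sig=$(field "$rec" sig)
            name=$(syscall_name "$(field "$rec" arch)" "$(field "$rec" syscall)")
            if [ "$sig" = 31 ]; then
                printf 'seccomp killed %s (pid %s) with SIGSYS on %s\n' \
                    "$(field "$rec" comm)" "$(field "$rec" pid)" "$name"
            else
                printf 'seccomp: %s got signal %s on %s\n' \
                    "$(field "$rec" comm)" "$sig" "$name"
            fi
            ;;
        *)
            printf 'not an apparmor/seccomp record\n'
            ;;
    esac
}

# decode_log TEXT: run decode_record over every audit line in TEXT.
decode_log() {
    printf '%s\n' "$1" | grep 'audit: type=' | while IFS= read -r line; do
        decode_record "$line"
    done
}

decode_log "$SAMPLE_LOG"
```

Run with sh and it prints one verdict per record: the two devmode lines name the chown and setgid capabilities, and the strict-mode line decodes to nginx killed by SIGSYS on syscall 92, which on x86_64 is chown, matching the "Bad system call" crash. For what it is worth, nginx only calls chown (on its log and temp paths) and setgid/setuid (when the workers drop to the configured user) when the master process starts with euid 0, so starting the snap without sudo on an unprivileged port avoids both calls; that is my reading of the nginx source, not something the page establishes.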