
how to build a snap based on a jre


I'm the developer of jape, a formal logic proof editor which uses java to provide a GUI and OCaml to provide a proof-step engine. (see rbornat/jape on github). I'm trying to package jape as a snap. The snap contains a jre, built using jlink and the JDK 11 from adoptopenjdk. It commences by calling a class in the jre.

To build the snap I already had to include build-attributes: [keep-execstack] because the JIT compiler (and another library, forgotten what) needs it.

The snap works with --devmode and --dangerous. I've told it to connect to personal-files so it can get at ~/.java, and connected to :home. So far so good.

But the jre's garbage collector makes a lot of access to system files, shown to me by snappy-debug. For example, it starts with

= AppArmor =
Time: Aug 14 18:49:17
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_uses_pid (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_uses_pid'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

and later it spends lots of time reading stuff about memory

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.limit_in_bytes'

= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.usage_in_bytes'

I'm at a loss to see how to make this a snap. The system-files interface says the snap mustn't look at /etc or /proc; the layout mechanism doesn't like linking to proc/1/cgroup (which is all I've tried so far), and I would have to somehow provide run-time uid and pid values to describe what's going on. Yet the snapcraft documentation for java doesn't hint at any of these difficulties.

Help?
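As an added illustration (this is not part of the question, nor code from jape or snapd), here is a small Python triage script for the AppArmor records that snappy-debug prints. Before deciding which interface to plug or which JVM behaviour to turn off, it helps to know exactly what the runtime touches: the script parses each `Log:` line's key=value fields, rewrites the concrete pid and uid components into the variable form the tool's own suggestions use (`@{PROC}/@{pid}/...`, `user-[0-9]*.slice`), and counts accesses per generalised path and per category, so hundreds of repeated cgroup reads collapse into a handful of distinct paths to reason about. The sample log is constructed from the records quoted above (the `user@1000.service` path component is taken from the tool's `user@[0-9]*.service` suggestion), plus one constructed `DENIED` record for `/etc/hosts` so the status column is exercised; the function and category names are my own.

```python
import re
from collections import Counter

# Constructed sample: audit lines modelled on the snappy-debug output in the
# question, with one constructed DENIED record added to exercise the status field.
SAMPLE_LOG = """\
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.jape.jape" name="/etc/hosts" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def generalise(path):
    """Rewrite a concrete path into the variable form snappy-debug suggests,
    so accesses that differ only by pid or uid collapse into one entry."""
    p = re.sub(r'^/proc/\d+/', '/proc/@{pid}/', path)
    p = re.sub(r'^/proc/', '@{PROC}/', p)
    p = re.sub(r'user-\d+\.slice', 'user-[0-9]*.slice', p)
    p = re.sub(r'user@\d+\.service', 'user@[0-9]*.service', p)
    return p


def category(path):
    """Coarse bucket by filesystem area (hypothetical labels, chosen here)."""
    if path.startswith('/proc/'):
        return 'proc'
    if path.startswith('/sys/fs/cgroup/'):
        return 'cgroup'
    if path.startswith('/etc/'):
        return 'etc'
    return 'other'


def triage(log_text):
    """Count (status, generalised path, requested mask) triples and
    (status, category) pairs across every AppArmor record in the text."""
    by_path = Counter()
    by_category = Counter()
    for line in log_text.splitlines():
        if 'apparmor=' not in line:
            continue  # skip the Time:/File:/Suggestion: lines
        rec = parse_record(line)
        status, path, mask = rec['apparmor'], rec['name'], rec['requested_mask']
        by_path[(status, generalise(path), mask)] += 1
        by_category[(status, category(path))] += 1
    return by_path, by_category


def report(log_text):
    """Human-readable summary, most frequent paths first."""
    by_path, by_category = triage(log_text)
    lines = ['By category:']
    for (status, cat), n in sorted(by_category.items()):
        lines.append(f'  {status:8} {cat:8} {n}')
    lines.append('By path:')
    for (status, path, mask), n in by_path.most_common():
        lines.append(f'  {n:4}  {status:8} {mask:3} {path}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Run it against a file captured from `snappy-debug` (or directly from `journalctl -k`) by passing that text to `report()`; the "By path" section is the list of distinct things the JVM needs, and the "By category" counts make it obvious at a glance whether the noise is coming from `/proc`, from cgroup memory accounting, or from something that genuinely needs an interface.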

user535733:
This seems like a good question for the Snapcraft experts at snap.io.

