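Goal
Build a snap package locally from the dpdk-19.11 l2fwd program and the libraries it depends on, so that it can be installed and test-run in an Ubuntu 20.04 desktop environment.
Writing the snap package YAML description file
YAML file: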
name: test # you probably want to 'snapcraft register <name>'
base: core22 # the base snap is the execution environment for this snap
version: '0.1' # just for humans, typically '1.2+git' or '1.3.2'
summary: Single-line elevator pitch for your amazing snap # 79 char long summary
description: |
  This is my-snap's description. You have a paragraph or two to tell the
  most important story about your snap. Keep it under 100 words though,
  we live in tweetspace and your description wants to look good in the snap
  store.
grade: devel # must be 'stable' to release into candidate/stable channels
confinement: devmode # use 'strict' once you have the right plugs and slots
apps:
  l2fwd:
    command: bin/l2fwd
parts:
  file-copy:
    plugin: dump
    source: /home/longyu/snap/l2fwd
    stage:
      - bin
      - lib
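The description file above uses the file-copy part to copy the binary files from the specified directory into the snap, and the snap package file is generated from those files.
Original file directory layout: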
root@ubuntu:/home/longyu/snap/l2fwd# tree ./bin ./lib/
./bin
└── l2fwd
./lib/
└── x86_64-linux-gnu
    ├── libcrypto.so.1.0.0
    └── libnuma.so.1

1 directory, 3 files
Building the snap package
The build log is as follows:
root@ubuntu:/home/longyu/snap/l2fwd/snap# snapcraft --destructive-mode --debug
Executed: pull file-copy
Executed: build file-copy
Executed: stage file-copy
Executed: prime file-copy
Executed parts lifecycle
Generated snap metadata
Running linter: library
/bin/bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /snap/core22/current/lib/x86_64-linux-gnu/libtinfo.so.6)
/bin/bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /snap/core22/current/lib/x86_64-linux-gnu/libtinfo.so.6)
Unable to determine library dependencies for 'lib/x86_64-linux-gnu/libcrypto.so.1.0.0'
/bin/bash: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /snap/core22/current/lib/x86_64-linux-gnu/libtinfo.so.6)
Unable to determine library dependencies for 'lib/x86_64-linux-gnu/libnuma.so.1'
Created snap package test_0.1_amd64.snap
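Running snapcraft with the debug option prints debugging information during the snap build; when something goes wrong, that information can be used for troubleshooting.
Installing and running the l2fwd snap package
Install command: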
snap install --dangerous ./test_0.1_amd64.snap --devmode
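By default snap installs packages from the official store. To install a locally built snap package you must pass --dangerous. The --devmode option selects development mode, in which snap's internal permission controls only write log entries and do not actually block anything, which is convenient for testing.
Sample run log: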
root@ubuntu:/home/longyu/snap/l2fwd# /snap/bin/test.l2fwd
EAL: Detected 4 lcore(s)
EAL: Detected 1 NUMA nodes
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: No available hugepages reported in hugepages-1048576kB
EAL: Probing VFIO support...
EAL: VFIO support initialized
EAL: PCI device 0000:02:01.0 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 8086:100f net_e1000_em
EAL: PCI device 0000:02:06.0 on NUMA socket -1
EAL: Invalid NUMA socket, default to 0
EAL: probe driver: 8086:100f net_e1000_em
EAL: using IOMMU type 8 (No-IOMMU)
EAL: Ignore mapping IO port bar(4)
Related dmesg output:
[518163.136314] kauditd_printk_skb: 712 callbacks suppressed
[518163.136317] audit: type=1326 audit(1693798734.950:73568): auid=1000 uid=0 gid=0 ses=286 subj=snap.test.l2fwd pid=274885 comm="l2fwd" exe="/snap/test/x1/bin/l2fwd" sig=0 arch=c000003e syscall=172 compat=0 ip=0x7f4a886fdb3b code=0x7ffc0000
[518163.138624] audit: type=1400 audit(1693798734.950:73569): apparmor="ALLOWED" operation="open" profile="snap.test.l2fwd" name="/run/dpdk/rte/config" pid=274885 comm="l2fwd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
...
[518496.329159] audit: type=1400 audit(1693799068.140:74046): apparmor="ALLOWED" operation="unlink" profile="snap.test.l2fwd" name="/run/dpdk/rte/mp_socket" pid=275040 comm="l2fwd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[518496.329171] audit: type=1326 audit(1693799068.140:74047): auid=1000 uid=0 gid=0 ses=286 subj=snap.test.l2fwd pid=275040 comm="l2fwd" exe="/snap/test/x1/bin/l2fwd" sig=0 arch=c000003e syscall=49 compat=0 ip=0x7fbb4b8ff66b code=0x7ffc0000
[518496.546520] vfio-pci 0000:02:06.0: vfio-noiommu device opened by user (l2fwd:275040)
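The dmesg log shows that AppArmor observed many of the resource accesses l2fwd made while running, but only logged them and did not block them, so the program runs normally.
Running l2fwd in strict mode
Audit messages in dmesg: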
[612862.262407] audit: type=1400 audit(1693893435.219:74550): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.test-user-core" pid=285736 comm="apparmor_parser"
[612862.343653] audit: type=1400 audit(1693893435.303:74551): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.test-user-core.l2fwd" pid=285737 comm="apparmor_parser"
[612884.622773] audit: type=1326 audit(1693893457.551:74552): auid=1000 uid=0 gid=0 ses=339 subj=snap.test-user-core.l2fwd pid=285770 comm="l2fwd" exe="/snap/test-user-core/x1/bin/l2fwd" sig=0 arch=c000003e syscall=172 compat=0 ip=0x7fdf39e16b3b code=0x50000
[612884.766348] audit: type=1400 audit(1693893457.719:74553): apparmor="DENIED" operation="open" profile="snap.test-user-core.l2fwd" name="/run/dpdk/rte/config" pid=285770 comm="l2fwd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
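The log above is part of what the kernel printed when running in strict mode. In this mode the default AppArmor rules are strictly enforced for l2fwd: AppArmor blocked l2fwd from opening /run/dpdk/rte/config, so l2fwd cannot run normally.
To make l2fwd run normally, its AppArmor rules need to be modified. The goal has already been reached here, so that step is skipped for now.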