Open comword opened 6 years ago
The problem seems to boil down to missing support in your kernel for FUSE mounts in unprivileged user namespaces. The Ubuntu kernel has come with support for this for quite a while, but I am not sure what the state of this is in the Debian kernel you're using. @zhsj Any idea?
The audit messages in the kernel log are normal and not a problem, as the snap is running in devmode, which enables seccomp and AppArmor only in complain mode.
Regarding "Settings to the DNS server, IP address, IPv6 support, Proxy": I am not sure what you mean, as you primarily describe the problem with the failing sdcard process. To separate things, can you file a separate bug report for any missing or non-working network function you're seeing?
@morphis How can I check whether the fuse module supports unprivileged user namespaces? Is there a kernel config option? Is this feature in upstream? I don't think Debian has a magic patch on top of the upstream fuse module.
$ grep -i fuse /boot/config-4.17.0-3-amd64
CONFIG_FUSE_FS=m
I'm also having the same FUSE spamming problem with a freshly installed Anbox on Gentoo. I have CONFIG_FUSE_FS=m too.
version: 4
snap-revision: 144
cpu:
arch: x86
brand: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
features:
- aes
- sse4_1
- sse4_2
- avx
os:
name: Gentoo
version:
snap-based: true
kernel:
version: Linux version 4.14.65-gentoo (root@pen) (gcc version 8.2.0 (Gentoo 8.2.0-r2 p1.2)) #4 SMP Mon Sep 3 12:20:52 CEST 2018
binder: true
ashmem: true
graphics:
egl:
vendor: Mesa Project
version: 1.4 (DRI2)
extensions:
- EGL_ANDROID_native_fence_sync
- EGL_CHROMIUM_sync_control
- EGL_EXT_buffer_age
- EGL_EXT_create_context_robustness
- EGL_EXT_image_dma_buf_import
- EGL_EXT_image_dma_buf_import_modifiers
- EGL_KHR_config_attribs
- EGL_KHR_create_context
- EGL_KHR_create_context_no_error
- EGL_KHR_fence_sync
- EGL_KHR_get_all_proc_addresses
- EGL_KHR_gl_colorspace
- EGL_KHR_gl_renderbuffer_image
- EGL_KHR_gl_texture_2D_image
- EGL_KHR_gl_texture_3D_image
- EGL_KHR_gl_texture_cubemap_image
- EGL_KHR_image
- EGL_KHR_image_base
- EGL_KHR_image_pixmap
- EGL_KHR_no_config_context
- EGL_KHR_reusable_sync
- EGL_KHR_surfaceless_context
- EGL_EXT_pixel_format_float
- EGL_KHR_wait_sync
- EGL_MESA_configless_context
- EGL_MESA_drm_image
- EGL_MESA_image_dma_buf_export
- EGL_NOK_texture_from_pixmap
- EGL_WL_bind_wayland_display
gles2:
vendor: Intel Open Source Technology Center
vendor: OpenGL ES 3.0 Mesa 18.0.5
extensions:
- GL_ANGLE_texture_compression_dxt3
- GL_ANGLE_texture_compression_dxt5
- GL_APPLE_texture_max_level
- GL_EXT_blend_func_extended
- GL_EXT_blend_minmax
- GL_EXT_clip_cull_distance
- GL_EXT_color_buffer_float
- GL_EXT_compressed_ETC1_RGB8_sub_texture
- GL_EXT_discard_framebuffer
- GL_EXT_disjoint_timer_query
- GL_EXT_draw_buffers
- GL_EXT_draw_buffers_indexed
- GL_EXT_draw_elements_base_vertex
- GL_EXT_frag_depth
- GL_EXT_map_buffer_range
- GL_EXT_multi_draw_arrays
- GL_EXT_occlusion_query_boolean
- GL_EXT_polygon_offset_clamp
- GL_EXT_read_format_bgra
- GL_EXT_robustness
- GL_EXT_separate_shader_objects
- GL_EXT_shader_integer_mix
- GL_EXT_texture_border_clamp
- GL_EXT_texture_compression_dxt1
- GL_EXT_texture_filter_anisotropic
- GL_EXT_texture_format_BGRA8888
- GL_EXT_texture_rg
- GL_EXT_texture_sRGB_decode
- GL_EXT_texture_type_2_10_10_10_REV
- GL_EXT_unpack_subimage
- GL_INTEL_performance_query
- GL_KHR_blend_equation_advanced
- GL_KHR_context_flush_control
- GL_KHR_debug
- GL_KHR_no_error
- GL_KHR_robustness
- GL_MESA_shader_integer_functions
- GL_NV_draw_buffers
- GL_NV_fbo_color_attachments
- GL_NV_read_buffer
- GL_NV_read_depth
- GL_NV_read_depth_stencil
- GL_NV_read_stencil
- GL_OES_EGL_image
- GL_OES_EGL_image_external
- GL_OES_EGL_sync
- GL_OES_compressed_ETC1_RGB8_texture
- GL_OES_depth24
- GL_OES_depth_texture
- GL_OES_depth_texture_cube_map
- GL_OES_draw_buffers_indexed
- GL_OES_draw_elements_base_vertex
- GL_OES_element_index_uint
- GL_OES_fbo_render_mipmap
- GL_OES_get_program_binary
- GL_OES_mapbuffer
- GL_OES_packed_depth_stencil
- GL_OES_required_internalformat
- GL_OES_rgb8_rgba8
- GL_OES_sample_shading
- GL_OES_sample_variables
- GL_OES_shader_multisample_interpolation
- GL_OES_standard_derivatives
- GL_OES_stencil8
- GL_OES_surfaceless_context
- GL_OES_texture_3D
- GL_OES_texture_border_clamp
- GL_OES_texture_float
- GL_OES_texture_float_linear
- GL_OES_texture_half_float
- GL_OES_texture_half_float_linear
- GL_OES_texture_npot
- GL_OES_vertex_array_object
- GL_OES_vertex_half_float
If anyone has ideas about what other kernel parameters could be missing, I'd be happy to add them to my kernel and test :D
After some research on FUSE mounts in unprivileged containers, this issue is related to the kernel and the LXC container. Please consider giving an option to use a privileged container rather than modifying the kernel.
There's an option --privileged to anbox container-manager.
If you want to run a privileged container, just run snap set anbox container.privileged=true. However, a privileged container is not the right answer, as it compromises security: effectively it becomes easy for Android apps to own your entire system, as we don't have much other security protection in place (we can't use SELinux like regular Android builds do). Also, running Anbox in privileged mode will break in other places, as the Android rootfs has its user and group IDs shifted to the new base ID 100000.
The right answer to the FUSE problem is to run the sdcard daemon process from the Android system outside of the user namespace. That removes the unprivileged mount problem but brings in a new problem, as we need to tell sdcard to properly translate all IDs to our base one at 100000.
Your kernel should support FUSE in user namespaces when /sys/module/fuse/parameters/userns_mounts is present.
So the solutions would be either to patch our kernels with that Ubuntu patch, or to somehow hope that running in privileged mode won't break it, or to have FUSE work from the inside out? Wouldn't it be easier to try something like NBD to mount the sdcard, or maybe NFS, apart from the performance penalty it would bring?
NBD or NFS won't help, as the sdcard FUSE file system serves a very Android-specific need. Have a read of http://androidxref.com/6.0.0_r5/xref/system/core/sdcard/sdcard.c#47 and https://www.xda-developers.com/diving-into-sdcardfs-how-googles-fuse-replacement-will-reduce-io-overhead/ for more details. Working around the sdcard FUSE file system is not an option, sadly.
Well that's sad then. Is there any way I could get that one patch I need for FUSE?
FWIW, FUSE in user namespaces has been accepted in the upstream tree since 4.18.
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.18-FUSE
@kde99 I can't say if it's a single patch or multiple. The link @zhsj provided should be a good starting point for further investigation.
@zhsj I updated to 4.18.5 and get "ls: cannot access '/sys/module/fuse/parameters/userns_mounts': No such file or directory"; also, Anbox is now failing to even start up, with "SIGBUS" in art (paste of log). Back with the older kernel it starts well, though.
EDIT: It starts well under 4.14.65, but FUSE fails because of the missing stuff.
@kde99 The SIGBUS crash on kernels >= 4.18 was just fixed with https://github.com/anbox/anbox-modules/pull/9. A newer anbox-modules package is already available in the anbox-support PPA (https://launchpad.net/~morphis/+archive/ubuntu/anbox-support/). If you manually installed the kernel modules or use packages for a different distribution, they need to be updated to include the changes from the mentioned PR.
/sys/module/fuse/parameters/userns_mounts does not need to exist on plain upstream kernels, as I suspect the upstream and Ubuntu implementations are slightly different. The check in the container-manager startup script just prints a warning but still continues to start the manager.
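The thread leaves the reader with three separate indicators of whether a host kernel can serve Anbox's sdcard FUSE mount from an unprivileged user namespace: CONFIG_FUSE_FS being built, the Ubuntu-specific /sys/module/fuse/parameters/userns_mounts parameter, and, for plain upstream kernels, a version of 4.18 or newer. The following POSIX sh script is an added example that bundles those checks; it is not code from the Anbox project or from any participant here. The verdict strings, the function names, and the handling of a gzip-compressed config (as Gentoo's /proc/config.gz) are the example's own assumptions, as is the note that the sysfs parameter is only visible once the fuse module is actually loaded.

```shell
#!/bin/sh
# Added example, not part of Anbox: decide whether this kernel can do
# FUSE mounts inside an unprivileged user namespace, using the three
# indicators discussed in the thread.

# fuse_built CONFIG_FILE
# Succeeds when CONFIG_FUSE_FS is =y or =m. Accepts a plain config
# (/boot/config-$(uname -r)) or a gzipped one (/proc/config.gz).
fuse_built() {
    case $1 in
        *.gz) zcat "$1" 2>/dev/null | grep -q '^CONFIG_FUSE_FS=[ym]$' ;;
        *)    grep -q '^CONFIG_FUSE_FS=[ym]$' "$1" 2>/dev/null ;;
    esac
}

# kver_ge MINIMUM ACTUAL
# Succeeds when ACTUAL (e.g. 4.14.65-gentoo, 5.15.0-91-generic) is at least
# MINIMUM (e.g. 4.18), comparing major.minor only; suffixes are ignored.
kver_ge() {
    need_major=${1%%.*}; r=${1#*.}; need_minor=${r%%[!0-9]*}
    have_major=${2%%.*}; r=${2#*.}; have_minor=${r%%[!0-9]*}
    [ "$have_major" -gt "$need_major" ] ||
    { [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]; }
}

# fuse_userns_verdict KVER CONFIG_FILE USERNS_PARAM_PATH
# Prints one verdict and exits 0 when FUSE-in-userns should work:
#   no-fuse          CONFIG_FUSE_FS not built at all
#   ubuntu-userns    Ubuntu SAUCE parameter present (module must be loaded,
#                    otherwise /sys/module/fuse does not exist yet)
#   upstream-userns  plain upstream kernel >= 4.18 (no parameter expected)
#   unsupported      older kernel without the Ubuntu patch
fuse_userns_verdict() {
    kver=$1; config=$2; param=$3
    if ! fuse_built "$config"; then
        echo no-fuse; return 1
    fi
    if [ -e "$param" ]; then
        echo ubuntu-userns; return 0
    fi
    if kver_ge 4.18 "$kver"; then
        echo upstream-userns; return 0
    fi
    echo unsupported; return 1
}

# Run against the live host with: sh fuse_userns_check.sh live
# (run `modprobe fuse` first when CONFIG_FUSE_FS=m, so the sysfs parameter
# can appear on Ubuntu kernels).
if [ "${1:-}" = live ]; then
    cfg=/boot/config-$(uname -r)
    [ -r "$cfg" ] || cfg=/proc/config.gz
    fuse_userns_verdict "$(uname -r)" "$cfg" /sys/module/fuse/parameters/userns_mounts
fi
```

On the Gentoo 4.14.65 host from this thread the script prints unsupported; on 4.18.5 with CONFIG_FUSE_FS=m it prints upstream-userns even though the Ubuntu parameter is absent, which matches the explanation that the two implementations differ. A verdict of ubuntu-userns or upstream-userns only says the kernel side is in place; the container-manager startup warning can still be a false alarm on upstream kernels, as noted above.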
@morphis Ok, so after updating the kernel modules it does work well under 4.18.5, FUSE mounted too. I can see the SD card from Total Commander but am still suffering from #443; that's not as bad as not being able to start, though. Thanks for helping ^^
snap refresh --devmode --edge anbox
sudo snap set anbox debug.enable=true
sudo /snap/bin/anbox.collect-bug-info
anbox-system-diagnostics-2018-08-26.zip
anbox system-info below:
Please describe your problem: No audio in any of the applications, including the Settings app. The network seems unable to connect. Clicking the Music app crashes the whole of Anbox (all windows disappear). No sdcard, and vold produces noise like "V vold : Waiting for FUSE to spin up..." The kernel message log is flooded with lines like:
Is this issue related to AppArmor or a permission leak? The following log may be related to the sdcard problem:
What were you expecting?: Working Android functions. Settings to the DNS server, IP address, IPv6 support, Proxy.
Additional info: