canonical / snapcraft

Package, distribute, and update any app for Linux and IoT.
https://snapcraft.io
GNU General Public License v3.0

Issue a warning when building a snap that stages another snap built on a different base #4891

Open kian99 opened 2 months ago

kian99 commented 2 months ago

What needs to get done

c/p from https://forum.snapcraft.io/t/snapcraft-should-fail-or-warn-when-using-a-stage-snap-with-different-base/21228

When using a stage snap that has a different base (i.e. building a base: core18 nodejs snap using node from the 10/stable track) there will not be access to the glibc from the core base snap and the snap fails to run with apparmor denials like below:

Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.507:539): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libdl-2.23.so" pid=
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.507:540): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/librt-2.23.so" pid=
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.507:541): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/usr/lib/x86_64-linux-gnu/libstdc++.so.6.
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.507:542): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libm-2.23.so" pid=4
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.507:543): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libgcc_s.so.1" pid=
Nov 21 12:54:53 localhost audit[4123]: AVC apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=4123 comm="node" requested_mas
Nov 21 12:54:53 localhost audit[4123]: AVC apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libc-2.23.so" pid=4123 comm="node" requested_mask="r" 
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.511:544): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libpthread-2.23.so"
Nov 21 12:54:53 localhost kernel: audit: type=1400 audit(1605963293.511:545): apparmor="DENIED" operation="open" profile="snap.picviewer-kiosk.file-browser" name="/snap/core/10185/lib/x86_64-linux-gnu/libc-2.23.so" pid=4
Nov 21 12:54:53 localhost kernel: node[4123]: segfault at 0 ip 0000000000000000 sp 00007ffda5de47a8 error 14 in node[3ff000+1000]

Since snapcraft unpacks stage snaps, it can surely also check what base a stage snap uses; it should then fail the build or at least warn that you cannot combine stage snaps with the chosen base.

I believe a warning is better suited than an error. It is possible that the contents inside of the staged snap are statically built or they could be a script and will run just fine on a different base.

Why it needs to get done

This will help developers creating snaps be aware at build time why their snap may fail to work. It can also help catch issues at build time where a staged snap was upgraded to a new core but the base snap doing the import was not.
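
One way to implement the build-time check requested above (an added example, not snapcraft's own code): it reads `meta/snap.yaml` from an unpacked stage snap and returns a warning when that snap's base differs from the project's. The function names, the regex-based key reader and the sample metadata are assumptions made for this example; a snap with no `base` key is treated as running on `core`.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Snap types that provide (or do not need) a runtime root, so they declare no base.
BASELESS_TYPES = {"base", "os", "kernel", "gadget", "snapd"}
# Simplification: read only unindented scalar keys instead of a full YAML parse.
TOP_LEVEL = re.compile(r"^(name|type|base):\s*['\"]?([^'\"#\s]+)")

def read_snap_meta(unpacked: Path) -> dict:
    """Return the top-level name/type/base values from meta/snap.yaml."""
    text = (unpacked / "meta" / "snap.yaml").read_text()
    return dict(m.groups() for m in map(TOP_LEVEL.match, text.splitlines()) if m)

def base_mismatch_warning(project_base: str, unpacked: Path) -> Optional[str]:
    """Return a warning string if the staged snap's base differs, else None."""
    meta = read_snap_meta(unpacked)
    if meta.get("type", "app") in BASELESS_TYPES:
        return None
    staged_base = meta.get("base", "core")  # no base key means the snap runs on core
    if staged_base == project_base:
        return None
    return (f"stage snap {meta.get('name', unpacked.name)!r} was built on base "
            f"{staged_base!r}, but this project uses {project_base!r}; "
            "dynamically linked binaries in it may not run")

def demo() -> dict:
    """Check constructed snap.yaml files against a core18 project."""
    samples = {  # constructed metadata, not taken from real snaps
        "legacy-node": "name: legacy-node\nversion: '10'\napps:\n  node:\n    base: x\n",
        "tool18": "name: tool18\nbase: core18\n",
        "tool20": "name: tool20\nbase: \"core20\"  # newer base\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, yaml_text in samples.items():
            meta_dir = Path(tmp) / name / "meta"
            meta_dir.mkdir(parents=True)
            (meta_dir / "snap.yaml").write_text(yaml_text)
            results[name] = base_mismatch_warning("core18", meta_dir.parent)
    return results

if __name__ == "__main__":
    for name, warning in demo().items():
        print(f"{name}: {warning or 'ok'}")
```

Returning a message instead of raising keeps the check a warning, which leaves room for the statically built or script-only stage snaps mentioned above.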

syncronize-issues-to-jira[bot] commented 1 month ago

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/CRAFT-3126.

This message was autogenerated