nanovms / nanos

A kernel designed to run one and only one application in a virtualized environment
https://nanos.org
Apache License 2.0
2.58k stars 133 forks

cannot enable executable stack as shared object requires: Permission denied #1993

Closed leeyiding closed 2 months ago

leeyiding commented 7 months ago

Hello, I am trying to run the project wangzhaode/mnn-llm in nanos, but some errors occurred. I cannot search for relevant solutions, so I would like to ask for some help.

According to the project's README, I did the following:

# Download models
./script/download_model.sh qwen-1.8b
# Compilation
./script/build.sh
# Execution
./build/web_demo qwen-1.8b web

After that, I tried to create the nanos application:

{
    "Dirs": [
        "qwen-1.8b",
        "web"
    ],
    "Args": [
        "qwen-1.8b",
        "web"
    ]
}
ops run web_demo -c config.json --show-debug

An error occurred after running:

Manifest:
        &{root:map[arguments:[web_demo qwen-1.8b web] children:map[etc:map[passwd:/tmp/web_demo_temp3937009542/passwd resolv.conf:/tmp/web_demo_temp3937009542/resolv.conf ssl:map[certs:map[ca-certificates.crt:/root/.ops/common/ca-certificates.crt]]] lib:map[x86_64-linux-gnu:map[libc.so.6:/lib/x86_64-linux-gnu/libc.so.6 libgcc_s.so.1:/lib/x86_64-linux-gnu/libgcc_s.so.1 libm.so.6:/lib/x86_64-linux-gnu/libm.so.6 libmvec.so.1:/lib/x86_64-linux-gnu/libmvec.so.1 libnss_dns.so.2:/root/.ops/common/libnss_dns.so.2 libpthread.so.0:/lib/x86_64-linux-gnu/libpthread.so.0 libstdc++.so.6:/lib/x86_64-linux-gnu/libstdc++.so.6]] lib64:map[ld-linux-x86-64.so.2:/lib64/ld-linux-x86-64.so.2] proc:map[sys:map[kernel:map[hostname:/tmp/web_demo_temp3937009542/hostname]]] qwen-1.8b:map[block_0.mnn:qwen-1.8b/block_0.mnn block_1.mnn:qwen-1.8b/block_1.mnn block_10.mnn:qwen-1.8b/block_10.mnn block_11.mnn:qwen-1.8b/block_11.mnn block_12.mnn:qwen-1.8b/block_12.mnn block_13.mnn:qwen-1.8b/block_13.mnn block_14.mnn:qwen-1.8b/block_14.mnn block_15.mnn:qwen-1.8b/block_15.mnn block_16.mnn:qwen-1.8b/block_16.mnn block_17.mnn:qwen-1.8b/block_17.mnn block_18.mnn:qwen-1.8b/block_18.mnn block_19.mnn:qwen-1.8b/block_19.mnn block_2.mnn:qwen-1.8b/block_2.mnn block_20.mnn:qwen-1.8b/block_20.mnn block_21.mnn:qwen-1.8b/block_21.mnn block_22.mnn:qwen-1.8b/block_22.mnn block_23.mnn:qwen-1.8b/block_23.mnn block_3.mnn:qwen-1.8b/block_3.mnn block_4.mnn:qwen-1.8b/block_4.mnn block_5.mnn:qwen-1.8b/block_5.mnn block_6.mnn:qwen-1.8b/block_6.mnn block_7.mnn:qwen-1.8b/block_7.mnn block_8.mnn:qwen-1.8b/block_8.mnn block_9.mnn:qwen-1.8b/block_9.mnn embedding.mnn:qwen-1.8b/embedding.mnn lm.mnn:qwen-1.8b/lm.mnn tokenizer.txt:qwen-1.8b/tokenizer.txt] root:map[nanos:map[mnn-llm:map[MNN:map[build:map[libMNN.so:/root/nanos/mnn-llm/MNN/build/libMNN.so]] build:map[libllm.so:/root/nanos/mnn-llm/build/libllm.so] libs:map[libMNN_Express.so:/root/nanos/mnn-llm/libs/libMNN_Express.so]]]] 
web:map[css:map[github-markdown-light.min.css:web/css/github-markdown-light.min.css github.min.css:web/css/github.min.css katex.min.css:web/css/katex.min.css texmath.css:web/css/texmath.css] index.html:web/index.html js:map[highlight.min.js:web/js/highlight.min.js katex.min.js:web/js/katex.min.js markdown-it-link-attributes.min.js:web/js/markdown-it-link-attributes.min.js markdown-it.min.js:web/js/markdown-it.min.js texmath.js:web/js/texmath.js]] web_demo:web_demo] environment:map[IMAGE_NAME:web_demo NANOS_VERSION:0.1.48 OPS_VERSION:0.1.40 PWD:/ USER:root] program:/web_demo] boot:map[children:map[kernel:/root/.ops/0.1.48/kernel.img]] targetRoot: klibHostDir:/root/.ops/0.1.48/klibs}
running local instance
booting /root/.ops/images/web_demo ...
en1: assigned 10.0.2.15
web_demo: error while loading shared libraries: libMNN.so: cannot enable executable stack as shared object requires: Permission denied

According to the search engine results, it may be caused by SELinux, but the Ubuntu I am using does not enable SELinux.

eyberg commented 7 months ago

I would need to look further into this project specifically but we disable stack execution by default, https://github.com/nanovms/nanos/blob/master/SECURITY.md as it's a massive security issue

eyberg commented 7 months ago

sorry - just coming back to this now..

if you change this line:

https://github.com/nanovms/nanos/blob/master/src/unix/exec.c#L74

to

 ivmap(VMAP_FLAG_STACK | VMAP_FLAG_READABLE | VMAP_FLAG_WRITABLE | VMAP_FLAG_EXEC,

you can disable the stack exec protection; although this is not recommended from a security pov

then I was able to bump the memory and run it:

ops run build/web_demo -p 8080 -c config.json -m 4g

also on src/tokenizer.cpp in mnn-llm I had to throw in:

#include <climits>

leeyiding commented 6 months ago

Thank you very much for your answer, I will try it.