Merge pull request #735 from morphis/update-to-lxc-3.0

container: update to LXC 3.0 + AppArmor/seccomp support + console log dump
2018-06-12 10:54:48 +02:00 · 2018-06-12 10:54:48 +02:00 · bc8a71384b
commit bc8a71384b
parent a0cebef948 d720173ed6
8 changed files with 48 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -81,7 +81,7 @@ system:
 * libsdl2
 * libprotobuf
 * protobuf-compiler
- * lxc
+ * lxc (>= 3.0)

 On an Ubuntu system you can install all build dependencies with the following
 command:
@ -95,7 +95,7 @@ $ sudo apt install build-essential cmake cmake-data debhelper dbus google-mock \
    libproperties-cpp-dev libprotobuf-dev libsdl2-dev libsdl2-image-dev lxc-dev \
    pkg-config protobuf-compiler 
 ```
-We recommend Ubuntu 16.04 (xenial) with **GCC 5.x** as your build environment.
+We recommend Ubuntu 18.04 (bionic) with **GCC 7.x** as your build environment.


 ### Build
--- a/android/init.goldfish.rc
+++ b/android/init.goldfish.rc
@ -91,7 +91,8 @@ service qemud /system/bin/qemud
 # named by the androidboot.console kernel option
 # if not, is simply exits immediately

-service goldfish-logcat /system/bin/logcat -Q
+service goldfish-logcat /system/bin/logcat
+    console
    oneshot

 service fingerprintd /system/bin/fingerprintd
--- a/scripts/anbox-init.sh
+++ b/scripts/anbox-init.sh
@ -13,11 +13,13 @@
 # You should have received a copy of the GNU General Public License along
 # with this program.  If not, see <http://www.gnu.org/licenses/>.

+set -x
+
 function prepare_filesystem() {
 	# These dev files need to be adjusted everytime as they are
 	# bind mounted into the temporary rootfs
 	for f in qemu_pipe qemu_trace goldfish_pipe input/* ; do
-		if [ ! -e /dev/$f ] ; then
+		if [ ! -e "/dev/$f" ] ; then
 			continue
 		fi
 		chown system:system /dev/$f
--- a/scripts/build-with-docker.sh
+++ b/scripts/build-with-docker.sh
@ -1,3 +1,3 @@
 #!/bin/sh
-docker pull ubuntu:16.04
-docker run -i -t -v $PWD:/anbox ubuntu:16.04 /anbox/scripts/clean-build.sh
+docker pull ubuntu:18.04
+docker run -i -t -v $PWD:/anbox ubuntu:18.04 /anbox/scripts/clean-build.sh
--- a/scripts/clean-build.sh
+++ b/scripts/clean-build.sh
@ -21,7 +21,6 @@ apt-get install -qq -y \
  libboost-test-dev \
  libboost-thread-dev \
  libcap-dev \
-  libdbus-cpp-dev \
  libegl1-mesa-dev \
  libgles2-mesa-dev \
  libglib2.0-dev \
--- a/scripts/collect-bug-info.sh
+++ b/scripts/collect-bug-info.sh
@ -26,6 +26,7 @@ set -x
 cp /var/snap/anbox/common/data/system.log $TMPDIR || true
 cp /var/snap/anbox/common/containers/lxc-monitord.log $TMPDIR || true
 cp /var/snap/anbox/common/logs/container.log $TMPDIR || true
+cp /var/snap/anbox/common/logs/console.log* $TMPDIR || true
 $SNAP/command-anbox.wrapper system-info > $TMPDIR/system-info.log 2>&1 || true

 if [ -e /etc/systemd/system/snap.anbox.container-manager.service ]; then
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@ -70,9 +70,9 @@ parts:

        case "$ARCH" in
          x86_64)
-            IMAGE_PATH="2018/06/11"
+            IMAGE_PATH="2018/06/12"
            IMAGE_NAME="android_amd64.img"
-            IMAGE_HASH="0423700cb963fc64b2776a4e76cff886ef6648f0847f5b88b4ab0d61a7f1694f"
+            IMAGE_HASH="5c4b8f7caeaf604770e37a29b65c7711b26d009a548b4fac8dfb77585e56dc73"
            ;;
          *)
            echo "ERROR: Unknown architecture $ARCH"
@ -102,7 +102,7 @@ parts:
  lxc:
    source: https://github.com/lxc/lxc
    source-type: git
-    source-tag: lxc-2.0.7
+    source-tag: lxc-3.0.0
    build-packages:
      - libapparmor-dev
      - libcap-dev
@ -120,8 +120,8 @@ parts:
      - --disable-api-docs
      - --disable-bash
      - --disable-cgmanager
-      - --disable-apparmor
-      - --disable-seccomp
+      - --enable-apparmor
+      - --enable-seccomp
      - --enable-capabilities
      - --with-rootfs-path=/var/snap/anbox/common/lxc/
      - --libexecdir=/snap/anbox/current/libexec/
@ -129,7 +129,7 @@ parts:
      snap/anbox/current/libexec: libexec
    prime:
      - lib/liblxc.so.1
-      - lib/liblxc.so.1.2.0
+      - lib/liblxc.so.1.4.0
      - libexec/lxc/lxc-monitord
      - bin/lxc-start
      - bin/lxc-stop
@ -181,6 +181,8 @@ parts:
    prime:
      - glvnd
      - desktop
+      - apparmor
+      - seccomp

  anbox:
    plugin: cmake
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@ -45,6 +45,7 @@ constexpr const char *default_container_ip_address{"192.168.250.2"};
 constexpr const std::uint32_t default_container_ip_prefix_length{24};
 constexpr const char *default_host_ip_address{"192.168.250.1"};
 constexpr const char *default_dns_server{"8.8.8.8"};
+constexpr const char *default_console_buffer_size{"256KB"};

 constexpr int device_major(__dev_t dev) {
  return int(((dev >> 8) & 0xfff) | ((dev >> 32) & (0xfffff000)));
@ -74,19 +75,19 @@ void LxcContainer::setup_id_map() {
  const auto base_id = unprivileged_uid;
  const auto max_id = 65536;

-  set_config_item("lxc.id_map", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
-  set_config_item("lxc.id_map", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));
+  set_config_item("lxc.idmap", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
+  set_config_item("lxc.idmap", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));

  // We need to bind the user id for the one running the client side
  // process as he is the owner of various socket files we bind mount
  // into the container.
-  set_config_item("lxc.id_map", utils::string_format("u %d %d 1", android_system_uid, creds_.uid()));
-  set_config_item("lxc.id_map", utils::string_format("g %d %d 1", android_system_uid, creds_.gid()));
+  set_config_item("lxc.idmap", utils::string_format("u %d %d 1", android_system_uid, creds_.uid()));
+  set_config_item("lxc.idmap", utils::string_format("g %d %d 1", android_system_uid, creds_.gid()));

-  set_config_item("lxc.id_map", utils::string_format("u %d %d %d", android_system_uid + 1,
+  set_config_item("lxc.idmap", utils::string_format("u %d %d %d", android_system_uid + 1,
                                                     base_id + android_system_uid + 1,
                                                     max_id - creds_.uid() - 1));
-  set_config_item("lxc.id_map", utils::string_format("g %d %d %d", android_system_uid + 1,
+  set_config_item("lxc.idmap", utils::string_format("g %d %d %d", android_system_uid + 1,
                                                     base_id + android_system_uid + 1,
                                                     max_id - creds_.gid() - 1));
 }
@ -97,9 +98,9 @@ void LxcContainer::setup_network() {
    return;
  }

-  set_config_item("lxc.network.type", "veth");
-  set_config_item("lxc.network.flags", "up");
-  set_config_item("lxc.network.link", "anbox0");
+  set_config_item("lxc.net.0.type", "veth");
+  set_config_item("lxc.net.0.flags", "up");
+  set_config_item("lxc.net.0.link", "anbox0");

  // Instead of relying on DHCP we will give Android a static IP configuration
  // for the virtual ethernet interface LXC creates for us. This will be bridged
@ -245,33 +246,43 @@ void LxcContainer::start(const Configuration &configuration) {
  set_config_item("lxc.mount.auto", "proc:mixed sys:mixed cgroup:mixed");

  set_config_item("lxc.autodev", "1");
-  set_config_item("lxc.pts", "1024");
-  set_config_item("lxc.tty", "0");
-  set_config_item("lxc.utsname", "anbox");
+  set_config_item("lxc.pty.max", "1024");
+  set_config_item("lxc.tty.max", "0");
+  set_config_item("lxc.uts.name", "anbox");

  set_config_item("lxc.group.devices.deny", "");
  set_config_item("lxc.group.devices.allow", "");

  // We can't move bind-mounts, so don't use /dev/lxc/
-  set_config_item("lxc.devttydir", "");
+  set_config_item("lxc.tty.dir", "");

  set_config_item("lxc.environment",
                  "PATH=/system/bin:/system/sbin:/system/xbin");

-  set_config_item("lxc.init_cmd", "/anbox-init.sh");
-  set_config_item("lxc.rootfs.backend", "dir");
+  set_config_item("lxc.init.cmd", "/anbox-init.sh");

  const auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
  DEBUG("Using rootfs path %s", rootfs_path);
-  set_config_item("lxc.rootfs", rootfs_path);
+  set_config_item("lxc.rootfs.path", rootfs_path);

-  set_config_item("lxc.loglevel", "0");
+  set_config_item("lxc.log.level", "0");
  const auto log_path = SystemConfiguration::instance().log_dir();
-  set_config_item("lxc.logfile", utils::string_format("%s/container.log", log_path).c_str());
+  set_config_item("lxc.log.file", utils::string_format("%s/container.log", log_path).c_str());
+
+  // Dump the console output to disk to have a chance to debug early boot problems
+  set_config_item("lxc.console.logfile", utils::string_format("%s/console.log", log_path).c_str());
+  set_config_item("lxc.console.rotate", "1");

  setup_network();

-  set_config_item("lxc.aa_profile", "anbox-container");
+#if 0
+  set_config_item("lxc.apparmor.profile", "anbox-container");
+
+  const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
+  set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str());
+#else
+  set_config_item("lxc.apparmor.profile", "unconfined");
+#endif

  if (!privileged_)
    setup_id_map();