From 51840062b167883ef6104bc9f0a5f5f470d5b629 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Fri, 25 May 2018 09:14:29 +0200
Subject: [PATCH 01/13] container: update to LXC 3.0
---
 snap/snapcraft.yaml | 4 +--
 src/anbox/container/lxc_container.cpp | 37 +++++++++++++--------------
 2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index c2da677..e1c9c4c 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -102,7 +102,7 @@ parts:
 lxc:
 source: https://github.com/lxc/lxc
 source-type: git
- source-tag: lxc-2.0.7
+ source-tag: lxc-3.0.0
 build-packages:
 - libapparmor-dev
 - libcap-dev
@@ -129,7 +129,7 @@ parts:
 snap/anbox/current/libexec: libexec
 prime:
 - lib/liblxc.so.1
- - lib/liblxc.so.1.2.0
+ - lib/liblxc.so.1.4.0
 - libexec/lxc/lxc-monitord
 - bin/lxc-start
 - bin/lxc-stop
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index a0d5a57..e6839fb 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
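Review bot: The liblxc build is pinned only by a mutable git tag (`source-tag: lxc-3.0.0`), so the container runtime that ends up in the snap can change without any change to this manifest, which matters more now that this series also turns on LXC's AppArmor and seccomp support. Add the commit the tag resolves to alongside it, `source-commit: <sha the tag points to>`, and a one-line comment that `lib/liblxc.so.1.4.0` in `prime` must move in lockstep with the tag, since the soname bump in the second hunk is the only thing telling a reader the two are coupled. Whether upstream signs its release tags, which would be the alternative check, is not visible here.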
@@ -74,19 +74,19 @@ void LxcContainer::setup_id_map() {
 const auto base_id = unprivileged_uid;
 const auto max_id = 65536;
- set_config_item("lxc.id_map", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
- set_config_item("lxc.id_map", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));
+ set_config_item("lxc.idmap", utils::string_format("u 0 %d %d", base_id, creds_.uid() - 1));
+ set_config_item("lxc.idmap", utils::string_format("g 0 %d %d", base_id, creds_.gid() - 1));
 // We need to bind the user id for the one running the client side
 // process as he is the owner of various socket files we bind mount
 // into the container.
- set_config_item("lxc.id_map", utils::string_format("u %d %d 1", android_system_uid, creds_.uid()));
- set_config_item("lxc.id_map", utils::string_format("g %d %d 1", android_system_uid, creds_.gid()));
+ set_config_item("lxc.idmap", utils::string_format("u %d %d 1", android_system_uid, creds_.uid()));
+ set_config_item("lxc.idmap", utils::string_format("g %d %d 1", android_system_uid, creds_.gid()));
- set_config_item("lxc.id_map", utils::string_format("u %d %d %d", android_system_uid + 1,
+ set_config_item("lxc.idmap", utils::string_format("u %d %d %d", android_system_uid + 1,
 base_id + android_system_uid + 1, max_id - creds_.uid() - 1));
- set_config_item("lxc.id_map", utils::string_format("g %d %d %d", android_system_uid + 1,
+ set_config_item("lxc.idmap", utils::string_format("g %d %d %d", android_system_uid + 1,
 base_id + android_system_uid + 1, max_id - creds_.gid() - 1));
 }
@@ -97,9 +97,9 @@ void LxcContainer::setup_network() {
 return;
 }
- set_config_item("lxc.network.type", "veth");
- set_config_item("lxc.network.flags", "up");
- set_config_item("lxc.network.link", "anbox0");
+ set_config_item("lxc.net.0.type", "veth");
+ set_config_item("lxc.net.0.flags", "up");
+ set_config_item("lxc.net.0.link", "anbox0");
 // Instead of relying on DHCP we will give Android a static IP configuration
 // for the virtual ethernet interface LXC creates for us. This will be bridged
@@ -245,33 +245,32 @@ void LxcContainer::start(const Configuration &configuration) {
 set_config_item("lxc.mount.auto", "proc:mixed sys:mixed cgroup:mixed");
 set_config_item("lxc.autodev", "1");
- set_config_item("lxc.pts", "1024");
- set_config_item("lxc.tty", "0");
- set_config_item("lxc.utsname", "anbox");
+ set_config_item("lxc.pty.max", "1024");
+ set_config_item("lxc.tty.max", "0");
+ set_config_item("lxc.uts.name", "anbox");
 set_config_item("lxc.group.devices.deny", "");
 set_config_item("lxc.group.devices.allow", "");
 // We can't move bind-mounts, so don't use /dev/lxc/
- set_config_item("lxc.devttydir", "");
+ set_config_item("lxc.tty.dir", "");
 set_config_item("lxc.environment", "PATH=/system/bin:/system/sbin:/system/xbin");
- set_config_item("lxc.init_cmd", "/anbox-init.sh");
- set_config_item("lxc.rootfs.backend", "dir");
+ set_config_item("lxc.init.cmd", "/anbox-init.sh");
 const auto rootfs_path = SystemConfiguration::instance().rootfs_dir();
 DEBUG("Using rootfs path %s", rootfs_path);
- set_config_item("lxc.rootfs", rootfs_path);
+ set_config_item("lxc.rootfs.path", rootfs_path);
- set_config_item("lxc.loglevel", "0");
+ set_config_item("lxc.log.level", "0");
 const auto log_path = SystemConfiguration::instance().log_dir();
- set_config_item("lxc.logfile", utils::string_format("%s/container.log", log_path).c_str());
+ set_config_item("lxc.log.file", utils::string_format("%s/container.log", log_path).c_str());
 setup_network();
- set_config_item("lxc.aa_profile", "anbox-container");
+ set_config_item("lxc.apparmor.profile", "anbox-container");
 if (!privileged_) setup_id_map();
From f79e3738f15d16543fde3d72224e40c09a4e6a9c Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Wed, 30 May 2018 10:46:35 +0200
Subject: [PATCH 02/13] scripts: use 18.04 as our new build environment
---
 README.md | 4 ++--
 scripts/build-with-docker.sh | 4 ++--
 scripts/clean-build.sh | 1 -
 3 files changed, 4 insertions(+), 5 deletions(-)
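Review bot: Dropping `lxc.rootfs.backend` while handing a bare path to `lxc.rootfs.path` leaves the storage backend to liblxc's auto-detection, whereas the old configuration pinned it to `dir`; a path that happens to look like another backend's specification would then be set up differently than before. If LXC 3.0 accepts the backend prefix on this key (I believe `dir:` is supported, please verify against lxc.container.conf(5)), `set_config_item("lxc.rootfs.path", utils::string_format("dir:%s", rootfs_path).c_str());` restores the explicit choice the removed line used to make, and a comment `// backend is no longer a separate key in LXC 3; encode it in the path` would explain why the key vanished. `LxcContainer::start` begins before and continues after this hunk.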
diff --git a/README.md b/README.md
index f45d09e..b0b086d 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ system:
 * libsdl2
 * libprotobuf
 * protobuf-compiler
- * lxc
+ * lxc (>= 3.0)
 On an Ubuntu system you can install all build dependencies with the following command:
@@ -95,7 +95,7 @@ $ sudo apt install build-essential cmake cmake-data debhelper dbus google-mock \
 libproperties-cpp-dev libprotobuf-dev libsdl2-dev libsdl2-image-dev lxc-dev \
 pkg-config protobuf-compiler
 ```
-We recommend Ubuntu 16.04 (xenial) with **GCC 5.x** as your build environment.
+We recommend Ubuntu 18.04 (bionic) with **GCC 7.x** as your build environment.
 ### Build
diff --git a/scripts/build-with-docker.sh b/scripts/build-with-docker.sh
index 5d0159c..8a0de21 100755
--- a/scripts/build-with-docker.sh
+++ b/scripts/build-with-docker.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-docker pull ubuntu:16.04
-docker run -i -t -v $PWD:/anbox ubuntu:16.04 /anbox/scripts/clean-build.sh
+docker pull ubuntu:18.04
+docker run -i -t -v $PWD:/anbox ubuntu:18.04 /anbox/scripts/clean-build.sh
diff --git a/scripts/clean-build.sh b/scripts/clean-build.sh
index 8420472..6ec8e51 100755
--- a/scripts/clean-build.sh
+++ b/scripts/clean-build.sh
@@ -21,7 +21,6 @@ apt-get install -qq -y \
 libboost-test-dev \
 libboost-thread-dev \
 libcap-dev \
- libdbus-cpp-dev \
 libegl1-mesa-dev \
 libgles2-mesa-dev \
 libglib2.0-dev \
From ab2ae5ac47bc243697e047d1d93aead761c254df Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Thu, 31 May 2018 16:00:22 +0200
Subject: [PATCH 03/13] snap: enable apparmor&seccomp support within lxc
---
 snap/snapcraft.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index e1c9c4c..f6ddb71 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -120,8 +120,8 @@ parts:
 - --disable-api-docs
 - --disable-bash
 - --disable-cgmanager
- - --disable-apparmor
- - --disable-seccomp
+ - --enable-apparmor
+ - --enable-seccomp
 - --enable-capabilities
 - --with-rootfs-path=/var/snap/anbox/common/lxc/
 - --libexecdir=/snap/anbox/current/libexec/
From 4e715ca5a59c4103e6b6d514182f4fca1cbb7f34 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 08:59:43 +0200
Subject: [PATCH 04/13] snap: package missing apparmor configuration
---
 snap/snapcraft.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index f6ddb71..1e29b19 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -181,6 +181,7 @@ parts:
 prime:
 - glvnd
 - desktop
+ - apparmor
 anbox:
 plugin: cmake
From e398ecd7861cb05bc6d3f57eae4b0a1e8c26bf1e Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:00:07 +0200
Subject: [PATCH 05/13] container: dump console log
This allows us debugging early boot problems much easier.
---
 src/anbox/container/lxc_container.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index e6839fb..2cfe9b1 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@@ -45,6 +45,7 @@ constexpr const char *default_container_ip_address{"192.168.250.2"};
 constexpr const std::uint32_t default_container_ip_prefix_length{24};
 constexpr const char *default_host_ip_address{"192.168.250.1"};
 constexpr const char *default_dns_server{"8.8.8.8"};
+constexpr const char *default_console_buffer_size{"256KB"};
 constexpr int device_major(__dev_t dev) {
 return int(((dev >> 8) & 0xfff) | ((dev >> 32) & (0xfffff000)));
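Review bot: `default_console_buffer_size` is introduced but nothing in this patch reads it, and as far as the rest of the series shows the console hunk only sets `lxc.console.logfile` and `lxc.console.rotate`. Either wire it up where the console is configured, `set_config_item("lxc.console.buffer.size", default_console_buffer_size);`, so the in-memory console ring buffer is actually bounded as the name promises, or drop the constant so the file does not advertise a limit it never applies. Whether liblxc 3.0 accepts the `KB` suffix on that key should be checked against lxc.container.conf(5) before relying on it.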
@@ -268,6 +269,10 @@ void LxcContainer::start(const Configuration &configuration) {
 const auto log_path = SystemConfiguration::instance().log_dir();
 set_config_item("lxc.log.file", utils::string_format("%s/container.log", log_path).c_str());
+ // Dump the console output to disk to have a chance to debug early boot problems
+ set_config_item("lxc.console.logfile", utils::string_format("%s/console.log", log_path).c_str());
+ set_config_item("lxc.console.rotate", "1");
+
 setup_network();
 set_config_item("lxc.apparmor.profile", "anbox-container");
From a7e2db21bca27df5b864e5ceee30aa6405caf92c Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:03:50 +0200
Subject: [PATCH 06/13] scripts: also collect container console log files
---
 scripts/collect-bug-info.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/collect-bug-info.sh b/scripts/collect-bug-info.sh
index 199058d..3c42cd4 100755
--- a/scripts/collect-bug-info.sh
+++ b/scripts/collect-bug-info.sh
@@ -26,6 +26,7 @@ set -x
 cp /var/snap/anbox/common/data/system.log $TMPDIR || true
 cp /var/snap/anbox/common/containers/lxc-monitord.log $TMPDIR || true
 cp /var/snap/anbox/common/logs/container.log $TMPDIR || true
+cp /var/snap/anbox/common/logs/console.log* $TMPDIR || true
 $SNAP/command-anbox.wrapper system-info > $TMPDIR/system-info.log 2>&1 || true
 if [ -e /etc/systemd/system/snap.anbox.container-manager.service ]; then
From d858682194541ef8e1c9f13bf9e1e31e60fa1818 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:04:45 +0200
Subject: [PATCH 07/13] container: don't load apparmor profile yet
---
 src/anbox/container/lxc_container.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index 2cfe9b1..24370fd 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
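Review bot: The console log is written to disk with rotation switched on but without a size limit (`lxc.console.size` is not set), so as far as this hunk shows the file grows unbounded for the lifetime of the container, and I believe LXC 3.0 only rotates when that size limit is reached, which would make `lxc.console.rotate` alone a no-op; please confirm against lxc.container.conf(5) and, if so, add `set_config_item("lxc.console.size", "...");` beside it. The console now persists whatever Android writes to it (elsewhere in this series logcat is redirected there), which can include per-app and user data, so the comment should say so, e.g. `// Persist the Android console (incl. logcat when redirected) for early-boot debugging; may contain user data`. Ownership and permissions of `console.log` follow from log_dir, which is not visible here. `LxcContainer::start` begins before and continues after this hunk.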
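Review bot: The bug-report bundle now carries everything Android wrote to its console, rotated files included via `console.log*`, and since logcat is redirected to that console elsewhere in this series it can contain application and user data that `container.log` and `system.log` did not. A comment above the new line should make that visible to whoever runs the script, e.g. `# console.log* holds the Android console/logcat output and may include app or user data`, and the script's output or the README should say the same before the archive is shared. `$TMPDIR` stays unquoted on the new line like its neighbours; harmless for the snap's path, but worth quoting when touching the line.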
@@ -275,7 +275,11 @@ void LxcContainer::start(const Configuration &configuration) {
 setup_network();
+#if 0
 set_config_item("lxc.apparmor.profile", "anbox-container");
+#else
+ set_config_item("lxc.apparmor.profile", "unconfined");
+#endif
 if (!privileged_) setup_id_map();
From 19d902f25a5aa9430d6871bb7f38efacc0d0199d Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:49:11 +0200
Subject: [PATCH 08/13] scripts: quote correctly to not cause errors
---
 scripts/anbox-init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/anbox-init.sh b/scripts/anbox-init.sh
index f8ac1c6..54cdd6a 100644
--- a/scripts/anbox-init.sh
+++ b/scripts/anbox-init.sh
@@ -17,7 +17,7 @@ function prepare_filesystem() {
 # These dev files need to be adjusted everytime as they are
 # bind mounted into the temporary rootfs
 for f in qemu_pipe qemu_trace goldfish_pipe input/* ; do
- if [ ! -e /dev/$f ] ; then
+ if [ ! -e "/dev/$f" ] ; then
 continue
 fi
 chown system:system /dev/$f
From 24f774282a4d49cf6c2bc867ea93bd54f36cd60c Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:49:28 +0200
Subject: [PATCH 09/13] scripts: print all executed commands
---
 scripts/anbox-init.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/anbox-init.sh b/scripts/anbox-init.sh
index 54cdd6a..1c0d0bc 100644
--- a/scripts/anbox-init.sh
+++ b/scripts/anbox-init.sh
@@ -13,6 +13,8 @@
 # You should have received a copy of the GNU General Public License along
 # with this program. If not, see .
+set -x
+
 function prepare_filesystem() {
 # These dev files need to be adjusted everytime as they are
 # bind mounted into the temporary rootfs
From 041e9b30cfa7f74cba616801ada8a24b3d60e749 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:50:06 +0200
Subject: [PATCH 10/13] android: forward logcat output to the container console
---
 android/init.goldfish.rc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
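Review bot: The new default is `lxc.apparmor.profile` = `unconfined`, chosen at compile time by `#if 0`, so every build from this commit on starts the Android container with no AppArmor confinement and no way to turn it back on without editing source; in `privileged_` mode that means root inside the container is unconfined root as far as the MAC layer is concerned. If confinement has to stay off for now, make it a runtime opt-in (the file already reads the environment through `utils::get_env_value`), keep `anbox-container` as the default, log the unconfined case at warning level with whatever logging macro the file uses for that (only `DEBUG` is visible in this series), and leave a `TODO` naming what blocks the real profile. `LxcContainer::start` begins before and continues after this hunk.
```cpp
  setup_network();

  // Confinement may only be dropped by explicit opt-in, for debugging; never silently.
  if (utils::get_env_value("ANBOX_CONTAINER_UNCONFINED", "") == "1") {
    // log at warning level here: container will run without AppArmor confinement
    set_config_item("lxc.apparmor.profile", "unconfined");
  } else {
    set_config_item("lxc.apparmor.profile", "anbox-container");
  }
```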
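Review bot: The quoting fix covers the test but not the `chown system:system /dev/$f` two lines below, which is context here and stays unquoted, so the hunk does not finish what its subject describes; `chown system:system "/dev/$f"` completes it. Because `$f` comes from a fixed word list plus the `input/*` glob, the values are unlikely to contain whitespace, so this is a consistency point rather than a live bug. `prepare_filesystem` continues past the end of the hunk.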
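Review bot: `set -x` at the top of anbox-init.sh traces every command, arguments included, to the container console for the whole script, and this series also persists that console to `console.log` and ships it in bug reports, so anything sensitive an init command receives on its command line would land on the host disk; I cannot see the rest of the script, so whether that happens today is an inference. Prefer gating the trace, e.g. `[ -n "$ANBOX_INIT_DEBUG" ] && set -x`, or removing it once early boot is understood, and add `# trace commands to the console (persisted to console.log by the container manager)` so the side effect is documented next to the switch.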
diff --git a/android/init.goldfish.rc b/android/init.goldfish.rc
index 48663bc..6db19e4 100644
--- a/android/init.goldfish.rc
+++ b/android/init.goldfish.rc
@@ -91,7 +91,8 @@ service qemud /system/bin/qemud
 # named by the androidboot.console kernel option
 # if not, is simply exits immediately
-service goldfish-logcat /system/bin/logcat -Q
+service goldfish-logcat /system/bin/logcat
+ console
 oneshot
 service fingerprintd /system/bin/fingerprintd
From af1c42c24d5b6b7c9d5b82f3340b0a06b9ffbac4 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:50:33 +0200
Subject: [PATCH 11/13] snap: also package our seccomp profile
---
 snap/snapcraft.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 1e29b19..a0b947f 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -182,6 +182,7 @@ parts:
 - glvnd
 - desktop
 - apparmor
+ - seccomp
 anbox:
 plugin: cmake
From 0f63d0e7d82a7a8f88e2b1b078f4d56c59e5e2b5 Mon Sep 17 00:00:00 2001
From: Simon Fels
Date: Tue, 12 Jun 2018 09:52:43 +0200
Subject: [PATCH 12/13] container: specifiy correct path to seccomp profile
---
 src/anbox/container/lxc_container.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index 24370fd..f8dcf83 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp
@@ -277,6 +277,9 @@ void LxcContainer::start(const Configuration &configuration) {
 #if 0
 set_config_item("lxc.apparmor.profile", "anbox-container");
+
+ const auto seccomp_profile_path = fs::path(utils::get_env_value("SNAP", "/etc/anbox")) / "seccomp" / "anbox.sc";
+ set_config_item("lxc.seccomp.profile", seccomp_profile_path.string().c_str());
 #else
 set_config_item("lxc.apparmor.profile", "unconfined");
 #endif
From d720173ed6b4c9d682d49304d57db6f6a7128de7 Mon Sep 17 00:00:00 2001
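Review bot: The two new lines sit inside the `#if 0` branch, so they are never compiled and no build of this series applies a seccomp profile to the container; the subject describes the path as fixed, but the only effect is that the dead branch is now correct, which deserves a comment such as `// NOTE: disabled together with the AppArmor profile above; re-enable both` so nobody assumes seccomp is active. When the branch comes back, validate the path before handing it to liblxc, `if (!fs::is_regular_file(seccomp_profile_path)) throw std::runtime_error("seccomp profile missing");` (or the file's usual failure path), so a missing or unreadable profile fails the start instead of silently running without a syscall filter, and confirm rather than assume that liblxc 3.0 itself refuses to start in that case. The location is taken from the `SNAP` environment variable with `/etc/anbox` as fallback, so the lookup trusts the container manager's environment; fine if it is only ever launched by snapd, but worth stating in a comment. `LxcContainer::start` begins before and continues after this hunk.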
From: Simon Fels
Date: Tue, 12 Jun 2018 10:17:14 +0200
Subject: [PATCH 13/13] snap: update to newer Android image with latest changes included
---
 snap/snapcraft.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index a0b947f..3bb9485 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -70,9 +70,9 @@ parts:
 case "$ARCH" in
 x86_64)
- IMAGE_PATH="2018/06/11"
+ IMAGE_PATH="2018/06/12"
 IMAGE_NAME="android_amd64.img"
- IMAGE_HASH="0423700cb963fc64b2776a4e76cff886ef6648f0847f5b88b4ab0d61a7f1694f"
+ IMAGE_HASH="5c4b8f7caeaf604770e37a29b65c7711b26d009a548b4fac8dfb77585e56dc73"
 ;;
 *)
 echo "ERROR: Unknown architecture $ARCH"