Adding custom libraries inside the kernel usr/lib

muthiah · September 4, 2019, 10:31am

Hi,

I am trying to add custom libraries i.e custom OpenSSL into kernel usr/lib path. I want to share this custom library with other snaps. I am checking for another approach than the content interface.

Can I push the static custom libraries into the kernel usr/lib. Below is my snapcraft.yaml

 kernel:
    plugin: kernel
    source: .
    kdefconfig: [defconfig,new_defconfig]
    kconfigs:
      - CONFIG_DEBUG_INFO=n
      - CONFIG_MARVELL_PHY=y
    kernel-initrd-modules:
      - usb-storage
      - ahci
      - libahci
      - sdhci
      - sdhci-pci
      - sdhci-acpi
      - mmc-block
      - nls_iso8859-1
    override-build: |
      cp debian/scripts/retpoline-extract-one \
        $SNAPCRAFT_PART_BUILD/scripts/ubuntu-retpoline-extract-one
      mkdir -p $SNAPCRAFT_PART_INSTALL/initrd-staging
      mkdir -p $SNAPCRAFT_PART_INSTALL/initrd-staging/usr
      mkdir -p $SNAPCRAFT_PART_INSTALL/initrd-staging/usr/lib
      mkdir -p $SNAPCRAFT_PART_INSTALL/initrd-staging/usr/lib/x86_64-linux-gnu
      cp -rav $SNAPCRAFT_PROJECT_DIR/a-library/*.so* \
        $SNAPCRAFT_PART_INSTALL/initrd-staging/usr/lib/x86_64-linux-gnu/
        snapcraftctl build
    kernel-with-firmware: false
    filesets:
     include-usr-files:
             #- $SNAPCRAFT_PROJECT_DIR/a-library/*
        - initrd-staging/usr/lib/x86_64-linux-gnu/*
     stage:
        - include-usr-files
  firmware:

lucyllewy · September 4, 2019, 10:50am

You can add your files anywhere inside your snap, but other snaps will not be able to see those files unless they are exposed, and consumed, by a content interface, or the snap is used as a base snap like core currently is for many apps. Base snaps are tightly controlled in the public store, but if you have a brand store I believe you have more leeway for publishing.

muthiah · September 6, 2019, 4:21am

Thanks Daniel . I am much interested in the core snap model.
can we use stage packages to include custom libraries.

yes we would be using brandstore for our production.

jamesh · September 6, 2019, 5:43am

Note also that not every application on your system will necessarily be using the same base snap. On my system, I have snaps using core as a base (built from Ubuntu 16.04) and others using core18 as a base (built from Ubuntu 18.04).

The core base snap provides OpenSSL 1.0.2g, while core18 ships both versions 1.0.2n and 1.1.1 (with most apps linked against the newer version). It’s highly likely that there will be a core20 base next year, increasing the number of versions further.

So I guess the real question is: what do you want to achieve by replacing the OpenSSL library?

muthiah · September 6, 2019, 7:38am

We want to have tested FIPS certifications changes in openssl along with the latest.
I quoted openssl as an example. we might have database client used by multiple snaps and would like to share it so that size of snaps are less

ogra · September 6, 2019, 8:49am

you can create an openssl-libs platform snap and use the content interface to share it with your application snaps …

muthiah · September 9, 2019, 11:26am

Hi Jamesh,

you’re rite, how do applications know the /usr/lib/x86_64-linux-gnu path.
when I ran snap run --shell app.name and try to see the environment, I don’t find the path to the openssl engines lib path.
can you help me to understand how this achieved.

Thanks
Muthiah

jamesh · September 10, 2019, 6:20am

When you launch a snap app, it is called through a wrapper that sets up a sandbox for the app. Part of this involves the use of “mount namespaces”, which allows different processes to see different views of the file system.

The biggest change is using the contents of the snap’s base snap (either core or core18) as the root of the file system. You can see what these root file systems look like by exploring /snap/core/current/ or /snap/core18/current/.