Error "http://localhost/v2/users dial unix /run/snapd.socket" while porting Ubuntu-core to TI AM335x Starter Kit

Hello:
I want to evaluate security feature of snap on my IoT device. But I got a error: “http://localhost/v2/users dial unix /run/snapd.socket”
Hardware: TI AM335x Starter Kit
Software: ti-processor-sdk-linux-am335x-evm-03.03.00.04-Linux-x86-Install(Linux version 4.4.41)
I use this kernel code for reference: https://github.com/snapcore/sample-kernels/tree/stable-4.4.y
I found zImage will cause the error.
I will get the error if I build kernel with this configs: “CONFIG_SECURITY_SELINUX=y, CONFIG_SECURITY_SMACK=y, CONFIG_SECURITY_APPARMOR=y, CONFIG_SECURITY_YAMA=y and CONFIG_DEFAULT_SECURITY_APPARMOR=y.”
I can also succeed to login with “ssh username@IPADDRESS” without those configs.
So is the snap security feature depends on those kernel security config? Can you kindly guide me how to solve this problem? @ogra
Error log:
error: cannot obtain system details: cannot communicate with server: timeout exceeded while waiting for response
Press enter to configure.

After I pressed enter and configured the eth and got correct IP address:
2020-09-09_171601

The TI Sitara evm should be supported by our pc-kernel snap (which is pretty much mainline with some ubuntu sauce patches on top) … for a start i’d try adjusting your model assertion to use it … download the snap:

UBUNTU_STORE_ARCH=armhf snap download pc-kernel --channel=18/stable

then use the --snap arg for ubuntu-image to point to the downloaded .snap file and see if that works …

(IIRC the devicetree file is called am335x-evm.dtb)

1 Like

Here is my command:
for gadget snap: snapcraft --target-arch=armhf --destructive-mode
for kernel snap: snapcraft --target-arch=armhf
for core snap: sudo ubuntu-image snap --snap ./core18_1889.snap --snap ./snapd_8792.snap --snap ./am335x-kernel.snap --snap ./am335x.snap -O ./am335x.img am335x.model
I download and get pc-kernel_597.snap so I need to use pc-kernel_597.snap to replace core18_1889.snap or snapd_8792.snap?

you need to replace am335x-kernel.snap … and adjust your model assertion to use pc-kernel instead of am335x-kernel …

1 Like

Begin: Loading essential drivers … [ 13.907783] usbcore: registered new interface driver usb-storage
done.
Begin: Running /scripts/init-premount … done.
Begin: Mounting root file system … Begin: Running /scripts/nfs-top … done.
Begin: Running /scripts/nfs-premount … done.
Begin: Running /scripts/local-top … done.
Begin: Running /scripts/local-premount … [ 169.006901] random: crng init done
[ 169.010515] random: 7 urandom warning(s) missed due to ratelimiting
findfs: unable to resolve ‘LABEL=writable’
done.
cannot find ‘writable’ partition
Rebooting automatically due to panic= boot argument
[ 554.163509] reboot: Restarting system

Hi, ogra, thanks for your quickly and professional reply.
Seemed can’t boot.
Actually we will build kernel based on TI SDK.
So is there a method to enable SECURITY related kernel config and avoid the error below?

well, if you insist on building your own (i guess the pc-kernel simply misses a module in the initrd to drive your MMC controller), take a look at the first commit of my raspberrypi.org kernel build (note all later commits use the source from kernel.ubuntu.com and dont have the patches)

there is a configs-linux-5.1rpi.patch file you want to use (just copy/paste it into your tree as is (perhaps rename it to match your version for cleanness)) and you need to add the full apparmor patchset for your kernel version … take a look at the snapcraft.yaml how they are applied (and how the configs are used) in my tree …

2 Likes

Hi, ogra:
I don’t mean to insist on my own kernel. For example, I buy chips from TI or NXP and setup my own hardware platform. So I need to modify kernel based on TI or NXP’s kernel SDK but not from kernel.org or ubuntu kernel becasue TI or NXP have many many patches on kernel.org kernel release to adapt their chips. It is easier to develop based on TI or NXP kernel SDK.
So the error is a common known bug? The solution is to apply apparmor patches?
I usually use arm chips. Does all arm chips will encounter this error?

git apply -v configs-linux-5.1rpi.patch is OK
git apply -v apparmor-linux-5.1rpi.patch report error. I think the patch is for kernel 5.1 but my kernel version is v4.4.41.
So there is many kernel releases and many arm chips. It is really difficult to patch all those cases.

Snap confinement and security is solely done by the kernel (for less/zero overhead) … if you want proper functionality and security on Ubuntu Core you need to apply the apparmor patches for your major kernel version and set the necessary config options.

for different apparmor patchsets against different major kernel versions take a look at:
https://kernel.ubuntu.com/git/jj/linux-apparmor-backports/refs/heads

1 Like