gunicorn shows the following errors when loopchain is started.
Traceback (most recent call last):
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/arbiter.py", line 203, in run
    self.manage_workers()
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/arbiter.py", line 545, in manage_workers
    self.spawn_workers()
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/arbiter.py", line 616, in spawn_workers
    self.spawn_worker()
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/arbiter.py", line 565, in spawn_worker
    self.cfg, self.log)
  File "/snap/loopchain/6/lib/python3.6/site-packages/sanic/worker.py", line 30, in __init__
    super().__init__(*args, **kw)
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/workers/base.py", line 58, in __init__
    self.tmp = WorkerTmp(cfg)
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/workers/workertmp.py", line 26, in __init__
    util.chown(name, cfg.uid, cfg.gid)
  File "/snap/loopchain/6/lib/python3.6/site-packages/gunicorn/util.py", line 173, in chown
    os.chown(path, uid, gid)
PermissionError: [Errno 1] Operation not permitted: '/tmp/wgunicorn-7phm2h5f'
$ df /mem
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 32768 0 32768 0% /mem
But gunicorn can't find the /mem directory.
Traceback (most recent call last):
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/arbiter.py", line 203, in run
    self.manage_workers()
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/arbiter.py", line 545, in manage_workers
    self.spawn_workers()
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/arbiter.py", line 616, in spawn_workers
    self.spawn_worker()
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/arbiter.py", line 565, in spawn_worker
    self.cfg, self.log)
  File "/snap/loopchain/10/lib/python3.6/site-packages/sanic/worker.py", line 30, in __init__
    super().__init__(*args, **kw)
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/workers/base.py", line 58, in __init__
    self.tmp = WorkerTmp(cfg)
  File "/snap/loopchain/10/lib/python3.6/site-packages/gunicorn/workers/workertmp.py", line 22, in __init__
    raise RuntimeError("%s doesn't exist. Can't create workertmp." % fdir)
RuntimeError: /mem/ doesn't exist. Can't create workertmp.
The good news is, we have snaps that run multiple gunicorns without any chown issues, so it's definitely possible.
I suspect that this is something to do with your use of system-files for /tmp - why do you need this?
By default, every snap gets its own isolated /tmp tmpfs mount, so your gunicorn has access to that. That's what we use in our snap, and it works just fine with gunicorn. I would suggest removing the temporary-data plug altogether and seeing if that works.
This is not visible from the mount namespace used by snap applications.
I would recommend that you inspect gunicorn to understand why it wants to chown and chmod things it creates and come back with this information. As stated elsewhere the sandbox is not going to allow that.
sanic is a web server and runs via gunicorn with GunicornWorker.
This is gunicorn's workers/base.py, the parent of GunicornWorker.
gunicorn creates worker processes and checks whether a worker is alive via a 'worker temp file'.
It does chown to allow the worker process to write to the temp file when initializing the worker process.
GunicornWorker calls notify every second and the temp file is updated by os.chmod.
If the alive check fails within the timeout, the process is killed by the gunicorn master worker.
I think loopchain can't use strict confinement unless gunicorn is fixed or replaced, or the system-files permission is allowed.
It depends on if it hits the syscall. This would be denied by seccomp if it did. Perhaps it is better to use an LD_PRELOAD or patch the source to not chown.
I have this same problem and I don't relish forking Gunicorn to solve it. I think it's probably going to simply lead to me giving up on making my snap strict. Anyone got any other ideas?
There is no need to ask gunicorn. Just upgrade your gunicorn to 20.0.x.
If you want to use the current version of gunicorn, you can apply the 'monkey patch' above.
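The 'monkey patch' referred to in the last post is not reproduced in this thread. The example below is an added illustration (not code from the thread, from gunicorn, or from loopchain) of the two things the thread discusses: the worker temp file heartbeat described earlier (mkstemp, chown, unlink, then chmod-driven ctime updates that the master checks against a timeout), and a replacement for gunicorn's chown helper that skips the syscall when ownership already matches and tolerates EPERM when the sandbox refuses it. The only gunicorn fact it relies on is visible in the traceback above: workertmp.py calls util.chown(name, cfg.uid, cfg.gid), and gunicorn.util.chown takes (path, uid, gid). Everything else (class names, the exact chmod spinner, the install_gunicorn_patch helper, the assumption that it runs in the master before workers are spawned) is the example's own.

```python
"""Model of gunicorn's worker-temp-file heartbeat plus a chown wrapper that
tolerates EPERM inside a sandbox.

Added example for this thread; not gunicorn's code and not loopchain's code.
"""
import logging
import os
import stat
import tempfile
import time

log = logging.getLogger("workertmp-example")


def tolerant_chown(path, uid, gid):
    """Drop-in for gunicorn.util.chown(path, uid, gid).

    Returns True if ownership already matched or was changed, False if the
    kernel or seccomp refused (EPERM) and the file was left as-is. In a
    strictly confined snap the worker runs as the user that created the
    file, so skipping the chown loses nothing. (-1 means "leave unchanged",
    as for os.chown.)
    """
    st = os.stat(path)
    if uid in (-1, st.st_uid) and gid in (-1, st.st_gid):
        return True  # nothing to do: do not hit the syscall at all
    try:
        os.chown(path, uid, gid)
        return True
    except PermissionError as exc:
        log.warning("chown(%s, %s, %s) refused: %s; keeping current owner",
                    path, uid, gid, exc)
        return False


class WorkerTmp:
    """Minimal re-creation of the heartbeat file the thread describes.

    Hypothetical simplification, not gunicorn's WorkerTmp.
    """

    def __init__(self, tmpdir=None, uid=-1, gid=-1):
        fd, self.name = tempfile.mkstemp(prefix="wgunicorn-", dir=tmpdir)
        self.chowned = tolerant_chown(self.name, uid, gid)
        os.unlink(self.name)  # only the open fd is needed from here on
        self._tmp = os.fdopen(fd, "r+b")
        self._spinner = 0

    def notify(self):
        """Worker side, about once a second: flip the mode bits so the
        inode's ctime moves without writing any data."""
        self._spinner = (self._spinner + 1) % 2
        mode = stat.S_IRUSR if self._spinner else stat.S_IWUSR
        os.fchmod(self._tmp.fileno(), mode)

    def last_update(self):
        return os.fstat(self._tmp.fileno()).st_ctime

    def is_alive(self, timeout, now=None):
        """Master side: a worker whose file went stale gets killed."""
        now = time.time() if now is None else now
        return (now - self.last_update()) <= timeout

    def close(self):
        self._tmp.close()


def install_gunicorn_patch():
    """Monkey patch: swap gunicorn.util.chown for tolerant_chown.

    workertmp.py reaches chown through the util module attribute (see the
    traceback), so replacing the attribute is enough. Assumed to run in the
    master before workers spawn, e.g. at module level of a -c config file.
    """
    import gunicorn.util  # assumption: a pre-20.0 gunicorn is installed
    gunicorn.util.chown = tolerant_chown
    return gunicorn.util.chown is tolerant_chown


def demo(tmpdir=None):
    """Create a heartbeat file as the current user, tick it, report status."""
    tmp = WorkerTmp(tmpdir, uid=os.geteuid(), gid=os.getegid())
    try:
        tmp.notify()
        fresh = tmp.is_alive(timeout=30, now=tmp.last_update() + 10)
        stale = tmp.is_alive(timeout=30, now=tmp.last_update() + 31)
        return tmp.chowned, fresh, stale
    finally:
        tmp.close()


def refused_chown_is_tolerated(tmpdir=None):
    """Ask for root ownership of a fresh file: a normal user gets EPERM, which
    tolerant_chown swallows; only root actually succeeds. Never raises."""
    fd, path = tempfile.mkstemp(prefix="wgunicorn-", dir=tmpdir)
    os.close(fd)
    try:
        changed = tolerant_chown(path, 0, 0)
        return changed == (os.geteuid() == 0)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("demo (chowned, fresh, stale):", demo())
    print("refused chown tolerated:", refused_chown_is_tolerated())
```

Because the early return in tolerant_chown avoids the chown syscall whenever the requested owner already matches, the seccomp filter mentioned earlier in the thread is never consulted in the common same-user case; the except branch only matters when a config asks for a different uid/gid than the sandbox will grant.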