Resolve 'package contains external symlinks' error when trying to snap

My snap is building successfully but I haven’t found a work around for this issue below:

Error:package contains external symlinks: usr/lib/jvm/java-8-openjdk-armhf/jre/lib/security/cacerts

I’m very unsure as to what I should do to fix this.

This is describing a real problem with your snap, which is that the usr/lib/jvm/java-8-openjdk-armhf/jre/lib/security/cacerts file is pointing somewhere outside your snap, which is not guaranteed to exist. In this particular case, it will prevent SSL-encrypted connections like https from working within your snap.

This is described here (with workaround): https://bugs.launchpad.net/ubuntu/+source/snapcraft/+bug/1599281

I think if you install openjdk-8-jre-headless and ca-certificates-java on your system, then when you run snapcraft, snapcraft will pull them in. I’ve also had success using this in the snapcraft.yaml when using ‘snapcraft cleanbuild’:

    build-packages:
    - ca-certificates
    - ca-certificates-java
    - openjdk-8-jre-headless
    stage-packages:
    - openjdk-8-jre-headless

UPDATE: added ‘openjdk-8-jre-headless’ to build-packages too since ca-certificates-java will pull in openjdk-9-jre-headless in cleanbuild.

3 Likes

I’m getting this error for core20 again. The same packages are present for building - is there an underlying change that is causing this? Do I need to add something more to my snapcraft.yaml?

YAML is here.

I got the same error again today, can someone on the snapd team shed some light? :slight_smile:

2 Likes

The suggested solution mentioned by @jdstrand adds about 10MB filesize to the snap. 10MB for just some certificates…

    build-packages:
      [ca-certificates, ca-certificates-java, default-jre]

But it still gets Automatically rejected:

package contains external symlinks: usr/lib/jvm/java-11-openjdk-amd64/lib/security/blacklisted.certs lint-snap-v2_external_symlinks

Another oddity is that I get that error all of a sudden, without any prior changes on the snapcraft.yaml :thinking:

2 Likes

This is what I did with my yaml:

    build-packages:
      - openjdk-17-jre-headless
      - ca-certificates-java
      - ca-certificates

No issues building or running. Different JRE version, but I’m assuming that if you add ca-certificates to your build-packages, it may work. This is on core20, btw.

The referenced YAML is HERE.

I’m assuming there’s been a regression related to the package bump as a result of https://ubuntu.com/security/notices/USN-5313-1

I’ve started getting the issue with blacklisted.certs as above too, on a package that’s otherwise been on autopilot (i.e, unchanged) for months/years.

core18 + default-jre, though I’m assuming the problem might be wider spread than that.

After updating from core18 to core20 and from gnome-3-28 to gnome-38 the build now fails completely: unknown plugin: 'maven'

So using core20 as possible workaround isn’t possible for my case, as core20 is still missing a maven plugin:

Displaying plugins available for ‘core20’: autotools catkin catkin-tools cmake colcon conda dump go make meson nil npm python qmake rust

vs.

Displaying plugins available for ‘core18’ ant catkin-tools conda dump godeps kernel meson plainbox-provider ruby waf autotools cmake crystal flutter gradle make nil python rust catkin colcon dotnet go kbuild maven nodejs qmake scons

:frowning:

@regal I was able to successfully build and run the snap. I provided a PR.

I built the snap using Fabrica (thanks again @ogra).

@kz6fittycent thanks a lot for your effort! But unfortunately it still gets automatically rejected:

package contains external symlinks: usr/lib/jvm/java-11-openjdk-amd64/lib/security/blacklisted.certs lint-snap-v2_external_symlinks

Same error here with https://github.com/kovzol/geogebra/blob/master/snapcraft.yaml.

It seems pretty clear (at least to me) that the issue is the following file inside of the snap:

usr/lib/jvm/java-11-openjdk-amd64/lib/security/blacklisted.certs -> /etc/java-11-openjdk/security/blacklisted.certs

This link is absolute and takes you outside of the snap filesystem and causes the error. It should point to

../../../../../../etc/java-11-openjdk/security/blacklisted.certs

like the other files in that directory. Would that be a problem with the openjdk package?

Secondly, is there a way in our snap configuration to correct this link?

Michael

PS: I am also using core18 as using core20 gives a “can’t find maven plugin” error as mentioned above.

2 Likes
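A local pre-upload check for the condition described in the post above, added here as an example that is not part of the thread or of snapcraft: it lists symlinks in a prime directory whose targets are absolute or climb above that directory. It approximates the store's external-symlink lint rather than reproducing it, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag symlinks in a prime directory
# whose targets are absolute or climb above the directory. Approximation of
# the store's external-symlink lint, not its actual implementation.

# Succeeds if the relative path $1 never climbs above its starting directory.
# Purely lexical, so dangling links are classified too.
inside_root() (
    IFS=/
    set -f                          # split on "/" without globbing
    depth=0
    for part in $1; do
        case $part in
            ''|.) ;;
            ..) depth=$((depth - 1)); [ "$depth" -ge 0 ] || exit 1 ;;
            *)  depth=$((depth + 1)) ;;
        esac
    done
    exit 0
)

# Print one "<reason><TAB><link> -> <target>" line per offending symlink.
# File names containing newlines are not handled.
find_external_symlinks() {
    root=${1%/}
    find "$root" -type l | sort | while IFS= read -r link; do
        target=$(readlink "$link")
        rel=${link#"$root"/}
        case $target in
            /*) printf 'absolute\t%s -> %s\n' "$rel" "$target" ;;
            *)  inside_root "$(dirname "$rel")/$target" ||
                    printf 'escapes\t%s -> %s\n' "$rel" "$target" ;;
        esac
    done
}

# Constructed sample tree using the path from the thread; prints its location.
make_sample_prime() {
    d=$(mktemp -d)
    sec=$d/usr/lib/jvm/java-11-openjdk-amd64/lib/security
    mkdir -p "$sec" "$d/etc/java-11-openjdk/security"
    ln -s /etc/java-11-openjdk/security/blacklisted.certs "$sec/blacklisted.certs"
    ln -s ../../../../../../etc/java-11-openjdk/security/java.security "$sec/java.security"
    ln -s ../../../../../../../etc/ssl/certs/java/cacerts "$sec/cacerts"
    printf '%s\n' "$d"
}
```

Run `find_external_symlinks prime/` after `snapcraft prime`; on the constructed tree it reports the absolute `blacklisted.certs` link and the seven-level `cacerts` link, and stays silent on the six-level relative link that resolves inside the tree.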

Are you building on snapcraft.io, or locally? I built that snap locally w/o issue. You could do the same and upload your snap to the store until the issue is rectified.

It could just be something to do with snapcraft.io. Just a guess on my part.

Seems to be a consistent theme with core18 and the java packages.

:frowning:

I just updated both mc-installer and mc-server-installer today w/o issue using snapcraft.io. Those snaps are core20, but were core18 previously.

@kz6fittycent - Initially I was just using the github integration to build and deploy. The build works, the deploy was not allowed due to the issue.

Afterwards, I built locally. Again, the build works fine, but when I attempt to upload, the check/review process fails with the symlink error.

I’m curious (1) if this is an issue with the openjdk package and (2) if there is anything we can do in our snapcraft config file to correct the issue.

Michael

1 Like

Yes, I do automated continuous delivery on snapcraft.io. I requested a manual review of one of the rejected Dayon! builds yesterday - but I’m still waiting for feedback.

1 Like

In looking more closely, neither my main OS nor the location within the snap even contains blacklisted.certs. I bet the following can probably be deleted from within the snap and doesn’t have to be repointed.

usr/lib/jvm/java-11-openjdk-amd64/lib/security/blacklisted.certs -> /etc/java-11-openjdk/security/blacklisted.certs

Perhaps a snapcraft scriptlet could do that job. Does anyone see a flaw in this logic or have experience with scriptlets?

This is important to me as I can no longer deploy any of my java snaps.

Michael

1 Like

i think this was solved internally in snapcraft long ago via

what you need to do is to make sure the target of the symlink exists on the build host (i.e. via build-packages like @kz6fittycent pointed out above) , then the target file should be pulled into your snap automatically, replacing the link with actual data … though it seems to have only landed for core20 based snaps …

1 Like

Thank you @ogra for your response. I’m still somewhat of a beginner with snapcraft. I have added the build packages that @kz6fittycent mentioned above, but the absolute path based symlink remains, and it points outside the snap and to a file that doesn’t exist on my system.

One option that seems to work for me is to delete that symlink. I’m not sure if it’s the best solution, but since it doesn’t point to a valid file I’m not sure if it will hurt. I agree the right answer is to get that file within the snap and have the symlink point to it.

But, as a workaround, you can delete the invalid symlink via the following:

    override-prime: |
      snapcraftctl prime
      # Drop the dangling absolute symlink that points outside the snap
      rm -vf usr/lib/jvm/java-11-openjdk-*/lib/security/blacklisted.certs

Thoughts?

3 Likes

this is definitely a proper solution yet not very clean indeed, though i wonder why you do not end up with the target file replacing the symlink during prime …