[squid-dev] To make squid works in snap world.
Amos Jeffries
squid3 at treenet.co.nz
Wed Mar 15 04:42:50 UTC 2017
On 15/03/2017 3:44 a.m., Gary Wang wrote:
> Hi guys
> I'm sorry that I'm here so late. :(
> Generally, regarding the purpose of this MP.
> https://code.launchpad.net/~gary-wzl77/squid/ipc_prefix/+merge/318714
>
> I'd like to make squid snap works as a confined
> <https://snapcraft.io/docs/reference/confinement>snap in snap world. So
> that we can ship this snap in ubuntu-core.
> The reason why I need to add compile option to enable to customize IPC
> prefix at compiling time is that in order to use shared memory in an app
> which released as a snap package the only allowed file path will be like
> this <https://bugs.launchpad.net/snappy/+bug/1653955>(in the following
> namespace)
> /dev/shm/sem.snap.@{SNAP_NAME}.*
>
> Hence in our case, the shared memory file path should be
> /dev/shm/sem.snap.squid-snap.{random-string}
> Otherwise, you will get the following error when running the squid in
> snap world
> http://paste.ubuntu.com/24175840/
>
Having looked at this a lot more now I think the patch is based on an
incorrect assumption.
You see Squid complaining of /dev/shm Permissions error. Other people
getting that error in snap world were using semaphores and fixed it by
using snap /dev/shm/sem.* names. So you fixed the /dev/shm naming to
match snap semaphore naming.
... but Squid does *not* use semaphores.
Simply making Squid pretend to be doing semaphores to bypass the
security is not the right way forward.
The real question is why the permissions error is occuring?
What in snap world is refusing permission?
Amos
More information about the squid-dev
mailing list