Error while loading shared libraries only when using config file #229
Comments
Have you ever managed to resolve this or is this still something you need help with?
This is still not resolved.
Okay, I'll see if I can replicate that in a Docker later this week.
I've built it from source (not via Docker though) and could not verify the issue. The only other difference is that I'm running Have you built from HEAD as well?
I created a minimal example to reproduce this problem.
Dockerfile
```dockerfile
FROM ubuntu:22.04 as php_base
RUN apt-get update
RUN apt-get install -y \
    nano time wget dos2unix \
    autoconf \
    bison \
    flex \
    gcc \
    g++ \
    libprotobuf-dev \
    libnl-route-3-dev \
    libtool \
    make \
    pkg-config \
    protobuf-compiler \
    python3.11 \
    git \
    && apt-get -y autoremove \
    && apt-get clean
RUN mkdir /python
# Download and install pypy
RUN wget https://downloads.python.org/pypy/pypy3.10-v7.3.16-linux64.tar.bz2 -P /python
RUN tar -xf /python/pypy3.10-v7.3.16-linux64.tar.bz2 -C /python
RUN mv /python/pypy3.10-v7.3.16-linux64 /python/pypy3.10
RUN rm /python/pypy3.10-v7.3.16-linux64.tar.bz2
RUN cp /python/pypy3.10/bin/* /usr/bin -r
RUN cp /python/pypy3.10/lib/* /usr/lib -r
RUN cp /python/pypy3.10/include/* /usr/include -r
# Download and install NSJail
RUN git clone https://github.com/google/nsjail.git /nsjail
RUN cd /nsjail && make && mv /nsjail/nsjail /bin && rm -rf -- /nsjail
RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Copy nsjail config
RUN mkdir /var/nsjail
RUN chmod 0777 /var/nsjail
COPY empty.conf /var/nsjail/
# Copy starter bash script
COPY start-container /usr/local/bin/start-container
# Set permissions in folders
# This line is needed only for windows, and has no effect in linux.
RUN dos2unix /usr/local/bin/start-container
RUN chmod +x /usr/local/bin/start-container
ENTRYPOINT [ "start-container" ]
```
empty.conf
start-container
```bash
#!/bin/bash
echo -e "!!Starting!!"
pypy3.10 --version
echo -e "\n\n\n!!NSJail no config!!"
nsjail -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /dev/urandom -- /usr/bin/pypy --version
echo -e "\n\n\n!!NSJail empty config!!"
nsjail --config /var/nsjail/empty.conf -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /dev/urandom -- /usr/bin/pypy --version
```
Results
The output after building and running this image is as follows:
I'm using the binaries from the PyPy website and not the Ubuntu distribution.
I don't know if this problem is Docker-related, but I think if you run with this setup outside Docker the problem should be the same.
Thanks for the very detailed information. I could spend some time today looking at this. Your problem seems to be that your downloaded pypy has the
The error message that you get is a bit confusing because you don't get the full path of the library but just the which shared library can't be found. This is despite you having mounted the file path where the shared library is located. However when the linker tries to resolve the shared library it can't find it. That's likely because it's not located in a standard location and you don't have Nsjail seems to mount
The root cause of the problem seems to be that (at least certain) default values of the configuration when started using cmdline args are ignored when using the config file.
I tried to mount the proc in my config file and this really solved the problem. Is the behavior of overriding the default value for mounting
Glad to see you're unlocked. I had a brief chat with @robertswiecki about that and he mentioned there are some default values set. I believe those are the ones you can see in the config.proto. Although I haven't looked in depth into the code if that is really the case. Regardless it's probably something that should be better documented.
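Added example (not part of the thread and not nsjail's own code): a shell preflight check that reports whether an nsjail config file enables procfs, run against the reproducer's empty config and a constructed config-file equivalent of the command line from this issue. The function names and `pypy-fixed.conf` are hypothetical; the config field names are those of nsjail's `config.proto`.

```shell
# Added example: preflight check that an nsjail config file mounts procfs.
# Field names (mode, mount, mount_proc, fstype, is_bind, rw) come from
# nsjail's config.proto; both sample files are constructed for illustration.

# Return 0 if the config enables procfs, via `mount_proc: true` or an explicit
# mount block with fstype "proc"; 1 if it does not; 2 if the file is unreadable.
config_mounts_proc() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Strip comments and flatten, so fields split across lines still match.
    flat=$(sed 's/#.*$//' "$conf" | tr '\n' ' ')
    if printf '%s' "$flat" |
        grep -Eq '(^|[[:space:]])mount_proc[[:space:]]*:[[:space:]]*true'; then
        return 0
    fi
    if printf '%s' "$flat" | grep -Eq 'fstype[[:space:]]*:[[:space:]]*"proc"'; then
        return 0
    fi
    return 1
}

# Write the empty config from the reproducer and a config-file equivalent of
# the page's command line (-Mo -R ... -T /dev) with procfs enabled explicitly.
write_sample_configs() {
    dir="$1"
    : > "$dir/empty.conf"
    cat > "$dir/pypy-fixed.conf" <<'EOF'
mode: ONCE
mount_proc: true   # set explicitly, the fix reported in this thread
mount { src: "/bin" dst: "/bin" is_bind: true }
mount { src: "/lib" dst: "/lib" is_bind: true }
mount { src: "/lib64" dst: "/lib64" is_bind: true }
mount { src: "/usr" dst: "/usr" is_bind: true }
mount { src: "/sbin" dst: "/sbin" is_bind: true }
mount { dst: "/dev" fstype: "tmpfs" rw: true }
mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true }
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in empty.conf pypy-fixed.conf; do
    if config_mounts_proc "$tmp/$f"; then
        echo "$f: procfs will be mounted"
    else
        echo "$f: procfs NOT mounted; add mount_proc or a proc mount"
    fi
done
rm -rf "$tmp"
```

Running the check in CI before a jail config is deployed catches a config that silently drops `/proc`, which in this issue surfaced only as a shared-library loading error.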
Setup
I'm running nsjail inside a docker container, using the last version from github repository today (27/04/2024). The container has the necessary privileges.
The steps I'm using to build nsjail in the Dockerfile:
Problem
When I execute nsjail with the following args all works fine:
nsjail -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /dev/urandom -- /usr/bin/pypy --version
The output is as follows:
But when I create a config file with the same specs this doesn't work:
nsjail --config pypy-env.conf -- /usr/bin/pypy --version
pypy-env.conf
The output is as follows:
I notice if I use the same first command but pass in the first arg an empty config file, the error is the same:
nsjail --config empty.conf -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /dev/urandom -- /usr/bin/pypy --version