Security:Vasum:Usage

From Tizen Wiki

This wiki page collects the details required to run Vasum. It goes through the Vasum installation process, the tests and the known problems on the two supported systems, Tizen and Fedora.

Installing Vasum on Tizen 3.0 (Odroid device)

Vasum was originally developed on the Tizen 3.0 distribution. The following section covers how to launch Vasum on a Tizen device called Odroid.

Prepare Tizen on Odroid

If you don't have Tizen installed on your Odroid device, we recommend reading the official guide available here.

Install Vasum

With a prepared Odroid device we can move on to installing the Vasum dependencies and Vasum itself.

Downloading pre-built dependent packages

Download the packages listed below from the Tizen.org download site:

  • libboost_program_options
  • libboost_regex
  • libboost_test
  • libcap-tools
  • python-xml

Other dependent packages need to be built manually.

Pre-built Vasum packages

Most recent project packages built by the CI tool: CI: last successful build artifacts

Building the Vasum packages

It is recommended to use GBS for building the packages; it creates the required RPM files ready to install on the Tizen device. To make sure all packages are built properly, it is recommended to add the following URL to the .gbs.conf file:

http://download.tizen.org/snapshots/tizen/common/latest/repos/arm-wayland/packages/

Repositories to clone and build using GBS:

For each repository, run the following shell commands:

git clone ssh://<user>@review.tizen.org:29418/<repo_name>
git checkout tizen
gbs build ...

Vasum can be built with or without DBus support. By default DBus support is turned on; if you want to build Vasum with the alternative IPC, without DBus, add the GBS argument --define 'without_dbus TRUE'.

After a successful build, copy the RPMs onto the target device, leaving out the devel packages.

Install all the packages

Assuming the packages are copied into one location (and no devel packages are among them), navigate to the directory with the packages and call:

rpm -Uh *.rpm

Installing Vasum on Fedora

There are two ways to install Vasum on the Fedora distribution. This section covers both methods: installing with the Make tool, and with RPMbuild.

Dependencies

Vasum requires some additional dependencies to be installed before the build is launched. The packages can be installed with the following command:

sudo dnf install json-devel json-c-devel systemd-devel glib2-devel sqlite-devel lxc lxc-devel boost boost-devel ncurses-devel readline-devel

Additionally, Vasum uses existing LXC templates to generate new Zones. These are not provided with the default LXC packages; to install them call:

sudo dnf install lxc-templates

Make installation

Installing Vasum using Make is a regular process, similar to most open-source projects. Vasum is built using CMake, Make and GCC.

Building

After the dependencies are installed, navigate to the Vasum repository root directory and generate the Makefiles using CMake:

cmake -DCMAKE_INSTALL_PREFIX=/usr/local .

After successful configuration, we can proceed to build and install Vasum:

make
make install

With these steps, the binaries are installed to the /usr/local/bin directory and the libraries to /usr/local/lib. All binaries should be accessible from the command line and fully working.

RPMbuild installation

Building a Vasum RPM requires a few extra steps.

Additional tools

To build a Vasum RPM using RPMbuild, we first need the rpmbuild tooling from the Fedora repos:

sudo dnf install rpmdevtools

Building

First of all, set up rpmbuild tree:

rpmdev-setuptree

Then, pack the sources into a TAR archive inside the rpmbuild tree. Navigate to the Vasum directory and call:

tar -czvf ~/rpmbuild/SOURCES/vasum-0.1.1.tar.gz ../vasum-0.1.1

NOTE: RPMbuild assumes that the sources are located in a vasum-0.1.1 directory before being packed into the TAR. Thus the TAR file should contain a top-level directory vasum-0.1.1, with all the sources kept inside it. If your Vasum sources are located in a directory with a different name, an alternative solution is to add a temporary workaround to the spec file: find the %prep section and change:

%setup -q

to:

%setup -q -c %{name}-%{version}

Then create a source tar WITHOUT the top-level directory, for example from inside the Vasum directory:

tar -czvf ~/rpmbuild/SOURCES/vasum-0.1.1.tar.gz ./*

Next, RPMbuild needs the Vasum .spec file to build from. Copy our spec into the rpmbuild tree:

cp packaging/vasum.spec ~/rpmbuild/SPECS/

Finally, build the project:

rpmbuild -ba ~/rpmbuild/SPECS/vasum.spec --define 'platform_type Fedora'

RPMbuild produces ready-to-install RPMs inside the rpmbuild/RPMS/<target> directory. In most cases <target> is x86_64.
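As an added example that is not part of this page or of the Vasum project, the Python script below builds the source tarball so that its top-level directory is always vasum-0.1.1 regardless of what the checkout directory is called (so the spec's original %setup -q works without the workaround in the note above), drops .git metadata from SOURCES, and verifies the result. The checkout layout it packs is constructed for the example.

```python
import os
import tarfile
import tempfile

TOPDIR = 'vasum-0.1.1'  # the directory %setup -q expects, from the spec's name and version


def _skip_vcs(info):
    """tarfile filter: drop .git metadata so it never lands in SOURCES."""
    return None if '.git' in info.name.split('/') else info


def make_source_tarball(src_dir, out_path, topdir=TOPDIR):
    """Pack src_dir into out_path (gzipped tar) with every member placed under topdir/."""
    with tarfile.open(out_path, 'w:gz') as tar:
        # arcname renames the root, so the real name of the checkout directory does not matter
        tar.add(src_dir, arcname=topdir, filter=_skip_vcs)
    return out_path


def member_names(path):
    """List the member names stored in the archive."""
    with tarfile.open(path, 'r:gz') as tar:
        return tar.getnames()


def matches_setup_q(path, topdir=TOPDIR):
    """True if every member sits under the single top-level directory %setup -q expects."""
    return {name.split('/', 1)[0] for name in member_names(path)} == {topdir}


def demo():
    """Constructed checkout whose directory is NOT named vasum-0.1.1 (hypothetical layout)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, 'vasum-checkout')
    for rel in ('CMakeLists.txt', 'packaging/vasum.spec', '.git/HEAD'):
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write('constructed placeholder\n')
    return make_source_tarball(src, os.path.join(work, TOPDIR + '.tar.gz'))


if __name__ == '__main__':
    out = demo()
    print(out, matches_setup_q(out))
```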

Vasum Tests

The Vasum repository has a directory called tests, which contains all tests written for Vasum. When Vasum packages are created using RPMbuild or GBS, the contents of this folder are packaged as a vasum-tests RPM. Installing this package is optional, but it is a good reference point for checking that Vasum works correctly.

NOTE: All tests must be launched as root user.

NOTE: When tests fail with "Name lost org.tizen.vasum.host" message, stop vasum service ("systemctl stop vasum").

Unit tests

Unit tests are designed to verify behavior of all Vasum Server modules in various configurations. They are the main testing suite for Vasum Server and its modules.

To launch the unit tests, use the vsm_all_tests.py script. The script should be on the PATH, so it can be launched from anywhere by typing its name in the shell.

Integration tests

Integration tests check the system configuration, image integrity, etc. If any of them fails, it is highly probable that Vasum Server and its Zones won't launch at all.

To launch the integration tests, use the vsm_int_tests.py command. As with vsm_all_tests.py, the script should be launchable from the shell anywhere in the system.

CI integration tests

Each commit is tested. See the patchset-related test results: patchset integration tests

Running Vasum

Starting up Vasum Server

After successful flashing and package installation, Vasum should be ready to run. Vasum is a systemd service and can be launched with systemctl:

systemctl start vasum

Creating and launching Zones

Vasum Server has no Zones running by default. A new Zone can be created with a Vasum CLI call:

vasum-cli create_zone <zone name>

Then you can start the newly created Zone and log into the Zone's console:

vasum-cli start_zone <zone name>
lxc-console -P /usr/share/.zones -t 0 -n <zone name>

Log in to the created Zone with the default credentials. On Tizen these are: login root, password tizen.

To exit the console and return to the host's console, press Ctrl+A and immediately afterwards press Q (without Ctrl).

Shutting down and destroying Zones

To shut down a specific Zone, use the Vasum CLI:

vasum-cli shutdown_zone <zone name>

To erase a specific Zone, call:

vasum-cli destroy_zone <zone name>

NOTE: This command not only removes the Zone from the Vasum database, it also deletes all Zone configuration files and the Zone's root directory. If needed, back up the data before destroying the Zone!

Known problems on Tizen 3.0

Warning during image copy: "Failed to copy "/opt/usr/containers/img/mp/dev/random": Function not implemented"

This is due to stub device nodes already present in the container image. It shouldn't affect the container launch.

Error when launching Vasum: "None of the files under '/dev/input/' represents device named: gpio_keys.6"

Make sure that the event devices in the /dev/input/ directory belong to the input group. If not, use chgrp to change their group:

chgrp input /dev/input/event*

Error when creating new Zone: "Failed to successfully execute func: locale::facet::_S_create_c_locale name not valid"

By default the Tizen Common profile has the LC_ALL variable set to an empty string. Reset it with the following command before launching SCS:

export LC_ALL="en_GB.UTF-8"

Keep in mind that this has to be re-executed every time the target device is rebooted. To avoid that, add the above line to /etc/profile, ~/.bash_profile, ~/.bashrc or another file read by Bash when it is launched.

Error when starting Zone: "Name lost org.tizen.vasum.zone"

Currently, to make Vasum development easier, the Server is launched as the root user. This unfortunately causes the aforementioned error when trying to connect over DBus to a just-started Zone.

To launch a Zone properly, the configuration file /etc/dbus-1/system.d/org.tizen.vasum.zone.conf must be edited. Change the line:

<policy user="security-containers">

to:

<policy user="0">

Known problems on Fedora

Ready to use Fedora VirtualBox image: Fedora 22 VirtualBox image

Log in as dev (password: "samsung"). Open a console and type:

sudo systemctl stop vasum
sudo vsm_all_tests.py

The image has vasum and the tests installed from RPM packages; you can uninstall those and install your own freely. When working on your own distribution, you may experience the following issues:

getpwnam failed to find user 'security-containers'

Make installation does not perform some of the post-install commands done by RPM. Add the user security-containers with ID 377 manually:

groupadd -g 377 security-containers
useradd -g 377 -u 377 security-containers

*.so.0: cannot open shared object file: No such file or directory

When building and installing using Make, we declared a different path prefix to use during installation: /usr/local. If this is not already done, we need to point ldconfig to these paths. Create a new file in /etc/ld.so.conf.d/ (named for example usr_local.conf) and add the lines:

/usr/local/lib64
/usr/local/lib

Then run ldconfig to apply the change.

Failed to attach 'vethXXXXXX' to the bridge 'lxcbr0': Operation not permitted

The issue can have a number of causes.

The first is missing kernel configuration options. The easiest way to check is the vasum-check-config script provided with the Vasum packages. Just type:

vasum-check-config

The script checks whether all required kernel configuration options are enabled. If any option from the Network virtualization category is missing, the kernel must be recompiled with those options enabled. Follow the official guide for building the Fedora kernel for more info.

If the kernel is updated and the issue persists, another cause could be the lxc-net service being unable to set up the network devices for LXC. One easy way to check this is to type:

brctl show

If the list is empty, lxc-net probably has its settings overridden and does not set up the LXC network bridge at all.

To fix the problem with the lxc-net script, check the contents of the /etc/sysconfig/lxc file. There should be an option USE_LXC_BRIDGE; it should be set to "true". After editing the file, restart the lxc-net service:

systemctl stop lxc-net && systemctl start lxc-net

Now brctl show should list the lxcbr0 interface.

Permission denied - error mounting <sth> on <sth2>

This issue is probably caused by SELinux. It can be verified by typing in another terminal:

tail -f /var/log/audit/audit.log

and then retrying the Zone start. A line similar to this should appear:

type=AVC msg=audit(1438003160.626:538): avc: denied { mounton } for pid=1946 comm="lxc-start" path="<sth2>" dev="proc" ino=25886 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0

To fix the issue, we must supply SELinux with custom policy:

grep lxc-start /var/log/audit/audit.log | audit2allow -M myvasumpol
semodule -i myvasumpol.pp

Note that audit2allow might not be present on the system; install it with:

dnf install policycoreutils-devel
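As an added example that is not part of this page or of the Vasum project, the Python script below parses AVC records in the format quoted above and collapses the lxc-start denials into the allow rules a module generated from them would contain, so the policy can be reviewed before semodule -i installs it (audit2allow -M also leaves those rules in myvasumpol.te beside the .pp). The two sample log lines are constructed from the denial quoted above, with a made-up path and a made-up SYSCALL record.

```python
import re

# Constructed sample records modelled on the denial quoted in this section;
# the path and the second (SYSCALL) line are made up for the example.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1438003160.626:538): avc:  denied  { mounton } for  pid=1946 '
    'comm="lxc-start" path="/constructed/zone/rootfs/proc" dev="proc" ino=25886 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1438003160.626:538): arch=c000003e syscall=165 success=no '
    'exit=-13 comm="lxc-start" subj=system_u:system_r:unconfined_service_t:s0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record (result, perms and key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """The SELinux type is the third field of user:role:type[:level]."""
    return ctx.split(':')[2]


def allow_rules(lines, comm=None):
    """Collapse denials (optionally only those from `comm`) into allow rules, one per permission."""
    rules = set()
    for line in lines:
        rec = parse_avc(line)
        # permissive=1 records were logged but not blocked, so they are not what stopped the Zone
        if rec is None or rec['result'] != 'denied' or rec.get('permissive') == '1':
            continue
        if comm is not None and rec.get('comm') != comm:
            continue
        for perm in rec['perms']:
            rules.add('allow %s %s:%s %s;' % (context_type(rec['scontext']),
                                              context_type(rec['tcontext']), rec['tclass'], perm))
    return sorted(rules)


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG, comm='lxc-start'):
        print(rule)
```

Run it against the real file with the lines of /var/log/audit/audit.log instead of the constructed list; a rule that opens more than the mount lxc-start needs is the cue to narrow the module before installing it.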

Known problems on Ubuntu 14.04

cgroups

Vasum relies on cgroups to manage system resources inside containers. Before running Vasum, make sure you have installed cgroup-bin and that the following directories exist in your filesystem:

/sys/fs/cgroup/cpu
/sys/fs/cgroup/memory

You need to reboot your system after installing cgroup-bin to see the effect.

getpwnam failed to find user 'security-containers' (same on Fedora)

Make installation does not perform some of the post-install commands done by RPM. Add the user security-containers with ID 377 manually:

groupadd -g 377 security-containers
useradd -g 377 -u 377 security-containers

getpwnam failed to find group 'input'

Add the mentioned group:

groupadd input