Anbox fails to run on Sxmo

What's the expected behaviour?

Anbox should be started, displaying and populating the session-manager

What's the current behaviour?

Anbox tries to start at first, but eventually fails, giving the following error message: "[daemon.cpp:61@Run] [org.freedesktop.DBus.Error.ServiceUnknown] The name org.anbox was not provided by any .service files"

How to reproduce your issue?

1. Install the postmarketos-anbox meta-package from the repository
2. Start the anbox-container-manager service
3. Run anbox-launch from the terminal, which results in the above dbus error
4. alternatively Run anbox session-manager, which results in a segfault

What device are you using?

pine64-pinephone

On what postmarketOS version did you encounter the issue?

• edge (master branch)
• v21.03
• v20.05

On what environment did you encounter the issue?

Phone environments

• Phosh
• Plasma Mobile
• Sxmo

How did you get postmarketOS image?

• from https://images.postmarketos.org
• I built it using pmbootstrap
• It was preinstalled on my device

What's the build date of the image? (in yyyy-mm-dd format)

2021-05-13

Additional information

The wiki stated that, according to my error message, dbus isn't started or properly configured properly. "ps ax | grep -i dbus" shows that dbus is indeed running, so it must be a configuration issue. I followed #458 (closed). DBus is running and both XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS are indeed set. (I had to install dbus-x11 to run dbus-launch). Not sure what else to do...

Some facts:

• "rc-service anbox-container-manager status" shows the container manager is started
• the container itself isn't running, however - anbox session-manager segfaults, anbox-launch gives the above error, adb shell shows no devices
• /var/lib/anbox/logs/ is completely empty

Any thoughts?

changed the description

By Joel on 2021-05-14T08:13:58

changed the description

By Joel on 2021-05-14T08:14:52

changed the description

By Joel on 2021-05-14T08:15:50

added type::bug ui-sxmo + 1 deleted label

It sure used to work, it tested it when sxmo got out ️

By Antoine Fontaine on 2021-05-20T23:20:36

Good to know, thanks for the datapoint, @afontain!

Given that you contributed most of anbox to pmOS/alpine, and we have quite the detailed bug report here, can you give @baconicsynergy any pointers how to debug this further?

By Oliver Smith on 2021-05-20T23:20:36

What's the segfault message you get when launching anbox session-manager exactly?

I'll update the wiki page a bit. When anbox says "[daemon.cpp:61@Run] [org.freedesktop.DBus.Error.ServiceUnknown] The name org.anbox was not provided by any .service files", it really means the session-manager crashed.

By Antoine Fontaine on 2021-05-20T23:40:25

I can reproduce the issue on phosh. I get the following:

[ 2021-05-22 12:25:47] [client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.apparmor.profile
[ 2021-05-22 12:25:47] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.
[ 2021-05-22 12:25:47] [daemon.cpp:61@Run] Container is not running
[ 2021-05-22 12:25:48] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.
Stack trace (most recent call last) in thread 4333:
#6    Object "0xffff8377fbab <???+0> at /lib/ld-musl-aarch64.so.1", at 0xffff8377fbab, in
#5    Object "0xffff83078bc3 <???+0> at /usr/lib/libstdc++.so.6", at 0xffff83078bc3, in
#4    Object "0xaaaab1541a0b <???+0> at /usr/bin/anbox", at 0xaaaab1541a0b, in
#3    Object "0xaaaab150e6ef <_ZN5boost4asio6detail9scheduler10do_run_oneERNS1_27conditionally_enabled_mutex11scoped_lockERNS1_21scheduler_thread_infoERKNS_6system10error_codeE+347> at /usr/bin/anbox", at 0xaaaab150e6ef, in
#2    Object "0xaaaab155836b <_ZN5boost4asio6detail23reactive_socket_recv_opINS0_17mutable_buffers_1ESt8functionIFvRKNS_6system10error_codeEmEENS0_15any_io_executorEE11do_completeEPvPNS1_19scheduler_operationES8_m+143> at /usr/bin/anbox", at 0xaaaab155836b, in
#1    Object "0xaaaab15580ab <_ZN5boost4asio6detail7binder2ISt8functionIFvRKNS_6system10error_codeEmEES5_mEclEv+63> at /usr/bin/anbox", at 0xaaaab15580ab, in
#0    Object "0xaaaab150932c <???+0> at /usr/bin/anbox", at 0xaaaab150932c, in
Segmentation fault

By Rasmus Rendal on 2021-05-22T12:30:07

Can you try to enable apparmor in the kernel config and test again? « Failed to start container: Failed to set config item lxc.apparmor.profile » suggests that's what you are missing.

By Antoine Fontaine on 2021-05-22T13:34:52

How does one enable apparmor? I'm confused as to why it's disabled if Anbox needs it, especially if it worked before. That must mean it used to be enabled, right?

By Silent-Hunter on 2021-07-06T04:44:57

afaik this is lxc bug, it wasn't required before

By Alexey Min on 2021-07-06T05:21:07

I see, so is it the issue caused by using lxc 4?

By Silent-Hunter on 2021-07-06T05:37:46

maybe https://gitlab.alpinelinux.org/alpine/aports/-/issues/12761

By Alexey Min on 2021-07-06T05:40:46

Hmm... how would I run lxc config set $CONTAINER raw.lxc "lxc.apparmor.profile=unconfined" on the Anbox container? It looks like it's the only way to solve the problem.

By Silent-Hunter on 2021-07-06T05:42:47

Is there a file I can edit to make Anbox start unconfined until the apparmor situation is fixed?

By Silent-Hunter on 2021-07-06T20:32:06

Is there a reason PMOS doesn't revert to an older version of LXC?

By Silent-Hunter on 2021-07-07T00:08:26

It's better to patch latest version than rollback to older one - there are other bugfixes introduced ;)

Could you try to enable apparmor in your kernel using pmbootstrap kconfig?
Would be nice to have it confirmed that's the issue.

By JuniorJPDJ on 2021-07-11T06:01:18

I tried but I wasn't sure how. Do I have to do it on the phone? I couldn't find detailed enough instructions for the kconfig part of pmbootstrap.

By Silent-Hunter on 2021-07-11T00:01:40

You will be compiling kernel, so doing it at phone isn't good idea at all, you need POWER AND SPEEEEED.

First you need to know which kernel are you running - I see your device is pine64-pinephone so you are running linux-postmarketos-allwinner on aarch64 architecture (you can learn it by looking at device package)

To edit config of this kernel you need to run:

pmbootstrap kconfig edit --arch aarch64 linux-postmarketos-allwinner

Then in menu you need to find apparmor suppport - the easiest way is to use / key to search and then selecting the option interesting you by number key.

eg. in this example apparmor support seem to be on second place with (2) number:

When you click 2 key on your keyboard it will magically teleport you to that option in menuconfig.
Enable it by pressing space until it's * as we want it to be built-in:

Select "Save" button using right-left arrows and confirm saving using enter key. Default name is the one you want to use. Accept confirmation and select exit as long as you are still in menu - you want to quit whole menuconfig now.

Now pmbootstrap should modify kernel package for you, checksum new config and blablabla.

What you want to do now is compiling new kernel:

pmbootstrap build --force linux-postmarketos-allwinner

and installing it on device (your phone should be connected to PC using usb during this step):

pmbootstrap sideload linux-postmarketos-allwinner

Reboot your phone and check if anbox still crashes.

By JuniorJPDJ on 2021-07-11T00:52:29

mentioned in issue #1105 (closed)

By JuniorJPDJ on 2021-07-11T00:35:18

Unfortunately that didn't work.

It said this when I tried to sideload it. ERROR: /tmp/linux-postmarketos-allwinner-5.12.6_git20210523-r2.apk: UNTRUSTED signature

By Silent-Hunter on 2021-07-11T06:23:35

which command? for pmbootstrap sideload, run with --install-key. for apk update/upgrade/install, run with --allow-untrusted

By Alexey Min on 2021-07-11T06:23:56

Okay that did it, thanks! Unfortunately, I'm still having the exact same error with Anbox as the people above, though. It still says:

[client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.apparmor.profile

I checked the config in /proc/config.gz and while CONFIG_SECURITY_APPARMOR=y is set, CONFIG_DEFAULT_SECURITY_APPARMOR is not.

By Silent-Hunter on 2021-07-11T06:35:47

try setting also this one

By JuniorJPDJ on 2021-07-11T06:35:47

Unfortunately it's still the same error.

By Silent-Hunter on 2021-07-12T04:39:16

Is it still complaining about apparmor or just still crashing? Could you show us latest log?

By JuniorJPDJ on 2021-07-12T05:00:17

It's still complaining about apparmor. I'll get you a log, but I have to rebuild the kernel because I ran the update command on my phone and it overwrote the kernel with the stock one. And my computer is slow so it takes a little bit to compile.

By Silent-Hunter on 2021-07-12T07:18:16

Wow. what the quack.

By JuniorJPDJ on 2021-07-12T07:24:27

Okay, so running anbox-launch gives this: [ 2021-07-13 00:50:37] [daemon.cpp:61@Run] [org.freedesktop.DBus.Error.ServiceUnknown] The name org.anbox was not provided by any .service files And then running anbox session-manager gives this: [ 2021-07-13 00:52:39] [client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.apparmor.profile And in /var/lib/anbox/logs/container.log, is this:

lxc 20210713004946.850 ERROR    confile - confile.c:set_config_apparmor_profile:1459 - Invalid argument - Built without AppArmor support
lxc 20210713004947.647 TRACE    commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket
lxc 20210713005239.545 ERROR    confile - confile.c:set_config_apparmor_profile:1459 - Invalid argument - Built without AppArmor support
lxc 20210713005239.439 TRACE    commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket
lxc 20210713005534.340 ERROR    confile - confile.c:set_config_apparmor_profile:1459 - Invalid argument - Built without AppArmor support
lxc 20210713005534.769 TRACE    commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket

By Silent-Hunter on 2021-07-13T00:57:12

Oh, and anbox session-manager still segfaults.

I also did check to make sure the kernel edit worked.

pinephone:~$ cat config | grep APPARMOR
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y

By Silent-Hunter on 2021-07-13T01:03:02

Oh, so basically now we have lxc compiled without apparmor support and still there's no evidence the lack of apparmor is a problem which makes anbox segfault. Please try running session-manager through gdb or at least strace.

By JuniorJPDJ on 2021-07-18T15:23:14

I suppose this isn't surprising, but the log is really long. I tried to use gdb but it didn't seem to be able to recognise "anbox session-manager" as a single command. anbox.strace.err.log

By Silent-Hunter on 2021-07-20T23:39:32

was this not https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/22712 ? and is this now solved?

By Steven Vanden Branden on 2021-08-17T17:03:38

Anbox has been dropped from Alpine completely, so I'm closing this.

See https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/33087

By Newbyte on 2022-04-19T09:46:24

closed