IOError in package using keras model, using opencpu-server

[Debajyoti Nag]

Hi, 

I am trying to use a keras model in my package, and it works fine within rstudio.

However, when trying to call via the API, I get the following error

IOError: Unable to open file (unable to flock file, errno = 13, error message = 'Permission denied')

On checking the logs, I can see this is most likely linked with the AppArmor profile:

root@ip-20-80-40-101:~# sudo tail -f /var/log/kern.log | grep opencpu

gives:

Jan 27 23:54:20 ip-20-80-40-101 kernel: [2019126.246477] audit: type=1400 audit(1548613460.154:168): apparmor="DENIED" operation="unlink" profile="opencpu-exec" name="/usr/local/lib/R/site-library/reticulate/python/rpytools/__init__.pyc" pid=14756 comm="apache2" requested_mask="d" denied_mask="d" fsuid=33 ouid=0
Jan 27 23:54:20 ip-20-80-40-101 kernel: [2019126.246633] audit: type=1400 audit(1548613460.154:169): apparmor="DENIED" operation="unlink" profile="opencpu-exec" name="/usr/local/lib/R/site-library/reticulate/python/rpytools/call.pyc" pid=14756 comm="apache2" requested_mask="d" denied_mask="d" fsuid=33 ouid=0
Jan 27 23:54:20 ip-20-80-40-101 kernel: [2019126.248382] audit: type=1400 audit(1548613460.154:170): apparmor="DENIED" operation="unlink" profile="opencpu-exec" name="/usr/local/lib/R/site-library/reticulate/python/rpytools/output.pyc" pid=14756 comm="apache2" requested_mask="d" denied_mask="d" fsuid=33 ouid=0
Jan 27 23:54:20 ip-20-80-40-101 kernel: [2019126.992518] audit: type=1400 audit(1548613460.898:171): apparmor="DENIED" operation="file_lock" profile="opencpu-exec" name="/tmp/ocpu-temp/x01b782204d9bd7/keras_model39a43a999ab6.h5" pid=14756 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=33

In my package, I have the model stored in data/ folder, and I load it in the onLoad function

.onLoad <- function(lib, pkg) {
  # something to run
  utils::data(recipeObject, package = pkg, envir = parent.env(environment()))
  utils::data(serializedModel, package = pkg, envir = parent.env(environment()))
}

I do not have any experience with AppArmor profiles, and would be great if someone could get me started.

How exactly should I go about this?

Thanks in advance, 

/Debajyoti

[Jeroen Ooms]

Looks like your code is trying to edit files in the reticulate
package, it's unclear why it would want to do that.

Anyway if you want to allow this, edit your file
/etc/apparmor.d/opencpu.d/custom and add a line like this:

/usr/local/lib/R/site-library/ rwmix,

And then run

sudo service apparmor restart
sudo apachectl restart

See also section 3.5 of the server manual
https://opencpu.github.io/server-manual/opencpu-server.pdf

> --
> You received this message because you are subscribed to the Google Groups "opencpu" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to opencpu+u...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Debajyoti Nag]

Somehow, this didn't have any effect.

I'm still seeing the same error and same 'Denied' messages in the log.

[Debajyoti Nag]

Okay, setting permissions on the files in /usr/local/lib/R/site-library worked, but still stuck with the last Denied flag.

Jan 28 12:55:09 ip-20-80-40-101 kernel: [2065976.378059] audit: type=1400 audit(1548660309.647:395): apparmor="DENIED" operation="file_lock" profile="opencpu-exec" name="/tmp/ocpu-temp/x00a6ede5d9a5c2/keras_model51515547cae2.h5" pid=20817 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=33

but I cannot find any /ocpu-temp/ within /tmp/ 

[Jeroen Ooms]

On Sun, Jan 27, 2019 at 11:29 PM Debajyoti Nag <dave...@gmail.com> wrote:
>
>
> Okay, setting permissions on the files in /usr/local/lib/R/site-library worked, but still stuck with the last Denied flag.

Right it probably should have been: /usr/local/lib/R/site-library/** rwmix.

Maybe the file lock warning can be ignored? Usually things will work
fine without locking.

> but I cannot find any /ocpu-temp/ within /tmp/

If you are running systemd, /tmp is mapped to a virtual per-user
directory /tmp.systemd-private-....-apache2.service-.... But I think
you can just say /tmp/ocpu-temp in the apparmor profile.

[Debajyoti Nag]

/etc/apparmor.d/opencpu.d/custom now looks like 

/some/custom/special/dir rwmix,
/usr/local/lib/R/site-library/** rwmix,
/tmp/ocpu-temp rwmix,

but still facing the same error

root@ip-20-80-40-101:~# tail -f /var/log/kern.log | grep opencpu
Jan 28 13:19:46 ip-20-80-40-101 kernel: [2067453.271149] audit: type=1400 audit(1548661786.519:578): apparmor="DENIED" operation="file_lock" profile="opencpu-exec" name="/tmp/ocpu-temp/x0a8477197e1e1c/keras_model57805b0e6ae8.h5" pid=22400 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=33

We are indeed using systemd, and i can see the  /tmp.systemd-private-....-apache2.service-.... directory.

How can I resolve this, or If I want to ignore the file locks, how do I set that? Is that recommended?

[Debajyoti Nag]

This works after adding the below line to /etc/apparmor.d/opencpu.d/custom 

/tmp/** rwkmix,

Thank you for your help. :)