cool-yacht-37128
09/20/2022, 7:32 AM
cool-yacht-37128
09/20/2022, 8:39 AM
cool-yacht-37128
09/20/2022, 8:43 AM
cool-yacht-37128
09/20/2022, 9:02 AM
`noexec` mode. Meaning even if you store a file there, you cannot run any executables from those locations. Not even if you are root
• A .pex built with the default zipapp layout unpacks itself to ~/.pex
• Where you get `failed to map segment from shared object` errors are when you have python modules which use `.so` library files. These are often memory mapped, and noexec prevents access to such files (more detail). So python packages that use compiled .so libraries cannot be run from user writable paths
• The same issue doesn’t occur if you run the .pex via `sudo` because the pex is run as the root user, and the root user’s home dir is `/root` which is mounted with exec mode.
Even if it was possible to direct PEX to which dir to use as a cache location, in practice on a hardened linux server there are no good paths that are user writable and can execute binaries by design. Creating a directory in /opt that is world writable just compromises the entire OS security.
Thus it’s not possible at all to run .pexs by normal users on such hardened systems at all if they contain modules that contain `.so` libraries
My ugly solution: A shell script wrapper around the pex to check if the user is a superuser or not, and attempt to run the pex via sudo.
enough-analyst-54434
09/20/2022, 1:28 PM
enough-analyst-54434
09/20/2022, 3:41 PM
`--include-tools` you can then run `PEX_TOOLS=1 the/pex venv install/here --compile --rm all` which will install the PEX at `install/here` with an executable `install/here/pex` script that acts just like the original PEX file (which is deleted by `--rm all`).
enough-analyst-54434
09/20/2022, 3:44 PM
`--alias my-app-exe-name` that created a relative symlink at `install/here/my-app-exe-name` that pointed at `install/here/pex` or even simply re-named it.
enough-analyst-54434
09/20/2022, 3:45 PM
cool-yacht-37128
09/20/2022, 10:48 PM
cool-yacht-37128
09/20/2022, 10:50 PM
cool-yacht-37128
09/20/2022, 10:51 PM
enough-analyst-54434
09/20/2022, 10:54 PM
`--layout loose` PEXes (or packed) is these are slower and less compatible than `--venv` PEXes). The fastest is a PEX_TOOLS created venv - these run at native Python / venv speed and are the most compatible with arbitrary Python programs since these all expect to run in a venv.
enough-analyst-54434
09/20/2022, 10:55 PM
cool-yacht-37128
09/20/2022, 10:55 PM
enough-analyst-54434
09/20/2022, 10:57 PM
cool-yacht-37128
09/20/2022, 11:07 PM
cool-yacht-37128
09/20/2022, 11:08 PM
enough-analyst-54434
09/20/2022, 11:23 PM
enough-analyst-54434
09/20/2022, 11:24 PM
enough-analyst-54434
09/20/2022, 11:44 PM
cool-yacht-37128
09/20/2022, 11:56 PM