
Jupyter server fails to start due to `pyzmq` dlopen error in hardened environment

Open IcEarthlight opened this issue 4 months ago • 3 comments

There seems to be a problem when running the Jupyter server inside a-Shell. I found this problem in build 484, version 1.17.0, and the latest build 485, version 1.17.0 doesn't fix it. When I execute `python -m jupyter_server`, `jupyter-server`, or other commands that depend on Jupyter Server (such as `jupyter-notebook`), the process fails with the following traceback.

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/var/mobile/Containers/Data/Application/96C4605C-2041-40D0-B0A6-0AD647CA6DCC/Library/lib/python3.13/site-packages/jupyter_server/__main__.py", line 4, in <module>
    from jupyter_server import serverapp as app
  File "/var/mobile/Containers/Data/Application/96C4605C-2041-40D0-B0A6-0AD647CA6DCC/Library/lib/python3.13/site-packages/jupyter_server/serverapp.py", line 30, in <module>
    import jupyter_client
  File "/var/mobile/Containers/Data/Application/96C4605C-2041-40D0-B0A6-0AD647CA6DCC/Library/lib/python3.13/site-packages/jupyter_client/__init__.py", line 3, in <module>
    from .asynchronous import AsyncKernelClient
  File "/var/mobile/Containers/Data/Application/96C4605C-2041-40D0-B0A6-0AD647CA6DCC/Library/lib/python3.13/site-packages/jupyter_client/asynchronous/__init__.py", line 1, in <module>
    from .client import AsyncKernelClient  # noqa
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/mobile/Containers/Data/Application/96C4605C-2041-40D0-B0A6-0AD647CA6DCC/Library/lib/python3.13/site-packages/jupyter_client/asynchronous/client.py", line 8, in <module>
    import zmq.asyncio
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/site-packages/zmq/__init__.py", line 52, in <module>
    from zmq import backend
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/site-packages/zmq/backend/__init__.py", line 15, in <module>
    _ns = select_backend(backend)
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/site-packages/zmq/backend/select.py", line 30, in select_backend
    mod = import_module(name)
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/importlib/__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/site-packages/zmq/backend/cffi/__init__.py", line 9, in <module>
    from zmq.backend.cffi import _poll, context, devices, error, message, socket, utils
  File "/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Library/lib/python3.13/site-packages/zmq/backend/cffi/_poll.py", line 15, in <module>
    from ._cffi import ffi
ImportError: dlopen(Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi, 0x0002): tried: 'Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (relative path not allowed in hardened program), '/private/preboot/Cryptexes/OSFrameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (errno=2), '/usr/lib/swift/Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (errno=2, not in dyld cache), '/private/preboot/Cryptexes/OS/usr/lib/swift/Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (errno=2), '/private/var/containers/Bundle/Application/822375D0-8798-4B28-85D8-F67E02ABCD59/a-Shell.app/Frameworks/Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (errno=2), '/usr/lib/Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (errno=2, not in dyld cache), 'Frameworks/PythonAzmq.backend.cffi._cffi.framework/PythonAzmq.backend.cffi._cffi' (relative path not allowed in hardened program)

The issue appears to be the `ImportError` in `zmq.backend.cffi._cffi`. My preliminary analysis suggests this issue may be related to the pyzmq binary included in the `pythonInstall.tar.gz` package.

IcEarthlight avatar Sep 08 '25 13:09 IcEarthlight

Thanks for telling me. The issue affects all dynamic libraries, including, for example, numpy. But it doesn't appear on local builds, only on the distributed builds. The key information is "relative path not allowed in hardened program", and the solution is going to be to provide an absolute path instead.

holzschu avatar Sep 08 '25 14:09 holzschu
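
An added example (not from the thread or the a-Shell code base): a small parser for the dyld `tried:` message format shown in the traceback, which separates the relative paths the hardened runtime refused from absolute candidates that simply did not exist. The sample message is constructed, and `resolve_under` with its `bundle_root` argument is a hypothetical helper illustrating the "provide an absolute path" fix.

```python
import os
import re

# Constructed sample in the format of the dyld error quoted in the issue;
# "Example.framework/Example" and "/opt/app" are placeholder names.
SAMPLE = (
    "dlopen(Frameworks/Example.framework/Example, 0x0002): tried: "
    "'Frameworks/Example.framework/Example' (relative path not allowed in hardened program), "
    "'/usr/lib/Frameworks/Example.framework/Example' (errno=2, not in dyld cache), "
    "'/opt/app/Frameworks/Frameworks/Example.framework/Example' (errno=2)"
)

_HEAD = re.compile(r"dlopen\((?P<path>.+?), 0x[0-9a-fA-F]+\): tried: (?P<tried>.*)", re.S)
_ATTEMPT = re.compile(r"'(?P<path>[^']*)' \((?P<reason>[^)]*)\)")

def parse_dlopen_error(message):
    """Return (requested_path, [(tried_path, reason), ...]) from a dyld message."""
    m = _HEAD.search(message)
    if m is None:
        raise ValueError("not a dyld 'tried:' message")
    attempts = [(a["path"], a["reason"]) for a in _ATTEMPT.finditer(m["tried"])]
    return m["path"], attempts

def diagnose(message):
    """Split attempts into policy rejections and plain file-not-found misses."""
    requested, attempts = parse_dlopen_error(message)
    rejected = sorted({p for p, r in attempts if "relative path not allowed" in r})
    missing = [p for p, r in attempts if r.startswith("errno=2")]
    return {
        "requested": requested,
        "requested_is_relative": not requested.startswith("/"),
        "rejected_relative": rejected,   # refused by the hardened runtime
        "missing_absolute": missing,     # searched, but no file there
    }

def resolve_under(bundle_root, requested):
    """Hypothetical fix-side helper: build the absolute path a loader could pass
    to dlopen instead, refusing anything that resolves outside bundle_root."""
    root = os.path.realpath(bundle_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes bundle root")
    return candidate

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
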

It seems to be fixed with build 486 (at least on my test machine).

holzschu avatar Sep 10 '25 13:09 holzschu

Thanks for the quick fix! The latest build has resolved the issue for me. I've also tried numpy, matplotlib, pandas, and they all work. However, when attempting to run the jupyter notebook/server, I'm now encountering some segmentation faults. I'll open a separate issue for this.

IcEarthlight avatar Sep 10 '25 15:09 IcEarthlight