On 25.02.2013 17:18, Alexander Larsson wrote:
> Today I've been looking at the app image part of the application stuff
> we were talking about on the hackfest.
>
> Basically, given a "base profile" as a directory with the basic
> dependencies and one or more app images, merge these two into a single
> tree inside a separate namespace and run the app from there.
>
> Given that we don't currently have any union fs upstream the only way
> we can do this currently is to use bind mounts. So, I've written a
> small app to test this. It takes a directory with the base os and
> a set of squashfs images, then it clones to get a new namespace
> where it mounts a tmpfs. Inside it we loopback mount the images
> and create a directory "root" where we build up the merged structure.
>
> Any dir/file just in one of the sources gets bind-mounted in, but
> if any directory is in multiple sources we create it on the tmpfs and
> merge in the children recursively.
>
> It also mounts /proc, and bind-mounts $home and /dev. We also disable
> all kinds of SUID and new caps stuff.
>
> Code at: https://github.com/alexlarsson/run-merged
>
> In order to set up some kind of test base environment I used this:
>
> mkdir /opt/base_os
> yum install nautilus --installroot=/opt/base_os/F18 --releasever=18
> yum remove nautilus --installroot=/opt/base_os/F18 --releasever=18
>
> It gives me a base os that has everything nautilus requires at runtime.
> Obviously a real base os needs to be much more carefully constructed,
> but this is a simple test.
>
> Then I can create a test app with:
>
> yumdownloader nautilus --releasever=18
> yumdownloader nautilus-extensions --releasever=18
> yumdownloader gtk3-devel --releasever=18
>
> mkdir -p /tmp/app_image
> rpm2cpio nautilus-3.6.3-4.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
> rpm2cpio nautilus-extensions-3.6.3-4.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
> rpm2cpio gtk3-devel-3.6.4-1.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
> mksquashfs /tmp/app_image nautilus.squashfs
>
> Then I start run-merged:
>
> ./run-merged /opt/base_os/F18 ./nautilus.squashfs
> sh-4.2$ mount | wc -l
> 5307
>
> Yowzers! 5000 bind mounts! But I can run gtk3-demo and it works.
>
> Of course, now come the hard parts:
>
> sh-4.2$ nautilus
> (nautilus:15428): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1000)
We could solve this with a custom nsswitch.conf module that calls out of the sandbox or does something useful here. The real question is if we want name-spaced uids and gids in a sandbox or not. We may also want to restrict enumerating other users and groups by code inside a sandbox.

Cheers,
Stef

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
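The merge rule in Alexander's quoted message (bind-mount anything that lives in only one source, create on the tmpfs any directory that several sources share, recurse into it) is the part worth seeing as code. What follows is an added example written for this page, not the run-merged code from the linked repository. It plans the merge over plain directories (the squashfs images are assumed to be loop-mounted already), and when run as root it unshares a mount namespace, mounts a tmpfs at an assumed mount point /tmp/merged-root, applies the plan with read-only nosuid/nodev bind mounts, sets PR_SET_NO_NEW_PRIVS and drops into a shell. The names plan_dir, apply_plan, plan_demo and find_op, and the two small demo trees, are assumptions of this example; the page does not say how the real tool resolves a file present in several sources, so here the first source listed wins.

```c
/* Added example for this page, not run-merged's own code. Sources are plain
 * directories (squashfs images assumed loop-mounted elsewhere). Assumed:
 * mount point /tmp/merged-root; the first-listed source wins a file clash. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_OPS 1024
enum op_kind { OP_MKDIR, OP_BIND };   /* MKDIR: empty dir on the tmpfs; BIND: from one source */
struct op { enum op_kind kind; char src[512]; char dst[512]; };   /* dst is relative to root */
struct plan { struct op ops[MAX_OPS]; int n; };                   /* ~1 MiB: keep it on the heap */

static void add_op(struct plan *p, enum op_kind k, const char *src, const char *dst) {
    if (p->n >= MAX_OPS) { fprintf(stderr, "plan full\n"); exit(1); }
    struct op *o = &p->ops[p->n++];
    o->kind = k;
    snprintf(o->src, sizeof o->src, "%s", src ? src : "");
    snprintf(o->dst, sizeof o->dst, "%s", dst);
}

/* The rule from the message: an entry found in exactly one source is
 * bind-mounted; a directory found in several is created on the tmpfs and its
 * children merged recursively. A file clash takes the first source (assumption). */
static void plan_dir(const char *const *srcs, int nsrc, const char *rel, struct plan *p) {
    for (int s = 0; s < nsrc; s++) {
        char dir[PATH_MAX];
        snprintf(dir, sizeof dir, "%s/%s", srcs[s], rel);
        DIR *d = opendir(dir);
        if (!d) continue;
        for (struct dirent *e; (e = readdir(d)) != NULL;) {
            char child[512], path[PATH_MAX];
            struct stat st;
            int present = 0, dirs = 0, first = -1;
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            snprintf(child, sizeof child, "%s%s%s", rel, *rel ? "/" : "", e->d_name);
            for (int t = 0; t < nsrc; t++) {
                snprintf(path, sizeof path, "%s/%s", srcs[t], child);
                if (lstat(path, &st) < 0) continue;
                if (first < 0) first = t;
                present++;
                dirs += S_ISDIR(st.st_mode);
            }
            if (first < s) continue;   /* an earlier source already planned this name */
            if (present > 1 && dirs == present) {
                add_op(p, OP_MKDIR, NULL, child);
                plan_dir(srcs, nsrc, child, p);
            } else {
                snprintf(path, sizeof path, "%s/%s", srcs[first], child);
                add_op(p, OP_BIND, path, child);
            }
        }
        closedir(d);
    }
}

/* Build the tree under root: dirs on the tmpfs, symlinks recreated (they
 * cannot be bind-mounted), everything else bound read-only, nosuid, nodev. */
static int apply_plan(const struct plan *p, const char *root) {
    for (int i = 0; i < p->n; i++) {
        const struct op *o = &p->ops[i];
        char dst[PATH_MAX], target[PATH_MAX];
        struct stat st;
        snprintf(dst, sizeof dst, "%s/%s", root, o->dst);
        if (o->kind == OP_MKDIR) { if (mkdir(dst, 0755) < 0) return -1; continue; }
        if (lstat(o->src, &st) < 0) return -1;
        if (S_ISLNK(st.st_mode)) {
            ssize_t len = readlink(o->src, target, sizeof target - 1);
            if (len < 0) return -1;
            target[len] = '\0';
            if (symlink(target, dst) < 0) return -1;
            continue;
        }
        if (S_ISDIR(st.st_mode)) { if (mkdir(dst, 0755) < 0) return -1; }
        else { int fd = open(dst, O_WRONLY | O_CREAT, 0644); if (fd < 0) return -1; close(fd); }
        if (mount(o->src, dst, NULL, MS_BIND, NULL) < 0) return -1;
        /* other flags are ignored on the initial bind; a remount applies them */
        if (mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV, NULL) < 0)
            return -1;
    }
    return 0;
}

/* Constructed demo trees (not the page's RPM contents): "os" and "app" share
 * usr, usr/lib and usr/bin, and both carry usr/lib/libgtk.so. */
static int touch(const char *base, const char *rel) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", base, rel);
    for (char *s = path + 1; *s; s++)
        if (*s == '/') { *s = '\0'; mkdir(path, 0755); *s = '/'; }
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

struct plan *plan_demo(void) {
    char base[] = "/tmp/run-merged-demo.XXXXXX", os[PATH_MAX], app[PATH_MAX];
    static const struct { int in_app; const char *rel; } files[] = {
        { 0, "usr/lib/libgtk.so" }, { 0, "usr/bin/sh" }, { 0, "etc/hosts" },
        { 1, "usr/lib/libgtk.so" }, { 1, "usr/lib/nautilus/extension.so" },
        { 1, "usr/bin/nautilus" }, { 1, "usr/share/applications/nautilus.desktop" } };
    if (!mkdtemp(base)) return NULL;
    snprintf(os, sizeof os, "%s/os", base);
    snprintf(app, sizeof app, "%s/app", base);
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (touch(files[i].in_app ? app : os, files[i].rel) < 0) return NULL;
    const char *srcs[] = { os, app };
    struct plan *p = calloc(1, sizeof *p);
    plan_dir(srcs, 2, "", p);
    return p;
}

int find_op(const struct plan *p, const char *dst) {   /* index of the op for dst, or -1 */
    for (int i = 0; i < p->n; i++) if (!strcmp(p->ops[i].dst, dst)) return i;
    return -1;
}

int main(int argc, char **argv) {
    const char *root = "/tmp/merged-root";   /* assumed mount point */
    if (argc < 2) { fprintf(stderr, "usage: %s BASE_DIR APP_DIR... (as root)\n", argv[0]); return 2; }
    struct plan *p = calloc(1, sizeof *p);
    mkdir(root, 0755);   /* may already exist; the tmpfs mount below fails if it does not */
    if (unshare(CLONE_NEWNS) < 0 || mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||
        mount("tmpfs", root, "tmpfs", 0, NULL) < 0) { perror("namespace/tmpfs"); return 1; }
    plan_dir((const char *const *)(argv + 1), argc - 1, "", p);
    if (apply_plan(p, root) < 0) { perror("apply_plan"); return 1; }
    if (chroot(root) < 0 || chdir("/") < 0) { perror("chroot"); return 1; }
    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);   /* no privilege gain via setuid or fscaps */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl"); return 1;
}
```

To try it against the trees from the message, loop-mount the image first (mount -o loop nautilus.squashfs /mnt/nautilus) and run, as root, ./run-merged-demo /opt/base_os/F18 /mnt/nautilus. The demo trees make the rule visible: usr, usr/lib and usr/bin exist in both sources and become tmpfs directories, while etc, usr/share and usr/lib/nautilus each live in one source and are bound whole; usr/lib/libgtk.so, which both sources carry (gtk3-devel in the app image overlaps the base os), is bound from the first source. Two things the message mentions are left out here for brevity: the /proc mount and the writable $HOME and /dev binds. The chroot stands in for whatever run-merged does to enter the tree. Note also what the quoted getpwuid_r() warning means in this setup: inside the merged root, name lookups read the base os's /etc/passwd (if it ships one), which has no entry for the host uid 1000, so nothing in the plan above makes that warning go away; that is exactly the uid-namespacing question raised in the reply.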
