Bug#829134: debootstrap: Changes needed to support unprivileged userns debootstrap
Hi,

On Thu, 08 Sep 2016 15:39:57 +0200 Johannes Schauer wrote:
> On Thu, 30 Jun 2016 13:12:16 -0700 Ben Longbons wrote:
> > Now that the kernel supports user_namespaces(7), it should be possible to
> > debootstrap in them. Some small changes are needed.
> >
> > Configuration needed:
> > * Kernel 3.8 or later (3.11 recommended)
> > * Set the sysctl kernel.unprivileged_userns_clone to 1
> >   (Debian-specific "temporary" patch from years ago).
> > * Install the `uidmap` package and add yourself to /etc/sub[ug]id
> > * Install the `lxc` package (for one helper binary only)
> > * Make sure the current directory is searchable by other.
> >
> > I have attached the necessary changes as a wrapper script,
>
> I find your script highly interesting!
>
> A year ago I tried to write a tool that combined the powers of
> lxc-usernsexec(1) and unshare(1) because I was unable to combine them in a way
> that would give me both: correct mapping of user and group ids as well as
> unsharing the user namespace and others. I blogged about it here:
>
> https://blog.mister-muffin.de/2015/10/25/unshare-without-superuser-privileges/
>
> and the code is here:
>
> https://gitlab.mister-muffin.de/josch/user-unshare/blob/master/user-unshare
>
> I do not know whether what you demonstrated now in shell already worked one
> year ago (in particular I was not aware of the lxc-unshare tool) but your
> script works fine for me. I'm happy that it seems that I don't have to further
> dabble with the perl code I came up with because lxc-usernsexec and lxc-unshare
> seem to be able to do the major grunt work while the rest can be done in simple
> POSIX shell. Thank you!

The disadvantage of the lxc-usernsexec and lxc-unshare tools is that they are
part of the lxc package. See bug #847491.

> I wonder though: why would this feature be useful for debootstrap? The
> resulting directory would have all the wrong ownership information. The
> directory would only be useful if its user knows exactly how to map the user
> ids between the host and the unshared user namespace.
>
> So my practical question:
>
> How do you use the chroots that you create in this fashion? Which commands do
> you use to work with them?

To answer my own question: by packing up the chroot into a tarball. The files
stored inside the tarball will have the correct permission.

I combined the insights from your tool with the Perl script I wrote and cited
above and added support to sbuild-createchroot to run debootstrap without
needing sudo but using Linux user namespaces. Since debootstrap does not yet
offer this functionality itself, I will carry the code as part of sbuild. See
the following two commits for details:

https://salsa.debian.org/debian/sbuild/commit/f21d63cca448a5fc90338319e2ea507623293060?expanded=1
https://salsa.debian.org/debian/sbuild/commit/53e250cdeb0035663833fa0c8ce80adf96d31c03?expanded=1

Thanks!

cheers, josch
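The thread turns on two details: how host ids and namespace ids are mapped (the /etc/sub[ug]id entries feeding lxc-usernsexec), and the prerequisites from the original report (kernel.unprivileged_userns_clone, a working directory searchable by other). The following POSIX sh helper is an added example, not code from the bug report, from josch's user-unshare tool or from sbuild; it assumes lxc-usernsexec's `-m type:nsid:hostid:range` option syntax from its man page, and the /etc/subuid content it is exercised with is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report, user-unshare or sbuild): derive
# lxc-usernsexec(1) -m mappings from a /etc/subuid or /etc/subgid entry and
# check two prerequisites named in the report. Sample data is constructed.

# subid_maps KIND NAME OWN_ID CONTENT
#   KIND is u (subuid) or g (subgid); CONTENT is the text of that file.
#   Namespace id 0 maps to OWN_ID, so files owned by "root" inside the
#   chroot belong to the caller on the host; ids 1..COUNT map to the
#   subordinate range START..START+COUNT-1 (other unprivileged ids, e.g. _apt).
subid_maps() {
    kind="$1" name="$2" own="$3" content="$4"
    line=$(printf '%s\n' "$content" | grep "^$name:" | head -n 1)
    if [ -z "$line" ]; then
        echo "no /etc/sub${kind}id entry for $name" >&2
        return 1
    fi
    rest=${line#*:}          # START:COUNT
    start=${rest%%:*}
    count=${rest#*:}
    [ "$count" -ge 1 ] || return 1
    printf '%s\n' "-m $kind:0:$own:1 -m $kind:1:$start:$count"
}

# dir_searchable_by_other DIR: subordinate ids are "other" on the host, so a
# process running as one of them can only traverse DIR if its other-execute
# bit is set. Parses the mode column of ls -ld (portable, unlike stat -c).
dir_searchable_by_other() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        d????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# userns_clone_enabled [FILE]: the Debian kernel.unprivileged_userns_clone
# sysctl must read 1. FILE defaults to the /proc path; it is a parameter only
# so the check can be exercised against a constructed file.
userns_clone_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Usage sketch (assumes lxc-usernsexec is installed, as the report requires):
#   set -- $(subid_maps u "$USER" "$(id -u)" "$(cat /etc/subuid)") \
#          $(subid_maps g "$USER" "$(id -g)" "$(cat /etc/subgid)")
#   lxc-usernsexec "$@" -- debootstrap ...
```

The mapping output is meant to be word-split into arguments, which is why the usage sketch passes it through `set --` unquoted.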
Bug#829134: debootstrap: Changes needed to support unprivileged userns debootstrap
Hi Ben,

On Thu, 30 Jun 2016 13:12:16 -0700 Ben Longbons wrote:
> Now that the kernel supports user_namespaces(7), it should be possible to
> debootstrap in them. Some small changes are needed.
>
> Configuration needed:
> * Kernel 3.8 or later (3.11 recommended)
> * Set the sysctl kernel.unprivileged_userns_clone to 1
>   (Debian-specific "temporary" patch from years ago).
> * Install the `uidmap` package and add yourself to /etc/sub[ug]id
> * Install the `lxc` package (for one helper binary only)
> * Make sure the current directory is searchable by other.
>
> I have attached the necessary changes as a wrapper script,

I find your script highly interesting!

A year ago I tried to write a tool that combined the powers of
lxc-usernsexec(1) and unshare(1) because I was unable to combine them in a way
that would give me both: correct mapping of user and group ids as well as
unsharing the user namespace and others. I blogged about it here:

https://blog.mister-muffin.de/2015/10/25/unshare-without-superuser-privileges/

and the code is here:

https://gitlab.mister-muffin.de/josch/user-unshare/blob/master/user-unshare

I do not know whether what you demonstrated now in shell already worked one
year ago (in particular I was not aware of the lxc-unshare tool) but your
script works fine for me. I'm happy that it seems that I don't have to further
dabble with the perl code I came up with because lxc-usernsexec and lxc-unshare
seem to be able to do the major grunt work while the rest can be done in simple
POSIX shell. Thank you!

I wonder though: why would this feature be useful for debootstrap? The
resulting directory would have all the wrong ownership information. The
directory would only be useful if its user knows exactly how to map the user
ids between the host and the unshared user namespace.

So my practical question:

How do you use the chroots that you create in this fashion? Which commands do
you use to work with them?

Thanks!

cheers, josch
Bug#829134: debootstrap: Changes needed to support unprivileged userns debootstrap
Package: debootstrap
Version: 1.0.81
Severity: wishlist
Tags: patch

Dear Maintainer,

Now that the kernel supports user_namespaces(7), it should be possible to
debootstrap in them. Some small changes are needed.

Configuration needed:
* Kernel 3.8 or later (3.11 recommended)
* Set the sysctl kernel.unprivileged_userns_clone to 1
  (Debian-specific "temporary" patch from years ago).
* Install the `uidmap` package and add yourself to /etc/sub[ug]id
* Install the `lxc` package (for one helper binary only)
* Make sure the current directory is searchable by other.

I have attached the necessary changes as a wrapper script, but there really
should be some architectural changes:
* The `/usr/sbin/debootstrap` vs `/usr/share/debootstrap/functions` split is
  quite painful. Move everything into one file and then replace
  sbin/debootstrap with basically `source functions; main`.
* Satisfy `shellcheck`'s errors and warnings, and suppress the rest.
* Beware that shellcheck currently does not catch `echo $(false)`.
* Make it possible to use more than one `--variant` at once somehow.
* Debootstrap is currently not idempotent - see the `rm dev...` hack.
* If you're in a new mount namespace, no need to `umount` at the end.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (600, 'testing-debug'), (600, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debootstrap depends on:
ii  wget  1.18-1

Versions of packages debootstrap recommends:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.20-6

debootstrap suggests no packages.
-- no debconf information

#!/bin/sh
# userns-debootstrap - debootstrap in an unprivileged new UID namespace
#
# Copyright (c) 2016 Ben Longbons
#
#Permission is hereby granted, free of charge, to any person obtaining
#a copy of this software and associated documentation files (the
#"Software"), to deal in the Software without restriction, including
#without limitation the rights to use, copy, modify, merge, publish,
#distribute, sublicense, and/or sell copies of the Software, and to
#permit persons to whom the Software is furnished to do so, subject to
#the following conditions:
#
#The above copyright notice and this permission notice shall be
#included in all copies or substantial portions of the Software.
#
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
#EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
#IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
#CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
#TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
#SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# (This is the same license as debootstrap itself).

# This currently requires Debootstrap 1.0.76 or later,
# to avoid devices.tar.gz (see debian bug 571136).

# Note that, if everything works *correctly*, we `exec` rather than `exit`.

set -e
trap 'echo Failed during setup' EXIT

bailout()
{
    local status="$?"
    echo "Bailing out with status $status"
    if test -z "$BASH"
    then
        echo 'For more debug info, run under bash (e.g. with --bash)'
        enter_debug_shell
        return
    fi
    echo "Last command: $BASH_COMMAND"
    test -z "$debug_variables" || ( set -o posix; set; )
    backtrace
    enter_debug_shell
}
trap 'bailout' EXIT
if test -n "$BASH"
then
    # bash doesn't set BASH_LINENO correctly for EXIT, so use ERR
    set -E
    # shellcheck disable=SC2039
    trap 'bailout' ERR
    trap 'echo Bug: irregular exit' EXIT
fi

umask 022

enter_debug_shell()
{
    test -n "$debug_shell" || return
    echo 'Entering debug shell!'
    # If run e.g. from vim's :make, it tries to steal our stdio
    exec "$debug_shell" <> /dev/tty 1>&0 2>&0
}

# shellcheck disable=SC2039
backtrace()
{
    local skip_head=0 skip_tail=1
    echo Backtrace:
    for i in $(eval "echo {${skip_head}..$((${#BASH_LINENO[@]}-skip_tail-1))}")
    do
        echo "${BASH_SOURCE[i]}:${BASH_LINENO[i]}: error: ... from ${FUNCNAME[i+1]}"
    done
}

dispatch()
{
    phase=phase1
    suite=
    target=
    mirror=
    script=
    : $suite $target $mirror $script
    local arg
    for arg
    do
        case "$arg" in
        -h | --help)
            usage
            ;;
        --bash)
            if test -z "$BASH"
            then
                echo 'Restarting under bash ...'
                exec bash "$0" "$@"
            fi
            ;;
        --debug-shell)