Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread g4sra via Dng
On 05/10/2020 03:23, tom wrote:
> On Sat, 3 Oct 2020 11:04:23 +0100
> g4sra via Dng  wrote:
> 
>> I am seeking any Devuaners with an interest in lxc to bounce ideas
>> off.
-- snip --
> 
> Hello g4sra, I run LXC on Devuan, and have done so even through the
> ascii->beowulf migration. I have some custom scripts and such for doing
> so, but found the devuan gitlab a little overwhelming and a lack of
> interest by other devuaners with LXC. If you're interested in
> Devuan+OpenRC+LXC I'm probably your man.
> 
> I would appreciate if we kept this on-board unless needed. Never know
> when someone in the future might find it useful.
> 

Hi Tom,

This is my current thinking with regard to an LXC Container system for building 
OS images and support software.
The host workstation has all the standard development tools ('build-essential' 
etc) that any/all containers would normally need.
This can be updated as required (in effect, updating all containers).

The containers must run unprivileged as both the software being built and 
the build software itself may be of dubious quality (especially if I wrote it).

Container1:
  bind,ro mounts the host filesystem providing development tool access
  overlayfs a delta filesystem on which required tools/libraries etc can be 
built

ContainerN: repeat above as often as required

ContainerX: 
  bind,ro mounts the host filesystem providing development tool access
  bind,ro mounts CN deltas to provide access to the tools/libraries
  overlayfs a delta filesystem on which the test OS can be built

Can you:
  see anything wrong with the proposal above, where container superuser 
privileges and device access would allow corruption of either the Host or of a 
neighbouring container?
  think of anything builds require that I have not made allowance for?
  detail a better way of obtaining my goal?

Appreciate your comments Tom.
Charlie
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
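The layout Charlie sketches above (unprivileged container, host filesystem bind-mounted read-only, overlay rootfs with a per-container delta, other containers' deltas bind-mounted read-only) can be written down as an lxc config and linted for the two mistakes that would let container root touch the host: a missing idmap and a bind mount of a host path without `ro`. The script below is an added example, not code from the thread or from the lxc project. It assumes things the page does not state: the host user owning the containers has the range 100000:65536 in /etc/subuid and /etc/subgid, containers live under lxc's default unprivileged path `$HOME/.local/share/lxc`, and lxc 3.x ships `/usr/share/lxc/config/common.conf` and `userns.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): generate and lint an unprivileged LXC
# build-container config of the shape described above.
# Assumed, not stated on the page: subuid/subgid range 100000:65536, containers
# under $HOME/.local/share/lxc, lxc 3.x config includes at the paths below.
set -u

SUBID_START=${SUBID_START:-100000}   # first host uid/gid mapped to container uid/gid 0
SUBID_COUNT=${SUBID_COUNT:-65536}
LXC_PATH=${LXC_PATH:-${HOME:-/home/builder}/.local/share/lxc}

# gen_config NAME LOWER_ROOTFS [RO_DELTA ...] -> prints the container config:
#   idmap onto the unprivileged range, overlay rootfs (base + this container's
#   delta), host / read-only at /host, each RO_DELTA read-only under /tools/cN
gen_config() {
    name=$1; lower=$2; shift 2
    cat <<EOF
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.uts.name = $name
lxc.net.0.type = empty
lxc.idmap = u 0 $SUBID_START $SUBID_COUNT
lxc.idmap = g 0 $SUBID_START $SUBID_COUNT
lxc.rootfs.path = overlay:$lower:$LXC_PATH/$name/delta0
lxc.mount.entry = / host none bind,ro,create=dir 0 0
EOF
    i=0
    for delta in "$@"; do
        i=$((i + 1))
        echo "lxc.mount.entry = $delta tools/c$i none bind,ro,create=dir 0 0"
    done
}

# lint_config < CONFIG -> non-zero if the config has no u/g idmap (container
# root would be host root) or bind-mounts any absolute host path without ro
lint_config() {
    awk '
    BEGIN { bad = 0; u = 0; g = 0 }
    /^lxc\.idmap = u 0 / { u = 1 }
    /^lxc\.idmap = g 0 / { g = 1 }
    /^lxc\.mount\.entry = / {
        src = $3; opts = $6
        if (src ~ /^\// && opts !~ /(^|,)ro(,|$)/) {
            print "rw bind mount of host path: " src; bad = 1
        }
    }
    END {
        if (!u || !g) { print "missing lxc.idmap: container root would be host root"; bad = 1 }
        exit bad
    }'
}

# Apply and probe (needs lxc on the host):
#   APPLY=1 sh thisfile.sh NAME LOWER_ROOTFS [RO_DELTA ...]
if [ "${APPLY:-0}" = 1 ]; then
    name=$1
    mkdir -p "$LXC_PATH/$name/delta0"
    gen_config "$@" > "$LXC_PATH/$name/config"
    lint_config < "$LXC_PATH/$name/config"
    lxc-start -n "$name" -d
    # the check that matters: container root must not get a writable view of the host
    if lxc-attach -n "$name" -- sh -c 'touch /host/tmp/lxc-ro-probe 2>/dev/null'; then
        echo "FAIL: /host is writable inside $name" >&2; exit 1
    fi
    echo "ok: /host is read-only inside $name"
fi
```

Two caveats a practitioner will hit with this layout. Plain `bind` is not recursive, so filesystems mounted below / on the host (a separate /home or /boot) do not appear under /host; `rbind` would include them, but before Linux 5.12 `ro` then applies only to the top mount and the sub-mounts stay writable from inside the container. And overlayfs can only be mounted from an unprivileged user namespace on Linux 5.11 or later; on an older kernel the overlay rootfs has to be replaced by a plain per-container copy of the base.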


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread g4sra via Dng
Hi Tom, Mason, Anybody else...

Beowulf lxc 1:3.1.0+really3.0.3-8 amd64 is broken.

Simple test I picked up from the internet:

~# lxc-usernsexec
Failed to find subuid or subgid allocation

On a host configured for unprivileged containers it should drop you into 
unprivileged 'root' mode:

~# ./lxc-usernsexec
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -ld /root
drwx------ 29 nobody nogroup 4096 Oct  5 16:43 /root

The current lxc git HEAD works fine (see above, confirmation my host is 
correctly configured).
./init.lxc --version
4.0.0-devel

Considering what steps to take next...


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread Hendrik Boom
On Sat, Oct 03, 2020 at 11:04:23AM +0100, g4sra via Dng wrote:
> I am seeking any Devuaners with an interest in lxc to bounce ideas off.
> 
> I wish to move to multi-fully-containerised development but am repeatedly 
> stumbling along the way.
> Unfortunately the official lxc resources do not help much with the 
> (systemd-less) issues I am having.
> I find bouncing (sometimes stupid - I find playing devils advocate can really 
> help) ideas off other people often helps understanding and can lead to 
> solving the problems. 
> 
> If anybody out there with practical experience or interest in lxc would like 
> to be electronically pestered, please reply direct to me off list.

No practical experience.
But is there any chance lxc can play nicely with random USB devices?  Or 
the built-in camera and microphone? 

-- hendrik


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread g4sra via Dng
On 05/10/2020 17:22, Hendrik Boom wrote:
--snip--
> 
> No practical experience.
> But is there any chance lxc can play nicely with random USB devices?  Or 
> the built-in camera and microphone? 
Never tried, not got that far.
Importing (is that the correct jargon?) a device into an LXC Container seems 
trivial enough.
I would imagine "random" USB devices might be a bit of a struggle though, the 
device needs to be present before the container is spun up as far as I can tell.

A KVM/QEMU VM can do it, and does frequently for me.

> 
> -- hendrik


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread g4sra via Dng
On 05/10/2020 16:50, g4sra via Dng wrote:
> Hi Tom, Mason, Anybody else...
> 
> Beowulf lxc  1:3.1.0+really3.0.3-8 amd64 is broken.
> 
> Simple test I picked up from the internet:
> 
> ~# lxc-usernsexec
> Failed to find subuid or subgid allocation
--snip--
> 
> Considering what steps to take next...

None...

After some tracing it seems that lxc-usernsexec is only failing for the default 
case.
When used internally by LXC, it appears lxc-usernsexec is always passed 
arguments and therefore this bug has little impact.


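Since the failure reported above is only in the no-argument default of lxc-usernsexec, the practical workaround is to hand it the mapping explicitly, taken from the caller's own /etc/subuid and /etc/subgid lines. The script below is an added example, not code from the thread or from lxc; it assumes the usual `user:start:count` file format and takes the file paths as parameters so the functions can be exercised on constructed files. It produces the `-m u:0:START:COUNT -m g:0:START:COUNT` form (container id first, host id second, then the count), which is what gives the unprivileged `root` shell shown in the test above.

```shell
#!/bin/sh
# Added example (not from the thread): build the explicit -m mappings for
# lxc-usernsexec from the caller's subuid/subgid entries, avoiding the
# no-argument default that fails with "Failed to find subuid or subgid allocation".
set -u

# subid_range USER FILE -> "START COUNT" from the first line for USER, or nothing
subid_range() {
    awk -F: -v who="$1" '$1 == who { print $2, $3; exit }' "$2"
}

# usernsexec_args USER [SUBUID_FILE] [SUBGID_FILE]
#   -> "-m u:0:START:COUNT -m g:0:START:COUNT", mapping container id 0 onto the
#      first host range allocated to USER; non-zero if either file has no entry
usernsexec_args() {
    user=$1; uidf=${2:-/etc/subuid}; gidf=${3:-/etc/subgid}
    set -- $(subid_range "$user" "$uidf")
    ustart=${1:-}; ucount=${2:-}
    set -- $(subid_range "$user" "$gidf")
    gstart=${1:-}; gcount=${2:-}
    if [ -z "$ustart" ] || [ -z "$gstart" ]; then
        echo "no subuid/subgid allocation for $user" >&2
        return 1
    fi
    printf '%s u:0:%s:%s %s g:0:%s:%s\n' -m "$ustart" "$ucount" -m "$gstart" "$gcount"
}

# Usage: sh thisfile.sh id      (runs "id" as unprivileged root, as in the thread's test)
if [ $# -gt 0 ]; then
    args=$(usernsexec_args "$(id -un)") || exit 1
    # word splitting of $args into the separate -m options is intended
    exec lxc-usernsexec $args -- "$@"
fi
```

Only the first range per file is used; if a user has several subuid lines, lxc-usernsexec accepts further `-m` options and they can be appended in the same form.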


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread tom
On Mon, 5 Oct 2020 12:22:27 -0400
Hendrik Boom  wrote:

> On Sat, Oct 03, 2020 at 11:04:23AM +0100, g4sra via Dng wrote:
> > I am seeking any Devuaners with an interest in lxc to bounce ideas
> > off.
> > 
> > I wish to move to multi-fully-containerised development but am
> > repeatedly stumbling along the way. Unfortunately the official lxc
> > resources do not help much with the (systemd-less) issues I am
> > having. I find bouncing (sometimes stupid - I find playing devils
> > advocate can really help) ideas off other people often helps
> > understanding and can lead to solving the problems. 
> > 
> > If anybody out there with practical experience or interest in lxc
> > would like to be electronically pestered, please reply direct to me
> > off list.  
> 
> No practical experience.
> But is there any chance lxc can play nicely with random USB devices?
> Or the built-in camera and microphone? 
> 
> -- hendrik

I think so, you can write hardware device exception rules, though I
have not played with this myself. Only to fix containment and AppArmor
breakage on a server.

-- 
 _ 
/ Suppose for a moment that the   \
| automobile industry had developed at|
| the same rate as computers and over the |
| same period: how much cheaper and more  |
| efficient would the current models be?  |
| If you have not already heard the   |
| analogy, the answer is shattering.  |
| Today you would be able to buy a|
| Rolls-Royce for $2.75, it would do  |
| three million miles to the gallon, and  |
| it would deliver enough power to drive  |
| the Queen Elizabeth II. And if you were |
| interested in miniaturization, you  |
| could place half a dozen of them on a   |
| pinhead.|
| |
\ -- Christopher Evans/
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/


Re: [DNG] Any parties interested in lxc ?

2020-10-05 Thread tom
On Mon, 5 Oct 2020 11:30:10 +0100
g4sra via Dng  wrote:
> 
> Hi Tom,
> 
> This is my current thinking with regard to a LXC Container system for
> building OS images and support software. The host workstation has all
> the standard development tools ('build-essential' etc) that any/all
> containers would normally need. This can be updated as required (in
> effect, updating all containers).
> 
> The containers must run unprivileged as the both the software being
> built and the build software itself may be of dubious quality
> (especially if I wrote it).
> 
> Container1:
>   bind,ro mounts the host filesystem providing development tool
> access overlayfs a delta filesystem on which required tools\libraries
> etc can be built
> 
> ContainerN: repeat above as often as required
> 
> ContainerX: 
>bind,ro mounts the host filesystem providing development tool
> access bind,ro mounts CN deltas to provide access to the
> tools\libraries overlayfs a delta filesystem on which the test OS can
> be built 
> 
> Can you:
>   see anything wrong with the proposed above where container
> superuser privileges and device access would allow corruption of
> either the Host or of a neighbouring container ? think of anything
> builds require that I have not made allowance for ? detail a better
> way for obtaining my goal ?
> 
> Appreciate your comments Tom.
> Charlie
That all should be possible. As for mounting external directories, I
know that's possible but I have not personally tried that. I came
across that reading documentation. However I do have hypervisor
mountpoints inside of a container's rootfs.

Unprivileged containers I still have not figured out how to generate. I
have a script that creates unprivileged containers and lxc comes with
a template downloader script. However those templates are downloaded
from some Ansible server hosted on Canonical's website. The images are
generated from /HIGHLY/ abstracted Ansible templates, not actual
source code or bash scripts. Because of this it's very difficult to
figure out what's really going on as the specifics are all abstracted
away. The difference between a script that builds a Devuan image for
a container and a script that builds a Devuan image for a container
then 'underprivilegizes' it with subuids/subgids.

Maybe you, being a Redhat stuff expert, would be able to enlighten us
on that and I could then modify my script to be able to create
unprivileged containers too instead of relying on some Canonical
webserver always being up and accessible or having to build out a QA
server when I really don't need one just to create local containers.

Can I put attachments on emails to the dyne mailing lists?

-- 
 _ 
/ Suppose for a moment that the   \
| automobile industry had developed at|
| the same rate as computers and over the |
| same period: how much cheaper and more  |
| efficient would the current models be?  |
| If you have not already heard the   |
| analogy, the answer is shattering.  |
| Today you would be able to buy a|
| Rolls-Royce for $2.75, it would do  |
| three million miles to the gallon, and  |
| it would deliver enough power to drive  |
| the Queen Elizabeth II. And if you were |
| interested in miniaturization, you  |
| could place half a dozen of them on a   |
| pinhead.|
| |
\ -- Christopher Evans/
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng