Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
What about Docker (http://www.docker.io/) for the VMs?

On Sun, May 19, 2013 at 5:13 PM, Sean Alexandre wrote:

> I went to a presentation this past weekend about Tiny Tiny RSS. It's an RSS web
> app that can be installed on a server, to provide something like a "Google Reader" app.
> (The title of the presentation was "The Coming Google RSS Reader Apocalypse", at
> BarCampRDU 2013.)
>
> The presenter has Tiny Tiny RSS running on a machine at home, and is providing service
> for himself and some family and friends. He's even written a keyboard-centric web frontend:
> https://github.com/cgrinds/dripdripdrop
> He runs Tiny Tiny RSS as the backend, and then serves up pages based on the front end he's written.
>
> Tiny Tiny RSS is listed on the FreedomBox LeavingTheCloud page:
> http://wiki.debian.org/FreedomBox/LeavingTheCloud
>
> This got me thinking about how I'd like to run Tiny Tiny on the machine I've got at home.
> Currently it's running ownCloud, WordPress, a Tor Relay, and BitTorrent. They run on
> separate VMs. I'd like to run Tiny Tiny RSS too, and want to put it in a separate VM.
>
> Ideally I'd have a script I could run, that just spins up a new VM running Tiny Tiny.
> It would be something like:
>
>     freedombox-vm create tiny-tiny-rss [instance-name] [config-script-file]
>     freedombox-vm start [instance-name]
>
> The VMs would run using KVM. Here's an interesting post on this, from this past week:
>
> How to get started with libvirt on Debian
> http://rabexc.blogspot.com/2013/05/how-to-get-started-with-libvirt-on.html
>
> I want to dig into this as a next project, after some other things I'm working on.
> I thought I'd put it out there to get any thoughts others might have on this, and
> find out if anyone else is doing something similar.
>
> Ultimately, it seems this kind of approach would be a good one for FreedomBox in
> general. The process of spinning up instances would be hidden behind the FreedomBox
> web UI, but a user would essentially be doing things such as "freedombox-vm create"
> and "freedombox-vm start".
>
> This way, services are better insulated from each other, for better security. The
> host machine would probably be doing basic network services (dhcpd, dhclient, iptables,
> etc.) But then there would be a separate VM for user services such as an RSS reader,
> social networking, chat, etc.
>
> To take this one step further, the longer term goal would be to do something similar to
> what Qubes is doing with things such as temporary VMs -- VMs created temporarily for
> just one task and then discarded:
> http://www.qubes-os.org/

___
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
Nick Hardiman writes:

> Do you have a rundown yet of how to
> * stick exmachina (http://gitorious.org/exmachina) at the back,
> * proxy (http://www.privoxy.org,
>   https://github.com/jvasile/freedombox-privoxy) in front, and
> * various apps into LXC?

From a higher-level, this should probably be configured in Freedom-Maker's bin/projects-chroot script. As for the individual tasks:

- Gluing EM into Plinth: I believe that's complete.
- Gluing Privoxy into Plinth: Incomplete.
- Gluing LXC into Plinth: Incomplete.

Nick
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
On Mon, May 20, 2013 at 12:45:47PM +0100, Nick Hardiman wrote:

> Do you have a rundown yet of how to
> * stick exmachina (http://gitorious.org/exmachina) at the back,
> * proxy (http://www.privoxy.org,
>   https://github.com/jvasile/freedombox-privoxy) in front, and
> * various apps into LXC?

No, I wish I did. As a first pass, though, here are some things I think a solution would have.

As a disclaimer, I realize that this is a departure from the current approach taken with the DreamPlug and wouldn't work for it. It seems like a natural evolution for the project, though, as hardware becomes more capable.

First, some terms:

* VM - A virtual machine (VM), either a lightweight VM such as LXC or a fully virtualized machine such as KVM.
* Host - The machine that runs the VMs.
* Guest - An instance of a VM.

An approach:

* The web app that provides the user interface (Plinth) runs in its own guest.
* Each additional app or service (e.g. Privoxy) also runs in its own guest.
* The host manages all guests: creating, starting, stopping.
* Communication between host and guests would happen through sockets; e.g. for KVM this might be based on something like this:
  http://www.ldlabs.org/blog/2011/02/25/communication-between-qemukvm-guest-and-host/

What would this mean for exmachina, I wonder? It seems augeas may not be an option. The larger ideas behind exmachina would still apply, though, I think. Instead of augeas, the host would read from the socket. Any parsing it does would be very locked down, to help prevent injection attacks from a compromised guest. The host would have a whitelist of things it accepts, and discard anything else. Processing would be done in an environment such as Python versus C, to prevent memory overwrite problems.

It would be nice if this were done in a way that allows a choice between KVM and LXC. So scripts such as "freedombox-vm create" would call out to stubs that would do one thing for KVM and something else for LXC. (A given FreedomBox would be based on just KVM or LXC, and not both.)

Whether all the stubs get filled out, and for what types of VMs (Tiny Tiny RSS, Tor Relay, etc) would depend on the do-ocracy model that FreedomBox seems to be following. I know I'm interested in this. I just wish I had more time for it.

One other thought is this would ideally be a pluggable architecture. A common interface would define how FreedomBox guests communicate with the FreedomBox host. Different people could be working on different modules. So I might be working on a Tiny Tiny RSS module, while someone else is working on an ownCloud module, someone else on the actual host, etc.
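
An added example, not part of the original thread or of any FreedomBox code: a sketch of the host-side socket reader described in the message above, which accepts only whitelisted requests from a guest and discards everything else. The wire format (one "<verb> <instance-name>" request per line), the verb list, the length limit and the instance names are all assumptions made for illustration.

```python
import re
import socket

# Assumed wire format (not defined in the thread): one request per line,
# "<verb> <instance-name>\n", lowercase ASCII only.
MAX_LINE = 64                                           # bytes per line
ALLOWED_VERBS = frozenset({"create", "start", "stop"})  # hypothetical whitelist
REQUEST_RE = re.compile(rb"([a-z]{1,16}) ([a-z0-9][a-z0-9-]{0,30})")

def parse_request(line: bytes):
    """Return (verb, instance) for a whitelisted request, else None."""
    if len(line) >= MAX_LINE:
        return None
    m = REQUEST_RE.fullmatch(line)   # fullmatch: no leading or trailing extras
    if m is None:
        return None
    verb, instance = (g.decode("ascii") for g in m.groups())
    return (verb, instance) if verb in ALLOWED_VERBS else None

def read_requests(sock):
    """Read newline-delimited requests until EOF; return (accepted, dropped)."""
    accepted, dropped, buf, overflow = [], 0, b"", False
    while chunk := sock.recv(4096):
        buf += chunk
        while b"\n" in buf:
            line, _, buf = buf.partition(b"\n")
            req = None if overflow else parse_request(line)
            overflow = False
            if req is None:
                dropped += 1         # discard silently, never echo it back
            else:
                accepted.append(req)
        if len(buf) >= MAX_LINE:     # over-long line: stop buffering it
            buf, overflow = b"", True
    if buf or overflow:
        dropped += 1                 # unterminated trailing data
    return accepted, dropped

def demo():
    """Feed constructed guest traffic, hostile lines included, to the host side."""
    host, guest = socket.socketpair()
    lines = [b"start tiny-tiny-rss", b"stop owncloud; reboot", b"exec sh",
             b"start ../../etc", b"A" * 500, b"stop owncloud"]
    guest.sendall(b"\n".join(lines) + b"\n")
    guest.close()
    with host:
        return read_requests(host)
```

The accepted tuples are meant to be mapped to fixed host actions; the bounded buffer keeps a guest from exhausting host memory with a line that never ends.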
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
Do you have a rundown yet of how to
* stick exmachina (http://gitorious.org/exmachina) at the back,
* proxy (http://www.privoxy.org, https://github.com/jvasile/freedombox-privoxy) in front, and
* various apps into LXC?

On 20 May 2013, at 12:07, Sean Alexandre wrote:

> On Mon, May 20, 2013 at 12:39:16PM +0200, Anders Jackson wrote:
>> I like the idea, a lot. Make the Freedombox a router in front of all
>> services, manage the network connections for all services to Internet and
>> the local network.
>>
>> As Freedombox is targeted at low powered devices, virtual machines might
>> be too heavy though. You might look into containers instead. LXC might be a
>> better solution for this. Faster and lighter to set up, run and tear down.
>> And I know it works on more targets, like in ARM machines.
>>
>> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/
>
> Thanks for the link. So I see his approach lets you choose. The sandbox can run
> with either LXC or KVM. I like that. I'm going to come back to this and dig deeper.
> His approach seems like it probably has some of the scripting I'm looking for too, or
> something like it.
>
> At a very high level it seems the tradeoff between KVM and LXC is KVM gives better
> isolation/protection because it's full virtualization, while LXC performs better.
>
> LXC is probably a better approach for hardware such as the DreamPlug, while KVM
> seems better for more powerful platforms.
>
> More powerful platforms should become more common over time, given Moore's Law.
>
> Also, KVM runs on some ARM CPUs today. There was this earlier thread with
> some links:
>
> Debian Wheezy, and LXC
> http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-May/005310.html
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
On Mon, May 20, 2013 at 12:39:16PM +0200, Anders Jackson wrote:

> I like the idea, a lot. Make the Freedombox a router in front of all
> services, manage the network connections for all services to Internet and
> the local network.
>
> As Freedombox is targeted at low powered devices, virtual machines might
> be too heavy though. You might look into containers instead. LXC might be a
> better solution for this. Faster and lighter to set up, run and tear down.
> And I know it works on more targets, like in ARM machines.
>
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/

Thanks for the link. So I see his approach lets you choose. The sandbox can run with either LXC or KVM. I like that. I'm going to come back to this and dig deeper. His approach seems like it probably has some of the scripting I'm looking for too, or something like it.

At a very high level it seems the tradeoff between KVM and LXC is KVM gives better isolation/protection because it's full virtualization, while LXC performs better.

LXC is probably a better approach for hardware such as the DreamPlug, while KVM seems better for more powerful platforms.

More powerful platforms should become more common over time, given Moore's Law.

Also, KVM runs on some ARM CPUs today. There was this earlier thread with some links:

Debian Wheezy, and LXC
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-May/005310.html
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
Hello.

On 20 May 2013 02:15, "Sean Alexandre" wrote:
>
> I went to a presentation this past weekend about Tiny Tiny RSS. It's an RSS web
> app that can be installed on a server, to provide something like a "Google Reader" app.
> (The title of the presentation was "The Coming Google RSS Reader Apocalypse", at
> BarCampRDU 2013.)
>
> The presenter has Tiny Tiny RSS running on a machine at home, and is providing service
...
> Tiny Tiny RSS is listed on the FreedomBox LeavingTheCloud page:
> http://wiki.debian.org/FreedomBox/LeavingTheCloud
>
> This got me thinking about how I'd like to run Tiny Tiny on the machine I've got at home.
...
> Ideally I'd have a script I could run, that just spins up a new VM running Tiny Tiny.
> It would be something like:
>
>     freedombox-vm create tiny-tiny-rss [instance-name] [config-script-file]
>     freedombox-vm start [instance-name]
>
> The VMs would run using KVM. Here's an interesting post on this, from this past week:
>
> How to get started with libvirt on Debian
> http://rabexc.blogspot.com/2013/05/how-to-get-started-with-libvirt-on.html
...

Thanks for those links.

I like the idea, a lot. Make the Freedombox a router in front of all services, manage the network connections for all services to Internet and the local network.

As Freedombox is targeted at low powered devices, virtual machines might be too heavy though. You might look into containers instead. LXC might be a better solution for this. Faster and lighter to set up, run and tear down. And I know it works on more targets, like in ARM machines.

https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/

> I want to dig into this as a next project, after some other things I'm working on.
> I thought I'd put it out there to get any thoughts others might have on this, and
> find out if anyone else is doing something similar.

Yes, there is some work based on LXC. I at least have read about a duch who made some progress about LXC last year. Very interesting work.

> Ultimately, it seems this kind of approach would be a good one for FreedomBox in
> general. The process of spinning up instances would be hidden behind the FreedomBox
> web UI, but a user would essentially be doing things such as "freedombox-vm create"
> and "freedombox-vm start".
>
> This way, services are better insulated from each other, for better security. The
> host machine would probably be doing basic network services (dhcpd, dhclient, iptables,
> etc.) But then there would be a separate VM for user services such as an RSS reader,
> social networking, chat, etc.

I like this approach.

> To take this one step further, the longer term goal would be to do something similar to
> what Qubes is doing with things such as temporary VMs -- VMs created temporarily for
> just one task and then discarded:
> http://www.qubes-os.org/
[Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
I went to a presentation this past weekend about Tiny Tiny RSS. It's an RSS web app that can be installed on a server, to provide something like a "Google Reader" app. (The title of the presentation was "The Coming Google RSS Reader Apocalypse", at BarCampRDU 2013.)

The presenter has Tiny Tiny RSS running on a machine at home, and is providing service for himself and some family and friends. He's even written a keyboard-centric web frontend:
https://github.com/cgrinds/dripdripdrop
He runs Tiny Tiny RSS as the backend, and then serves up pages based on the front end he's written.

Tiny Tiny RSS is listed on the FreedomBox LeavingTheCloud page:
http://wiki.debian.org/FreedomBox/LeavingTheCloud

This got me thinking about how I'd like to run Tiny Tiny on the machine I've got at home. Currently it's running ownCloud, WordPress, a Tor Relay, and BitTorrent. They run on separate VMs. I'd like to run Tiny Tiny RSS too, and want to put it in a separate VM.

Ideally I'd have a script I could run, that just spins up a new VM running Tiny Tiny. It would be something like:

    freedombox-vm create tiny-tiny-rss [instance-name] [config-script-file]
    freedombox-vm start [instance-name]

The VMs would run using KVM. Here's an interesting post on this, from this past week:

How to get started with libvirt on Debian
http://rabexc.blogspot.com/2013/05/how-to-get-started-with-libvirt-on.html

I want to dig into this as a next project, after some other things I'm working on. I thought I'd put it out there to get any thoughts others might have on this, and find out if anyone else is doing something similar.

Ultimately, it seems this kind of approach would be a good one for FreedomBox in general. The process of spinning up instances would be hidden behind the FreedomBox web UI, but a user would essentially be doing things such as "freedombox-vm create" and "freedombox-vm start".

This way, services are better insulated from each other, for better security. The host machine would probably be doing basic network services (dhcpd, dhclient, iptables, etc.) But then there would be a separate VM for user services such as an RSS reader, social networking, chat, etc.

To take this one step further, the longer term goal would be to do something similar to what Qubes is doing with things such as temporary VMs -- VMs created temporarily for just one task and then discarded:
http://www.qubes-os.org/