public inbox for isar-users@googlegroups.com
From: Benedikt Niedermayr <benbrenson89@googlemail.com>
To: Claudius Heine <claudius.heine.ext@siemens.com>,
	Alexander Smirnov <asmirnov@ilbers.de>,
	isar-users <isar-users@googlegroups.com>
Subject: Re: PRoot experiments
Date: Thu, 19 Oct 2017 13:15:11 +0200	[thread overview]
Message-ID: <037fdc8e-7b1c-7ce6-4a7f-6a02b6b4da72@googlemail.com> (raw)
In-Reply-To: <6cf69de7-4c49-58cb-f9d3-b10b2ca0c4e6@siemens.com>

On 19.10.2017 at 13:08, Claudius Heine wrote:
> Hi,
>
> On 10/19/2017 12:44 PM, Benedikt Niedermayr wrote:
>> On 19.10.2017 at 12:39, Claudius Heine wrote:
>>> Hi
>>>
>>> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>>>> Hi,
>>>>
>>>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>>>
>>>>>     Hi all,
>>>>>
>>>>>     I've performed several experiments with PRoot:
>>>>>
>>>>>     1. Generate multistrap filesystem:
>>>>>
>>>>>     As reference I've used the following resource:
>>>>> https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>>>
>>>>>     So, I was able to run the following command without root permissions:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f multistrap.conf -d test
>>>>>
>>>>>     After this command execution I have a 'test' folder which looks quite
>>>>>     similar to the one generated with sudo (at least 'du -sm' is the same).
>>>>>
>>>>>     2. Run commands in PRoot chroot:
>>>>>
>>>>>     I'm successfully able to run PRoot chroot for various architectures:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>>>
>>>>>     Also I was able to run: 'dpkg --configure -a' in these chroots.
>>>>>
>>>>>     3. Mount of various work folders:
>>>>>
>>>>>     Mounting folders using PRoot also seems to work well:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>>>
>>>>>     And in this chroot I have /proc and /dev mounted.
>>>>>
>>>>>
>>>>>     So, my brief conclusion is: PRoot could be a good option for Isar. It
>>>>>     seems that it's designed to support exactly the features that are required
>>>>>     for Isar. :-)
>>>>>
>>>>>     I'd like to try to implement a simple PoC to test if a *.deb package could
>>>>>     be generated in Isar without 'sudo'.
>>>>>
>>>>>     BTW: PRoot is a part of standard Debian, so it could be installed via
>>>>>     'apt-get', no custom repos required.
>>>>>
>>>>>     -- 
>>>>>     With best regards,
>>>>>     Alexander Smirnov
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Sounds nice...
>>>>>
>>>>> What is the PROOT_NO_SECCOMP=1 for?
>>>>
>>>> Don't remember exactly, I derived this as a workaround from issues in 
>>>> the PRoot GitHub (will analyze it in detail later). As I got it, there 
>>>> was some change related to the ptrace system call in a recent kernel and 
>>>> this option helps old PRoot to work around this change. I use jessie 
>>>> on my host so my proot is quite old, probably in stretch this issue 
>>>> is already fixed.
>>>
>>> PROOT_NO_SECCOMP=1 should not be necessary if you are using the 
>>> kas-isar container with '--security-opt=seccomp:unconfined'.
>>>
>>> I would also advise using at least version 5.* (I use 5.1.0) 
>>> because with version 4.* I had bad experiences previously.
>>>
>>> Claudius
>>>
>>>
>>
>> So I tried to do similar steps as Alexander,
>> mkdir -r proot_tests/test
>
> '-r'? I suppose you meant '-p'.
>
>> cd proot_tests
>> PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f multistrap.conf
>>
>> But after a while the following error appears:
>>
>> chroot: cannot change root directory to '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/': Operation not permitted
>
> Yes, this is one of the issues of proot. Not all system calls are emulated:
>
> $ proot -0
> # id
> uid=0(root) gid=0(root) 
> groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),124(docker),125(wireshark),1000(ch)
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # chown nobody:nogroup test
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # mknod mem c 1 1
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # chroot test
> chroot: cannot change root directory to 'test': Operation not permitted
>
> Claudius
>

> '-r'? I suppose you meant '-p'. 

Yes, it was a typo.


Ok but why is it working when Alexander runs multistrap with proot?

I took a look into multistrap and saw there are calls to 'chroot'. But 
how can it work, when proot doesn't support this syscall?


Regards,

Benedikt
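The session Claudius quoted shows the practical hazard of a PRoot "root": `id` reports uid 0, `chown` and `mknod` return success without any effect, and `chroot` fails with "Operation not permitted". The script below is an added example for this thread, not code from Isar, PRoot or any of the posters. It probes those three behaviours directly so a build script can tell real root, emulated root and an unprivileged shell apart before it starts writing a rootfs. It assumes a Linux host with coreutils or busybox (`stat -c %U`, `chroot`, `mknod`) and a `nobody` user; the classification labels (`real`, `silent-noop`, `denied`, `unavailable`) are this example's own.

```shell
#!/bin/sh
# probe_fake_root: report whether "root" here is real, emulated, or absent.
# Constructed example, not from the isar-users thread or the PRoot project.
#
# Output is one line, e.g.:
#   uid=0 chown=real mknod=real chroot=real           (real root)
#   uid=0 chown=silent-noop mknod=silent-noop chroot=denied   (what the quoted
#                                                      'proot -0' session shows)
#   uid=1000 chown=denied mknod=denied chroot=denied  (plain unprivileged user)

probe_fake_root() {
    tmp=$(mktemp -d 2>/dev/null) || { echo "probe=error"; return 0; }
    mkdir "$tmp/test" 2>/dev/null || true
    result="uid=$(id -u)"

    # 1. chown: real root changes the owner; an emulated root reports success
    #    but the file is still owned by the caller (as in the quoted 'ls -al').
    if chown nobody "$tmp/test" 2>/dev/null; then
        owner=$(stat -c %U "$tmp/test" 2>/dev/null || echo unknown)
        if [ "$owner" = "nobody" ]; then
            result="$result chown=real"
        else
            result="$result chown=silent-noop"
        fi
    else
        result="$result chown=denied"
    fi

    # 2. mknod: same check, using the 'mem c 1 1' node from the quoted session.
    #    Success with no device node afterwards means the call was swallowed.
    if mknod "$tmp/mem" c 1 1 2>/dev/null; then
        if [ -c "$tmp/mem" ]; then
            result="$result mknod=real"
        else
            result="$result mknod=silent-noop"
        fi
    else
        result="$result mknod=denied"
    fi

    # 3. chroot: not emulated by PRoot, so it fails with EPERM even as "root".
    #    Unprivileged users often lack /usr/sbin in PATH; look for the binary.
    chroot_bin=$(command -v chroot 2>/dev/null || true)
    for candidate in /usr/sbin/chroot /sbin/chroot; do
        if [ -z "$chroot_bin" ] && [ -x "$candidate" ]; then
            chroot_bin=$candidate
        fi
    done
    if [ -z "$chroot_bin" ]; then
        result="$result chroot=unavailable"
    elif "$chroot_bin" / /bin/true 2>/dev/null; then
        result="$result chroot=real"
    else
        result="$result chroot=denied"
    fi

    rm -rf "$tmp"
    echo "$result"
    return 0
}

# Stand-alone usage: print the probe line for the current environment.
probe_fake_root
```

The point of checking the side effect rather than the exit status is exactly what the thread shows: under PRoot the commands in multistrap's post-install steps can "succeed" while leaving ownership and device nodes wrong, and only `chroot` fails loudly. A rootfs build that trusts exit codes alone would not notice the first two.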






