Subject: Re: PRoot experiments
From: Benedikt Niedermayr <benbrenson89@googlemail.com>
To: Claudius Heine, Alexander Smirnov, isar-users
Date: Thu, 19 Oct 2017 13:15:11 +0200
Message-ID: <037fdc8e-7b1c-7ce6-4a7f-6a02b6b4da72@googlemail.com>
In-Reply-To: <6cf69de7-4c49-58cb-f9d3-b10b2ca0c4e6@siemens.com>
References: <0b129e7e-f633-70d8-34fe-07cbb34fac13@ilbers.de> <99059b0d-4a58-eda2-65d3-91dc96ba2bd0@ilbers.de> <0314d700-be53-e319-3248-b6b44f567b2a@siemens.com> <6cf69de7-4c49-58cb-f9d3-b10b2ca0c4e6@siemens.com>

On 19.10.2017 at 13:08, Claudius Heine wrote:
> Hi,
>
> On 10/19/2017 12:44 PM, Benedikt Niedermayr wrote:
>> On 19.10.2017 at 12:39, Claudius Heine wrote:
>>> Hi
>>>
>>> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>>>> Hi,
>>>>
>>>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>>>
>>>>>     Hi all,
>>>>>
>>>>>     I've performed several experiments with PRoot:
>>>>>
>>>>>     1. Generate multistrap filesystem:
>>>>>
>>>>>     As reference I've used the following resource:
>>>>>     https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>>>
>>>>>     So, I was able to run the following command without root permissions:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f multistrap.conf -d test
>>>>>
>>>>>     After this command execution I have a 'test' folder which looks quite
>>>>>     similar to the one generated with sudo (at least 'du -sm' is the same).
>>>>>
>>>>>     2. Run commands in PRoot chroot:
>>>>>
>>>>>     I'm successfully able to run PRoot chroot for various architectures:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>>>
>>>>>     Also I was able to run 'dpkg --configure -a' in these chroots.
>>>>>
>>>>>     3. Mount of various work folders:
>>>>>
>>>>>     Mounting folders using PRoot also seems to work well:
>>>>>
>>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>>>
>>>>>     And in this chroot I have /proc and /dev mounted.
>>>>>
>>>>>     So, my brief conclusion is: PRoot could be a good option for Isar. It
>>>>>     seems that it's designed to support exactly the features that are
>>>>>     required for Isar. :-)
>>>>>
>>>>>     I'd like to try to implement a simple PoC to test if *.deb packages
>>>>>     could be generated in Isar without 'sudo'.
>>>>>
>>>>>     BTW: PRoot is a part of standard Debian, so it could be installed via
>>>>>     'apt-get', no custom repos required.
>>>>>
>>>>>     --
>>>>>     With best regards,
>>>>>     Alexander Smirnov
>>>>>
>>>>> Sounds nice...
>>>>>
>>>>> What is the PROOT_NO_SECCOMP=1 for?
>>>>
>>>> Don't remember exactly, I derived this as a workaround from issues in the
>>>> PRoot GitHub (will analyze it in detail later). As I understood it, there
>>>> was some change related to the ptrace system call in a recent kernel and
>>>> this option helps old PRoot work around this change. I use jessie on my
>>>> host so my proot is quite old; probably in stretch this issue is already
>>>> fixed.
>>>
>>> PROOT_NO_SECCOMP=1 should not be necessary if you are using the
>>> kas-isar container with '--security-opt=seccomp:unconfined'.
>>>
>>> I would also advise using at least version 5.* (I use 5.1.0)
>>> because with version 4.* I had bad experiences previously.
>>>
>>> Claudius
>>
>> So I tried to do similar steps as Alexander:
>>
>> mkdir -r proot_tests/test
>
> '-r'? I suppose you meant '-p'.
>
>> cd proot_tests
>> PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f multistrap.conf
>>
>> But after a while the following error appears:
>>
>> chroot: cannot change root directory to
>> '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/':
>> Operation not permitted
>
> Yes, this is one of the issues of proot. Not all system calls are emulated:
>
> $ proot -0
> # id
> uid=0(root) gid=0(root)
> groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),124(docker),125(wireshark),1000(ch)
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # chown nobody:nogroup test
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # mknod mem c 1 1
> # ls -al
> total 12
> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
> # chroot test
> chroot: cannot change root directory to 'test': Operation not permitted
>
> Claudius

> '-r'? I suppose you meant '-p'.

Yes, it was a typo.

OK, but why does it work when Alexander runs multistrap with proot? I took a look into multistrap and saw there are calls to 'chroot'. But how can it work, when proot doesn't support this syscall?

Regards,
Benedikt