From: Claudius Heine <claudius.heine.ext@siemens.com>
To: Benedikt Niedermayr <benbrenson89@googlemail.com>,
Alexander Smirnov <asmirnov@ilbers.de>,
isar-users <isar-users@googlegroups.com>
Subject: Re: PRoot experiments
Date: Thu, 19 Oct 2017 13:08:36 +0200
Message-ID: <6cf69de7-4c49-58cb-f9d3-b10b2ca0c4e6@siemens.com>
In-Reply-To: <d5ffecd6-b9b3-43d5-4ca4-1e8bfde61d4b@googlemail.com>
Hi,
On 10/19/2017 12:44 PM, Benedikt Niedermayr wrote:
> On 19.10.2017 at 12:39, Claudius Heine wrote:
>> Hi
>>
>> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>>> Hi,
>>>
>>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I've performed several experiments with PRoot:
>>>>
>>>> 1. Generate multistrap filesystem:
>>>>
>>>> As reference I've used the following resource:
>>>> https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>>
>>>> So, I was able to run the following command without root
>>>> permissions:
>>>>
>>>> $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f
>>>> multistrap.conf -d
>>>> test
>>>>
>>>> After running this command I have a 'test' folder which looks quite
>>>> similar to the one generated with sudo (at least 'du -sm' is the
>>>> same).
>>>>
>>>> 2. Run commands in PRoot chroot:
>>>>
>>>> I'm able to successfully run a PRoot chroot for various
>>>> architectures:
>>>>
>>>> $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>>
>>>> Also I was able to run: 'dpkg --configure -a' in these chroots.
>>>>
>>>> 3. Mount of various work folders:
>>>>
>>>> Mounting folders using PRoot also seems to work well:
>>>>
>>>> $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>>
>>>> And in this chroot I have /proc and /dev mounted.
>>>>
>>>>
>>>> So, my brief conclusion is: PRoot could be a good option for Isar. It
>>>> seems that it's designed to support exactly the features that are
>>>> required for Isar. :-)
>>>>
>>>> I'd like to try to implement a simple PoC to test if *.deb packages
>>>> could be generated in Isar without 'sudo'.
>>>>
>>>> BTW: PRoot is part of standard Debian, so it can be installed via
>>>> 'apt-get'; no custom repos required.
>>>>
>>>> -- With best regards,
>>>> Alexander Smirnov
>>>>
>>>> Sounds nice...
>>>>
>>>> What is the PROOT_NO_SECCOMP=1 for?
>>>
>>> Don't remember exactly, I derived this as a workaround from issues in
>>> the PRoot GitHub (will analyze it in detail later). As I got it, there
>>> was some change related to the ptrace system call in a recent kernel and
>>> this option helps old PRoot to work around this change. I use jessie
>>> on my host so my proot is quite old; probably in stretch this issue
>>> is already fixed.
>>
>> PROOT_NO_SECCOMP=1 should not be necessary if you are using the
>> kas-isar container with '--security-opt=seccomp:unconfined'.
>>
>> I would also advise using at least version 5.* (I use 5.1.0), because
>> with version 4.* I had bad experiences previously.
>>
>> Claudius
>>
>>
>
> So I tried to do similar steps as Alexander,
> mkdir -r proot_tests/test
'-r'? I suppose you meant '-p'.
> cd proot_tests
> PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f
> multistrap.conf
>
> But after a while the following error appears:
>
> chroot: cannot change root directory to
> '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/':
> Operation not permitted
Yes, this is one of the issues of proot. Not all system calls are emulated:
$ proot -0
# id
uid=0(root) gid=0(root)
groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),124(docker),125(wireshark),1000(ch)
# ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x 2 root root 4096 Oct 19 12:47 test
# chown nobody:nogroup test
# ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x 2 root root 4096 Oct 19 12:47 test
# mknod mem c 1 1
# ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x 2 root root 4096 Oct 19 12:47 test
# chroot test
chroot: cannot change root directory to 'test': Operation not permitted
Claudius
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
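The session above shows the trap in one sitting: under 'proot -0' the shell says uid=0, and 'chown' and 'mknod' return success, yet nothing on disk changes and 'chroot' is refused with EPERM. The script below is an added example, not code from this thread, from Isar or from the PRoot project: it turns that manual check into a probe that runs 'id', 'chown', 'mknod' and 'chroot' under an optional wrapper command and verifies each operation by looking at the filesystem from outside the wrapper rather than trusting the exit status. The verdict names (unprivileged, real-root, cosmetic-root, restricted-root), the numeric owner 65534 and the choice of char device 1,3 (/dev/null) are this example's own assumptions; it expects Linux with coreutils or busybox ('stat -c', and the "change root directory" text in chroot's error message).

```sh
#!/bin/sh
# Added example for this thread (not code from Isar, PRoot or the mail's
# author): decide whether "root" seen inside a wrapper such as `proot -0`
# is real, partial, or only cosmetic.  Every privileged operation is
# checked by looking at the filesystem afterwards, never by trusting the
# command's exit status: chown and mknod return 0 under proot -0 without
# doing anything, and chroot gets EPERM.
#
# Usage:  sh root-probe.sh                (probe the current environment)
#         sh root-probe.sh proot -0       (probe inside a wrapper)
# Assumes Linux with coreutils or busybox (stat -c, chroot message text).

# Locate chroot even when /usr/sbin is not on an unprivileged user's PATH.
find_chroot() {
    command -v chroot 2>/dev/null && return 0
    for p in /usr/sbin/chroot /sbin/chroot; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Each probe prints 1 if the operation really took effect, else 0.
# First argument is a scratch directory; the rest is the wrapper command.
probe_chown() {
    d=$1; shift
    mkdir -p "$d/sub"
    "$@" chown 65534:65534 "$d/sub" 2>/dev/null || true   # exit status not trusted
    # Observe from outside the wrapper: proot -0 fakes stat() results inside.
    [ "$(stat -c %u "$d/sub")" = 65534 ] && echo 1 || echo 0
}

probe_mknod() {
    d=$1; shift
    "$@" mknod "$d/null" c 1 3 2>/dev/null || true        # char 1,3 = /dev/null, harmless
    [ -c "$d/null" ] && echo 1 || echo 0
}

probe_chroot() {
    d=$1; shift
    mkdir -p "$d/sub"
    c=$(find_chroot) || { echo 0; return 0; }
    out=$("$@" "$c" "$d/sub" /bin/true 2>&1) || true
    # chroot(2) refused -> "cannot/can't change root directory".  If the root
    # was entered, the exec of /bin/true then fails (the directory is empty),
    # which is a different message and still proves chroot itself worked.
    case $out in
        *"change root directory"*) echo 0 ;;
        *) echo 1 ;;
    esac
}

# Map the four observations to a verdict.  Pure function, no side effects.
#   uid != 0                    -> unprivileged
#   uid == 0, all three stick   -> real-root
#   uid == 0, none stick        -> cosmetic-root   (proot -0 / fakeroot style)
#   uid == 0, some stick        -> restricted-root (uid 0, but capabilities
#                                                   or seccomp withheld)
classify_root() {
    uid=$1 chown=$2 mknod=$3 chroot=$4
    if [ "$uid" != 0 ]; then
        echo unprivileged
    elif [ "$chown$mknod$chroot" = 111 ]; then
        echo real-root
    elif [ "$chown$mknod$chroot" = 000 ]; then
        echo cosmetic-root
    else
        echo restricted-root
    fi
}

# Run all probes under the wrapper given as arguments and print the report.
# Returns 2 when the wrapper binary cannot be found (e.g. proot not installed).
root_report() {
    if [ $# -gt 0 ] && ! command -v "$1" >/dev/null 2>&1; then
        echo "wrapper '$1' not found" >&2
        return 2
    fi
    d=$(mktemp -d) || return 1
    uid=$("$@" id -u 2>/dev/null) || uid='?'
    ch=$(probe_chown "$d" "$@")
    mk=$(probe_mknod "$d" "$@")
    cr=$(probe_chroot "$d" "$@")
    rm -rf "$d"
    printf 'uid=%s chown=%s mknod=%s chroot=%s\n' "$uid" "$ch" "$mk" "$cr"
    printf 'verdict=%s\n' "$(classify_root "$uid" "$ch" "$mk" "$cr")"
}

root_report "$@"
```

Run it once without a wrapper to see the baseline for your user, then as 'sh root-probe.sh proot -0' (or 'sh root-probe.sh env PROOT_NO_SECCOMP=1 proot -0' on an old PRoot); a "cosmetic-root" verdict with uid=0 is the situation in the session above, and it is exactly what multistrap's internal 'chroot' step trips over. A "restricted-root" verdict is not a PRoot problem but a container that is really uid 0 while seccomp or missing capabilities block individual operations.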
Thread overview (15+ messages):
2017-10-18 12:29 Alexander Smirnov
2017-10-19 8:59 ` Henning Schild
2017-10-19 10:10 ` Ben Brenson
[not found] ` <b0082bee-94d7-48c6-8582-93efc4171b59@googlegroups.com>
2017-10-19 10:14 ` Alexander Smirnov
2017-10-19 10:39 ` Claudius Heine
2017-10-19 10:44 ` Benedikt Niedermayr
2017-10-19 11:08 ` Claudius Heine [this message]
2017-10-19 11:15 ` Benedikt Niedermayr
2017-10-19 11:37 ` Alexander Smirnov
2017-10-19 11:36 ` Benedikt Niedermayr
2017-10-19 11:40 ` Alexander Smirnov
2017-10-19 13:37 ` Ben Brenson
2017-10-20 8:18 ` Ben Brenson
2017-10-20 8:52 ` Claudius Heine
2017-10-20 9:21 ` Ben Brenson