Subject: Re: PRoot experiments
To: Benedikt Niedermayr, Alexander Smirnov, isar-users
References: <0b129e7e-f633-70d8-34fe-07cbb34fac13@ilbers.de> <99059b0d-4a58-eda2-65d3-91dc96ba2bd0@ilbers.de> <0314d700-be53-e319-3248-b6b44f567b2a@siemens.com>
From: Claudius Heine
Message-ID: <6cf69de7-4c49-58cb-f9d3-b10b2ca0c4e6@siemens.com>
Date: Thu, 19 Oct 2017 13:08:36 +0200

Hi,

On 10/19/2017 12:44 PM, Benedikt Niedermayr wrote:
> On 19.10.2017 at 12:39, Claudius Heine wrote:
>> Hi
>>
>> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>>> Hi,
>>>
>>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>>
>>>>     Hi all,
>>>>
>>>>     I've performed several experiments with PRoot:
>>>>
>>>>     1. Generate multistrap filesystem:
>>>>
>>>>     As reference I've used the following resource:
>>>>     https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>>
>>>>     So, I was able to run the following command without root
>>>>     permissions:
>>>>
>>>>     $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f multistrap.conf -d test
>>>>
>>>>     After this command execution I have 'test' folder which looks quite
>>>>     similar to one, generated with sudo (at least 'du -sm' is the same).
>>>>
>>>>     2. Run commands in PRoot chroot:
>>>>
>>>>     I'm successfully able to run PRoot chroot for various architectures:
>>>>
>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>>
>>>>     Also I was able to run: 'dpkg --configure -a' in these chroots.
>>>>
>>>>     3. Mount of various work folders:
>>>>
>>>>     Mounting folders using PRoot also seems to work well:
>>>>
>>>>     $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>>
>>>>     And in this chroot I have /proc and /dev mounted.
>>>>
>>>>
>>>>     So, my brief conclusion is: PRoot could be a good option for Isar. It
>>>>     seems that it's designed to support exact features that are required
>>>>     for Isar. :-)
>>>>
>>>>     I'd like to try to implement simple PoC to test if *.deb package could
>>>>     be generated in Isar without 'sudo'.
>>>>
>>>>     BTW: PRoot is a part of standard Debian, so it could be installed via
>>>>     'apt-get', no custom repos required.
>>>>
>>>>     --
>>>>     With best regards,
>>>>     Alexander Smirnov
>>>>
>>>>
>>>> Sounds nice...
>>>>
>>>> What is the PROOT_NO_SECCOMP=1 for?
>>>
>>> Don't remember exactly, I derived this as a workaround from issues in the
>>> PRoot GitHub (will analyze it in detail later). As I got it, there
>>> was some change related to the ptrace system call in recent kernels and
>>> this option helps old PRoot to work around this change. I use jessie
>>> on my host so my proot is quite old, probably in stretch this issue
>>> is already fixed.
>>
>> PROOT_NO_SECCOMP=1 should not be necessary if you are using the
>> kas-isar container with '--security-opt=seccomp:unconfined'.
>>
>> I would also advise to use at least version 5.* (I use 5.1.0) because
>> with the version 4.* I had bad experiences previously.
>>
>> Claudius
>>
>
> So I tried to do similar steps as Alexander,
> mkdir -r proot_tests/test

'-r'? I suppose you meant '-p'.

> cd proot_tests
> PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f multistrap.conf
>
> But after a while the following error appears:
>
> chroot: cannot change root directory to
> '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/':
> Operation not permitted

Yes, this is one of the issues of proot. Not all system calls are emulated:

$ proot -0
# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),124(docker),125(wireshark),1000(ch)
# ls -al
total 12
drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
# chown nobody:nogroup test
# ls -al
total 12
drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
# mknod mem c 1 1
# ls -al
total 12
drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
# chroot test
chroot: cannot change root directory to 'test': Operation not permitted

Claudius

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
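The check the session above implies, as an added example that is not part of the thread or of PRoot itself: a POSIX shell script that probes whether chown and mknod really take effect under 'proot -0' by inspecting the filesystem from outside proot, so a faked success (exit 0, no change on disk, as in Claudius' ls output) is told apart from a real one. It assumes proot is on PATH, GNU stat ('stat -c %u') and uid 65534 as the 'nobody' target; classify, probe_chown and probe_mknod are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which privileged operations
# actually take effect under 'proot -0'. proot -0 only fakes uid 0, so a
# command may exit 0 (and 'ls' inside proot may show root:root) while the
# on-disk state is unchanged; every probe therefore checks the real
# filesystem from outside proot instead of trusting exit codes.
# Assumes: proot on PATH, GNU coreutils stat, uid 65534 (nobody) exists.

# classify RC EFFECT: "real" when the effect is visible on disk, "faked"
# when the command reported success without any effect, "denied" otherwise.
classify() {
    if [ "$2" = 1 ]; then
        echo real
    elif [ "$1" = 0 ]; then
        echo faked
    else
        echo denied
    fi
}

# probe_chown DIR: try to hand DIR/test to nobody, then read the real owner.
probe_chown() {
    mkdir -p "$1/test"
    rc=0
    PROOT_NO_SECCOMP=1 proot -0 chown 65534:65534 "$1/test" 2>/dev/null || rc=$?
    eff=0
    [ "$(stat -c %u "$1/test")" = 65534 ] && eff=1
    classify "$rc" "$eff"
}

# probe_mknod DIR: try to create a /dev/mem-style node, then look for it.
probe_mknod() {
    rc=0
    PROOT_NO_SECCOMP=1 proot -0 mknod "$1/mem" c 1 1 2>/dev/null || rc=$?
    eff=0
    [ -c "$1/mem" ] && eff=1
    classify "$rc" "$eff"
}

if command -v proot >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    echo "chown: $(probe_chown "$scratch")"
    echo "mknod: $(probe_mknod "$scratch")"
    rm -rf "$scratch"
else
    echo "proot not installed; nothing probed"
fi
```

Run it as the unprivileged build user; a result of "faked" for chown or mknod is exactly the gap that makes the later chroot step fail in the thread.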