Hi,

On 10/19/2017 02:15 PM, Benedikt Niedermayr wrote:
> On 19.10.2017 at 13:08, Claudius Heine wrote:
>> Hi,
>>
>> On 10/19/2017 12:44 PM, Benedikt Niedermayr wrote:
>>> On 19.10.2017 at 12:39, Claudius Heine wrote:
>>>> Hi
>>>>
>>>> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>>>>> Hi,
>>>>>
>>>>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>>>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I've performed several experiments with PRoot:
>>>>>>
>>>>>> 1. Generate multistrap filesystem:
>>>>>>
>>>>>> As reference I've used the following resource:
>>>>>> https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>>>>
>>>>>> So, I was able to run the following command without root
>>>>>> permissions:
>>>>>>
>>>>>> $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f multistrap.conf -d test
>>>>>>
>>>>>> After this command execution I have a 'test' folder which looks
>>>>>> quite similar to the one generated with sudo (at least 'du -sm'
>>>>>> is the same).
>>>>>>
>>>>>> 2. Run commands in PRoot chroot:
>>>>>>
>>>>>> I'm successfully able to run PRoot chroot for various
>>>>>> architectures:
>>>>>>
>>>>>> $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>>>>
>>>>>> Also I was able to run: 'dpkg --configure -a' in these chroots.
>>>>>>
>>>>>> 3. Mount of various work folders:
>>>>>>
>>>>>> Mounting folders using PRoot also seems to work well:
>>>>>>
>>>>>> $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>>>>
>>>>>> And in this chroot I have /proc and /dev mounted.
>>>>>>
>>>>>>
>>>>>> So, my brief conclusion is: PRoot could be a good option for
>>>>>> Isar. It seems that it's designed to support the exact features
>>>>>> that are required for Isar. :-)
>>>>>>
>>>>>> I'd like to try to implement a simple PoC to test if a *.deb
>>>>>> package could be generated in Isar without 'sudo'.
>>>>>>
>>>>>> BTW: PRoot is a part of standard Debian, so it could be
>>>>>> installed via 'apt-get', no custom repos required.
>>>>>>
>>>>>> --
>>>>>> With best regards,
>>>>>> Alexander Smirnov
>>>>>>
>>>>>>
>>>>>> Sounds nice...
>>>>>>
>>>>>> What is the PROOT_NO_SECCOMP=1 for?
>>>>>
>>>>> Don't remember exactly, I derived this as a workaround from issues in
>>>>> PRoot GitHub (will analyze it in detail later). As I got it, there
>>>>> was some change related to the ptrace system call in a recent kernel and
>>>>> this option helps old PRoot to work around this change. I use jessie
>>>>> on my host so my proot is quite old, probably in stretch this issue
>>>>> is already fixed.
>>>>
>>>> PROOT_NO_SECCOMP=1 should not be necessary if you are using the
>>>> kas-isar container with '--security-opt=seccomp:unconfined'.
>>>>
>>>> I would also advise using at least version 5.* (I use 5.1.0)
>>>> because with version 4.* I had bad experiences previously.
>>>>
>>>> Claudius
>>>>
>>>
>>> So I tried to do similar steps as Alexander,
>>> mkdir -r proot_tests/test
>>
>> '-r'? I suppose you meant '-p'.
>>
>>> cd proot_tests
>>> PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f multistrap.conf
>>>
>>> But after a while the following error appears:
>>>
>>> chroot: cannot change root directory to
>>> '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/':
>>> Operation not permitted
>>
>> Yes, this is one of the issues of proot. Not all system calls are emulated:
>>
>> $ proot -0
>> # id
>> uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),124(docker),125(wireshark),1000(ch)
>> # ls -al
>> total 12
>> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
>> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
>> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
>> # chown nobody:nogroup test
>> # ls -al
>> total 12
>> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
>> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
>> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
>> # mknod mem c 1 1
>> # ls -al
>> total 12
>> drwxr-xr-x  3 root root 4096 Oct 19 12:47 .
>> drwxrwxrwt 23 root root 4096 Oct 19 12:56 ..
>> drwxr-xr-x  2 root root 4096 Oct 19 12:47 test
>> # chroot test
>> chroot: cannot change root directory to 'test': Operation not permitted
>>
>> Claudius
>>
>
>> '-r'? I suppose you meant '-p'.
>
> Yes, it was a typo.
>
>
> Ok but why is it working when Alexander runs multistrap with proot?
>

In my mail I only mentioned that the output folder from this command looks quite similar to the one generated with sudo, so probably there were some error messages in the log.

> I took a look into multistrap and saw there are calls to 'chroot'. But
> how can it work, when proot doesn't support this syscall?
>

Regarding chroot usage in multistrap, AFAIK it's only used to run configscript, which could be done outside multistrap via proot (item #2 in my initial mail). According to my log attached, it seems that's true, no configscript found, so no error happened :-)

Alex

>
> Regards,
>
> Benedikt
>

--
With best regards,
Alexander Smirnov

ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov
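
The three operations from Claudius's transcript above (chown, mknod, chroot) as a repeatable check that separates "exit 0 with no effect" from a real change or a refusal. This is an added example, not part of the original thread and not PRoot or Isar code; the function names, the scratch directory and the `run` argument are assumptions, and it relies on GNU `stat -c` and on GNU `chroot` exiting with 125 when the call itself fails.

```shell
#!/bin/sh
# Classify a privileged operation as "real", "faked" or "denied".
# usage: check_op NAME PREDICATE CMD [ARGS...]
#   PREDICATE is a function returning 0 only if CMD's effect is visible.
check_op() {
    name=$1 pred=$2
    shift 2
    if "$@" >/dev/null 2>&1; then
        if "$pred"; then
            echo "$name: real"
        else
            echo "$name: faked (exit 0, no visible effect)"
        fi
    else
        echo "$name: denied"
    fi
}

# Predicates: look at the filesystem instead of trusting the exit status.
chown_took() { [ "$(stat -c %U "$PROBE_DIR/test")" = nobody ]; }
mknod_took() { [ -c "$PROBE_DIR/null" ]; }
always()     { true; }   # chroot has no on-disk effect to inspect

# GNU chroot exits 125 only when chroot(2) itself fails; 126/127 mean the
# root was changed but /bin/true does not exist in the empty target.
try_chroot() {
    command -v chroot >/dev/null 2>&1 || return 1
    chroot "$1" /bin/true
    [ $? -ne 125 ]
}

# Repeat the transcript's operations in a scratch directory (constructed
# here; device 1,3 is the null device, the transcript used 1,1).
probe_fakeroot() {
    PROBE_DIR=$(mktemp -d) || return 1
    mkdir "$PROBE_DIR/test"
    check_op chown  chown_took chown nobody:nogroup "$PROBE_DIR/test"
    check_op mknod  mknod_took mknod "$PROBE_DIR/null" c 1 3
    check_op chroot always     try_chroot "$PROBE_DIR/test"
    rm -rf "$PROBE_DIR"
}

# Only probe when asked to, so the file can also be sourced.
if [ "${1:-}" = run ]; then probe_fakeroot; fi
```

Run it inside the environment under test, for example `proot -0 sh probe.sh run` (file name hypothetical). For the session quoted above, the results would be chown and mknod faked and chroot denied.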