Subject: Re: PRoot experiments
To: Claudius Heine, Alexander Smirnov, isar-users
From: Benedikt Niedermayr
Date: Thu, 19 Oct 2017 12:44:15 +0200

On 19.10.2017 at 12:39, Claudius Heine wrote:
> Hi
>
> On 10/19/2017 12:14 PM, Alexander Smirnov wrote:
>> Hi,
>>
>> On 10/19/2017 01:07 PM, 'Ben Brenson' via isar-users wrote:
>>> On Wednesday, 18 October 2017 14:29:45 UTC+2, Alexander Smirnov wrote:
>>>
>>>     Hi all,
>>>
>>>     I've performed several experiments with PRoot:
>>>
>>>     1. Generate multistrap filesystem:
>>>
>>>     As reference I've used the following resource:
>>>     https://github.com/josch/polystrap/blob/master/polystrap.sh
>>>
>>>     So, I was able to run the following command without root
>>>     permissions:
>>>
>>>     $ PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -f multistrap.conf -d test
>>>
>>>     After this command execution I have a 'test' folder which looks
>>>     quite similar to the one generated with sudo (at least 'du -sm'
>>>     is the same).
>>>
>>>     2. Run commands in PRoot chroot:
>>>
>>>     I'm successfully able to run PRoot chroot for various
>>>     architectures:
>>>
>>>     $ PROOT_NO_SECCOMP=1 proot -0 -r ./test /bin/bash
>>>
>>>     Also I was able to run: 'dpkg --configure -a' in these chroots.
>>>
>>>     3. Mount of various work folders:
>>>
>>>     Mounting folders using PRoot also seems to work well:
>>>
>>>     $ PROOT_NO_SECCOMP=1 proot -0 -b /proc -b /dev -r ./test /bin/bash
>>>
>>>     And in this chroot I have /proc and /dev mounted.
>>>
>>>     So, my brief conclusion is: PRoot could be a good option for
>>>     Isar. It seems that it's designed to support the exact features
>>>     that are required for Isar. :-)
>>>
>>>     I'd like to try to implement a simple PoC to test if a *.deb
>>>     package could be generated in Isar without 'sudo'.
>>>
>>>     BTW: PRoot is a part of standard Debian, so it could be
>>>     installed via 'apt-get', no custom repos required.
>>>
>>>     --
>>>     With best regards,
>>>     Alexander Smirnov
>>>
>>> Sounds nice...
>>>
>>> What is the PROOT_NO_SECCOMP=1 for?
>>
>> Don't remember exactly, I derived this as a workaround from issues in
>> PRoot GitHub (will analyze it in detail later). As I got it, there
>> was some change related to the ptrace system call in a recent kernel
>> and this option helps old PRoot to work around this change. I use
>> jessie on my host so my proot is quite old, probably in stretch this
>> issue is already fixed.
>
> PROOT_NO_SECCOMP=1 should not be necessary if you are using the
> kas-isar container with '--security-opt=seccomp:unconfined'.
>
> I would also advise using at least version 5.* (I use 5.1.0) because
> with version 4.* I had bad experiences previously.
>
> Claudius

So I tried to do similar steps as Alexander,

mkdir -p proot_tests/test
cd proot_tests
PROOT_NO_SECCOMP=1 proot -0 /usr/sbin/multistrap -a amd64 -d test -f multistrap.conf

But after a while the following error appears:

chroot: cannot change root directory to '/home/brenson/Schreibtisch/mixed_mode/siemens/proot_tests/test/': Operation not permitted

Regards,
Benedikt
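
Added example, not part of the original message and not code from the Isar or PRoot projects: a preflight check that reports the two environment facts the thread singles out, the PRoot major version and the seccomp mode of the calling process. The function names and verdict strings are hypothetical; the version string is passed in by the caller, and the "older than 5" threshold only mirrors the advice quoted above.

```shell
#!/bin/sh
# Preflight for rootless proot runs (added example, hypothetical names).

# Print the seccomp mode recorded in a /proc/<pid>/status style file.
# Kernel values for the "Seccomp:" field: 0 = disabled, 1 = strict, 2 = filter.
# A container started with the default Docker profile shows 2; one started
# with --security-opt=seccomp:unconfined shows 0.
seccomp_mode() {
    status_file="${1:-/proc/self/status}"
    # Exact match on "Seccomp:" so the newer "Seccomp_filters:" field is skipped.
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$status_file" 2>/dev/null) || mode=""
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Extract the major number from a version string such as "5.1.0" or "v4.0.1".
proot_major() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Combine both checks into one verdict line.
# Return codes: 0 = ok, 1 = PRoot older than 5.x, 2 = version not parseable.
proot_preflight() {
    version="$1"
    status_file="${2:-/proc/self/status}"
    major=$(proot_major "$version")
    mode=$(seccomp_mode "$status_file")
    if [ -z "$major" ]; then
        echo "unknown-version seccomp=$mode"
        return 2
    fi
    if [ "$major" -lt 5 ]; then
        echo "old-proot seccomp=$mode"
        return 1
    fi
    echo "ok seccomp=$mode"
}

# Stand-alone use: ./preflight.sh <proot-version> [status-file]
if [ "$#" -ge 1 ]; then
    proot_preflight "$1" "${2:-/proc/self/status}"
fi
```

Recording this output next to a failing build log shows whether the run happened under a seccomp filter and with a 4.x PRoot, the two conditions the replies above point at.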