1 |
On Thu, Mar 8, 2018 at 7:46 PM, Benda Xu <heroxbd@g.o> wrote: |
2 |
> Rich Freeman <rich0@g.o> writes: |
3 |
> |
4 |
>> If you have util-linux installed then try running (as any user - you |
5 |
>> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U |
6 |
>> -r /bin/bash |
7 |
>> |
8 |
>> Congrats. You are now root in a container. You're in the same root |
9 |
>> filesystem as always. You'll note that you can't actually see |
10 |
>> anything that you couldn't see before. If you run ps -ea you'll see |
11 |
>> that you're the only process running on the system. Devices like |
12 |
>> /dev/sda aren't actually accessible. A lot of container managers |
13 |
>> would mount a new /dev and just hide most of that stuff. You can |
14 |
>> probably imagine how something like this could be useful for isolating |
15 |
>> processes. |
16 |
> |
17 |
> Just a side node, this seems to be the ultimate sandbox we (Gentoo and |
18 |
> portage) are after. With this, we might even be able to have portage |
19 |
> full functional: a build is completely determined and only determined by |
20 |
> the dependencies and USE flags. |
21 |
> |
22 |
|
23 |
I'm not sure how well this would perform, but I had given this a bit |
24 |
of thought a few years ago. There are two obvious ways to go about |
25 |
this: the sandbox or containers. |
26 |
|
27 |
Either way you first go through the declared dependencies (and @system |
28 |
under our current policies) and obtain a list of all files installed |
29 |
by these packages. Then you either bind mount those files into a |
30 |
container, or add them to the sandbox configuration as readable. |
31 |
Right now the sandbox rules are set to allow read access by default on |
32 |
everything, but this is just a one-liner to change, which would cause |
33 |
the sandbox to generate an error if a file is read which isn't |
34 |
explicitly enabled. |
35 |
|
36 |
The container solution is going to be cleaner because it also helps |
37 |
curb errors from automagic build systems. These build systems |
38 |
wouldn't even be able to detect files not owned by a declared |
39 |
dependency. With the sandbox approach those files would be visible, |
40 |
but would generate errors when accessed (so at least we get a bug |
41 |
report, but users still have to deal with the issue). Sure, this |
42 |
would to some extent hide problems, but then again the automagic build |
43 |
system would be defeated all the same. |
44 |
|
45 |
The real question is how long it takes to extract those file lists and |
46 |
create all those bind mounts. In the case of @system some of this |
47 |
could be cached. I'm pretty sure the file lists would be quite fast - |
48 |
we only need to go one level deep on the dependency tree (I think). I |
49 |
suspect the bind mounts would be fast, but I haven't tried to |
50 |
benchmark it. I also have no idea how sandbox performs with a very |
51 |
long list of rules. |
52 |
|
53 |
-- |
54 |
Rich |