| 1 |
On Thu, Mar 8, 2018 at 7:46 PM, Benda Xu <heroxbd@g.o> wrote: |
| 2 |
> Rich Freeman <rich0@g.o> writes: |
| 3 |
> |
| 4 |
>> If you have util-linux installed then try running (as any user - you |
| 5 |
>> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U |
| 6 |
>> -r /bin/bash |
| 7 |
>> |
| 8 |
>> Congrats. You are now root in a container. You're in the same root |
| 9 |
>> filesystem as always. You'll note that you can't actually see |
| 10 |
>> anything that you couldn't see before. If you run ps -ea you'll see |
| 11 |
>> that you're the only process running on the system. Devices like |
| 12 |
>> /dev/sda aren't actually accessible. A lot of container managers |
| 13 |
>> would mount a new /dev and just hide most of that stuff. You can |
| 14 |
>> probably imagine how something like this could be useful for isolating |
| 15 |
>> processes. |
| 16 |
> |
| 17 |
> Just a side node, this seems to be the ultimate sandbox we (Gentoo and |
| 18 |
> portage) are after. With this, we might even be able to have portage |
| 19 |
> full functional: a build is completely determined and only determined by |
| 20 |
> the dependencies and USE flags. |
| 21 |
> |
| 22 |
|
| 23 |
I'm not sure how well this would perform, but I had given this a bit |
| 24 |
of thought a few years ago. There are two obvious ways to go about |
| 25 |
this: the sandbox or containers. |
| 26 |
|
| 27 |
Either way you first go through the declared dependencies (and @system |
| 28 |
under our current policies) and obtain a list of all files installed |
| 29 |
by these packages. Then you either bind mount those files into a |
| 30 |
container, or add them to the sandbox configuration as readable. |
| 31 |
Right now the sandbox rules are set to allow read access by default on |
| 32 |
everything, but this is just a one-liner to change, which would cause |
| 33 |
the sandbox to generate an error if a file is read which isn't |
| 34 |
explicitly enabled. |
| 35 |
|
| 36 |
The container solution is going to be cleaner because it also helps |
| 37 |
curb errors from automagic build systems. These build systems |
| 38 |
wouldn't even be able to detect files not owned by a declared |
| 39 |
dependency. With the sandbox approach those files would be visible, |
| 40 |
but would generate errors when accessed (so at least we get a bug |
| 41 |
report, but users still have to deal with the issue). Sure, this |
| 42 |
would to some extent hide problems, but then again the automagic build |
| 43 |
system would be defeated all the same. |
| 44 |
|
| 45 |
The real question is how long it takes to extract those file lists and |
| 46 |
create all those bind mounts. In the case of @system some of this |
| 47 |
could be cached. I'm pretty sure the file lists would be quite fast - |
| 48 |
we only need to go one level deep on the dependency tree (I think). I |
| 49 |
suspect the bind mounts would be fast, but I haven't tried to |
| 50 |
benchmark it. I also have no idea how sandbox performs with a very |
| 51 |
long list of rules. |
| 52 |
|
| 53 |
-- |
| 54 |
Rich |
Archives