Re: App image experiments



On 25.02.2013 17:18, Alexander Larsson wrote:
Today I've been looking at the app image part of the application stuff
we were talking about on the hackfest.

Basically, given a "base profile" as a directory with the basic
dependencies and one or more app images, merge these two into a single
tree inside a separate namespace and run the app from there.

Given that we don't currently have any union fs upstream the only way
we can do this currently is to use bind mounts. So, I've written a
small app to test this. It takes a directory with the base os and
a set of squashfs images, then it clones to get a new namespace
where it mounts a tmpfs. Inside it we loopback mount the images
and create a directory "root" where we build up the merged structure.

Any dir/file just in one of the sources gets bind-mounted in, but
if any directory is in multiple sources we create it on the tmpfs and
merge in the children recursively.

It also mounts /proc, and bind-mounts $home and /dev. We also disable
all kinds of SUID and new caps stuff.

Code at: https://github.com/alexlarsson/run-merged

In order to set up some kind of test base environment I used this:

 mkdir /opt/base_os
 yum install nautilus --installroot=/opt/base_os/F18 --releasever=18
 yum remove nautilus --installroot=/opt/base_os/F18 --releasever=18

It gives me a base os that has everything nautilus requires at runtime.
Obviously a real base os needs to be much more carefully constructed,
but this is a simple test.

Then I can create a test app with:

 yumdownloader nautilus --releasever=18
 yumdownloader nautilus-extensions --releasever=18
 yumdownloader gtk3-devel --releasever=18

 mkdir -p /tmp/app_image
 rpm2cpio nautilus-3.6.3-4.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
 rpm2cpio nautilus-extensions-3.6.3-4.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
 rpm2cpio gtk3-devel-3.6.4-1.fc18.x86_64.rpm | (cd /tmp/app_image && cpio -id )
 mksquashfs /tmp/app_image nautilus.squashfs

Then I start run-merged:

 ./run-merged /opt/base_os/F18 ./nautilus.squashfs
 sh-4.2$ mount | wc -l
 5307

Yowzers! 5000 bind mounts! But I can run gtk3-demo and it works.

Of course, now comes the hard parts:

 sh-4.2$ nautilus
 (nautilus:15428): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1000)

We could solve this with a custom nsswitch.conf module that calls out of
the sandbox or does something useful here. The real question is if we
want name-spaced uids and gids in a sandbox or not. We may also want to
restrict enumerating other users and groups by code inside a sandbox.

Cheers,

Stef
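
The merge rule described in the quoted message (bind-mount anything found in only one source, create and recurse into directories found in several), as an added Python dry-run sketch that is not part of the original thread and is not run-merged's code. The function names, the constructed sample trees and the "last-listed source wins" handling of non-directory conflicts are assumptions; it only plans the mounts and performs none.

```python
import os
import tempfile

def plan_merge(sources, rel=""):
    """Return (action, source_path_or_None, target_rel) steps for a merged root.

    'mkdir' = create the directory on the tmpfs, 'bind' = bind-mount source there.
    """
    # For every child name at this level, record which sources contain it.
    owners = {}
    for src in sources:
        here = os.path.join(src, rel)
        if os.path.isdir(here) and not os.path.islink(here):
            for name in os.listdir(here):
                owners.setdefault(name, []).append(src)
    steps = []
    for name in sorted(owners):
        child = os.path.join(rel, name)
        paths = [os.path.join(s, child) for s in owners[name]]
        real_dirs = [os.path.isdir(p) and not os.path.islink(p) for p in paths]
        if len(paths) > 1 and all(real_dirs):
            # A real directory in several sources: create it, merge children.
            steps.append(("mkdir", None, child))
            steps.extend(plan_merge(owners[name], child))
        else:
            # Present in one source only: a single bind mount covers the subtree.
            # Assumption: on a file/symlink conflict the last-listed source wins.
            steps.append(("bind", paths[-1], child))
    return steps

def demo():
    """Plan the merge of two constructed trees: a base OS and one app image."""
    files = ("base/usr/bin/sh", "base/usr/lib/libc.so", "base/etc/passwd",
             "app/usr/bin/nautilus", "app/usr/share/nautilus/ui.xml")
    with tempfile.TemporaryDirectory() as tmp:
        for path in files:
            full = os.path.join(tmp, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        plan = plan_merge([os.path.join(tmp, "base"), os.path.join(tmp, "app")])
        # Report source paths relative to the temp dir so the output is stable.
        return [(a, s and os.path.relpath(s, tmp), t) for a, s, t in plan]

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Every directory that both the base and the app populate (here usr and usr/bin) has to be split into per-child mounts, which is how a real /usr ends up with thousands of bind mounts.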


