Colin Walters <walters verbum org> writes:

> On Thu, 2012-09-06 at 06:08 +0300, Adrian Perez wrote:
>
>> and the linux-user-chroot tool won't work as some operations
>> are forbidden.
>
> So there are two independent technologies: virtualization, and
> containers. Even though Wikipedia calls containers "Operating
> system-level virtualization", it's a lot less confusing to say
> "containers".

Indeed. Let's call them containers for the sake of clarity :)

> But both technologies are kind of hostile to *nesting*, i.e.
> virtualization-inside-virtualization or container-inside-container.
>
> You can do VMs inside VMs as of very recent versions of KVM as I
> understand it, but with caveats.

...and only in certain architectures like amd64, but not i686 or ARM.
YMMV, as they say. Nesting containers is always prone to “funny” things
happening — I have had some previous experiences with those kinds of
things. Not all of them nice ;-)

> Given that linux-user-chroot is a security-sensitive setuid binary, I'm
> really wary of adding hacks to it.

This is understandable.

> What about writing instead a fork of the tool designed to nest inside
> vserver, and patching gnome-ostree to use it? I'd be happy to make this
> part more configurable/pluggable.

Probably this is the best approach. What about having an optional key in
ostbuild.cfg to configure the chroot helper? To keep things as easy as
possible, chroot helpers should accept the following command line
options supported by linux-user-chroot:

  --mount-proc
  --mount-bind
  --mount-readonly
  --chdir

The rest of the options could be specified in the configuration file,
e.g.:

  [general]
  chroot-helper = linux-user-chroot --unshare-ipc --unshare-net --unshare-pid

Then, ostbuild would pick the chroot-helper setting from the config
file, and append the needed --mount-*/--chdir flags and the program to
run. Then I could maintain a small vServer-friendly fork of
linux-user-chroot.

How does this sound?
> I think it's clearly a vServer bug that you can't call
> PR_SET_NO_NEW_PRIVS by the way. Someone should ping them about that.

Indeed you are right with this. After reading about what this does, I
cannot see why this should not work inside a vServer container. I am
trying to ping the vServer guys at #vserver on irc.oftc.net; if there
is no answer I will send them a message on the mailing list.

Cheers,

P.S. As a side note, lately I have been (ab)using linux-user-chroot to
launch some of the development chroots on my laptop. Nicer than some
ugly bash script I used to have :)

-- 
Adrian Perez <aperez igalia com> - Sent from my toaster
Igalia - Free Software Engineering
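The proposal above (a chroot-helper key in ostbuild.cfg, with the build tool appending the --mount-*/--chdir flags and the program) is small enough to sketch in full. The following is an added example written for this page; it is not gnome-ostree's ostbuild code nor anything from the message. It assumes linux-user-chroot's option shapes (--mount-proc DIR, --mount-bind SRC DEST, --mount-readonly DIR, --chdir DIR, then ROOTDIR PROGRAM [ARGS...]); the function names, parameter names and the sample config texts are mine.

```python
"""Compose a chroot-helper command line from an ostbuild.cfg-style config.

Added example, not gnome-ostree's own code.  The [general] chroot-helper
key is the one proposed in the thread; the function names and the assumed
argument shapes of the helper are illustration only.
"""
import configparser
import shlex

# Constructed sample config mirroring the thread's proposal.
SAMPLE_CFG = """
[general]
chroot-helper = linux-user-chroot --unshare-ipc --unshare-net --unshare-pid
"""

# Constructed sample pointing at a hypothetical vServer-friendly fork whose
# path contains a space, to show why the value is split with shlex.
FORK_CFG = """
[general]
chroot-helper = "/opt/vserver tools/vs-user-chroot" --unshare-pid
"""

# Used when the key is absent, so existing configs keep working.
DEFAULT_HELPER = "linux-user-chroot"


def load_chroot_helper(config_text):
    """Return the helper argv prefix from [general] chroot-helper (or the default)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    # fallback= covers both a missing section and a missing option.
    helper = cfg.get("general", "chroot-helper", fallback=DEFAULT_HELPER)
    argv = shlex.split(helper)  # shell-style split: quoted paths survive intact
    if not argv:
        raise ValueError("chroot-helper is set but empty")
    return argv


def build_chroot_command(config_text, rootdir, program, *, mount_proc=None,
                         binds=(), readonly=(), chdir=None):
    """Build the full argv: helper prefix + mount/chdir flags + root + program.

    Assumed option shapes (linux-user-chroot style):
      --mount-proc DIR, --mount-bind SRC DEST, --mount-readonly DIR, --chdir DIR,
      followed by ROOTDIR PROGRAM [ARGS...].
    """
    argv = load_chroot_helper(config_text)
    if mount_proc is not None:
        argv += ["--mount-proc", mount_proc]
    for src, dest in binds:
        argv += ["--mount-bind", src, dest]
    for path in readonly:
        argv += ["--mount-readonly", path]
    if chdir is not None:
        argv += ["--chdir", chdir]
    argv.append(rootdir)
    argv.extend(program)
    return argv


if __name__ == "__main__":
    cmd = build_chroot_command(SAMPLE_CFG, "/srv/build/root",
                               ["/bin/sh", "-c", "id"],
                               mount_proc="/proc",
                               binds=[("/srv/src", "/src")],
                               readonly=["/src"], chdir="/src")
    # Shell-quote for display so the reader sees exactly what would be exec'd.
    print(" ".join(shlex.quote(a) for a in cmd))
```

Because the helper is a setuid binary, a build tool using a setting like this should prefer an absolute path in chroot-helper and execute the resulting list directly (no shell), so that neither PATH lookup nor shell expansion can substitute a different program for the one the config names.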