PRoot Isar summary
11 views
Skip to first unread message
Alexander Smirnov
Nov 9, 2017, 4:57:43 AM11/9/17
to isar-users
Hello everybody,
I've tried to completely switch Isar to PRoot, so here are the problems
I've faced with:
1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
root. The command 'chown' doesn't have any effect.
2. Some system commands are failed in PRoot: passwd, chpasswd. I see
message: System error, no other clues (but for Wheezy these commands work).
3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
resulting image.
So, summary:
============
1. PRoot could be an intermediate option for:
+ Buildchroot creation.
+ Packages building.
- Drawback: works slowly.
2. For image generation the other tool should be considered.
--
With best regards,
Alexander Smirnov
ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov
I've tried to completely switch Isar to PRoot, so here are the problems
I've faced with:
1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
root. The command 'chown' doesn't have any effect.
2. Some system commands are failed in PRoot: passwd, chpasswd. I see
message: System error, no other clues (but for Wheezy these commands work).
3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
resulting image.
So, summary:
============
1. PRoot could be an intermediate option for:
+ Buildchroot creation.
+ Packages building.
- Drawback: works slowly.
2. For image generation the other tool should be considered.
--
With best regards,
Alexander Smirnov
ilbers GmbH
Baierbrunner Str. 28c
D-81379 Munich
+49 (89) 122 67 24-0
http://ilbers.de/
Commercial register Munich, HRB 214197
General manager: Baurzhan Ismagulov
Jan Kiszka
Nov 10, 2017, 1:59:36 PM11/10/17
to isar-...@googlegroups.com
On 2017-11-09 10:57, Alexander Smirnov wrote:
> Hello everybody,
>
> I've tried to completely switch Isar to PRoot, so here are the problems
> I've faced with:
>
> 1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
> root. The command 'chown' doesn't have any effect.
>
> 2. Some system commands are failed in PRoot: passwd, chpasswd. I see
> message: System error, no other clues (but for Wheezy these commands work).
>
> 3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
> resulting image.
>
> So, summary:
> ============
>
> 1. PRoot could be an intermediate option for:
> + Buildchroot creation.
> + Packages building.
> - Drawback: works slowly.
Aren't issues 1 and 2 from above affecting these use cases as well?
> Hello everybody,
>
> I've tried to completely switch Isar to PRoot, so here are the problems
> I've faced with:
>
> 1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
> root. The command 'chown' doesn't have any effect.
>
> 2. Some system commands are failed in PRoot: passwd, chpasswd. I see
> message: System error, no other clues (but for Wheezy these commands work).
>
> 3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
> resulting image.
>
> So, summary:
> ============
>
> 1. PRoot could be an intermediate option for:
> + Buildchroot creation.
> + Packages building.
> - Drawback: works slowly.
>
> 2. For image generation the other tool should be considered.
>
Jan
--
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
Alexander Smirnov
Nov 10, 2017, 2:42:26 PM11/10/17
to Jan Kiszka, isar-...@googlegroups.com
Hi,
On 11/10/2017 09:59 PM, Jan Kiszka wrote:
> On 2017-11-09 10:57, Alexander Smirnov wrote:
>> Hello everybody,
>>
>> I've tried to completely switch Isar to PRoot, so here are the problems
>> I've faced with:
>>
>> 1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
>> root. The command 'chown' doesn't have any effect.
>>
>> 2. Some system commands are failed in PRoot: passwd, chpasswd. I see
>> message: System error, no other clues (but for Wheezy these commands work).
>>
>> 3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
>> resulting image.
>>
>> So, summary:
>> ============
>>
>> 1. PRoot could be an intermediate option for:
>> + Buildchroot creation.
>> + Packages building.
>> - Drawback: works slowly.
>
> Aren't issues 1 and 2 from above affecting these use cases as well?
>
For now I don't have any facts about problems with buildchroot, but my
test includes only 'hello' and 'example-raw' applications.
- Regarding UID/GID, what I've seen for now, these manipulations are
done in postinst scripts.
- Passwd/chpasswd commands are also used in postinst scripts (for
example initrd package), there is no need to have passwords in
buildchroot because we are working under root.
So, roughly speaking, buildchroot is only needed to compile and pack the
binary package, what doesn't require multi-UID/GID and passwords support.
But for sure, it needs to build much more real packages to have more
precise statistics. :-(
So I've created dedicated branch 'asmirnov/proot' for possible
experiments in future.
>>
>> 2. For image generation the other tool should be considered.
>>
>
> What is plan B now? Plan C remains falling back to VM builds, I suppose.
So there are 2 options remain for evaluation:
- fakeroot
- pseudo
I'd like to evaluate these tools for the features, that are uncovered now:
- rootfs with UID/GID support: in general PRoot is able to generate
multistrap rootfs with just *upacked* Debian packages, all the problems
occur when I try to run 'dpkg-configure -a' inside this rootfs.
- ext2fs image generation (AFAIK this already is supported by Yocto,
but unfortunately I don't know too much, I need to take a look first).
From this evaluation I'd like to get two points:
1. Could we somehow implement quick PoC to drop 'sudo' for Isar. This
PoC could be based on several tools in parallel.
2. If the item above is possible - then choose one dedicated tool and
try to adapt it for our needs.
Alex
On 11/10/2017 09:59 PM, Jan Kiszka wrote:
> On 2017-11-09 10:57, Alexander Smirnov wrote:
>> Hello everybody,
>>
>> I've tried to completely switch Isar to PRoot, so here are the problems
>> I've faced with:
>>
>> 1. PRoot doesn't work with UID/GID, all the files in PRoot are owned by
>> root. The command 'chown' doesn't have any effect.
>>
>> 2. Some system commands are failed in PRoot: passwd, chpasswd. I see
>> message: System error, no other clues (but for Wheezy these commands work).
>>
>> 3. mkfs.ext4 doesn't work under proot, lots of files are dropped in
>> resulting image.
>>
>> So, summary:
>> ============
>>
>> 1. PRoot could be an intermediate option for:
>> + Buildchroot creation.
>> + Packages building.
>> - Drawback: works slowly.
>
> Aren't issues 1 and 2 from above affecting these use cases as well?
>
test includes only 'hello' and 'example-raw' applications.
- Regarding UID/GID, what I've seen for now, these manipulations are
done in postinst scripts.
- Passwd/chpasswd commands are also used in postinst scripts (for
example initrd package), there is no need to have passwords in
buildchroot because we are working under root.
So, roughly speaking, buildchroot is only needed to compile and pack the
binary package, what doesn't require multi-UID/GID and passwords support.
But for sure, it needs to build much more real packages to have more
precise statistics. :-(
So I've created dedicated branch 'asmirnov/proot' for possible
experiments in future.
>>
>> 2. For image generation the other tool should be considered.
>>
>
> What is plan B now? Plan C remains falling back to VM builds, I suppose.
- fakeroot
- pseudo
I'd like to evaluate these tools for the features, that are uncovered now:
- rootfs with UID/GID support: in general PRoot is able to generate
multistrap rootfs with just *upacked* Debian packages, all the problems
occur when I try to run 'dpkg-configure -a' inside this rootfs.
- ext2fs image generation (AFAIK this already is supported by Yocto,
but unfortunately I don't know too much, I need to take a look first).
From this evaluation I'd like to get two points:
1. Could we somehow implement quick PoC to drop 'sudo' for Isar. This
PoC could be based on several tools in parallel.
2. If the item above is possible - then choose one dedicated tool and
try to adapt it for our needs.
Alex
Benedikt Niedermayr
Nov 11, 2017, 12:22:32 PM11/11/17
to Alexander Smirnov, Jan Kiszka, isar-...@googlegroups.com
these tools. Each tool has own drawbacks and benefits, but no tool
combines multiple drawbacks to fit our needs.
I don't want to bother you, but why can't we try to focus on running
builds with docker support?
Create a wrapper around "bitbake" which first performs a docker
container setup and then runs the bitbake build.
Using such wrapper can make the docker thing almost transparent.
I know there are some problems getting a docker container secure, but
maybe a focus on trying to get a docker based isar build secure, is
easier to reach than the our current approaches?
It is possible to drop some capabilities for docker in order to make it
more secure (e.g. don't allow to create dev files).
A mount command is also not required since, new versions of mkfs have
the "-d" option included (specifiy a directory, which copied into the
filesystem image). So no sys_admin capabilities would be needed.
It is also possible to customize other things within the container to
make it more secure:
- Add only required commands to sudoers file.
- Modify permissions to files/directories.
- Think about which commands within isar really need root privileges,
and drop those.
I think, if somebody seriously wants to exploit the container, he will
also reach that with a non-root based build.
The attachment contains a (very basic and rudimentary) approach of
running docker based isar builds.
Benedikt
Claudius Heine
Nov 12, 2017, 3:53:23 AM11/12/17
to Benedikt Niedermayr, Alexander Smirnov, Jan Kiszka, isar-...@googlegroups.com
Hi Ben,
On Sat, 2017-11-11 at 18:22 +0100, 'Benedikt Niedermayr' via isar-users
wrote:
We already using such a wrapper, that does sort of what you want:
https://github.com/siemens/kas
It does not wrap around docker itself, but around bitbake and a ready
prepared docker container is available:
https://hub.docker.com/r/kasproject/kas-isar/
Patches and feature requests welcome.
> I know there are some problems getting a docker container secure,
> but
> maybe a focus on trying to get a docker based isar build secure, is
> easier to reach than the our current approaches?
>
> It is possible to drop some capabilities for docker in order to make
> it
> more secure (e.g. don't allow to create dev files).
>
> A mount command is also not required since, new versions of mkfs
> have
> the "-d" option included (specifiy a directory, which copied into
> the
> filesystem image). So no sys_admin capabilities would be needed.
>
> It is also possible to customize other things within the container
> to
> make it more secure:
>
> - Add only required commands to sudoers file.
Problem here are the additional layers that might add additional
programs that need to be run with root privileges. That is not
something that can be controlled easily.
>
> - Modify permissions to files/directories.
Who cares if the container gets corrupted, of course we should mount
every 'source' directory into the container read-only.
>
> - Think about which commands within isar really need root
> privileges,
> and drop those.
Don't think that really helps, because there are so many programs that
might require root privileges, depending on the custom recipe.
Also if 'postinst' is run as root, you could put any command there that
is run as root user.
>
> I think, if somebody seriously wants to exploit the container, he
> will
> also reach that with a non-root based build.
If we are giving up on trying to remove the root dependency of the
build, then I would rather go with preparing a vagrant file instead of
a container. We would have better isolation there and don't really need
to care about capabilities.
Otherwise I would still suggest to patch proot to support the
additional syscalls (chown, chmod, mknod, ...), save those into a file
and allow proot to load this file via a parameter. Then we would have
something like pseudo, but better. Since pseudo and fakeroot does not
work with static binaries. (And this is what I thought Alex was looking
into.)
Cheers,
Claudius
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: c...@denx.de
PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
Keyserver: hkp://pool.sks-keyservers.net
On Sat, 2017-11-11 at 18:22 +0100, 'Benedikt Niedermayr' via isar-users
wrote:
https://github.com/siemens/kas
It does not wrap around docker itself, but around bitbake and a ready
prepared docker container is available:
https://hub.docker.com/r/kasproject/kas-isar/
Patches and feature requests welcome.
> I know there are some problems getting a docker container secure,
> but
> maybe a focus on trying to get a docker based isar build secure, is
> easier to reach than the our current approaches?
>
> It is possible to drop some capabilities for docker in order to make
> it
> more secure (e.g. don't allow to create dev files).
>
> A mount command is also not required since, new versions of mkfs
> have
> the "-d" option included (specifiy a directory, which copied into
> the
> filesystem image). So no sys_admin capabilities would be needed.
>
> It is also possible to customize other things within the container
> to
> make it more secure:
>
> - Add only required commands to sudoers file.
programs that need to be run with root privileges. That is not
something that can be controlled easily.
>
> - Modify permissions to files/directories.
every 'source' directory into the container read-only.
>
> - Think about which commands within isar really need root
> privileges,
> and drop those.
might require root privileges, depending on the custom recipe.
Also if 'postinst' is run as root, you could put any command there that
is run as root user.
>
> I think, if somebody seriously wants to exploit the container, he
> will
> also reach that with a non-root based build.
build, then I would rather go with preparing a vagrant file instead of
a container. We would have better isolation there and don't really need
to care about capabilities.
Otherwise I would still suggest to patch proot to support the
additional syscalls (chown, chmod, mknod, ...), save those into a file
and allow proot to load this file via a parameter. Then we would have
something like pseudo, but better. Since pseudo and fakeroot does not
work with static binaries. (And this is what I thought Alex was looking
into.)
Cheers,
Claudius
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: c...@denx.de
PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
Keyserver: hkp://pool.sks-keyservers.net
Reply all
Reply to author
Forward
0 new messages