Hi Sean,
On 2020-01-28 17:50, Sean Whitton wrote:
>I am thinking about implementing support for running commands in a
>chroot,which would be used like this:
>
>task "foo" => sub {
> chroot "/srv/chroot/foo" => sub {
> file "/etc/foo.conf", source => "confs/foo.conf"; # actually edits
>/srv/chroot/foo/etc/foo.conf
> run "mycmd", ["--foo", "bar"]; # actually execs `chroot
>/srv/chroot/foo mycmd --foo bar`
> };
>};
>
sounds great, I'm sure it would a be a useful addition!
>Has anyone thought about how this would be implemented in Rex?
There is a placeholder issue about chroot support with some recent
comment:
https://github.com/RexOps/Rex/issues/468
Looks like your proposal matches the second form mentioned there, which
I believe is a well-balanced design choice.
>My first thoughts are that we probably don't want to use the chroot
>system call, because that would require forking, which won't work
>except where the connection type is local.
I guess you mean the perl built-in chroot, right? Technically, if the
managed host has perl, a small wrapper script can be created there, then
executed, and that might work. I would prefer a "cleaner" solution
though, like the one below.
>So it seems we want some sort of connection layer, like the current
>sudo layer, which transforms paths and prepends chroot(1) to commands.
>Does that sound right?
Yes, that could be one approach, definitely. Another could be to still
add a "chroot modifier" for `run`/`i_run` commands and the chroot
feature somehow transforms those calls by e.g. adding the extra
parameters.
Since I expect some experimentation before reaching a stable set of
interface design and implementation details, I would suggest trying to
implement this first outside Rex core as an extension module
(Rex::Commands::Chroot and similar perhaps?).
Finally, some random thoughts to consider, which occurred to me while
replying:
- A chroot feature probably would need to handle not just the
user-defined `run` commands, but also the OS commands executed
internally by rex (`i_run`).
- For some functionality (notably sudo support), rex uses small perl
wrapper scripts on the machine targeted by a task. They probably need
to be double-checked in the context of a chroot feature.
- Related to the point above, chroot would be used by root, so it would
be probably used together with sudo in one way or another. First
iteration might be able to assume "root-only, without sudo" use case,
though, and then perhaps it could be solved later.
- I wonder how this feature would be best to test, and if there's any
relevant differences between various platforms besides "chroot is not
supported on Windows" (fixme)?
In any case, I'd be happy to help your work towards this feature, feel
free to join the discussions on the GitHub issue and/or on IRC too.
Cheers,
FErki