pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)

[s243a]

Which puppylinux kernels have "user namespaces" enabled? It might be useful.

Oh, one other important point. You need to have a Linux kernel with namespaces support. Some Puppy kernels, including Quirky, do not have this.

I am currently using kernel 4.4.44, configured as shown here:

http://barryk.org/news/?viewDetailed=00500

Fatdog64 should be OK. Fatdog64 has aufs, probably not overlayfs (I haven't checked, just guessing).

http://murga-linux.com/puppy/viewtopic. ... 772#940772

However @BarryK seems to later contridict this:

EDIT 2018-10-8
Reverted, going back to the 4.14.73 kernel with user namespaces disabled. Will keep it disabled for future compiles of the kernel. Have been reading some more, and user namespaces seem like asking for trouble. Plus, as already running as root in Easy, there doesn't seem much point in having user namespaces.

What I do want to be able to do is optionally run as user 'zeus' in containers. I was unable to get pflask to do that. rather than get tied up trying to "fix" pflask, perhaps this is a satisfactory workaround:

# pflask -- chroot --userspec=zeus:zeus /mnt/sdc2/containers/sh0/container whoami
zeus

Well, that's a starting point, but has limitations. If pflask drops capabilities, will have to make sure that still has the capability to do a chroot and change user:group -- which, oddly, may mean zeus will end up with more capabilities than the "crippled root" -- though, a start-script in the container could drop more capabilities.

Also, the full 'chroot' from 'coreutils' package is required, as the busybox applet does not support that commandline option.

https://bkhome.org/news/201810/kernel-4 ... paces.html

I'm trying to find a kernel suitable to run pflask on puppylinux. pflask seems to run on Fatdog64 and EasyOS but not necessarily on puppylinux. The error I get is "write(gid_map): Operation not permitted" (see post). Installing the package uidmap, didn't seem to resolve this issue.

While trying to solve this issue I came across a number of kernal parmaters that may or may not be relevent.

/proc/sys/kernel/unprivileged_bpf_disable (Configurable on Fatdog64). Mentioned at:
1 - github.com/lxc/lxc: Can't start unprivileged containers on 4.9 kernel with OpenWRT #1923
2 - nsfocusglobal.com: Linux Kernel Information Disclosure and Privilege Escalation Vulnerability Threat Alert
3 - ycombinator: Linux 3.8 introduced unprivileged user namespaces [pdf] (man7.org)
7 - gitlab.com: Rootless docker guide

kernel.unprivileged_userns_clone -- Mentioned at:
4 - superuser.com/questions/1094597: Enable user namespaces in Debian kernel
5 - .stackexchange.com/.../303213: How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)
6 - github.com/containers/buildah: Provide a better error message when user namespaces are not available #1068

Source #5 (How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)) also mentiones kernel.userns_restrict. Source #1 (Can't start unprivileged containers on 4.9 kernel with OpenWRT #1923) mentions two kernel patches to get these kernel parameters:

After applying the two kernel patches from the two links below, the output of ls -al /proc/sys/kernel/| grep unpriv is

lxcuser@LEDE:~$ ls -al /proc/sys/kernel/| grep unpriv
-rw-r--r-- 1 root root 0 Oct 3 11:09 unprivileged_bpf_disabled
-rw-r--r-- 1 root root 0 Oct 3 11:09 unprivileged_userns_clone

lxcuser@LEDE:~$ cat /proc/sys/kernel/unprivileged_userns_clone
1

lxcuser@LEDE:~$ unshare -U
-ash: setgid: Invalid argument

Kernel patches taken from
https://lists.ubuntu.com/archives/kerne ... 67926.html
https://lwn.net/Articles/673990

https://github.com/lxc/lxc/issues/1923# ... -347109881

Here are some random links on sandboxing that came up on my search that people might find interesting:
Sandboxing Unsafe Executables on Linux for an Online Compiler with Minijail
http://www.oldforum.puppylinux.com OS Level Virtualization: Containers, chroot, cgroops jails,
https://chromium.googlesource.com/chromium/.../sandboxing.md

Here is an other interesting kernel parmater mentioned by BarryK but not related to sandboxing:
https://man7.org/linux/man-pages/man7/k ... own.7.html (mentioned in EasyOS 2.4.92 released, RC for 2.5)

Here are some manpages relevant to sandboxing (e.g. unsername mappings, cgroups, etc):
https://linux.die.net/man/5/cgrules.conf

Some more kernel documentation:
kernel.org/doc/html/latest/admin-guide: Namespaces compatibility list
kernel.org/doc/html/latest/admin-guide: Documentation for /proc/sys/kernel/

[rockedge]

This is the full real time kernel 5.4.70-rt40 I've compiled that might have the username space enabled:

Screenshot(6).png (28.14 KiB) Viewed 761 times

Also checked the full real time kernel 4.19.82-rt-30:

Screenshot(61).png (27.49 KiB) Viewed 759 times

If this is what you are looking for the kernel is here: https://rockedge.org/kernels/

under "Kernels"

[s243a]

This is the full real time kernel 5.4.70-rt40 I've compiled that might have the username space enabled:

Screenshot(6).png

Also checked the full real time kernel 4.19.82-rt-30:

Screenshot(61).png

If this is what you are looking for the kernel is here: https://rockedge.org/kernels/

under "Kernels"

Thankyou for the info. . I tried the command on upupGG+D and I get the following:

Code: Select all

# sysctl -a | grep namespace
user.max_cgroup_namespaces = 46499
user.max_ipc_namespaces = 46499
user.max_mnt_namespaces = 46499
user.max_net_namespaces = 46499
user.max_pid_namespaces = 46499
user.max_user_namespaces = 46499
user.max_uts_namespaces = 46499
sysctl -a | grep priv
kernel.unprivileged_bpf_disabled = 0
net.ipv4.ip_unprivileged_port_start = 1024

So I think the kernel that comes with upupGG+D already has these features. I also looked in menuconfig and I saw that they were checked.

The following Gentoo Wiki has some further info about what kernel parameters one might want to configure for containers:
https://wiki.gentoo.org/wiki/LXC

On another note, BarryK is saying that both ncap-ng and pflask should be compiled with the kernel sources (see post). When I compiled pflask it didn't ask for the kernel sources but maybe I should somehow do so .

One thing I tried to get things working was to copy the two files "/etc/subuid and /etc/subgid" from fatdog64.

https://docs.docker.com/engine/security/userns-remap/

As a side note @BarryK , did mention some patches for pflask:

Note, there are some patches here, don't know if any of them are useful:

https://github.com/OverC/meta-overc/blo ... ask_git.bb

https://bkhome.org/news/201809/pflask-c ... roids.html

but I don't think that he applied them.

[ozsouth]

My 5.4.100 64bit kernel ouput:
# sysctl -a | grep namespace
user.max_cgroup_namespaces = 31481
user.max_ipc_namespaces = 31481
user.max_mnt_namespaces = 31481
user.max_net_namespaces = 31481
user.max_pid_namespaces = 31481
user.max_user_namespaces = 31481
user.max_uts_namespaces = 31481

[s243a]

On fatdog64 which supports group and user mappings:

Code: Select all

-sh-4.4# sysctl -a | grep namespace
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wlan0.stable_secret"
user.max_cgroup_namespaces = 29685
user.max_ipc_namespaces = 29685
user.max_mnt_namespaces = 29685
user.max_net_namespaces = 29685
user.max_pid_namespaces = 29685
user.max_user_namespaces = 29685
user.max_uts_namespaces = 29685
-sh-4.4# sysctl -a | grep priv     
kernel.unprivileged_bpf_disabled = 0
net.ipv4.ip_unprivileged_port_start = 1024
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wlan0.stable_secret"
vm.unprivileged_userfaultfd = 1

[s243a]

I think I was able to enable unprivileged_bpf_disabled by doing the following.

2. Create a sysctl configuration file /etc/sysctl.d/80-lxc-userns.conf for enabling the required unprivileged_userns_clone flag at boot:

Code: Select all

kernel.unprivileged_userns_clone=1

3. Reload sysctl so it takes into account the newly created /etc/sysctl.d/80-lxc-userns.conf configuration file:

Code: Select all

sudo sysctl --system

https://myles.sh/configuring-lxc-unpriv ... an-jessie/

Then I observe:

Code: Select all

# ls /proc/sys/kernel | grep priv
unprivileged_bpf_disabled

which I don't think showed up before. Unfortunately, this didn't solve my problem.

[s243a]

I'm getting a little closer to getting pflask working on puppy (rather than Fatdog64 or EasyOS). Given that the pflask I installed didn't seem to recognize the capability option, I decided to look at the Fatdog64 recepie for pflask:

http://distro.ibiblio.org/fatdog/source/800/pflask-master-20180927.tar.bz2

After looking at the source, I noticed that the Fatdog64 is likely using the latest github code rather than the latest release. I suspect that EasyOS is doing the same. Anyway, after trying to compile the Fatdog64 verion of pflask, I identified the following missing packages in the devX of upupGG+D (see post): python3-minimal, python3-cap-ng, libcap-ng-dev

I suspect that at least some of these are also missing in Official puppies. However, after installing these packages, I'm now getting a lot of errors of the type:

Code: Select all

/usr/bin/ld: src/util.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: multiple definition of `use_syslog'; src/capabilities.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: first defined here
collect2: error: ld returned 1 exit status

[BarryK]

Hi,
I only quickly scanned this thread, so have not digested it all.

However, regarding the pflask source, this is what I use:

http://distro.ibiblio.org/easyos/source ... ter.tar.gz
Or:
http://distro.ibiblio.org/easyos/source ... ter.tar.gz

Maybe of some interest, this is the recipe in OpenEmbedded to compile it, file 'pflask_20180925.bb':

Code: Select all

# Recipe created by recipetool
# recipetool create -o pflask_git.bb https://github.com/ghedo/pflask.git
# ref: https://github.com/OverC/meta-overc/blob/master-oci/meta-cube/recipes-containers/pflask/pflask_git.bb

# BK note, source pkg has 'waf' in it. 2020-09-19 the one in pyro repo doesn't.
# anyway, that waf is a python2 script. waf-2.0.20 handles python3.

LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=c2cd5f772e6f9b401d92014b0d1ebccd"

SRC_URI = "http://distro.ibiblio.org/easyos/source/oe/pyro/pflask-${PV}master.tar.gz \
  file://waf-2.0.20"

SRC_URI[md5sum] = "3dec4d7b15f1fb746a9d0df0aa571081"
SRC_URI[sha1sum] = "78c0ff51540ed8f94d743ea738cbef1dfbbbf1e7"
SRC_URI[sha256sum] = "d1334b277ffe4e0e05e535a055851402dddc961ea3eea9a850da4699c24bc824"
SRC_URI[sha384sum] = "f2aca865cf0f1d2f5890efa1cacfa500a8fdf3c6f8089820620f2d17d3256db57d264535eb75b7886da3ce02ce30b740"
SRC_URI[sha512sum] = "13221d474a539ffbfe0006369dc85b34f681eb3f26fe04a5e87f5db0e9e251638329e28a4189b6ade0db91acfebc018bbdc754e71cd4d3de3dc8b1b33a389388"

S = "${WORKDIR}/${BPN}-${PV}master"

inherit pkgconfig python3native

# dbus and libcap-ng are optional deps, but i don't think need dbus...
DEPENDS = "libcap-ng"

do_configure_prepend () {
	cp -f ${WORKDIR}/waf-2.0.20 ./waf
	chmod 755 waf
}

do_configure () {
	./waf configure --prefix=${prefix}
}

do_compile () {
	./waf build
}

do_install () {
	install -d ${D}/usr/bin
	install -m 755 build/pflask ${D}/usr/bin
}

SECTION = "devel"
SUMMARY = "Light weight container runtime"
HOMEPAGE = "https://ghedo.github.io/pflask/"

Note the dbus optional dependency, not used.

[rockedge]

I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.

I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :

Code: Select all

./bootstrap.py
./waf configure
./waf build

I found the thread really interesting and have not use pflask before now other than in EasyOS, so I gave it a try out. Further testing and refinement is necessary. Also I have a really complete Python 3 in this Bionic64 to run object detection programs.

[s243a]

I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.

I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :

Code: Select all

./bootstrap.py
./waf configure
./waf build

I found the thread really interesting and have not use pflask before now other than in EasyOS, so I gave it a try out. Further testing and refinement is necessary. Also I have a really complete Python 3 in this Bionic64 to run object detection programs.

Did you use the latest github code or one of the releases?

[s243a]

I'm getting a little closer to getting pflask working on puppy (rather than Fatdog64 or EasyOS). Given that the pflask I installed didn't seem to recognize the capability option, I decided to look at the Fatdog64 recepie for pflask:

http://distro.ibiblio.org/fatdog/source/800/pflask-master-20180927.tar.bz2

After looking at the source, I noticed that the Fatdog64 is likely using the latest github code rather than the latest release. I suspect that EasyOS is doing the same. Anyway, after trying to compile the Fatdog64 verion of pflask, I identified the following missing packages in the devX of upupGG+D (see post): python3-minimal, python3-cap-ng, libcap-ng-dev

I suspect that at least some of these are also missing in Official puppies. However, after installing these packages, I'm now getting a lot of errors of the type:

Code: Select all

/usr/bin/ld: src/util.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: multiple definition of `use_syslog'; src/capabilities.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: first defined here
collect2: error: ld returned 1 exit status

I was able to fix this "multiple definition" error by adding the "extern" keyword to

Code: Select all

extern int use_syslog;

in line 42 of printf.h, which is part of the pflask source.

I figured this out by searching for "declaring variable in c header files" and I noticed in a few discussions recommending the "extern" keyword in the header file. The first thing I tried was removing the "int" keyword in printf.c but that is not allowed in c because in "c" there is apparently a difference between declaring a variable and defining a variable. When you declare a variable it allocates memory but when you define a variable it is just a protype. You can define a variable multiple times using the extern keyword but you can declare it only once. All variables declared or defined outside of a function (or codeblock?) are global.

I'm not sure if this error is due to this header file being imported in multiple places or because it conflicts with the following deffintion:

Code: Select all

int use_syslog = 0;

*line number 43 of printf.c, which is also part of the pflask source.

*disclaimer. I only just spent a bit of time googling this tonight so my understanding on this isn't great and I"m far from an expert.

P.S. I'm curious why this wasn't an issue when pflask was built on fatdog64. Was there some patch that I missed?

**Final note. This fix appears to have let me successfully compile pflask. I'll test it now.

[s243a]

I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.

I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :

Code: Select all

./bootstrap.py
./waf configure
./waf build

I found the thread really interesting and have not use pflask before now other than in EasyOS, so I gave it a try out. Further testing and refinement is necessary. Also I have a really complete Python 3 in this Bionic64 to run object detection programs.

The tricky thing is the so called /init script for the container can't have any errors or the container won't work and reducing the capabilities of the processes within the container creates further opportunities for errors. In my /init script, I strip the /root/.jwmrc and /root/.jwmrc files so that starting jwm doesn't launch any undeeded processes:

Code: Select all

cat << "EOF" >top/strip_jwm.sh
#!bin/sh
cat /root/.jwmrc | sed -nr '$! {H};$ {H;x;s#(<StartupCommand>)(.*)(</StartupCommand>)##g;p}' > /root/.jwmrc-new
mv /root/.jwmrc-new /root/.jwmrc
 
cat /root/.jwmrc-tray | sed -nr '/.*xload*./! {p}' > /root/.jwmrc-tray-new
mv /root/.jwmrc-tray-new /root/.jwmrc-tray
EOF

Ln#393-404 of ruf-puppy4-flask.sh

I also start jwm directly rather than relying on the /root/.xinitrc file

Code: Select all

echo '
#!/bin/sh
source /etc/profile
export PATH="$PATH:/usr/local/bin/"
ldconfig
#gdk-pixbuf-query-loaders --update-cache
/usr/bin/gtk-update-icon-cache -f /usr/share/icons/hicolor/
DEFAULT_DESK_ICONS="JQ8flat"
#[ $NEWPVERSION -ge 500 ] && DEFAULT_DESK_ICONS="JQ8flat"
[ ! -d /usr/local/lib/X11/themes/JQ8flat ] && DEFAULT_DESK_ICONS="Stardust"
[ -f /etc/desktop_icon_theme ] && DEFAULT_DESK_ICONS="`cat /etc/desktop_icon_theme`" #w477
/usr/sbin/icon_switcher_cli $DEFAULT_DESK_ICONS
fixmenus #probably not necessary
DISPLAY=:2 rox -n &
/strip_jwm.sh
DISPLAY=:2 jwm &
PID=$!
'"#$(if [ ! -z "$BROWSER_CMD" ]; then
  echo "DISPLAY=:2 xterm -e $BROWSER_CMD"
   fi )"'
wait "$PID"
' >top/init_basic

Ln#336-357 of ruf-puppy4-flask.sh
**Note that this above init script is for puppy4. In later versions of puppy icons/themes are handled differently.

For more info on the above example see (still very preliminary!):
[sfs_only]: Attack Pup, Pristine and with Updated Core/CLI libs/utilities

For examples on newer versions of puppy you could look at my containerized versions of the iron-browser and ungoogled-chromium browser. In all cases the /dev/mixer mount point will need to be removed for the container to work on GroovyPup32 (AKA upupGG+D). They will though work without modification on Fatdog64-811.

[rockedge]

I used the most recent from here -> https://github.com/ghedo/pflask