pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Tue Mar 02, 2021 4:02 am
by s243a
Which puppylinux kernels have "user namespaces" enabled? It might be useful.
BarryK wrote:
Oh, one other important point. You need to have a Linux kernel with namespaces support. Some Puppy kernels, including Quirky, do not have this.
I am currently using kernel 4.4.44, configured as shown here:
http://barryk.org/news/?viewDetailed=00500
Fatdog64 should be OK. Fatdog64 has aufs, probably not overlayfs (I haven't checked, just guessing).
http://murga-linux.com/puppy/viewtopic. ... 772#940772
However, @BarryK seems to later contradict this:
BarryK wrote:
EDIT 2018-10-8
Reverted, going back to the 4.14.73 kernel with user namespaces disabled. Will keep it disabled for future compiles of the kernel. Have been reading some more, and user namespaces seem like asking for trouble. Plus, as already running as root in Easy, there doesn't seem much point in having user namespaces.
What I do want to be able to do is optionally run as user 'zeus' in containers. I was unable to get pflask to do that. Rather than get tied up trying to "fix" pflask, perhaps this is a satisfactory workaround:
# pflask -- chroot --userspec=zeus:zeus /mnt/sdc2/containers/sh0/container whoami
zeus
Well, that's a starting point, but has limitations. If pflask drops capabilities, will have to make sure that still has the capability to do a chroot and change user:group -- which, oddly, may mean zeus will end up with more capabilities than the "crippled root" -- though, a start-script in the container could drop more capabilities.
Also, the full 'chroot' from 'coreutils' package is required, as the busybox applet does not support that commandline option.
https://bkhome.org/news/201810/kernel-4 ... paces.html
I'm trying to find a kernel suitable to run pflask on puppylinux. pflask seems to run on Fatdog64 and EasyOS but not necessarily on puppylinux. The error I get is "write(gid_map): Operation not permitted" (see post). Installing the package uidmap, didn't seem to resolve this issue.
While trying to solve this issue I came across a number of kernel parameters that may or may not be relevant.
/proc/sys/kernel/unprivileged_bpf_disable (Configurable on Fatdog64). Mentioned at:
1 - github.com/lxc/lxc: Can't start unprivileged containers on 4.9 kernel with OpenWRT #1923
2 - nsfocusglobal.com: Linux Kernel Information Disclosure and Privilege Escalation Vulnerability Threat Alert
3 - ycombinator: Linux 3.8 introduced unprivileged user namespaces [pdf] (man7.org)
7 - gitlab.com: Rootless docker guide
kernel.unprivileged_userns_clone -- Mentioned at:
4 - superuser.com/questions/1094597: Enable user namespaces in Debian kernel
5 - .stackexchange.com/.../303213: How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)
6 - github.com/containers/buildah: Provide a better error message when user namespaces are not available #1068
Source #5 (How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)) also mentions kernel.userns_restrict. Source #1 (Can't start unprivileged containers on 4.9 kernel with OpenWRT #1923) mentions two kernel patches to get these kernel parameters:
JagadeeshPagadala wrote:
After applying the two kernel patches from the two links below, the output of ls -al /proc/sys/kernel/| grep unpriv is
lxcuser@LEDE:~$ ls -al /proc/sys/kernel/| grep unpriv
-rw-r--r-- 1 root root 0 Oct 3 11:09 unprivileged_bpf_disabled
-rw-r--r-- 1 root root 0 Oct 3 11:09 unprivileged_userns_clone
lxcuser@LEDE:~$ cat /proc/sys/kernel/unprivileged_userns_clone
1
lxcuser@LEDE:~$ unshare -U
-ash: setgid: Invalid argument
Kernel patches taken from
https://lists.ubuntu.com/archives/kerne ... 67926.html
https://lwn.net/Articles/673990
https://github.com/lxc/lxc/issues/1923# ... -347109881
Here are some random links on sandboxing that came up on my search that people might find interesting:
Sandboxing Unsafe Executables on Linux for an Online Compiler with Minijail
http://www.oldforum.puppylinux.com OS Level Virtualization: Containers, chroot, cgroups jails,
https://chromium.googlesource.com/chromium/.../sandboxing.md
Here is another interesting kernel parameter mentioned by BarryK but not related to sandboxing:
https://man7.org/linux/man-pages/man7/k ... own.7.html (mentioned in EasyOS 2.4.92 released, RC for 2.5)
Here are some manpages relevant to sandboxing (e.g. username mappings, cgroups, etc.):
https://linux.die.net/man/5/cgrules.conf
Some more kernel documentation:
kernel.org/doc/html/latest/admin-guide: Namespaces compatibility list
kernel.org/doc/html/latest/admin-guide: Documentation for /proc/sys/kernel/
Re: Which PuppyLinux Kernels have "user namespaces enabled"?
Posted: Tue Mar 02, 2021 1:31 pm
by rockedge
This is the full real time kernel 5.4.70-rt40 I've compiled that might have the username space enabled:
(attachment: Screenshot(6).png)
Also checked the full real time kernel 4.19.82-rt-30:
(attachment: Screenshot(61).png)
If this is what you are looking for the kernel is here: https://rockedge.org/kernels/
under "Kernels"
Re: Which PuppyLinux Kernels have "user namespaces enabled"?
Posted: Wed Mar 03, 2021 6:48 am
by s243a
rockedge wrote (Tue Mar 02, 2021 1:31 pm):
This is the full real time kernel 5.4.70-rt40 I've compiled that might have the username space enabled:
Screenshot(6).png
Also checked the full real time kernel 4.19.82-rt-30:
Screenshot(61).png
If this is what you are looking for the kernel is here: https://rockedge.org/kernels/
under "Kernels"
Thank you for the info. I tried the command on upupGG+D and I get the following:
Code:
# sysctl -a | grep namespace
user.max_cgroup_namespaces = 46499
user.max_ipc_namespaces = 46499
user.max_mnt_namespaces = 46499
user.max_net_namespaces = 46499
user.max_pid_namespaces = 46499
user.max_user_namespaces = 46499
user.max_uts_namespaces = 46499
# sysctl -a | grep priv
kernel.unprivileged_bpf_disabled = 0
net.ipv4.ip_unprivileged_port_start = 1024
So I think the kernel that comes with upupGG+D already has these features. I also looked in menuconfig and I saw that they were checked.
The following Gentoo Wiki has some further info about what kernel parameters one might want to configure for containers:
https://wiki.gentoo.org/wiki/LXC
On another note, BarryK is saying that both ncap-ng and pflask should be compiled with the kernel sources (see post). When I compiled pflask it didn't ask for the kernel sources, but maybe I should somehow do so.
One thing I tried to get things working was to copy the two files /etc/subuid and /etc/subgid from Fatdog64.
https://docs.docker.com/engine/security/userns-remap/
As a side note, @BarryK did mention some patches for pflask:
https://bkhome.org/news/201809/pflask-c ... roids.html
but I don't think that he applied them.
Re: Which PuppyLinux Kernels have "user namespaces enabled"?
Posted: Wed Mar 03, 2021 9:13 am
by ozsouth
My 5.4.100 64bit kernel output:
# sysctl -a | grep namespace
user.max_cgroup_namespaces = 31481
user.max_ipc_namespaces = 31481
user.max_mnt_namespaces = 31481
user.max_net_namespaces = 31481
user.max_pid_namespaces = 31481
user.max_user_namespaces = 31481
user.max_uts_namespaces = 31481
Re: Which PuppyLinux Kernels have "user namespaces enabled"?
Posted: Wed Mar 03, 2021 2:01 pm
by s243a
On fatdog64 which supports group and user mappings:
Code:
-sh-4.4# sysctl -a | grep namespace
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wlan0.stable_secret"
user.max_cgroup_namespaces = 29685
user.max_ipc_namespaces = 29685
user.max_mnt_namespaces = 29685
user.max_net_namespaces = 29685
user.max_pid_namespaces = 29685
user.max_user_namespaces = 29685
user.max_uts_namespaces = 29685
-sh-4.4# sysctl -a | grep priv
kernel.unprivileged_bpf_disabled = 0
net.ipv4.ip_unprivileged_port_start = 1024
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wlan0.stable_secret"
vm.unprivileged_userfaultfd = 1
Re: Which PuppyLinux Kernels have "user namespaces enabled"?
Posted: Wed Mar 03, 2021 2:38 pm
by s243a
I think I was able to enable unprivileged_bpf_disabled by doing the following.
2. Create a sysctl configuration file /etc/sysctl.d/80-lxc-userns.conf for enabling the required unprivileged_userns_clone flag at boot:
Code:
kernel.unprivileged_userns_clone=1
3. Reload sysctl so it takes into account the newly created /etc/sysctl.d/80-lxc-userns.conf configuration file:
https://myles.sh/configuring-lxc-unpriv ... an-jessie/
Then I observe:
Code:
# ls /proc/sys/kernel | grep priv
unprivileged_bpf_disabled
which I don't think showed up before. Unfortunately, this didn't solve my problem.
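The following is an added example for the kernel question in the opening post and for the sysctl.d step just above; it is not code from pflask, Puppy, EasyOS or any poster in this thread. It is a POSIX sh script that reports the settings that actually decide whether a user namespace can be created on a given kernel, then repeats the id-map writes a container runtime such as pflask performs, so that a "write(gid_map): Operation not permitted" can be reproduced outside pflask. Three caveats it encodes: kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel patch, so it being absent on a mainline-configured kernel is normal (the mainline limit is user.max_user_namespaces, where 0 disables creation); kernel.unprivileged_bpf_disabled governs the bpf() syscall and says nothing about namespaces; and since kernel 3.19 a process without CAP_SETGID must write "deny" to /proc/self/setgroups before gid_map can be written, so the probe does the writes in that order. The file name and the --report flag are this example's own.

```shell
#!/bin/sh
# userns-check.sh: audit and probe Linux user-namespace support.
# Added example for this thread, not code from pflask, Puppy or any poster.

# Print y, n or unknown for CONFIG_USER_NS, given kernel config text on stdin.
userns_config_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            CONFIG_USER_NS=y) state=y ;;
            "# CONFIG_USER_NS is not set") state=n ;;
        esac
    done
    printf '%s\n' "$state"
}

# Emit the running kernel's config, from /proc/config.gz or the /boot copy.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Read a sysctl through /proc/sys; print "absent" when the knob does not exist.
# kernel.unprivileged_userns_clone is a Debian/Ubuntu patch, so "absent" on a
# mainline-configured kernel is normal; user.max_user_namespaces is the mainline
# limit (0 disables creation); unprivileged_bpf_disabled is about bpf(), not
# namespaces, and is listed only because the thread looked at it.
sysctl_or_absent() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# One id-map line in the format uid_map/gid_map accept: "<inside> <outside> <count>".
idmap_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Create a user namespace and write the maps in the order the kernel requires
# for a process without CAP_SETGID: setgroups=deny, then uid_map, then gid_map.
# A printed "0" with exit status 0 means the mapping worked; exit 3/4/5 says
# which write failed, which isolates "write(gid_map): Operation not permitted".
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { echo "unshare: not found"; return 2; }
    uid=$(id -u); gid=$(id -g)
    unshare -U sh -c '
        echo deny > /proc/self/setgroups || exit 3
        echo "'"$(idmap_line 0 "$uid" 1)"'" > /proc/self/uid_map || exit 4
        echo "'"$(idmap_line 0 "$gid" 1)"'" > /proc/self/gid_map || exit 5
        id -u' 2>&1
}

userns_report() {
    echo "CONFIG_USER_NS: $(kernel_config | userns_config_state)"
    for k in kernel.unprivileged_userns_clone user.max_user_namespaces \
             kernel.unprivileged_bpf_disabled; do
        echo "$k: $(sysctl_or_absent "$k")"
    done
    echo "probe (a printed 0 means root inside the new namespace):"
    userns_probe
    echo "probe exit status: $?"
}

# Usage: sh userns-check.sh --report
if [ "${1:-}" = --report ]; then
    userns_report
fi
```

Run it as root and as an ordinary user: root with CAP_SETGID can write gid_map without the setgroups step, so a failure that only appears for the unprivileged run points at the kernel configuration rather than at pflask, while a failure in both runs points at CONFIG_USER_NS or user.max_user_namespaces.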
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Thu Mar 04, 2021 5:28 am
by s243a
I'm getting a little closer to getting pflask working on puppy (rather than Fatdog64 or EasyOS). Given that the pflask I installed didn't seem to recognize the capability option, I decided to look at the Fatdog64 recipe for pflask:
http://distro.ibiblio.org/fatdog/source/800/pflask-master-20180927.tar.bz2
After looking at the source, I noticed that Fatdog64 is likely using the latest github code rather than the latest release. I suspect that EasyOS is doing the same. Anyway, after trying to compile the Fatdog64 version of pflask, I identified the following missing packages in the devX of upupGG+D (see post): python3-minimal, python3-cap-ng, libcap-ng-dev
I suspect that at least some of these are also missing in Official puppies. However, after installing these packages, I'm now getting a lot of errors of the type:
Code:
/usr/bin/ld: src/util.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: multiple definition of `use_syslog'; src/capabilities.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: first defined here
collect2: error: ld returned 1 exit status
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Fri Mar 05, 2021 1:01 pm
by BarryK
Hi,
I only quickly scanned this thread, so have not digested it all.
However, regarding the pflask source, this is what I use:
http://distro.ibiblio.org/easyos/source ... ter.tar.gz
Or:
http://distro.ibiblio.org/easyos/source ... ter.tar.gz
Maybe of some interest, this is the recipe in OpenEmbedded to compile it, file 'pflask_20180925.bb':
Code:
# Recipe created by recipetool
# recipetool create -o pflask_git.bb https://github.com/ghedo/pflask.git
# ref: https://github.com/OverC/meta-overc/blob/master-oci/meta-cube/recipes-containers/pflask/pflask_git.bb
# BK note, source pkg has 'waf' in it. 2020-09-19 the one in pyro repo doesn't.
# anyway, that waf is a python2 script. waf-2.0.20 handles python3.
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=c2cd5f772e6f9b401d92014b0d1ebccd"
SRC_URI = "http://distro.ibiblio.org/easyos/source/oe/pyro/pflask-${PV}master.tar.gz \
file://waf-2.0.20"
SRC_URI[md5sum] = "3dec4d7b15f1fb746a9d0df0aa571081"
SRC_URI[sha1sum] = "78c0ff51540ed8f94d743ea738cbef1dfbbbf1e7"
SRC_URI[sha256sum] = "d1334b277ffe4e0e05e535a055851402dddc961ea3eea9a850da4699c24bc824"
SRC_URI[sha384sum] = "f2aca865cf0f1d2f5890efa1cacfa500a8fdf3c6f8089820620f2d17d3256db57d264535eb75b7886da3ce02ce30b740"
SRC_URI[sha512sum] = "13221d474a539ffbfe0006369dc85b34f681eb3f26fe04a5e87f5db0e9e251638329e28a4189b6ade0db91acfebc018bbdc754e71cd4d3de3dc8b1b33a389388"
S = "${WORKDIR}/${BPN}-${PV}master"
inherit pkgconfig python3native
# dbus and libcap-ng are optional deps, but i don't think need dbus...
DEPENDS = "libcap-ng"
do_configure_prepend () {
cp -f ${WORKDIR}/waf-2.0.20 ./waf
chmod 755 waf
}
do_configure () {
./waf configure --prefix=${prefix}
}
do_compile () {
./waf build
}
do_install () {
install -d ${D}/usr/bin
install -m 755 build/pflask ${D}/usr/bin
}
SECTION = "devel"
SUMMARY = "Light weight container runtime"
HOMEPAGE = "https://ghedo.github.io/pflask/"
Note the dbus optional dependency, not used.
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Fri Mar 05, 2021 3:54 pm
by rockedge
I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.
I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :
Code:
./bootstrap.py
./waf configure
./waf build
I found the thread really interesting and had not used pflask before now other than in EasyOS, so I gave it a try. Further testing and refinement is necessary. Also, I have a really complete Python 3 in this Bionic64 to run object detection programs.
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Sat Mar 06, 2021 4:41 am
by s243a
rockedge wrote (Fri Mar 05, 2021 3:54 pm):
I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.
I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :
Code:
./bootstrap.py
./waf configure
./waf build
I found the thread really interesting and had not used pflask before now other than in EasyOS, so I gave it a try. Further testing and refinement is necessary. Also, I have a really complete Python 3 in this Bionic64 to run object detection programs.
Did you use the latest github code or one of the releases?
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Sat Mar 06, 2021 4:56 am
by s243a
s243a wrote (Thu Mar 04, 2021 5:28 am):
I'm getting a little closer to getting pflask working on puppy (rather than Fatdog64 or EasyOS). Given that the pflask I installed didn't seem to recognize the capability option, I decided to look at the Fatdog64 recipe for pflask:
http://distro.ibiblio.org/fatdog/source/800/pflask-master-20180927.tar.bz2
After looking at the source, I noticed that Fatdog64 is likely using the latest github code rather than the latest release. I suspect that EasyOS is doing the same. Anyway, after trying to compile the Fatdog64 version of pflask, I identified the following missing packages in the devX of upupGG+D (see post): python3-minimal, python3-cap-ng, libcap-ng-dev
I suspect that at least some of these are also missing in Official puppies. However, after installing these packages, I'm now getting a lot of errors of the type:
Code:
/usr/bin/ld: src/util.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: multiple definition of `use_syslog'; src/capabilities.c.1.o:/root/Downloads/pflask-master-20180927.tar.bz2.extracted/pflask-master/build/../src/printf.h:42: first defined here
collect2: error: ld returned 1 exit status
I was able to fix this "multiple definition" error by adding the "extern" keyword to the declaration in line 42 of printf.h, which is part of the pflask source.
I figured this out by searching for "declaring variable in c header files" and I noticed a few discussions recommending the "extern" keyword in the header file. The first thing I tried was removing the "int" keyword in printf.c, but that is not allowed in C because in C there is apparently a difference between declaring a variable and defining a variable. When you declare a variable it allocates memory, but when you define a variable it is just a prototype. You can define a variable multiple times using the extern keyword, but you can declare it only once. All variables declared or defined outside of a function (or code block?) are global.
I'm not sure if this error is due to this header file being imported in multiple places or because it conflicts with the following definition:
*line number 43 of printf.c, which is also part of the pflask source.
*disclaimer. I only just spent a bit of time googling this tonight, so my understanding of this isn't great and I'm far from an expert.
P.S. I'm curious why this wasn't an issue when pflask was built on fatdog64. Was there some patch that I missed?
**Final note. This fix appears to have let me successfully compile pflask. I'll test it now.
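On the P.S. above, an added illustration (not pflask's build and not any poster's code) of why the same pflask tree links with one toolchain and not another. `int use_syslog;` in a header is a tentative definition, so every .c file that includes the header defines the symbol; older GCC merged such duplicates as "common" symbols, while GCC 10 and later (and clang 11 and later) default to -fno-common and report exactly the multiple-definition error shown above. Ubuntu 20.10 (Groovy), which upupGG+D is built from, ships GCC 10. The extern fix described above turns the header line into a declaration and leaves one definition in printf.c. The script below writes a two-file project in both styles, links each with -fcommon or -fno-common, and returns 0 on a successful link, 1 on failure (linker output left in link.log) and 2 when no C compiler is installed. The file names mirror the ones in the error message but the project is this example's own.

```shell
#!/bin/sh
# common-demo.sh: reproduce and fix the "multiple definition of `use_syslog`"
# link error with a two-file C project. Added example, not pflask's sources.

# Write a tiny project into $1. $2 selects the header style:
#   tentative  "int use_syslog;" in printf.h, included by both .c files
#              (the layout that failed to link in the post above)
#   extern     "extern int use_syslog;" in printf.h, one definition in printf.c
write_project() {
    dir=$1; variant=$2
    mkdir -p "$dir"
    if [ "$variant" = extern ]; then
        printf 'extern int use_syslog;\nvoid set_syslog(int v);\n' > "$dir/printf.h"
        printf '#include "printf.h"\nint use_syslog = 0;\nvoid set_syslog(int v) { use_syslog = v; }\n' > "$dir/printf.c"
    else
        printf 'int use_syslog;\nvoid set_syslog(int v);\n' > "$dir/printf.h"
        printf '#include "printf.h"\nvoid set_syslog(int v) { use_syslog = v; }\n' > "$dir/printf.c"
    fi
    # A second translation unit that includes the header, like util.c in pflask.
    printf '#include "printf.h"\nint main(void) { set_syslog(1); return use_syslog == 1 ? 0 : 1; }\n' > "$dir/main.c"
}

# Build variant $2 in directory $1 with extra compiler flag $3
# (-fcommon, -fno-common or ""). Returns 0 when the link succeeds, 1 when it
# fails (see $1/link.log), 2 when no C compiler is available. Honors $CC.
try_link() {
    dir=$1; variant=$2; flag=$3
    compiler=${CC:-cc}
    command -v "$compiler" >/dev/null 2>&1 || return 2
    write_project "$dir" "$variant"
    if "$compiler" $flag -o "$dir/demo" "$dir/printf.c" "$dir/main.c" 2>"$dir/link.log"; then
        return 0
    fi
    return 1
}

# Run the three interesting combinations and print one line each.
demo() {
    for combo in "tentative -fcommon" "tentative -fno-common" "extern -fno-common"; do
        set -- $combo
        work=$(mktemp -d)
        rc=0; try_link "$work" "$1" "$2" || rc=$?
        echo "$1 $2 -> link status $rc"
        rm -rf "$work"
    done
}

# Usage: sh common-demo.sh --demo
if [ "${1:-}" = --demo ]; then
    demo
fi
```

Adding -fcommon to the build flags is the quick way to get an unpatched tree to link on a new toolchain, but the extern fix is the correct one: it also stops each translation unit from carrying its own copy of the variable, which is what makes such code fragile in the first place.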
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Sat Mar 06, 2021 6:06 am
by s243a
rockedge wrote (Fri Mar 05, 2021 3:54 pm):
I have compiled pflask in Bionic64-8.0 and have it working. I was able to mount a Firstrib_rootfs using pflask which started at the command line but the one attempt at loading the WeeDog with the X server starting did not succeed yet.
I used the source from https://github.com/ghedo/pflask
and installed the libcap-ng-dev
cloned to /root/Build and then :
Code:
./bootstrap.py
./waf configure
./waf build
I found the thread really interesting and had not used pflask before now other than in EasyOS, so I gave it a try. Further testing and refinement is necessary. Also, I have a really complete Python 3 in this Bionic64 to run object detection programs.
The tricky thing is the so-called /init script for the container can't have any errors or the container won't work, and reducing the capabilities of the processes within the container creates further opportunities for errors. In my /init script, I strip the /root/.jwmrc and /root/.jwmrc-tray files so that starting jwm doesn't launch any unneeded processes:
Code:
cat << "EOF" >top/strip_jwm.sh
#!/bin/sh
# Collect the whole file in the hold space, then delete every
# <StartupCommand> element so jwm starts nothing of its own.
sed -nr '$! {H};$ {H;x;s#<StartupCommand>[^<]*</StartupCommand>##g;p}' /root/.jwmrc > /root/.jwmrc-new
mv /root/.jwmrc-new /root/.jwmrc
# Drop the xload entry from the tray.
sed '/xload/d' /root/.jwmrc-tray > /root/.jwmrc-tray-new
mv /root/.jwmrc-tray-new /root/.jwmrc-tray
EOF
Ln#393-404 of ruf-puppy4-flask.sh
I also start jwm directly rather than relying on the /root/.xinitrc file
Code:
echo '#!/bin/sh
# Container init: set up icons/menus, then start jwm directly (no .xinitrc).
source /etc/profile
export PATH="$PATH:/usr/local/bin/"
ldconfig
#gdk-pixbuf-query-loaders --update-cache
/usr/bin/gtk-update-icon-cache -f /usr/share/icons/hicolor/
DEFAULT_DESK_ICONS="JQ8flat"
#[ $NEWPVERSION -ge 500 ] && DEFAULT_DESK_ICONS="JQ8flat"
[ ! -d /usr/local/lib/X11/themes/JQ8flat ] && DEFAULT_DESK_ICONS="Stardust"
[ -f /etc/desktop_icon_theme ] && DEFAULT_DESK_ICONS="`cat /etc/desktop_icon_theme`" #w477
/usr/sbin/icon_switcher_cli $DEFAULT_DESK_ICONS
fixmenus #probably not necessary
DISPLAY=:2 rox -n &
/strip_jwm.sh
DISPLAY=:2 jwm &
PID=$!
'"#$(if [ ! -z "$BROWSER_CMD" ]; then
echo "DISPLAY=:2 xterm -e $BROWSER_CMD"
fi )"'
wait "$PID"
' >top/init_basic
Ln#336-357 of ruf-puppy4-flask.sh
**Note that the above init script is for Puppy 4. In later versions of Puppy, icons/themes are handled differently.
For more info on the above example see (still very preliminary!):
[sfs_only]: Attack Pup, Pristine and with Updated Core/CLI libs/utilities
For examples on newer versions of puppy you could look at my containerized versions of the iron-browser and ungoogled-chromium browser. In all cases the /dev/mixer mount point will need to be removed for the container to work on GroovyPup32 (AKA upupGG+D). They will though work without modification on Fatdog64-811.
Re: pflask dependencies (was Which PuppyLinux Kernels have "user namespaces enabled"?)
Posted: Sat Mar 06, 2021 5:11 pm
by rockedge
I used the most recent from here -> https://github.com/ghedo/pflask