Author: tom
Date:
To: dng
CC: g4sra
Subject: Re: [DNG] Any parties interested in lxc ?
On Mon, 5 Oct 2020 11:30:10 +0100
g4sra via Dng <dng@???> wrote:
>
> Hi Tom,
>
> This is my current thinking with regard to a LXC Container system for
> building OS images and support software. The host workstation has all
> the standard development tools ('build-essential' etc) that any/all
> containers would normally need. This can be updated as required (in
> effect, updating all containers).
>
> The containers must run unprivileged as both the software being
> built and the build software itself may be of dubious quality
> (especially if I wrote it).
>
> Container1:
>       bind,ro mounts the host filesystem providing development tool access
>       overlayfs a delta filesystem on which required tools\libraries etc can be built
>
> ContainerN: repeat above as often as required
>
> ContainerX:
>       bind,ro mounts the host filesystem providing development tool access
>       bind,ro mounts CN deltas to provide access to the tools\libraries
>       overlayfs a delta filesystem on which the test OS can be built
>
> Can you:
>       see anything wrong with the proposed above where container superuser
>       privileges and device access would allow corruption of either the Host
>       or of a neighbouring container ?
>       think of anything builds require that I have not made allowance for ?
>       detail a better way for obtaining my goal ?
>
> Appreciate your comments Tom.
> Charlie

That all should be possible. As for mounting external directories, I
know that's possible but I have not personally tried that. I came
across that reading documentation. However I do have hypervisor
mountpoints inside of a container's rootfs.

Unprivileged containers I still have not figured out how to generate. I
have a script that creates unprivileged containers and lxc comes with
a template downloader script. However those templates are downloaded
from some Ansible server hosted on Canonical's website. The images are
generated from /HIGHLY/ abstracted Ansible templates, not actual
source code or bash scripts. Because of this it's very difficult to
figure out what's really going on as the specifics are all abstracted
away. The difference between a script that builds a Devuan image for
a container and a script that builds a Devuan image for a container
then 'underprivilegizes' it with subuids/subgids.

Maybe you being a Redhat stuff expert would be able to enlighten us
on that and I could then modify my script to be able to create
unprivileged containers too instead of relying on some Canonical
webserver always being up and accessible or having to build out a QA
server when I really don't need one just to create local containers.

Can I put attachments on emails to the dyne mailing lists?

-- 
 _________________________________________ 
/ Suppose for a moment that the           \
| automobile industry had developed at    |
| the same rate as computers and over the |
| same period: how much cheaper and more  |
| efficient would the current models be?  |
| If you have not already heard the       |
| analogy, the answer is shattering.      |
| Today you would be able to buy a        |
| Rolls-Royce for $2.75, it would do      |
| three million miles to the gallon, and  |
| it would deliver enough power to drive  |
| the Queen Elizabeth II. And if you were |
| interested in miniaturization, you      |
| could place half a dozen of them on a   |
| pinhead.                                |
|                                         |
\ -- Christopher Evans                    /
 ----------------------------------------- 
\
 \
   /\   /\   
  //\\_//\\     ____
  \_     _/    /   /
   / * * \    /^^^]
   \_\O/_/    [   ]
    /   \_    [   /
    \     \_  /  /
     [ [ /  \/ _/
    _[ [ \  /_/
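Added example, written for this archive page and not taken from either message: a POSIX sh check over an LXC container config for the three properties Charlie's design depends on (uid and gid remapping so container root is not host root, read-only bind mounts of the host tree and of neighbouring deltas, and no blanket device allowance). The keys are the standard LXC 3+ ones in spaced "key = value" form; the sample config and its paths are constructed.

```shell
#!/bin/sh
# Added example: audit an LXC config for the properties the thread relies on.
# Keys are standard LXC 3+ ones (lxc.idmap, lxc.mount.entry,
# lxc.cgroup.devices.allow / lxc.cgroup2.devices.allow); the spaced
# "key = value" form is assumed. Sample config and paths are constructed.

CFG=$(mktemp)
cat >"$CFG" <<'EOF'
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.mount.entry = /usr usr none bind,ro 0 0
lxc.mount.entry = /srv/c1-delta opt/c1 none bind,rw 0 0
lxc.cgroup.devices.allow = a
EOF

# Prints each finding to stderr and the number of findings to stdout.
check_lxc_config() {
    awk '
    # Unprivileged: both the uid and the gid range must be remapped.
    $1 == "lxc.idmap" && $3 == "u" { uid_map = 1 }
    $1 == "lxc.idmap" && $3 == "g" { gid_map = 1 }
    # Bind mounts of the host tree or neighbour deltas must carry "ro" ($6).
    $1 == "lxc.mount.entry" && $6 ~ /(^|,)bind(,|$)/ && $6 !~ /(^|,)ro(,|$)/ {
        print "writable bind mount: " $3 " -> " $4 > "/dev/stderr"; n++
    }
    # "a" allows every device node, so container root could open host disks.
    ($1 == "lxc.cgroup.devices.allow" || $1 == "lxc.cgroup2.devices.allow") && $3 == "a" {
        print "blanket device allow: " $0 > "/dev/stderr"; n++
    }
    END {
        if (!uid_map || !gid_map) {
            print "missing lxc.idmap: container root is host root" > "/dev/stderr"; n++
        }
        print n + 0
    }' "$1"
}

check_lxc_config "$CFG"   # the sample above yields 2 findings
```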