From: Ludovic Courtès <ludovic.courtes@inria.fr>
Subject: Unprivileged /gnu/store with PRoot
Date: Fri, 12 May 2017 17:53:21 +0200
Message-ID: <87d1beoyvi.fsf@gnu.org>
To: guix-devel@gnu.org

Hello Guix!

In hostile environments (read: machines that lack Guix and where you’re not root, such as HPC clusters), it can be hard to manage software with Guix.

We can use ‘guix pack’ to build a bundle on one machine and ship it to the target machine. But then, on the target machine, we need to be able to “map” the pack’s root directory to the root directory of the processes we run. When user namespaces are enabled, this can be achieved with ‘unshare’ and ‘chroot’ as shown at . However user namespaces are often disabled by distros for lack of confidence in their security properties¹.

One way to work around the problem is to use PRoot, a ptrace(2)-based tool to virtualize the file system². With the ‘proot-static’ package I just pushed, one can run, say, hwloc, on such a hostile machine by sending locally-created packs as well as ‘proot’:

  scp $(guix build proot-static)/bin/proot hostile:
  scp $(guix pack hwloc -S /bin=bin) hostile:hwloc.tgz

and then on the hostile machine:

  mkdir ~/.local
  cd ~/.local
  tar xf ~/hwloc.tgz
  cd
  ./proot -b .local:/ /bin/lstopo

where “proot -b .local:/” essentially “bind-mounts” ~/.local to /.

Pretty cool no? :-)

PRoot adds overhead since it has to intercept every syscall. However, for a mostly computational process, it should not be much of a problem.

Ludo’.

¹ See for instance and the recent AF_PACKET vulnerability .
² https://github.com/proot-me/PRoot
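The procedure above, turned into a small wrapper as an added example (this is not code from the mail, from Guix or from PRoot): it sanity-checks the unpacked pack, probes whether the host actually allows unprivileged user namespaces, and runs the command under unshare+chroot when it does or under PRoot when it does not. Assumptions: the pack was unpacked into the directory passed as the first argument (the mail uses ~/.local), a `proot` binary is on PATH, the sysctl paths are the ones Debian-style and upstream kernels expose, and the `bin` entry left by `guix pack -S /bin=bin` is a symlink into /gnu/store by absolute path. The functions `userns_sysctl_allows`, `userns_enabled`, `check_pack` and `run_in_pack` are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the mail or from Guix/PRoot. Runs a command
# from an unpacked 'guix pack' tarball, mapping the pack root onto / with
# unshare+chroot where unprivileged user namespaces work and with PRoot
# otherwise. The sysctl paths and the layout of the pack are assumptions.
set -u

# Pure check on the two common sysctl switches. Paths are parameters so
# the logic can be exercised on constructed files. Returns 0 (allowed)
# unless a switch that is present explicitly reads 0.
userns_sysctl_allows() {
    clone_knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}  # Debian-style switch
    max_ns=${2:-/proc/sys/user/max_user_namespaces}              # upstream limit
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" = "0" ]; then
        return 1
    fi
    if [ -r "$max_ns" ] && [ "$(cat "$max_ns")" = "0" ]; then
        return 1
    fi
    return 0
}

# Sysctls are not the whole story (seccomp filters, LSM policy and
# container runtimes can still refuse), so the decisive test is to
# actually create a user namespace and run a trivial command in it.
userns_enabled() {
    userns_sysctl_allows || return 1
    command -v unshare >/dev/null 2>&1 || return 1
    unshare -Ur true 2>/dev/null
}

# Sanity-check an unpacked pack before mapping it onto /. The 'bin' entry
# created by 'guix pack -S /bin=bin' points into /gnu/store by absolute
# path (assumption), so it only resolves once the pack root is mapped to
# /: test that the link exists, not that it resolves from outside.
check_pack() {
    root=$1
    if [ ! -d "$root/gnu/store" ]; then
        echo "check_pack: no gnu/store under $root" >&2
        return 1
    fi
    if [ ! -e "$root/bin" ] && [ ! -L "$root/bin" ]; then
        echo "check_pack: no bin entry under $root" >&2
        return 1
    fi
    return 0
}

# Usage: run_in_pack ~/.local /bin/lstopo
# Replaces the current shell with the command, so call it from a wrapper.
run_in_pack() {
    root=$1
    shift
    check_pack "$root" || return 1
    if userns_enabled; then
        # Root mapping inside a fresh user namespace, then chroot into the pack.
        exec unshare -Ur chroot "$root" "$@"
    else
        # No usable user namespaces: let PRoot rewrite paths via ptrace(2).
        exec proot -b "$root:/" "$@"
    fi
}
```

The probe in `userns_enabled` matters more than the sysctl read: a kernel can expose `max_user_namespaces` greater than zero and still refuse `unshare` for an unprivileged caller, and that is exactly the situation in which PRoot is the fallback.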