From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludovic.courtes@inria.fr (Ludovic Courtès)
Subject: Re: Unprivileged /gnu/store with PRoot
Date: Fri, 09 Jun 2017 10:09:27 +0200
Message-ID: <87zidhr39k.fsf@inria.fr>
References: <87d1beoyvi.fsf@gnu.org> <87tw3qebwe.fsf@elephly.net>
In-Reply-To: <87tw3qebwe.fsf@elephly.net> (Ricardo Wurmus's message of "Thu, 08 Jun 2017 17:29:05 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ricardo Wurmus
Cc: guix-devel

Hello!

Ricardo Wurmus skribis:

> Ludovic Courtès writes:
>
>> One way to work around the problem is to use PRoot, a ptrace(2)-based
>> tool to virtualize the file system².  With the ‘proot-static’ package I
>> just pushed, one can run, say, hwloc, on such a hostile machine by
>> sending locally-created packs as well as ‘proot’:
>>
>>   scp $(guix build proot-static)/bin/proot hostile:
>>   scp $(guix pack hwloc -S /bin=bin) hostile:hwloc.tgz
>>
>> and then on the hostile machine:
>>
>>   mkdir ~/.local
>>   cd ~/.local
>>   tar xf ~/hwloc.tgz
>>   cd
>>   ./proot -b .local:/ /bin/lstopo
>>
>> where “proot -b .local:/” essentially “bind-mounts” ~/.local to /.
>>
>> Pretty cool, no?  :-)
>
> That *is* very cool indeed!
>
>> PRoot adds overhead since it has to intercept every syscall.  However,
>> for a mostly computational process, it should not be much of a problem.
>
> Can this be simplified?  We really only need that user-space bind-mount
> feature, nothing else.  PRoot does more than that IIUC.  Can we preload
> a little library that provides “open” and implementations of other file
> access procedures, and simply (I know…) changes any access of “/gnu”
> with the new target directory?
>
> I suspect this is doomed to fail because of the way shebangs work and
> because we cannot interpose internal glibc calls, though.  Ultimately,
> ptrace really is what we want on Linux and sadly it’s just slow.

Exactly.  Many have written LD_PRELOADable libraries to perform file
system virtualization, but it’s tedious (there are so many VFS-related
functions to interpose!) and fragile, and an application can always do a
direct syscall and bypass the thing.

So PRoot is not the preferred option, but it’s one we can resort to when
there’s no other option.  I have yet to measure its performance impact
when running some of the linear algebra software that people use/develop
here.

> More power to the Hurd on HPC!  :-)

Ludo’.
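The bypass Ludo describes, shown in code. This is an added example, not code from the thread, from PRoot or from Guix: a Linux-only open() interposer of the kind Ricardo sketches, which rewrites "/gnu/..." under a relocated root, compiled into the same program as two callers. The first goes through libc's open() and is rewritten; the second issues the openat(2) syscall directly and never touches the hook. The root path /tmp/guix-root-example and the function names are constructed for the example.

```c
/* Added example (Linux only): a libc-level open() interposer and a
 * direct-syscall caller that slips past it.  All paths are constructed. */
#undef _FORTIFY_SOURCE            /* fortified open() wrappers would clash */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Directory that stands in for "/" (placeholder, like ~/.local above). */
static const char *g_root = "/tmp/guix-root-example";
static int  g_intercepted;        /* open() calls the hook actually saw */
static char g_last_path[4096];    /* path the hook handed to the kernel */

/* "/gnu/..." -> "<root>/gnu/..."; returns 1 if rewritten, 0 if passed
 * through unchanged, -1 if the result would not fit in out[]. */
int rewrite_path(const char *in, char *out, size_t n)
{
    if (strncmp(in, "/gnu/", 5) == 0 || strcmp(in, "/gnu") == 0)
        return snprintf(out, n, "%s%s", g_root, in) < (int)n ? 1 : -1;
    if (strlen(in) >= n) return -1;
    strcpy(out, in);
    return 0;
}

/* Same symbol libc exports, so code compiled against libc lands here
 * (as it would with an LD_PRELOAD library).  Forwards via openat(2). */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {          /* the mode argument only exists then */
        va_list ap; va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    char buf[4096];
    if (rewrite_path(path, buf, sizeof buf) < 0) return -1;
    g_intercepted++;
    strcpy(g_last_path, buf);
    return (int)syscall(SYS_openat, AT_FDCWD, buf, flags, mode);
}

/* Caller 1: through open(), so the rewrite applies. */
int open_via_libc(const char *path) { return open(path, O_RDONLY); }
/* Caller 2: traps straight into the kernel; no user-space hook sees it. */
int open_via_syscall(const char *path)
{
    return (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
}
int intercepted_count(void) { return g_intercepted; }
const char *last_path(void) { return g_last_path; }
```

The same program under PRoot would have both callers redirected, because ptrace sees the syscall regardless of which user-space path produced it.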