From 08e02e4368342c96ad5ab1417c37a64402d8d12e Mon Sep 17 00:00:00 2001 From: Luca Di Maio Date: Sat, 26 Aug 2023 10:05:16 +0000 Subject: [PATCH] WIP: unsharing mode, work on #28 Signed-off-by: Luca Di Maio --- distrobox-create | 39 ++++++++++++++++++++++++++------ docs/usage/distrobox-assemble.md | 2 +- 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/distrobox-create b/distrobox-create index 6c7cf8a458..759efa6474 100755 --- a/distrobox-create +++ b/distrobox-create @@ -72,6 +72,8 @@ nvidia=0 nopasswd=0 unshare_ipc=0 unshare_netns=0 +unshare_process=0 +unshare_devsys=0 # Use cd + dirname + pwd so that we do not have relative paths in mount points # We're not using "realpath" here so that symlinks are not resolved this way # "realpath" would break situations like Nix or similar symlink based package @@ -175,10 +177,13 @@ Options: --init-hooks: additional commands to execute during container initialization --pre-init-hooks: additional commands to execute prior to container initialization --init/-I: use init system (like systemd) inside the container. - this will make host's processes not visible from within the container. + this will make host's processes not visible from within the container. (assumes --unshare-process) --nvidia: try to integrate host's nVidia drivers in the guest - --unshare-netns: do not share the net namespace with host + --unshare-devsys: do not share host devices and sysfs dirs from host --unshare-ipc: do not share ipc namemspace with host + --unshare-netns: do not share the net namespace with host + --unshare-process: do not share process namemspace with host + --unshare-all: activate all the unshare flags below --compatibility/-C: show list of compatible images --help/-h: show this message --no-entry: do not generate a container entry in the application list @@ -262,14 +267,30 @@ while :; do -I | --init) shift init=1 + unshare_process=1 + ;; + --unshare-ipc) + shift + unshare_ipc=1 ;; --unshare-netns) shift unshare_netns=1 ;; - --unshare-ipc) + --unshare-process) + shift + unshare_process=1 + ;; + --unshare-sys) + shift + unshare_devsys=1 + ;; + --unshare-all) shift unshare_ipc=1 + unshare_netns=1 + unshare_process=1 + unshare_devsys=1 ;; -C | --compatibility) show_compatibility @@ -539,7 +560,7 @@ generate_command() { --network host" fi - if [ "${init}" -eq 0 ]; then + if [ "${unshare_process}" -eq 0 ]; then result_command="${result_command} --pid host" fi @@ -559,14 +580,18 @@ generate_command() { --env \"HOME=${container_user_home}\" --env \"container=${container_manager}\" --volume /:/run/host:rslave - --volume /dev:/dev:rslave - --volume /sys:/sys:rslave --volume /tmp:/tmp:rslave --volume \"${distrobox_entrypoint_path}\":/usr/bin/entrypoint:ro --volume \"${distrobox_export_path}\":/usr/bin/distrobox-export:ro --volume \"${distrobox_hostexec_path}\":/usr/bin/distrobox-host-exec:ro --volume \"${container_user_home}\":\"${container_user_home}\":rslave" + if [ "${unshare_devsys}" -eq 0 ]; then + result_command="${result_command} + --volume /dev:/dev:rslave + --volume /sys:/sys:rslave" + fi + # In case of initful containers, we implement a series of mountpoint in order # for systemd to work properly inside a container. # The following are a flag-based implementation of what podman's --systemd flag @@ -633,7 +658,7 @@ generate_command() { # to /run/shm, instead of the other way around. # Resolve this detecting if /dev/shm is a symlink and mount original # source also in the container. - if [ -L "/dev/shm" ]; then + if [ -L "/dev/shm" ] && [ "${unshare_ipc}" -eq 0 ]; then result_command="${result_command} --volume $(realpath /dev/shm):$(realpath /dev/shm)" fi diff --git a/docs/usage/distrobox-assemble.md b/docs/usage/distrobox-assemble.md index 9bb4cee889..5f5a893ae5 100644 --- a/docs/usage/distrobox-assemble.md +++ b/docs/usage/distrobox-assemble.md @@ -48,7 +48,7 @@ This is an example manifest file to create two containers: pull=true root=false replace=false - volume=/tmp/test:/run/a /tmp/test:/run/b + volume="/tmp/test:/run/a /tmp/test:/run/b" **Create**