
Using Easy Containers

May 07, 2018 — BarryK

Running an application in a container is a mechanism to achieve isolation from the rest of the system, and higher security than if the application were run in the normal way.

There is another web-page which is a technical overview of EasyOS from the user-perspective, including an introduction to Easy Containers (EC):

http://bkhome.org/easy/how-easy-works-part-2.html

...please read that first. As that page explains, there is a nice GUI for managing Easy Containers. However, back-track for a moment, to when EasyOS is first booted...

At first bootup, there is a desktop. As described in the above link, there are two pre-created containers, seamonkey and sh0, and these appear in the menu.

However, they also appear on the desktop, labeled "www" and "console", with a little lock-symbol top-left on each:

image

Clicking on one of these will run the app in a container. In the case of "www", it will start SeaMonkey, and it will be just like the normal SeaMonkey. From the user-perspective, you will notice some differences though:

  1. A tiny bit slower to startup.
  2. Open and Save files can only be within the container.
  3. Extensions/add-ons/themes not shared with the system-SeaMonkey.

You are, in fact, running SeaMonkey in its own private operating system.

If you would like to take advantage of the security and isolation offered by EC, for other apps, it is very easy...

Creating containerized apps

As already introduced in the above link, there is a GUI manager. This is launched from the menu:

image

Then, Easy Container Management will run:

image

...down at the bottom, select an app, then click the "Create" button, and that's it, the app is containerized.

One important note though: the security settings shown in that window are a work-in-progress. It is probably best to leave the defaults as-is, as setting one of them may break the app.

When an app is containerized, it will appear in the menu with a "lock" icon. SeaMonkey for example:

image

The app will also appear on the desktop, in a group. This snapshot shows three additional containerized apps:

image

The obvious contenders to be "containerized" are those apps that access the Internet, as reflected in the above snapshot.

As already stated, a containerized app has certain restrictions, including that of file open and save...

Open and Save files

Taking the example of SeaMonkey, if a file is downloaded from the Internet, the default save-path is /root/Downloads. If you accept that, and save the file, it is saved at /root/Downloads inside the container, so how do other apps in the system get to that file?

Click the "file" icon at top-left of screen, and navigate to:

/mnt/wkg/containers/seamonkey/container/root/Downloads

That's it, you are there!

Note, "wkg" is a symlink to the actual working-partition. If, for example, it is "sdb2", then this path is the same:

/mnt/sdb2/containers/seamonkey/container/root/Downloads

Note that you do not have to be concerned with file ownership, as everything in EasyOS runs as root-user (administrator), even inside a container. Technically, root inside a container is completely different from root in the main system, but there is still the convenience that files downloaded in the container are seen as owned by root by the rest of the system.

Running as root

A side note about this. Puppy Linux right from the start ran as root, and Easy inherits this. There is a justification at /usr/share/doc/root.htm in a running Easy, also online here:

http://bkhome.org/archive/puppylinux/technical/root.htm

...note, user "spot" is deprecated in Easy, as we now have containers.
...also, "fido" has not received any attention for years, and may not work properly.

An extra note about this: as already stated above, "root" inside a container is completely different from root in the main system, and in fact has rights similar to those of a non-root user. This restriction of root's rights is achieved with Linux Capabilities; see the checkboxes in the above snapshot. So you have the security of restricted rights, yet do not need to be bothered about file ownership/permissions if, for example, you drag a file from the system into a container to be opened by an app in the container.
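If you want to see that restriction for yourself, the effective capability mask of any process is readable from /proc. The following script is an added example, not code from EasyOS or from this post: run it from the "console" (sh0) container and again on the main system, and compare which of the capabilities that make root "really root" are present. It assumes only /proc and a POSIX shell with 64-bit arithmetic (dash, bash or ash); the capability numbers are the kernel's constants from linux/capability.h.

```shell
#!/bin/sh
# Added example (not part of EasyOS or the post): decode a process's effective
# capability mask (CapEff) to check how much of "root" a containerized shell has.

# Print the CapEff hex string of a process (default: the current one). The awk
# child inherits the shell's effective set, so reading its own status is fine.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Succeed (exit 0) if capability number $2 is set in hex mask $1.
# Real masks use ~41 bits, so the shift never touches the signed bit 63.
cap_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print the name of each capability from a short list of "really root" ones
# that is present in mask $1. Numbers are the kernel's constants.
cap_list_privileged() {
    for entry in 1:CAP_DAC_OVERRIDE 12:CAP_NET_ADMIN 16:CAP_SYS_MODULE \
                 17:CAP_SYS_RAWIO 21:CAP_SYS_ADMIN 22:CAP_SYS_BOOT 27:CAP_MKNOD; do
        bit="${entry%%:*}"
        name="${entry#*:}"
        if cap_has_bit "$1" "$bit"; then
            echo "$name"
        fi
    done
}

# Print how many of those privileged capabilities are present in mask $1.
cap_count_privileged() {
    echo $(( $(cap_list_privileged "$1" | wc -l) ))
}

# Summary for the current shell: on an unrestricted root system all seven
# show up; inside a capability-restricted container far fewer should.
cap_self_summary() {
    mask="$(cap_eff_mask self)"
    echo "uid=$(id -u) CapEff=$mask"
    cap_list_privileged "$mask"
    echo "privileged capabilities present: $(cap_count_privileged "$mask")"
}

# Only run the summary when executed directly, so the functions can be sourced.
case "$0" in */sh|sh|*/bash|bash|*/dash|dash) ;; *) cap_self_summary ;; esac
```

A uid of 0 with an empty or near-empty list is exactly the "root that is not really root" situation the paragraph describes.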

When you are experimenting with containers, you will also want to delete them...

Deleting a containerized app

This is very easy. If you decide that you no longer want to run the app in a container, look at the above snapshot of the Easy Container Management -- choose the app and click the "Delete" button.

Security settings

This is currently at an immature stage, and more will be appended to this web-page in the future.

One thing to note: there is a mechanism for templates, to preset the security-settings for each app. These templates can be found at /usr/local/easy_containers/templates.

Postscript

Easy Containers are fun, and, yes, easy. Bear in mind though the newness of the whole mechanism, and that this is Barry's grass-roots implementation rather than one of the established mechanisms such as Docker or LXC.

If you would like to get involved in helping to mature EC, please do!

Regards,
Barry Kauler

Tags: easy