site
contact
newsPlanning run non-root in containers
I have been working on syncing Debian package management with the Puppy-format package management, for the past week. However, I had the nagging feeling that I'm going in the wrong direction...
Have now abandoned apt/dpkg sync'ing with the Puppy-format
Package database and PKGget. It just isn't the way I want to go
with EasyOS.
Yes, the Dunfell-series, built from packages compiled from scratch, does have a very small package repository. However, we can have a mechanism to import large packages, such as appimages, to SFS files, and thereby obtain a large repository.
So, I am going back to basics, revisiting Easy Containers. I ran the 'dir2sfs' utility to create an SFS of the latest Chrome web browser. Yes, works great on the main desktop, as user "chrome". However, in a container runs as "crippled root" and requires the "--no-sandbox" commandline option to run. Unfortunately, Chrome puts up a warning message that "--no-sandbox" is unsupported and may cause stability problems.
Chrome runs fine in a container, but that warning is going to alarm users. So what I want to do is be able to run Chrome as user "chrome" in a container. This is not so easy.
Back around 2018, when Easy Containers was young, I did consider
being able to run apps as user "zeus"; however, never actually got
that to work.
One thing that looks like being helpful is the Linux kernel "user namespace" support. That feature is currently disabled, so as I type this, the 5.15.67 kernel is compiling, with user-namespace ticked:
General setup > Namespaces support
[*] UTS namespace
[ ] TIME namespace
[*] IPC namespace
[*] User namespace
[*] PID Namespaces
[*] Network namespace
That's just one building-block toward implementing running
non-root in containers.
Tags: easy