
New website for EasyOS

October 05, 2018 — BarryK

I have registered the domain name easyos.org, and added it as a new website to my shared hosting account with omnis.com. My experience with Omnis has been very good. I only have a cheap shared-hosting account, but it is "unlimited everything" and so far that's what it has been. Everything just works, no hassles. I have contacted tech support a couple of times: once when I first created the account, and just now, for a PHP problem when I installed the forum, and got satisfaction.

I intend to migrate my EasyOS pages to the new URL; for now, I have just one page, here:

https://easyos.org/about/how-and-why-easyos-is-different.html

...I thought about creating this summary list recently, when someone sent me an email asking if there was such a summary anywhere. Now there is!

I announced recently that I will be moving away from using the Puppy Forum for announcing and discussing releases of Easy. That has now happened, presenting the brand-new EasyOS Forum:

https://easyos.org/forum/

It is intended to be very low-traffic, just for Easy, though limited discussion of other topics is OK, as long as I don't have to get too distracted with administration and moderation!

I intend to still hang out on the Puppy Forum, and contribute. If I do mention Easy, it will only be an oblique reference, and if I do want to announce anything to do with Easy, I will do so in the "Off Topic" section.

Tags: easy

Easy Containers simple and expert modes

October 03, 2018 — BarryK

I posted yesterday about an improvement to security in Easy Containers, using a macvlan bridge for Internet access:

http://bkhome.org/news/201810/macvlan-bridge-in-easy-containers.html

This is an ongoing project. Developing a container system from basic principles, rather than just following everyone else and using something like Docker, is a challenge. There is a certain satisfaction in doing it, just as there is a satisfaction in compiling all of the packages used in EasyOS from source, rather than building a distro from the binary packages of one of the mainline distros (as everyone else does!).

For the Easy Containers GUI (in Filesystem menu), I have introduced "Simple" and "Expert" tabs. This is a snapshot showing the Expert tab:

[image: snapshot of the Easy Containers GUI, Expert tab]

Note the new "Access" section. There is a checkbox to disable network (and hence Internet) access, and a checkbox to enable a shared folder -- that is, choose any folder in the host system and it will be available in the container, as /shared-folder.

This shared-folder thing is a convenience. Actually, the host system can look inside any running container and access any folder.

As mentioned previously, I am now using the 'pflask' utility, which is looking good. The only issue that I have right now is that the containers are locked down a bit too much and sound is not working... I will get onto that.

Regarding the Simple tab, there is nothing in it yet. I propose that it will have some very simple choices, like do you want Internet access, fast versus slower-but-more-secure, etc.

EDIT 2018-10-6
Sound is fixed, and I added a checkbox to the GUI. Just had to bind /dev/snd into the container and copy-in /etc/asound.state.

Tags: easy

Macvlan bridge in Easy Containers

October 02, 2018 — BarryK

Yesterday I posted about experiments with a veth bridge:

http://bkhome.org/news/201810/containers-veth-bridge-getting-started.html

...afterward, I realised why there was an error when I tried to use 'veth1' and 'eth1' -- my midi-tower PC has two physical ethernet ports, eth0 and eth1, so 'eth1' was already claimed -- I had forgotten about it.

A note on the side: in EasyOS and Quirky, I have disabled udev renaming of interfaces. I am unimpressed with that and prefer to keep the original names, 'eth0', 'wlan0', etc. (at least in the host system; inside containers, though, I am using my own renaming, see below).

A reservation that I have with the veth bridge method is that the active interface on the host changes from 'eth0' to 'br0', which might have repercussions in some scripts.

With the macvlan method, I can keep 'eth0' as the active host interface. My understanding of these bridging techniques is superficial, I have just scanned through online documentation looking for something simple that will work in Easy Containers. For macvlan, I found this page useful:

https://sreeninet.wordpress.com/2016/05/29/macvlan-and-ipvlan/

Then I figured out something a bit different, and surprise, surprise, it actually worked! The script /usr/local/easy_containers/ec-chroot is where the action is. When the macvlan-bridge option is chosen, the code looks something like this. Just the essential parts have been pulled out of the script:

IFcont="$(echo -n "$EXE" | sed -e 's%[^a-zA-Z0-9]%%g' | tr '[A-Z]' '[a-z]')1" #ex: seamonkey1 --just want a unique name
NETNSexe="ip netns exec ${IFcont}ns"
IFIP="$(getlocalip | grep -v '^lo' | grep '^[a-z0-9]*: ' | tail -n 1)" #my veth tests created eth0.5 etc, screen out.
IFhost="${IFIP/:*/}" #ex: eth0
ip link add ${IFcont} link ${IFhost} type macvlan mode bridge
ip netns add ${IFcont}ns
ip link set ${IFcont} netns ${IFcont}ns
ip netns exec ${IFcont}ns ifconfig ${IFcont} up
ip netns exec ${IFcont}ns dhcpcd -b ${IFcont} #-b background immediately

The $EXE is the name of the container, for example "seamonkey", and I used that to create a unique network interface name, $IFcont, for use in the container, for example "seamonkey1" -- there is no law that interface names have to be the conventional "eth0" etc!

'getlocalip' is a handy utility that I posted about awhile back:

http://bkhome.org/news/201802/new-getlocalip-utility.html

I also wanted to generate a unique name for the 'network namespace' in the host, that is ${IFcont}ns, so "seamonkey1ns".

The second-last line brings up the interface in the new network-namespace, and the last line runs dhcpcd to obtain a lease and assign an IP to the interface.

All ready to go... as per the veth example, I did not create a separate network-namespace with 'pflask' -- I tried, but couldn't get it to work. With a separate network-namespace by pflask, then 'dhcpcd' has to be run in the container, or the busybox 'udhcpc' -- but this requires removing some of the security, and I couldn't get it to work anyway (the interface showed up inside the container, and 'udhcpc' ran but was unable to obtain a lease).

So, 'ec-chroot' is running pflask with '${NETNSexe}' prefixed, like this:

${NETNSexe} pflask ...

It's working. Now looking into some other improvements to Easy Containers, including the GUI.
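Added example, not code from ec-chroot or from the EasyOS project: the same five steps as the excerpt above, wrapped in shell functions with a dry-run mode so the generated commands can be read without root, plus two things the excerpt does not show. The first is a check that the generated interface name fits the kernel's 15-character limit on interface names (a long container name would otherwise make 'ip link add' fail); the second is the matching teardown, which releases the DHCP lease and deletes the namespace, taking the macvlan device with it. It assumes a Linux host with iproute2 and dhcpcd; 'ip link set ... up' stands in for the excerpt's 'ifconfig ... up'. The function names ec_ifname, ec_macvlan_up and ec_macvlan_down and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example (not code from ec-chroot): derive the per-container interface
# and namespace names the way the excerpt does, check them, and emit or run the
# macvlan setup and its teardown. DRY_RUN=1 (the default) prints the commands
# instead of executing them; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Unique interface name from the container name ($EXE in the excerpt): strip
# non-alphanumerics, lowercase, append "1". Also enforces the kernel's limit of
# 15 characters for an interface name, which the one-liner does not check.
ec_ifname() {
    base="$(printf '%s' "$1" | sed -e 's%[^a-zA-Z0-9]%%g' | tr 'A-Z' 'a-z')"
    name="${base}1"
    if [ -z "$base" ] || [ "${#name}" -gt 15 ]; then
        echo "ec_ifname: '$1' gives '$name', which is empty or longer than 15 chars" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# ec_macvlan_up CONTAINER HOSTIF: macvlan device in bridge mode on the host
# interface, moved into its own network namespace, brought up, then dhcpcd
# in the background (-b), exactly the order used in the excerpt.
ec_macvlan_up() {
    ifc="$(ec_ifname "$1")" || return 1
    host_if="$2"
    ns="${ifc}ns"
    run ip link add "$ifc" link "$host_if" type macvlan mode bridge
    run ip netns add "$ns"
    run ip link set "$ifc" netns "$ns"
    run ip netns exec "$ns" ip link set "$ifc" up
    run ip netns exec "$ns" dhcpcd -b "$ifc"
}

# ec_macvlan_down CONTAINER: release the lease and stop dhcpcd (-k), then
# delete the namespace. Deleting a netns destroys the virtual devices inside
# it, so the macvlan device is removed along with it.
ec_macvlan_down() {
    ifc="$(ec_ifname "$1")" || return 1
    ns="${ifc}ns"
    run ip netns exec "$ns" dhcpcd -k "$ifc"
    run ip netns del "$ns"
}

# Stand-alone usage:
#   sh ec-macvlan.sh up seamonkey eth0      sh ec-macvlan.sh down seamonkey
case "$1" in
    up)   ec_macvlan_up "$2" "${3:-eth0}" ;;
    down) ec_macvlan_down "$2" ;;
esac
```

With the default DRY_RUN=1, 'sh ec-macvlan.sh up seamonkey eth0' just prints the five commands, which is a convenient way to review what a given container name will produce before running anything as root.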

Tags: easy

Containers veth bridge, getting started

October 01, 2018 — BarryK

I started to put together Easy Containers in January 2017, and this website was extremely helpful:

http://blog.z3bra.org/2016/03/hand-crafted-containers.html

...lovely clear grass-roots explanation. At that time, I did not bother about 'network namespace', just using the host network namespace in the containers -- which makes things very simple, just have to copy /etc/resolv.conf into a container, and we have Internet access. I do drop 'network capabilities', so it is reasonably secure.

Forward to now, and I am experimenting with a container having its own network namespace. The above link has an example, setting up a 'virtual ethernet' bridge. It requires the "netns" option for the 'ip' utility, which the Busybox ip applet does not have, so I had to install the full 'ip' from the 'iproute2' package -- the 'ip' is 430KB unfortunately.

Here is what I did, following the example from the above link:

# brctl addbr br0
# brctl addif br0 eth0
# dhcpcd br0
br0: waiting for carrier
br0: carrier acquired
br0: adding address fe80::4ea2:f3b9:2318:6773
DUID 00:01:00:01:13:43:3e:ca:c0:55:e9:0f:eb:00
br0: IAID e8:0f:ec:00
br0: soliciting a DHCP lease
br0: offered 192.168.1.3 from 192.168.1.1
br0: leased 192.168.1.3 for 7200 seconds
br0: adding route to 192.168.1.0/24
br0: adding default route via 192.168.1.1
forked to background, child pid 5414
# ip netns add handcraft
# ip link add veth1 type veth peer name eth1
RTNETLINK answers: File exists
# ip link set eth1 netns handcraft
# brctl addif br0 veth1
brctl: iface veth1: No such device
# ip link add veth2 type veth peer name eth2
# ip link set eth2 netns handcraft
# brctl addif br0 veth2
# ip link set veth2 up
# ip netns exec dhcpcd eth2
Cannot open network namespace "dhcpcd": No such file or directory
# ip netns exec handcraft dhcpcd eth2
eth2: waiting for carrier
eth2: carrier acquired
eth2: adding address fe80::b4b:efa7:15f7:d3d0
DUID 00:01:00:01:13:43:3e:ca:c0:55:e9:0f:eb:00
eth2: IAID d4:a8:e2:56
eth2: soliciting a DHCP lease
eth2: soliciting an IPv6 router
eth2: offered 192.168.1.4 from 192.168.1.1
eth2: probing address 192.168.1.4/24
eth2: leased 192.168.1.4 for 7200 seconds
eth2: adding route to 192.168.1.0/24
eth2: adding default route via 192.168.1.1
forked to background, child pid 6996
#

Along the way, I got two errors, but was able to fix them. I don't know why it objected to "veth1". The second error is due to a syntax error in the example, which I sorted out by reading this excellent page:

https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
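Added example, not from the post or from either of the linked write-ups: the "RTNETLINK answers: File exists" error above comes from asking for a peer name that the host already has, so this checks both ends of the veth pair against the host's interface list before printing the commands. The inventory is the text of 'ip -o link', passed in as a string so the checks can be exercised offline; the sample below is constructed to mimic a PC with two physical ports, eth0 and eth1. One extra line brings up 'lo' inside the namespace, because a new network namespace starts with its loopback device down. The function names link_names, ifname_free, pick_free_ifname and veth_bridge_plan are my own.

```shell
#!/bin/sh
# Added example: check interface names against what the host already has before
# creating a veth pair, then emit the bridge/namespace commands in the post's
# order. Nothing here is executed; pipe the plan to 'sh' as root to apply it.

# Constructed sample of 'ip -o link' output on a host with two physical ports.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# Interface names from 'ip -o link' text on stdin, one per line. The "@peer"
# suffix shown for veth ends and VLAN sub-interfaces (eth0.5@eth0) is dropped.
link_names() {
    sed -n 's/^[0-9][0-9]*: \([^:@]*\)[@:].*/\1/p'
}

# ifname_free NAME < links : succeed only if NAME is not in use on the host.
ifname_free() {
    ! link_names | grep -qx "$1"
}

# pick_free_ifname BASE [N] < links : first of BASE<N>, BASE<N+1>, ... not in use.
pick_free_ifname() {
    base="$1"; n="${2:-1}"; names="$(link_names)"
    while printf '%s\n' "$names" | grep -qx "${base}${n}"; do
        n=$((n + 1))
    done
    printf '%s\n' "${base}${n}"
}

# veth_bridge_plan LINKS NETNS [BRIDGE] : print the commands with both veth ends
# named by pick_free_ifname. The bridge itself (brctl addbr/addif eth0, dhcpcd)
# is assumed to exist already, as in the post. 'ip link set lo up' is added
# because a fresh namespace has its loopback device down.
veth_bridge_plan() {
    links="$1"; ns="$2"; bridge="${3:-br0}"
    hostend="$(printf '%s\n' "$links" | pick_free_ifname veth 1)"
    contend="$(printf '%s\n' "$links" | pick_free_ifname eth 1)"
    cat <<EOF
ip netns add $ns
ip link add $hostend type veth peer name $contend
ip link set $contend netns $ns
brctl addif $bridge $hostend
ip link set $hostend up
ip netns exec $ns ip link set lo up
ip netns exec $ns dhcpcd $contend
EOF
}

# Stand-alone usage: sh veth-plan.sh handcraft   (plans against the live host)
if [ -n "$1" ]; then
    veth_bridge_plan "$(ip -o link 2>/dev/null)" "$1"
fi
```

On the sample inventory the plan picks 'veth1' for the host end and 'eth2' for the container end, which is exactly the pair that worked above once 'eth1' was found to be taken.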

Now to run my container. The container rootfs is already set up, with /etc/resolv.conf copied in, so it is just a matter of chrooting into it. Using pflask:

# ip netns exec handcraft pflask --keepenv --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-ipcns --no-netns \
--caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-mknod,-sys_module,-sys_nice,-sys_resource \
--no-userns --chroot=/mnt/sdc2/containers/sh0/container -- /ec-run sh0 sakura

...I have not specified a network namespace for pflask, instead have prefixed the command with 'ip netns exec handcraft', as shown above.

Inside the container, I expect 'eth2' to be accessible:

# ifconfig
eth2 Link encap:Ethernet HWaddr 9A:45:D4:A9:E2:57
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe81::b4b:efa6:15f7:d3d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:104 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39782 (38.8 KiB) TX bytes:1737 (1.6 KiB)

# ping google.com
PING google.com (172.217.167.78): 56 data bytes
64 bytes from 172.217.167.78: seq=0 ttl=49 time=82.916 ms

...yay!

Notice no 'lo' interface, would have to set that up. But, do I need it?

Tags: easy

Kernel 4.14.73, ethernet bridge

September 30, 2018 — BarryK

I am currently working on Easy Containers in EasyOS, mostly targeting improving security. It now uses the 'pflask' utility, which I posted about here:

http://bkhome.org/news/201809/pflask-chroot-on-steroids.html

One security step is to enable 'network namespace' for the container, and use an 'ethernet bridge' to access the physical network interface. However, I found that my Linux kernel is not configured correctly. So, I have just now compiled the 4.14.73 kernel, running EasyOS, with these turned on:

[*] Networking support
        Networking options
            <*> IPV6 support
            <*> 802.1D Ethernet bridging
            <*> 802.1Q VLAN support

Note, previously, IPV6 support was a module, but to configure ethernet bridging to be built-in, I had to change IPV6 to built-in.

I will probably post a little tutorial on how I setup the bridge, after figuring it out.

The kernel source, with patches and build scripts is here:

http://distro.ibiblio.org/easyos/source/kernel/4.14.73/

...'DOTconfig-4.14.73.gz' is the latest '.config' file. There is another 'DOTconfig-4.14.73' inside the 'build-kernel-4.14.73.tar.gz' tarball, that does not have the above ethernet bridge support.

Tags: easy

pflask, chroot on steroids

September 27, 2018 — BarryK

Yesterday I posted a list of URLs about low-level grass-roots container creation:

http://bkhome.org/news/201809/low-level-container-how-tos.html

One of those is Pflask, and I am liking it very much. It can be used as simply as a drop-in replacement for 'chroot', or a lot more. Here is the project home page:

https://ghedo.github.io/pflask/

Man page:

https://ghedo.github.io/pflask/pflask.html

Source code:

https://github.com/ghedo/pflask

The problem for me with containers is that it is such a complex topic. It is a full-time job in itself, whereas I just take a look at Easy Containers (in EasyOS) every now and again. I do need to leverage off other work, and 'ghedo' has done a brilliant job. I have been testing Pflask and am impressed by how simple and yet featureful it is.

Note, there are some patches here, don't know if any of them are useful:

https://github.com/OverC/meta-overc/blob/master-oci/meta-cube/recipes-containers/pflask/pflask_git.bb

Tags: easy

libseccomp bumped, cgroups in kernel

September 22, 2018 — BarryK

Now returning to developing EasyContainers, after a lapse of a couple of months. Well, I think it is getting on to about two months since I last dabbled in them.

Preparing the ground, so to speak, I want to have 'libseccomp' in EasyOS. The package is already compiled in 'oe-qky-src', my fork of OpenEmbedded, as it was needed for Flatpak (universal packages) support (that I experimented with a couple of months ago).

I have bumped 'libseccomp' from 2.3.1 to 2.3.3, see commits:

https://github.com/bkauler/oe-qky-src/commit/a0c9eb170a76d19e6794bf6080532a61903de3d4

I have also compiled the 4.14.71 kernel in EasyOS Pyro, with more support for cgroups. Previously, I had only enabled "Device controller" support in cgroups (General setup -> Control group support); I have now enabled these as well:

Memory controller
IO controller
CPU controller
PIDs controller
RDMA controller
Simple CPU accounting controller

The previous kernel build had "User namespaces" enabled (General setup -> Namespaces support). I have now disabled that, but the other namespaces are still enabled.

Note, have also done the same for the 4.18.9 kernel, that I compiled yesterday for the Quirky builds.
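Added example, not part of these posts or of the EasyOS build scripts: a small checker that reads a kernel .config and reports, for each option the two kernel posts on this page turn on (bridging, VLAN, IPv6, the cgroup controllers) or turn off (user namespaces), whether it is built-in, a module, or absent. The CONFIG symbols are the kernel's own names for the menuconfig labels quoted in the posts; CONFIG_NET_NS, CONFIG_VETH and CONFIG_MACVLAN are added by me because the container posts above depend on them. The sample config is constructed to look like the state before the changes; the function names kconfig_state and kconfig_check and the REQUIRED table are my own.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options the posts need.
# Usage: sh kconfig-check.sh /path/to/DOTconfig-4.14.73
#        gunzip -c DOTconfig-4.14.73.gz | sh kconfig-check.sh /dev/stdin
#        sh kconfig-check.sh --demo      (runs on the constructed sample)

# SYMBOL WANT label.  WANT: y = must be built-in, m = module is acceptable,
# n = must be off. CONFIG_BRIDGE=y is only allowed when IPv6 is built-in or
# off (its Kconfig says 'depends on IPV6 || IPV6=n'), which is why the post
# had to switch IPv6 from module to built-in.
REQUIRED='
CONFIG_NET y Networking support
CONFIG_IPV6 y IPv6 support
CONFIG_BRIDGE y 802.1D Ethernet bridging
CONFIG_VLAN_8021Q m 802.1Q VLAN support
CONFIG_NET_NS y Network namespace
CONFIG_VETH m Virtual ethernet pair device
CONFIG_MACVLAN m MAC-VLAN support
CONFIG_CGROUP_DEVICE y Device controller
CONFIG_MEMCG y Memory controller
CONFIG_BLK_CGROUP y IO controller
CONFIG_CGROUP_SCHED y CPU controller
CONFIG_CGROUP_PIDS y PIDs controller
CONFIG_CGROUP_RDMA y RDMA controller
CONFIG_CGROUP_CPUACCT y Simple CPU accounting controller
CONFIG_USER_NS n User namespaces (disabled in the post)
'

# Constructed sample: a config like the earlier one the post describes,
# before bridging, built-in IPv6 and the extra cgroup controllers were enabled.
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_IPV6=m
# CONFIG_BRIDGE is not set
CONFIG_VLAN_8021Q=m
CONFIG_NET_NS=y
CONFIG_VETH=m
CONFIG_MACVLAN=m
CONFIG_CGROUP_DEVICE=y
# CONFIG_MEMCG is not set
# CONFIG_BLK_CGROUP is not set
# CONFIG_CGROUP_SCHED is not set
# CONFIG_CGROUP_PIDS is not set
# CONFIG_CGROUP_RDMA is not set
# CONFIG_CGROUP_CPUACCT is not set
CONFIG_USER_NS=y'

# kconfig_state SYMBOL < config : prints y, m, or n ("is not set" or absent).
kconfig_state() {
    v="$(sed -n "s/^$1=\(.\).*/\1/p" | head -n 1)"
    printf '%s\n' "${v:-n}"
}

# kconfig_check < config : one report line per requirement; returns 1 if any fails.
kconfig_check() {
    cfg="$(cat)"
    rc=0
    while read -r sym want label; do
        [ -n "$sym" ] || continue
        have="$(printf '%s\n' "$cfg" | kconfig_state "$sym")"
        case "$want:$have" in
            y:y|m:y|m:m|n:n) status=ok ;;
            y:m)             status='MODULE, needs built-in'; rc=1 ;;
            n:*)             status='ENABLED, should be off'; rc=1 ;;
            *:n)             status=MISSING; rc=1 ;;
            *)               status="UNEXPECTED value '$have'"; rc=1 ;;
        esac
        printf '%-22s %s  %s (%s)\n' "$sym" "$have" "$status" "$label"
    done <<EOF
$REQUIRED
EOF
    return $rc
}

case "$1" in
    --demo) printf '%s\n' "$SAMPLE_CONFIG" | kconfig_check ;;
    ?*)     kconfig_check < "$1" ;;
esac
```

Running it with --demo flags IPv6 as "MODULE, needs built-in", bridging and the missing controllers as MISSING, and CONFIG_USER_NS as "ENABLED, should be off"; against the 'DOTconfig-4.14.73.gz' linked from the earlier post it should come back clean for the network options.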

Tags: easy

Easy Beaver 0.9.4 released

September 21, 2018 — BarryK

Easy Beaver 0.9.3 was released just two days ago. It has the 4.18.8 kernel, but there was an advisory of a security issue, so I have now upgraded to 4.18.9. It also has 'youtube-dl', a YouTube downloader script, but we found that it no longer works -- a new script was made available yesterday and I have upgraded. The "desk" icon on the desktop did not work, as the 'xserver-xephyr' DEB package was missing. These fixes were important, hence release 0.9.4.

Easy Beaver 0.9.2 was released in May 2018:

http://bkhome.org/news/201805/easy-beaver-092-released.html

Mostly, I have focused on the "Pyro" series of EasyOS, built with packages compiled entirely from source, using my fork of OpenEmbedded. However, I also created some builds using Ubuntu DEBs -- there were some releases based on Ubuntu Xenial Xerus DEBs, and one using Bionic Beaver DEBs (0.9.2).

I have now built EasyOS x86_64 with Bionic Beaver 18.04.1 DEBs, codenamed "Easy Beaver", version 0.9.4. Download from here:

http://distro.ibiblio.org/easyos/amd64/releases/beaver/0.9.4/

Built with the latest woofQ, so in that respect it is on a par with the Pyro series. Building with Ubuntu DEBs does result in a considerably bigger download file; however, weigh that against compatibility with the Ubuntu DEB repositories.
The kernel is 4.18.9, patched with aufs.

The download is an image that you can write to a USB stick, as described here:

http://bkhome.org/easy/how-to-write-easyos-to-a-flash-drive.html

Pyro
Regarding the Pyro series, this generally sees more activity from me. These are the latest releases:

0.9.6.3, x86_64, Raspberry Pi3:
http://bkhome.org/news/201809/easyos-0963-64-bit-on-raspberry-pi.html

0.9.6, x86 32-bit, PC:
http://bkhome.org/news/201808/easyos-32-bit-version-096.html

0.9.6, x86_64, PC:
http://bkhome.org/news/201808/easyos-version-096-released.html

Feedback
Feedback is welcome, hosted on the Puppy Forum:

http://murga-linux.com/puppy/viewtopic.php?t=109958

Tags: easy