Easy Containers for Puppy Linux
Posted: Wed 25 Jan 2017, 05:35
Well, this is "cutting edge" for me, but sandboxes, chroot-jails and containers for Linux have been around for years, with many different ways of doing it.
jamesbond has done a lot of work in this area for Fatdog, and I posted an email he sent me yesterday:
http://barryk.org/news/?viewDetailed=00501
After studying a lot of online documentation, I have put together something very simple, that I have named "Easy Containers". I have just now posted about it on my blog:
http://barryk.org/news/?viewDetailed=00502
The basic idea of containers is to run an app in isolation, with far greater security than the normal running as a non-root user.
But it also has uses other than for security, for example, compile a package in a container, and test it, without messing up the main filesystem.
But, I am new to this, and I am wondering what security holes still exist with what I have done.
Also, there are a couple of issues, a crash-at-first-X-app-run, and no dbus.
This topic is extremely interesting, with enormous potential for our puplets, so I thought I would post to the forum and invite feedback.
One thing, most Puppy kernels do not have overlayfs enabled, though it is part of the kernel source. Instead, they use the third-party aufs. So my instructions for mounting a layered filesystem will be slightly different in the case of aufs.
jamesbond has done a lot of work in this area for Fatdog, and I posted an email he sent me yesterday:
http://barryk.org/news/?viewDetailed=00501
After studying a lot of online documentation, I have put together something very simple, that I have named "Easy Containers". I have just now posted about it on my blog:
http://barryk.org/news/?viewDetailed=00502
The basic idea of containers is to run an app in isolation, with far greater security than the normal running as a non-root user.
But it also has uses other than for security, for example, compile a package in a container, and test it, without messing up the main filesystem.
But, I am new to this, and I am wondering what security holes still exist with what I have done.
Also, there are a couple of issues, a crash-at-first-X-app-run, and no dbus.
This topic is extremely interesting, with enormous potential for our puplets, so I thought I would post to the forum and invite feedback.
One thing, most Puppy kernels do not have overlayfs enabled, though it is part of the kernel source. Instead, they use the third-party aufs. So my instructions for mounting a layered filesystem will be slightly different in the case of aufs.