[Buildd-tools-devel] schroot suggestions

Roger Leigh rleigh at debian.org
Tue Apr 15 20:31:50 UTC 2008


On Wed, Apr 09, 2008 at 10:45:02AM -0600, Martin Fick wrote:

[schroot]
> I have a few suggestions/questions about improving it though.  I am using Debian
> schroot 1.1.6-1.
> 
> 1) First, I found that I have a problem with the default 50chrootname setup script.
> The script seems to assume that chroots will have an /etc directory!  Mine don't;
> they are very minimal chroots to simply run a single program/filter.  Might I
> suggest a simple patch such as the one at the end of this email to fix this?

Yes, this is a great idea.  I think the patch as is might want to use
"-f" rather than "-d" if you want to check for /etc/debian_chroot, or
just use -d to check for /etc, otherwise it will never return true.

> 2) I would like to have real session support for directory schroots (i.e. copying
> the directory to a mount point before using it), is that something that I should be
> able to add myself by modifying the setup scripts?  Perhaps by adding a source= key
> which would replace the location= key.

You could possibly add this to the setup scripts, but I would suggest
that it might be better to add this as a new chroot type.  I can
certainly do this quite easily: we just derive a new chroot class from
sbuild::chroot_directory with the extra properties you want in the
config file, and then add/modify one of the setup scripts to do the
copying.

> 3) I would like to potentially add a new type of schroot, a "link" type which would
> be similar to the "session directory" type suggested in #2, but instead of copying
> the directory structure, for efficiency's sake, it would hard link every file into a
> new directory tree (not quite as safe, but much faster and more space efficient!)

This would be potentially easy to do, I think probably as a special case
of the directory copying as above.  This could be as simple as a
"hardlink=true" property in the config file.

> 4) I would like to potentially add some support for additional vserver isolation
> mechanisms since I use vservers and my kernel is therefore vserver enabled.
> 
> Primarily, a) I am thinking about "chbind" support so that a schroot invocation can
> be network-isolated, making it impossible for programs in the schroot to use the
> network at all!  This seems like it would require the ability to run a process
> inline with session executions?  i.e. the process running in the schroot would need
> to be a child of the "inline" process which would be run for every 'schroot -r'
> execution.  Is there a mechanism to do something like this?  Would you consider
> adding support for something like this?

Certainly.  I don't personally know anything about vservers, however, so
I would need some help here.  I don't fully understand what an "inline"
process is, for example.

> Additional vserver features that could be useful:
> 
> b) COW support.  Make a COW type which is like the "link" type suggested in #3, but
> it uses the COW support from the vserver project to ensure that the original files
> are never overwritten!
> 
> c) Perhaps adding a chroot barrier startup script which would isolate the chroot
> more safely.  (this should be an easy one)

I'll happily accept any patches or instructions for how to implement
these.  However, I can't really test it or write it myself without
getting a better understanding of vservers.

> d) Some form of vserver context support, this could mean putting sessions into their
> own context making them real sessions with persistent process abilities.  More than
> I would need, but it might be useful at some point for someone else.
> 
> I realize that the vserver framework could be used directly for many of these
> things, but schroot has two major advantages (that I see so far) over straight
> vservers: the non-root user invocation and sessions!  The simplicity and
> light weight are added benefits.
> 
> 5) Have you considered making packages that contain schroot bundles?  i.e perhaps
> Debian could distribute packages which would get installed under
> /var/lib/schroot/schroots or somewhere similar.  This would allow programs to be
> installed ready for use as schroots.  If such bundles contained an "schroot.conf"
> file, they could automatically be appended to /etc/schroot/schroot.conf!

I have considered doing this.  In fact, the code is already there to do
this; it's just a 2-3 line change to add the ability.  We could for
example add a /etc/schroot/conf.d directory, into which one could drop a
file containing one or more chroot definitions, just like in
schroot.conf.  (This is already done for reloading the sessions from
/var/lib/schroot/session, so the code is already well tested.)

> Thanks for your time, and for the great product.  Extra background info: I plan on
> using schroot to embed filter type programs (such as gnuplot/pic2plot) into pmwiki
> to make them safer for web usage.

Cool.  I'm glad it's been useful for you.


Many thanks for all of the very interesting suggestions.  I'll be able
to implement some of the easier ones quite quickly, but the vserver
stuff might take a little more time, and collaboration to get going.


Kind regards,
Roger


-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
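Two of the points above (the 50chrootname guard in item 1, and the hard-link
session tree in item 3) are concrete enough to try out. The script below is an
added example written for this page; it is not schroot's own setup script and
not the patch Martin refers to. It assumes GNU cp (for "cp -al"), uses the
function names write_chroot_name, make_hardlink_session and the demo_* helpers
as our own invention, and takes the chroot path and name as plain arguments
rather than the environment the real setup scripts receive. The second half
shows the "not quite as safe" part of hard-linked sessions: an in-place write
through the session path modifies the original file, while a remove-and-recreate
leaves the original untouched.

```shell
#!/bin/sh
# Added example, not schroot code. Constructed chroot trees live in mktemp -d.

# Item 1: write /etc/debian_chroot only when the chroot actually has an /etc
# directory (test -d on /etc, as suggested in the reply). A minimal chroot
# without /etc is left alone and the step still succeeds, so setup does not
# abort for chroots that only carry a single program.
write_chroot_name() {
    chroot_path=$1
    chroot_name=$2
    if [ -d "$chroot_path/etc" ]; then
        printf '%s\n' "$chroot_name" > "$chroot_path/etc/debian_chroot"
    fi
    return 0
}

# Self-check: one chroot with /etc, one without. Prints "ok" or "fail".
demo_chroot_name() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/full/etc" "$tmp/minimal/bin"
    write_chroot_name "$tmp/full" sid
    write_chroot_name "$tmp/minimal" filter
    result=fail
    if [ "$(cat "$tmp/full/etc/debian_chroot")" = sid ] \
       && [ ! -e "$tmp/minimal/etc" ]; then
        result=ok
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Item 3: build a session tree by hard-linking every file of the source.
# cp -a recurses and preserves mode/owner/timestamps; -l makes hard links
# instead of copying data. Directories are created anew, so only the file
# inodes are shared. (GNU cp; hard links cannot cross filesystems.)
make_hardlink_session() {
    src=$1
    dst=$2
    cp -al "$src" "$dst"
}

# Prints "shared" if an in-place write in the session shows up in the
# source, "isolated" otherwise. With hard links this is "shared".
demo_hardlink_session() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/usr/bin"
    printf 'original\n' > "$tmp/src/usr/bin/tool"
    make_hardlink_session "$tmp/src" "$tmp/session"
    # Both paths must name the same inode, or the session was not linked.
    if ! [ "$tmp/src/usr/bin/tool" -ef "$tmp/session/usr/bin/tool" ]; then
        rm -rf "$tmp"; echo error; return 1
    fi
    # O_TRUNC on the shared inode: the original is overwritten too.
    printf 'modified\n' > "$tmp/session/usr/bin/tool"
    if [ "$(cat "$tmp/src/usr/bin/tool")" = modified ]; then
        result=shared
    else
        result=isolated
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Unlink-then-create (what dpkg and write-then-rename editors do) breaks the
# link, so the source keeps its content. Prints "isolated" or "shared".
demo_replace_session() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/usr/bin"
    printf 'original\n' > "$tmp/src/usr/bin/tool"
    make_hardlink_session "$tmp/src" "$tmp/session"
    rm "$tmp/session/usr/bin/tool"
    printf 'replacement\n' > "$tmp/session/usr/bin/tool"
    if [ "$(cat "$tmp/src/usr/bin/tool")" = original ]; then
        result=isolated
    else
        result=shared
    fi
    rm -rf "$tmp"
    echo "$result"
}
```

The practical consequence for a "link" chroot type is that it only protects the
original tree against tools that replace files, not against ones that write
into them; anything run inside such a session that truncates or appends to an
existing file edits the source chroot. That is the gap the COW idea in 4(b) is
meant to close.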


