Hi guys,
I need to run an FTP service for an old Webcam to upload snapshots to me with. I want it sandboxed from the rest of my system.
Currently IIUC from https://wiki.archlinux.org/index.php/Systemd-nspawn I need to install an entire OS and configure an FTP daemon like bftpd to receive the files.
But that seems like a bit of headache and waste of disk space to install an ENTIRE OS for that.
Or am I missing a trick? Could I for example use `--share-system`??
Has anyone managed to just run for example a Golang binary? `I keep getting Directory FOOBAR lacks the binary to execute or doesn't look like a binary tree. Refusing.`
Furthermore does systemd-cgls work for anyone? How do I check for example the bandwidth my "arch" container is taking?
X1C3:~$ machinectl
MACHINE CLASS SERVICE
arch container nspawn
1 machines listed.
X1C3:~$ systemd-cgls -M arch
Failed to query ControlGroup: Unknown property or interface.
I'm on systemd 222-1
Many thanks,
Last edited by hendry (2015-07-20 10:48:45)
1. nspawn does not provide a *secure* sandbox. It's only suitable for debugging, packaging, testing, and keeping your base install clean.
2. You can use btrfs with dedup to reduce disk usage. Alternatively, you could create some base read-only image and use overlayfs to overlay a writeable filesystem but this is fairly tricky to get right. Also, you don't actually need to pacstrap all of base.
> `I keep getting Directory FOOBAR lacks the binary to execute or doesn't look like a binary tree. Refusing.`
I highly doubt that's the exact error you're getting (binary generally refers to an ELF executable, binary tree is a data structure). Did you install go in the container? How are you trying to run the program?
> Furthermore does systemd-cgls work for anyone? How do I check for example the bandwidth my "arch" container is taking?
That's a bug (https://github.com/systemd/systemd/pull/632).
Last edited by Stebalien (2015-07-20 16:20:26)
1. It's not secure? Surely the whole idea of containers (chroot 2.0) is to be a sandbox? Can you explain your assertion please?
Can you propose an alternative strategy for my FTP use case?
2. lol, not using bloatware btrfs :}
3. For example:
git clone git@github.com:kaihendry/dc.git
X1C3:/tmp/dc$ go build -a -tags netgo -installsuffix netgo .
X1C3:/tmp/dc$ file ./dc
./dc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
I can't seem to run dc via systemd-nspawn!
Thanks for your work on systemd integration in Archlinux. Really awesome.
Last edited by hendry (2015-07-21 02:05:54)
> 1. It's not secure? Surely the whole idea of containers (chroot 2.0) is to be a sandbox? Can you explain your assertion please?
man systemd-nspawn, paragraph 3.
> Can you propose an alternative strategy for my FTP use case?
Use a different container system (LXC, docker, etc.) and/or use a mandatory access control system.
> 2. lol, not using bloatware btrfs :}
BTRFS is actually quite a nice filesystem. Regardless, please don't bash other people's software.
> 3. For example:
> git clone git@github.com:kaihendry/dc.git
> X1C3:/tmp/dc$ go build -a -tags netgo -installsuffix netgo .
> X1C3:/tmp/dc$ file ./dc
> ./dc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
> I can't seem to run dc via systemd-nspawn!
What's the *exact* error? How are you running this via nspawn? Can you run it outside of the container? Do non-go binaries work inside the container?
> Thanks for your work on systemd integration in Archlinux. Really awesome.
Thanks but, as of right now, I've only written a total of one patch (the one I linked).
RE security, isn't systemd-nspawn based on LXC?! I reckon they posted that statement on the man page to ease off the pressure of asserting security.
I'm not sure what you mean by "mandatory access control system" in practice. Can you give me an example? Hopefully you are not going to recommend something nutty like SElinux. I want something usable and easy.
RE btrfs, it does have a high SLOC and tbh ext4 is getting that way too with jbd2 & encryption into the mix. Sigh.
Here is how I've been trying to run just a binary in a container:
X1C3:~$ cd /tmp
X1C3:/tmp$ git clone git@github.com:kaihendry/dc.git
Cloning into 'dc'...
remote: Counting objects: 21, done.
remote: Total 21 (delta 0), reused 0 (delta 0), pack-reused 21
Receiving objects: 100% (21/21), done.
Resolving deltas: 100% (4/4), done.
Checking connectivity... done.
X1C3:/tmp$ cd dc
X1C3:/tmp/dc$ go build -a -tags netgo -installsuffix netgo .
X1C3:/tmp/dc$ ./dc
http://localhost:3000
^CX1C3:/tmp/dc$ file ./dc
./dc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
X1C3:/tmp/dc$ sudo systemd-nspawn ./dc
Directory /tmp/dc lacks the binary to execute or doesn't look like a binary tree. Refusing.
X1C3:/tmp/dc$ sudo systemd-nspawn .
Directory /tmp/dc lacks the binary to execute or doesn't look like a binary tree. Refusing.
X1C3:/tmp/dc$
What am I missing?
> RE security, isn't systemd-nspawn based on LXC?! I reckon they posted that statement on the man page to ease off the pressure of asserting security.
No. systemd-nspawn creates linux containers but LXC is a different project. Lennart has actually stated in public (there's a video on youtube but I can't find it) that systemd-nspawn is not intended as a replacement for docker, LXC, etc. Instead, it's intended for testing software (especially systemd itself) and containers, and packaging.
> I'm not sure what you mean by "mandatory access control system" in practice. Can you give me an example? Hopefully you are not going to recommend something nutty like SElinux. I want something usable and easy.
Actually, I was going to recommend TOMOYO. It has a nice learning mode and is much easier to configure than SELinux.
> Here is how I've been trying to run just a binary in a container:
> X1C3:~$ cd /tmp
> X1C3:/tmp$ git clone git@github.com:kaihendry/dc.git
> Cloning into 'dc'...
> remote: Counting objects: 21, done.
> remote: Total 21 (delta 0), reused 0 (delta 0), pack-reused 21
> Receiving objects: 100% (21/21), done.
> Resolving deltas: 100% (4/4), done.
> Checking connectivity... done.
> X1C3:/tmp$ cd dc
> X1C3:/tmp/dc$ go build -a -tags netgo -installsuffix netgo .
> X1C3:/tmp/dc$ ./dc
> http://localhost:3000
> ^CX1C3:/tmp/dc$ file ./dc
> ./dc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
> X1C3:/tmp/dc$ sudo systemd-nspawn ./dc
> Directory /tmp/dc lacks the binary to execute or doesn't look like a binary tree. Refusing.
> X1C3:/tmp/dc$ sudo systemd-nspawn .
> Directory /tmp/dc lacks the binary to execute or doesn't look like a binary tree. Refusing.
> X1C3:/tmp/dc$
> What am I missing?
systemd-nspawn expects a basic filesystem hierarchy in the container directory (it needs to mount things like proc, dev, sys, etc...). You can install it with pacstrap (`pacstrap -idc /tmp/dc filesystem`). You will probably also need packages like glibc.
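As an added example, not code from the thread or from the systemd project: a POSIX sh script that builds the minimal tree Stebalien describes around a static binary (the refusal quoted in the question is nspawn's check for an os-release file) and prints the matching nspawn invocation. The root path, the location of the `dc` binary, the upload directory and the `--read-only`/`--bind=` flags are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example (not from the thread): build the smallest directory tree that
# systemd-nspawn will accept as an OS tree, put one static binary in it, and
# assemble the matching nspawn command line. ROOT, the binary path and the
# upload directory are assumptions; adjust them to your setup. As the reply
# above notes, this narrows what the binary can see but is not a hardened
# sandbox on its own.
set -eu

# make_minimal_root ROOT BINARY
# The "doesn't look like a binary tree" refusal is nspawn's check for an
# os-release file, so one is written; the directories are the mount points
# nspawn sets up (proc, sys, dev, run, tmp) plus /upload for the bind mount.
make_minimal_root() {
    root=$1
    bin=$2
    for d in bin etc proc sys dev run tmp var/tmp usr/lib upload; do
        mkdir -p "$root/$d"
    done
    printf 'ID=minimal\nPRETTY_NAME="minimal static root"\n' \
        > "$root/etc/os-release"
    cp "$bin" "$root/bin/$(basename "$bin")"
    chmod 0755 "$root/bin/$(basename "$bin")"
}

# nspawn_cmd ROOT BINARY UPLOAD_DIR
# Prints (does not run) the invocation: the root stays read-only, only the
# host upload directory is writable inside the container, and the binary is
# named by its path inside the container, not the host path.
nspawn_cmd() {
    root=$1
    name=$(basename "$2")
    upload=$3
    printf 'systemd-nspawn -D %s --read-only --bind=%s:/upload /bin/%s\n' \
        "$root" "$upload" "$name"
}

# Usage (starting the container itself needs root):
#   NSPAWN_DEMO=1 sh this.sh
if [ "${NSPAWN_DEMO:-}" = 1 ]; then
    make_minimal_root /tmp/dc-root /tmp/dc/dc
    nspawn_cmd /tmp/dc-root /tmp/dc/dc /var/lib/webcam-uploads
fi
```

The printed command is meant to be reviewed and then run with sudo; nothing here touches the host outside the chosen ROOT.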
Still unable to run just a binary in a container. I've since filed a bug in desperation: https://github.com/systemd/systemd/issues/750
I'm going to try btrfs: https://www.youtube.com/watch?v=F2Apl7CSYhg
IIUC I can run my static binaries in a template of my existing system?