Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support baking processes on Linux in more restrictive environments out-of-the-box #152

Open
kylewlacy opened this issue Dec 23, 2024 · 0 comments

Comments

@kylewlacy
Copy link
Member

Currently, when baking a process recipe on Linux, Brioche always tries to create a new user namespace along with a mount namespace (plus some others). Some distros prevent unprivileged user namespaces out of the box, including Ubuntu 23.10+. It's usually possible for the machine to be configured to re-allow unprivileged user namespaces using a custom kernel, AppArmor profiles, or custom sysctl config (see e.g. #151), but these custom configurations require root permissions to set up.

To allow Brioche to be installed and used without root permissions, we need an alternative way to bake processes that doesn't use namespaces and can be used out-of-the-box.

Here are some alternative ways that we could support baking processes:

  • Unsandboxed builds. This is the simplest option, but unsandboxed builds may be less reliable as we can't enforce hermeticity
  • Use a subset of namespaces. Ubuntu 24.04 does allow unprivileged user namespaces by default, but restricts what they can do (I believe mount namespaces within a user namespace are disallowed, for example). As a slight step up from unsandboxed builds, we could try to set up whatever subset of namespaces we're allowed to use.
  • PRoot. PRoot emulates chroot by using ptrace. This would definitely have a performance hit, but might still have enough performance to be a good default in a pinch.
  • Qemu. Instead of using namespaces, we could run a qemu VM. This probably has a pretty major performance hit, but with user space emulation, it may give enough performance to be usable day-to-day. We'll also probably want Qemu to emulate other platforms too, of course
  • Pre-installed container runtime. Many users will likely have Docker, Podman, Bubblewrap, or another container runtime / sandboxing solution already installed. If it's installed with their system package manager, this could be a sort of gateway to allow for fully sandbox builds out-of-the-box for free. Not really suitable as a "final" fallback, but might be a good middle-ground.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant