Showing posts from 2016

Let systemd manage your running of unprivileged scripts

let's save a text file named "" having the following content

#! /bin/bash for i in `seq 50` do    echo $i    sleep 1 done

it just print number from 1 to 50 second by second (you can change 50 to any number) now as regular user type

chmod +x ./ systemd-run --user --unit=my-test ./ 
the above command will run the script as a user service called my-test
at any time you can trace it with systemctl and see the logs using journalctl like this

journalctl -ln 100 -f --user-unit=my-test systemctl --user status my-test
you can abort it using

systemctl --user stop my-test

Use cases
Let's assume you have a web interface that trigger something and you want to trace it later just make your unprivileged web application (written in php/python and running as regular non-root user) called "systemd-run --user" and query the status and follow the logs using systemctl and journactl
for example if you have a web interface that triggers building…

playing with "unc" the unprivileged user containers

If you are familiar with docker then you are going to love this little hack. UNC is a tool to demonstrate how to launch containers without being root.

Getting the code and compiling it git clone
cd unc
mkdir -p gopath/src/
ln -s ../.. gopath/src/unc
export GOPATH=$PWD/gopath
cd gopath/src/unc
go get
go build
cd unet
go build
cd ..
sudo cp unc unet/unet /usr/local/bin/
sudo chmod u+s /usr/local/bin/unet

What is SetUID for? "unet" is a tool used "unc" that creates veth pairs and assign one of them to container. Root user (via setuid) is needed to be able to assign a network interface for the user container.

Creating some minimal root filesystems sudo dnf install busybox # as regular unprivileged user type mkdir -p roots/busybox1/{bin,sbin,proc,dev,etc} cp /sbin/busybox roots/busybox1/sbin/ echo "root:x:0:0:root:/root:/bin/bash" > roots/busybox1/etc/passwd echo "root:x:0:" > roots/busybox1/etc/gr…

Be aware! Docker is a trap.

UPDATE: docker inc. addressed those concerns by donating its runtime to Cloud Native Computing Foundation  (CNCF) and by making moby a community project.

Yes, I'm  claiming that Docker is just a hyped vendor lock-in. Don't get me wrong, Linux containers, micro-services, DevOPs,... are all very cool and they are cool for a reason. On the other hand docker is just an overrated vendor lock-in.

Linux containers is a new term for old technologies like namespace and control groups, used in production maybe for more than a decade.

LXC is one way to access those kernel feature in a boring way. OpenVZ and the newly hyped LXD is virtualization hypervisor based on Linux containers. SystemD do use containers for all of spawned services and can be used to spawn containers (using nspawn). In other words Docker did not invent containers.

I was warned about that more than a year ago but then it was not that obvious.

What's wrong with docker? So many things! At every single level! But the r…