On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
> I've made a Firefox appVM for wayland using my waypipe patches.
> To make this appVM I have had to refactor Spectrum OS appvm infrastructure.
> The main idea of refactoring is enabling appvm to have a user with normal
> privileges, not superuser.
> Running everything from root is not the best idea for a secure OS :-)

In this case, the application running as root is the only thing running
in the VM, so it doesn't _really_ matter, but it is still a good idea to
fix, as some applications will refuse to run as root.

(cloud-hypervisor also runs on the /host/ as root, and that's something
that we'll definitely want to fix, but that's more complicated as just
statically assigning c-h processes to uids won't work when we want to
dynamically create and destroy VMs. We'll likely want something akin to
systemd's DynamicUser=.)

> So now the .nix file for appvm has two sections, one that is executed as
> root and one as user.
> Here is a sample of these definitions:
>
> { config ? import ../../../nix/eval-config.nix {} }:
>
> import ../make-vm.nix { inherit config; } {
>   providers.net = [ "netvm" ];
>
>   run = config.pkgs.pkgsStatic.callPackage (
>     { writeScript }:
>     writeScript "run-root-shell" ''
>       #!/bin/execlineb -P
>       /bin/sh
>     ''
>   ) { };
>
>   run-as-user = config.pkgs.pkgsStatic.callPackage (
>     { writeScript, lynx }:
>     writeScript "run-lynx" ''
>       #!/bin/execlineb -P
>       ${lynx}/bin/lynx https://spectrum-os.org
>     ''
>   ) { };
>
> }

I'm not too sure about this part — it seems like quite a lot of
complexity in the app VM implementation, when dropping privileges (unless
there's something I haven't considered?) should be as simple as putting
"s6-applyuidgid -u 1000 -g 1000" in the VM run script at the point where
privileges can be dropped.

> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> console device and only one serial device.
> SpectrumOS is using the serial device for kernel logs of the appVM and the
> console device as a console.
> To have access to both the root-executed part and the user-executed part
> of the VM payload, I installed tmux on the console.
> Now, when you're running the vm-console command you get access to tmux
> and have the ability to switch between root and user consoles,
> which can be useful when debugging the VM payload.
>
> To run the Firefox appVM use the vm-start-way command: vm-start-way appvm-firefox :)

Would it work with virtio-gpu? I'm still not convinced on Waypipe — where
the previous discussion left off, we were talking about VMs over the
network. That would be an interesting thing to look at (and it would be
really cool if we could make it work!), but doing it would take a lot
more than just network-transparent Wayland proxying, so if that's the
main thing we'd get out of Waypipe, I think it would only make sense to
add Waypipe support as part of that bigger work. (And this point in
time, when how VMs work at all in Spectrum is a bit in flux, is probably
not the best time to start trying to massively expand their scope!)

> I believe that as soon as SpectrumOS features cover basic user needs,
> its popularity and community will grow and this will make a positive impact
> on SpectrumOS itself.
> Using the appvm-firefox prototype you may build other wayland-enabled appVMs.

Yeah, having a Firefox example VM would be really great for
demonstrating how Spectrum works and what it can do, and I'm pleased
that we're even getting to a point where it would work! Firefox is a
big application that does a lot of stuff, so it would also be useful
for testing all sorts of other features, like audio or XDG desktop
portals. I'd be very happy to accept a Firefox VM that used virtio-gpu. :)
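For illustration, here is what the single-run-script approach suggested in the reply looks like when written out. This is an added example, not code from the thread or from the Spectrum repository: it keeps the `run` attribute from the quoted appvm definition but drops from root to an unprivileged uid/gid with s6-applyuidgid before exec'ing the application, so no separate `run-as-user` section is needed. The package names `s6` and `busybox` in `pkgsStatic`, the `/home/user` directory, and uid/gid 1000 as the unprivileged user are assumptions; `/bin/execlineb`, `${lynx}/bin/lynx` and the `make-vm.nix` import are taken from the quoted sample.

```nix
# Added example (not Spectrum's own code). Assumes pkgsStatic provides
# `s6` (for bin/s6-applyuidgid) and `busybox` (for mkdir/chown), that
# execline is installed at /bin/execlineb inside the VM, and that uid/gid
# 1000 is a suitable unprivileged identity.
{ config ? import ../../../nix/eval-config.nix {} }:

import ../make-vm.nix { inherit config; } {
  providers.net = [ "netvm" ];

  # One run script instead of `run` + `run-as-user`: everything above the
  # s6-applyuidgid line executes as root, everything below it as uid 1000.
  run = config.pkgs.pkgsStatic.callPackage (
    { writeScript, busybox, s6, lynx }:
    writeScript "run-lynx-unprivileged" ''
      #!/bin/execlineb -P

      # Root-only setup goes here. As a stand-in, give the unprivileged
      # user a writable home directory (assumed layout).
      foreground { ${busybox}/bin/mkdir -p /home/user }
      foreground { ${busybox}/bin/chown 1000:1000 /home/user }

      # Drop privileges: set gid, then uid, then exec the rest of the
      # command line. Nothing after this line runs as root.
      ${s6}/bin/s6-applyuidgid -u 1000 -g 1000

      export HOME /home/user
      ${lynx}/bin/lynx https://spectrum-os.org
    ''
  ) { };
}
```

Because s6-applyuidgid is a chain-loading program, the privilege drop is a single exec boundary in the script rather than a second payload, so the root and user halves no longer need separate consoles (or a multiplexer such as tmux) to be reached; the one console device cloud-hypervisor provides is enough for the application itself.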