patches and low-level development discussion
 help / color / mirror / code / Atom feed
* Firefox appVM patches and appVM refactoring
@ 2022-12-04 22:42 Vadim Likholetov
  2022-12-06 11:42 ` Alyssa Ross
  2022-12-06 15:20 ` Alyssa Ross
  0 siblings, 2 replies; 18+ messages in thread
From: Vadim Likholetov @ 2022-12-04 22:42 UTC (permalink / raw)
  To: devel

[-- Attachment #1: Type: text/plain, Size: 1775 bytes --]

I've made an Firefox appVM for wayland using my waypipe patches.
To make this appVM I have had to refactor Spectrum OS appvm infrastructure.
The main idea of refactoring is enabling appvm to have a user with normal
priviledges, not superuser.
Running everything from root is not the best idea for secure OS :-)
So now the .nix file for appvm has two sections, one that is executed as
root and one as user.
Here is the sample of this definitions:

{ config ? import ../../../nix/eval-config.nix {} }:

import ../make-vm.nix { inherit config; } {
  providers.net = [ "netvm" ];

  run = config.pkgs.pkgsStatic.callPackage (
   { writeScript }:
    writeScript "run-root-shell" ''
      #!/bin/execlineb -P
      /bin/sh
    ''
  ) { };

  run-as-user = config.pkgs.pkgsStatic.callPackage (
    { writeScript, lynx }:
    writeScript "run-lynx" ''
      #!/bin/execlineb -P
      ${lynx}/bin/lynx https://spectrum-os.org
    ''
  ) { };

}

Cloud-hypervisor has virtual hardware limitations -- it supports only one
console device and only one serial device.
SpectrumOS is using serial device for kernel logs of appVM and console
device as a console.
To have access both to root-executed part and to user-executed part of the
VM payload, I installed a tmux on console.
Now, when you're running vm-console command  you get access to the tmux
 and have the ability to switch between root and user consoles,
that can be useful during debugging VM payload.

To run Firefox appVM use vm-start-way command: vm-start-way appvm-firefox :)

I beleive that as soon as SpectrumOS features will cover basic user needs
it's popularity and community will grow and this will make positive impact
on SpectrumOS itself.
Using appvm-firefox prototype you may build another wayland-enabled appVMs.

[-- Attachment #2: Type: text/html, Size: 2098 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-04 22:42 Firefox appVM patches and appVM refactoring Vadim Likholetov
@ 2022-12-06 11:42 ` Alyssa Ross
  2022-12-06 13:56   ` Vadim Likholetov
  2022-12-06 15:20 ` Alyssa Ross
  1 sibling, 1 reply; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 11:42 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 3889 bytes --]

On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
> I've made an Firefox appVM for wayland using my waypipe patches.
> To make this appVM I have had to refactor Spectrum OS appvm infrastructure.
> The main idea of refactoring is enabling appvm to have a user with normal
> priviledges, not superuser.
> Running everything from root is not the best idea for secure OS :-)

In this case, the application running as root is the only thing running
in the VM, so it doesn't _really_ matter, but it is still a good idea to
fix, as some applications will refuse to run as root.

(cloud-hypervisor also runs on the /host/ as root, and that's something
that we'll definitely want to fix, but that's more complicated as just
statically assigning c-h processes to uids won't work when we want to
dynamically create and destroy VMs.  We'll likely want something akin to
systemd's DynamicUser=.)

> So now the .nix file for appvm has two sections, one that is executed as
> root and one as user.
> Here is the sample of this definitions:
>
> { config ? import ../../../nix/eval-config.nix {} }:
>
> import ../make-vm.nix { inherit config; } {
>   providers.net = [ "netvm" ];
>
>   run = config.pkgs.pkgsStatic.callPackage (
>    { writeScript }:
>     writeScript "run-root-shell" ''
>       #!/bin/execlineb -P
>       /bin/sh
>     ''
>   ) { };
>
>   run-as-user = config.pkgs.pkgsStatic.callPackage (
>     { writeScript, lynx }:
>     writeScript "run-lynx" ''
>       #!/bin/execlineb -P
>       ${lynx}/bin/lynx https://spectrum-os.org
>     ''
>   ) { };
>
> }

I'm not too sure about this part — it seems like quite a lot of
complexity in the app VM implementation, when dropping privileges
(unless there's something I haven't considered?) should be as simple as
putting "s6-applyuidgid -u 1000 -g 1000" in the VM run script at the
point where privileges can be dropped.

> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> console device and only one serial device.
> SpectrumOS is using serial device for kernel logs of appVM and console
> device as a console.
> To have access both to root-executed part and to user-executed part of the
> VM payload, I installed a tmux on console.
> Now, when you're running vm-console command  you get access to the tmux
>  and have the ability to switch between root and user consoles,
> that can be useful during debugging VM payload.
>
> To run Firefox appVM use vm-start-way command: vm-start-way appvm-firefox :)

Would it work with virtio-gpu?  I'm still not convinced on Waypipe —
where the previous discussion left off, we were talking about VMs over
the network.  That would be an interesting thing to look at (and it
would be really cool if we could make it work!), but doing it would take
a lot more than just network-transparent Wayland proxying, so if that's
the main thing we'd get out of Waypipe, I think it would only make sense
to add Waypipe support as part of that bigger work.  (And this point in
time, when how VMs work at all in Spectrum is a bit in flux, is probably
not the best time to start trying to massively expand their scope!)

> i beleive that as soon as spectrumOS features will cover basic user needs
> it's popularity and community will grow and this will make positive impact
> on SpectrumOS itself.
> Using appvm-firefox prototype you may build another wayland-enabled appVMs.

Yeah, having a Firefox example VM would be really great for
demonstrating how Spectrum works and what it can do, and I'm pleased
that we're even getting to a point where it would work!  Firefox is a
big application that does a lot of stuff, so it would also be useful for
testing all sorts of other features, like audio or XDG desktop portals.
I'd be very happy to accept a Firefox VM that used virtio-gpu. :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 11:42 ` Alyssa Ross
@ 2022-12-06 13:56   ` Vadim Likholetov
  2022-12-06 15:18     ` Alyssa Ross
  0 siblings, 1 reply; 18+ messages in thread
From: Vadim Likholetov @ 2022-12-06 13:56 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel



> On 6 Dec 2022, at 13:42, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> 
> On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
>> I've made an Firefox appVM for wayland using my waypipe patches.
>> To make this appVM I have had to refactor Spectrum OS appvm infrastructure.
>> The main idea of refactoring is enabling appvm to have a user with normal
>> priviledges, not superuser.
>> Running everything from root is not the best idea for secure OS :-)
> 
> In this case, the application running as root is the only thing running
> in the VM, so it doesn't _really_ matter, but it is still a good idea to
> fix, as some applications will refuse to run as root.

I don’t agree there — there are many reasons application should not have unnecessary privileges, even assuming the case where someone attacks the  application using kernel/processor vulnerabilities to get out of the virtualisation fencing is more fantastic than real :)
Also in it is never “the only" application in the VM — we always have those binutils, init stuff and other supplemental software — except the situation we’re running something like bare kernel.
So if we have really talking about *secure* OS — drop the <s>gun</s> priviledges ! :-)


> (cloud-hypervisor also runs on the /host/ as root, and that's something
> that we'll definitely want to fix, but that's more complicated as just
> statically assigning c-h processes to uids won't work when we want to
> dynamically create and destroy VMs.  We'll likely want something akin to
> systemd's DynamicUser=.)


We can ran C-H as non-root on the host — I don’t see any huge problems there, it’s designed not to be run as root. 
But the idea to assign an unique UID to each VM is secure enough :-)



> 
>> So now the .nix file for appvm has two sections, one that is executed as
>> root and one as user.
>> Here is the sample of this definitions:
>> 
>> { config ? import ../../../nix/eval-config.nix {} }:
>> 
>> import ../make-vm.nix { inherit config; } {
>>  providers.net = [ "netvm" ];
>> 
>>  run = config.pkgs.pkgsStatic.callPackage (
>>   { writeScript }:
>>    writeScript "run-root-shell" ''
>>      #!/bin/execlineb -P
>>      /bin/sh
>>    ''
>>  ) { };
>> 
>>  run-as-user = config.pkgs.pkgsStatic.callPackage (
>>    { writeScript, lynx }:
>>    writeScript "run-lynx" ''
>>      #!/bin/execlineb -P
>>      ${lynx}/bin/lynx https://www.google.com/url?q=https://spectrum-os.org&source=gmail-imap&ust=1670931764000000&usg=AOvVaw3fPCahT573bNMQKMWAGTEW
>>    ''
>>  ) { };
>> 
>> }
> 
> I'm not too sure about this part — it seems like quite a lot of
> complexity in the app VM implementation, when dropping privileges
> (unless there's something I haven't considered?) should be as simple as
> putting "s6-applyuidgid -u 1000 -g 1000" in the VM run script at the
> point where privileges can be dropped.

I think it’s more flexibility rather than complexity. 
Also because of immature nature of the Spectrum OS it is good to have some extra tools for developers to debug the stuff and to have extra controls.
I can think of refactoring	this on the /img/vm level — I’m using su and not s6-tools,  if you’re interested in this patchset in general.



> 
>> Cloud-hypervisor has virtual hardware limitations -- it supports only one
>> console device and only one serial device.
>> SpectrumOS is using serial device for kernel logs of appVM and console
>> device as a console.
>> To have access both to root-executed part and to user-executed part of the
>> VM payload, I installed a tmux on console.
>> Now, when you're running vm-console command  you get access to the tmux
>> and have the ability to switch between root and user consoles,
>> that can be useful during debugging VM payload.
>> 
>> To run Firefox appVM use vm-start-way command: vm-start-way appvm-firefox :)
> 
> Would it work with virtio-gpu?  I'm still not convinced on Waypipe —
> where the previous discussion left off, we were talking about VMs over
> the network.  That would be an interesting thing to look at (and it
> would be really cool if we could make it work!), but doing it would take
> a lot more than just network-transparent Wayland proxying, so if that's
> the main thing we'd get out of Waypipe, I think it would only make sense
> to add Waypipe support as part of that bigger work.  (And this point in
> time, when how VMs work at all in Spectrum is a bit in flux, is probably
> not the best time to start trying to massively expand their scope!)

I think it’s the wrong question	:-)
Both implementations of wayland passthru ( virtio-gpu and waypipe) are ugly right now but they both allow to move the development forward. But someday I believe they’ll become nice. I really believe! :-)

The thing is definitely needed in the mainline is abstraction layer for wayland apps — to move all proxying and other system or hardware dependant details out of VM’s descriptions — we define that is an wayland appVM ( like it’s defined it’s networking appVM) and the mechanisms of how the WAYLAND_DISPLAY gets to the is covered by this abstraction layer.



>> i beleive that as soon as spectrumOS features will cover basic user needs
>> it's popularity and community will grow and this will make positive impact
>> on SpectrumOS itself.
>> Using appvm-firefox prototype you may build another wayland-enabled appVMs.
> 
> Yeah, having a Firefox example VM would be really great for
> demonstrating how Spectrum works and what it can do, and I'm pleased
> that we're even getting to a point where it would work!  Firefox is a
> big application that does a lot of stuff, so it would also be useful for
> testing all sorts of other features, like audio or XDG desktop portals.
> I'd be very happy to accept a Firefox VM that used virtio-gpu. :)




^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 13:56   ` Vadim Likholetov
@ 2022-12-06 15:18     ` Alyssa Ross
  0 siblings, 0 replies; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 15:18 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 4166 bytes --]

> >> So now the .nix file for appvm has two sections, one that is executed as
> >> root and one as user.
> >> Here is the sample of this definitions:
> >>
> >> { config ? import ../../../nix/eval-config.nix {} }:
> >>
> >> import ../make-vm.nix { inherit config; } {
> >>  providers.net = [ "netvm" ];
> >>
> >>  run = config.pkgs.pkgsStatic.callPackage (
> >>   { writeScript }:
> >>    writeScript "run-root-shell" ''
> >>      #!/bin/execlineb -P
> >>      /bin/sh
> >>    ''
> >>  ) { };
> >>
> >>  run-as-user = config.pkgs.pkgsStatic.callPackage (
> >>    { writeScript, lynx }:
> >>    writeScript "run-lynx" ''
> >>      #!/bin/execlineb -P
> >>      ${lynx}/bin/lynx https://www.google.com/url?q=https://spectrum-os.org&source=gmail-imap&ust=1670931764000000&usg=AOvVaw3fPCahT573bNMQKMWAGTEW
> >>    ''
> >>  ) { };
> >>
> >> }
> >
> > I'm not too sure about this part — it seems like quite a lot of
> > complexity in the app VM implementation, when dropping privileges
> > (unless there's something I haven't considered?) should be as simple as
> > putting "s6-applyuidgid -u 1000 -g 1000" in the VM run script at the
> > point where privileges can be dropped.
>
> I think it’s more flexibility rather than complexity.
> Also because of immature nature of the Spectrum OS it is good to have some extra tools for developers to debug the stuff and to have extra controls.
> I can think of refactoring	this on the /img/vm level — I’m using su and not s6-tools,  if you’re interested in this patchset in general.

Would you mind explaining what makes run-as-user more flexible?
As far as I can tell, run-as-user doesn't make it possible to do
anything that wasn't possible before.

> >> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> >> console device and only one serial device.
> >> SpectrumOS is using serial device for kernel logs of appVM and console
> >> device as a console.
> >> To have access both to root-executed part and to user-executed part of the
> >> VM payload, I installed a tmux on console.
> >> Now, when you're running vm-console command  you get access to the tmux
> >> and have the ability to switch between root and user consoles,
> >> that can be useful during debugging VM payload.
> >>
> >> To run Firefox appVM use vm-start-way command: vm-start-way appvm-firefox :)
> >
> > Would it work with virtio-gpu?  I'm still not convinced on Waypipe —
> > where the previous discussion left off, we were talking about VMs over
> > the network.  That would be an interesting thing to look at (and it
> > would be really cool if we could make it work!), but doing it would take
> > a lot more than just network-transparent Wayland proxying, so if that's
> > the main thing we'd get out of Waypipe, I think it would only make sense
> > to add Waypipe support as part of that bigger work.  (And this point in
> > time, when how VMs work at all in Spectrum is a bit in flux, is probably
> > not the best time to start trying to massively expand their scope!)
>
> I think it’s the wrong question	:-)
> Both implementations of wayland passthru ( virtio-gpu and waypipe) are ugly right now but they both allow to move the development forward. But someday I believe they’ll become nice. I really believe! :-)
>
> The thing is definitely needed in the mainline is abstraction layer for wayland apps — to move all proxying and other system or hardware dependant details out of VM’s descriptions — we define that is an wayland appVM ( like it’s defined it’s networking appVM) and the mechanisms of how the WAYLAND_DISPLAY gets to the is covered by this abstraction layer.

Agreed on that.  I want to get to the place soon where we can run
arbitrary applications on Spectrum, without having to create custom VM
definitions for each one.  To be able to do that, we'll need the
environment an application it runs in to be set up as common
applications expect.  So WAYLAND_DISPLAY, etc. will need to be set up.
And then if you want to use Waypipe instead of virtio-gpu, you just need
to make a custom template that does that.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-04 22:42 Firefox appVM patches and appVM refactoring Vadim Likholetov
  2022-12-06 11:42 ` Alyssa Ross
@ 2022-12-06 15:20 ` Alyssa Ross
  2022-12-06 15:57   ` Vadim Likholetov
  1 sibling, 1 reply; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 15:20 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 819 bytes --]

On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> console device and only one serial device.
> SpectrumOS is using serial device for kernel logs of appVM and console
> device as a console.
> To have access both to root-executed part and to user-executed part of the
> VM payload, I installed a tmux on console.
> Now, when you're running vm-console command  you get access to the tmux
>  and have the ability to switch between root and user consoles,
> that can be useful during debugging VM payload.

I wonder what it would take to make cloud-hypervisor support multiple
virtio-console devices… I suspect it wouldn't be too hard, since it
already supports multiples of every other virtio device just fine…

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 15:20 ` Alyssa Ross
@ 2022-12-06 15:57   ` Vadim Likholetov
  2022-12-06 17:10     ` Alyssa Ross
  0 siblings, 1 reply; 18+ messages in thread
From: Vadim Likholetov @ 2022-12-06 15:57 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel

I’ve done this — I have patched   cloud-hypervisor to have three console devices — serial, console and user-console, but than decided that this patches will never go to C-H mainline so got back with more traditional approach with tmux :)


> On 6 Dec 2022, at 17:20, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> 
> On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
>> Cloud-hypervisor has virtual hardware limitations -- it supports only one
>> console device and only one serial device.
>> SpectrumOS is using serial device for kernel logs of appVM and console
>> device as a console.
>> To have access both to root-executed part and to user-executed part of the
>> VM payload, I installed a tmux on console.
>> Now, when you're running vm-console command  you get access to the tmux
>> and have the ability to switch between root and user consoles,
>> that can be useful during debugging VM payload.
> 
> I wonder what it would take to make cloud-hypervisor support multiple
> virtio-console devices… I suspect it wouldn't be too hard, since it
> already supports multiples of every other virtio device just fine…



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 15:57   ` Vadim Likholetov
@ 2022-12-06 17:10     ` Alyssa Ross
  2022-12-06 20:12       ` Vadim Likholetov
                         ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 17:10 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 2327 bytes --]

On Tue, Dec 06, 2022 at 05:57:19PM +0200, Vadim Likholetov wrote:
> I’ve done this — I have patched   cloud-hypervisor to have
> three console devices — serial, console and user-console, but than
> decided that this patches will never go to C-H mainline so got back
> with more traditional approach with tmux :)

I'd be pretty optimistic about the chances of a patch that just made it
so you could provide multiple consoles the same way you can provide
multiple block devices.  Like "--console pty file=/path/to/console.out"
on the command like to make two consoles, one going to a pty and the
other to a file.

In Spectrum, the way I'd see such an approach working is that by default
there'd be a single console that gave you a shell inside the VM, and if
you needed other consoles for other reasons (e.g. if you had an
application running on the console, like Lynx) you'd configure another
console in the VM configuration.  But as we move more towards graphical
applications, it will probably become rare to need a secondary console
for application interaction like that.

To get a non-root shell from the root console though, I think it
should be enough to just:

    # s6-applyuidgid -u 1000 -g 1000 sh

(Adding tmux to the VM in development to be able to hop between multiple
shell sessions would be a reasonable thing to do, of course.)

> > On 6 Dec 2022, at 17:20, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> >
> > On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
> >> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> >> console device and only one serial device.
> >> SpectrumOS is using serial device for kernel logs of appVM and console
> >> device as a console.
> >> To have access both to root-executed part and to user-executed part of the
> >> VM payload, I installed a tmux on console.
> >> Now, when you're running vm-console command  you get access to the tmux
> >> and have the ability to switch between root and user consoles,
> >> that can be useful during debugging VM payload.
> >
> > I wonder what it would take to make cloud-hypervisor support multiple
> > virtio-console devices… I suspect it wouldn't be too hard, since it
> > already supports multiples of every other virtio device just fine…
>
>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 17:10     ` Alyssa Ross
@ 2022-12-06 20:12       ` Vadim Likholetov
  2022-12-06 20:25         ` Alyssa Ross
  2022-12-06 20:19       ` Vadim Likholetov
  2022-12-07  8:04       ` Firefox appVM patches and appVM refactoring Ville Ilvonen
  2 siblings, 1 reply; 18+ messages in thread
From: Vadim Likholetov @ 2022-12-06 20:12 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel

I’ll try to explain — running as user is not just dropping the priviledges, it is about preparing the environment - making home directory, fixing permissions, allocating pty-s in case of interactive sessions, setting environment variables.
Many system daemons like dbus, pipewire , etc has their system-level  and user-level parts and we should manage this separately — and it is our nearest future if we want some complex user environments to run on Spectrum, and possibly the packages for this daemons will extend this environment transparent to the user.

 So it’s s another form of encapsulation like we discussed about making a separate layer for wayland. 

I’ve published the cloud-hypervisor patches for extra user console device in my repository under -userconsole branch. 
I’ll test it (or anyone can) for side effects  and then we can discuss if it worth to be used in Spectrum or pushed upstream of C-H.
Here is the URL — https://github.com/vadika/cloud-hypervisor/tree/userconsole


> On 6 Dec 2022, at 19:10, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> 
> On Tue, Dec 06, 2022 at 05:57:19PM +0200, Vadim Likholetov wrote:
>> I’ve done this — I have patched   cloud-hypervisor to have
>> three console devices — serial, console and user-console, but than
>> decided that this patches will never go to C-H mainline so got back
>> with more traditional approach with tmux :)
> 
> I'd be pretty optimistic about the chances of a patch that just made it
> so you could provide multiple consoles the same way you can provide
> multiple block devices.  Like "--console pty file=/path/to/console.out"
> on the command like to make two consoles, one going to a pty and the
> other to a file.
> 
> In Spectrum, the way I'd see such an approach working is that by default
> there'd be a single console that gave you a shell inside the VM, and if
> you needed other consoles for other reasons (e.g. if you had an
> application running on the console, like Lynx) you'd configure another
> console in the VM configuration.  But as we move more towards graphical
> applications, it will probably become rare to need a secondary console
> for application interaction like that.
> 
> To get a non-root shell from the root console though, I think it
> should be enough to just:
> 
>    # s6-applyuidgid -u 1000 -g 1000 sh
> 
> (Adding tmux to the VM in development to be able to hop between multiple
> shell sessions would be a reasonable thing to do, of course.)
> 
>>> On 6 Dec 2022, at 17:20, Alyssa Ross <alyssa.ross@unikie.com> wrote:
>>> 
>>> On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
>>>> Cloud-hypervisor has virtual hardware limitations -- it supports only one
>>>> console device and only one serial device.
>>>> SpectrumOS is using serial device for kernel logs of appVM and console
>>>> device as a console.
>>>> To have access both to root-executed part and to user-executed part of the
>>>> VM payload, I installed a tmux on console.
>>>> Now, when you're running vm-console command  you get access to the tmux
>>>> and have the ability to switch between root and user consoles,
>>>> that can be useful during debugging VM payload.
>>> 
>>> I wonder what it would take to make cloud-hypervisor support multiple
>>> virtio-console devices… I suspect it wouldn't be too hard, since it
>>> already supports multiples of every other virtio device just fine…
>> 
>> 



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 17:10     ` Alyssa Ross
  2022-12-06 20:12       ` Vadim Likholetov
@ 2022-12-06 20:19       ` Vadim Likholetov
  2022-12-06 20:31         ` Developer-friendliness Alyssa Ross
  2022-12-06 20:59         ` Developer-friendliness Michael Raskin
  2022-12-07  8:04       ` Firefox appVM patches and appVM refactoring Ville Ilvonen
  2 siblings, 2 replies; 18+ messages in thread
From: Vadim Likholetov @ 2022-12-06 20:19 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel



> On 6 Dec 2022, at 19:10, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> 
> (Adding tmux to the VM in development to be able to hop between multiple
> shell sessions would be a reasonable thing to do, of course.)

It may sound like religious point of view, but I strongly believe that developers is the number one priority to support with Spectrum OS now — as easier and friendlier the OS will be to the developer as faster it will be delivered to the common users. It, from my point of view, includes two main aspects — ease of development giving the developer proper “bricks” (well encapsulated OS services) and examples, that coveres main use cases/use patterns of the operating system. 
 

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 20:12       ` Vadim Likholetov
@ 2022-12-06 20:25         ` Alyssa Ross
  2022-12-07  7:41           ` vadik likholetov
  0 siblings, 1 reply; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 20:25 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 4468 bytes --]

On Tue, Dec 06, 2022 at 10:12:49PM +0200, Vadim Likholetov wrote:
> I’ll try to explain — running as user is not just dropping the priviledges, it is about preparing the environment - making home directory, fixing permissions, allocating pty-s in case of interactive sessions, setting environment variables.
> Many system daemons like dbus, pipewire , etc has their system-level  and user-level parts and we should manage this separately — and it is our nearest future if we want some complex user environments to run on Spectrum, and possibly the packages for this daemons will extend this environment transparent to the user.
>
>  So it’s s another form of encapsulation like we discussed about making a separate layer for wayland.

Ah, thanks for the explanation.  I understand now!

You're quite right about running user daemons like PipeWire.
I think to manage those, we'd want to run a user-level s6(-rc) instance,
so that the services are supervised, and can therefore be restarted if
they crash, and dependencies can be taken care of, and logs can be
managed however that should work.

Let's try adding PipeWire, D-Bus etc. daemons straight to the img/app
image?  It's intended to be the default image for running applications,
so anything that an application is likely to expect to be running should
be provided by that image by default.  And then later on, when it comes
up, we can figure out how to support adding extra services, or whether
we should support removing default services from the image, etc.  How
does that sound?

> I’ve published the cloud-hypervisor patches for extra user console device in my repository under -userconsole branch.
> I’ll test it (or anyone can) for side effects  and then we can discuss if it worth to be used in Spectrum or pushed upstream of C-H.
> Here is the URL — https://github.com/vadika/cloud-hypervisor/tree/userconsole
>
> > On 6 Dec 2022, at 19:10, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> >
> > On Tue, Dec 06, 2022 at 05:57:19PM +0200, Vadim Likholetov wrote:
> >> I’ve done this — I have patched   cloud-hypervisor to have
> >> three console devices — serial, console and user-console, but than
> >> decided that this patches will never go to C-H mainline so got back
> >> with more traditional approach with tmux :)
> >
> > I'd be pretty optimistic about the chances of a patch that just made it
> > so you could provide multiple consoles the same way you can provide
> > multiple block devices.  Like "--console pty file=/path/to/console.out"
> > on the command like to make two consoles, one going to a pty and the
> > other to a file.
> >
> > In Spectrum, the way I'd see such an approach working is that by default
> > there'd be a single console that gave you a shell inside the VM, and if
> > you needed other consoles for other reasons (e.g. if you had an
> > application running on the console, like Lynx) you'd configure another
> > console in the VM configuration.  But as we move more towards graphical
> > applications, it will probably become rare to need a secondary console
> > for application interaction like that.
> >
> > To get a non-root shell from the root console though, I think it
> > should be enough to just:
> >
> >    # s6-applyuidgid -u 1000 -g 1000 sh
> >
> > (Adding tmux to the VM in development to be able to hop between multiple
> > shell sessions would be a reasonable thing to do, of course.)
> >
> >>> On 6 Dec 2022, at 17:20, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> >>>
> >>> On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
> >>>> Cloud-hypervisor has virtual hardware limitations -- it supports only one
> >>>> console device and only one serial device.
> >>>> SpectrumOS is using serial device for kernel logs of appVM and console
> >>>> device as a console.
> >>>> To have access both to root-executed part and to user-executed part of the
> >>>> VM payload, I installed a tmux on console.
> >>>> Now, when you're running vm-console command  you get access to the tmux
> >>>> and have the ability to switch between root and user consoles,
> >>>> that can be useful during debugging VM payload.
> >>>
> >>> I wonder what it would take to make cloud-hypervisor support multiple
> >>> virtio-console devices… I suspect it wouldn't be too hard, since it
> >>> already supports multiples of every other virtio device just fine…
> >>
> >>
>
>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Developer-friendliness
  2022-12-06 20:19       ` Vadim Likholetov
@ 2022-12-06 20:31         ` Alyssa Ross
  2022-12-07  7:46           ` Developer-friendliness vadik likholetov
  2022-12-06 20:59         ` Developer-friendliness Michael Raskin
  1 sibling, 1 reply; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 20:31 UTC (permalink / raw)
  To: Vadim Likholetov; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 1559 bytes --]

On Tue, Dec 06, 2022 at 10:19:58PM +0200, Vadim Likholetov wrote:
>
>
> > On 6 Dec 2022, at 19:10, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> >
> > (Adding tmux to the VM in development to be able to hop between multiple
> > shell sessions would be a reasonable thing to do, of course.)
>
> It may sound like religious point of view, but I strongly believe
> that developers is the number one priority to support with Spectrum OS
> now — as easier and friendlier the OS will be to the developer as
> faster it will be delivered to the common users. It, from my point of
> view, includes two main aspects — ease of development giving the
> developer proper “bricks” (well encapsulated OS services) and
> examples, that coveres main use cases/use patterns of the operating
> system.

Yes, that's a compelling argument.  I wonder if it would make sense to
add some special configuration option for development, that would enable
extra development tools and other goodies?  (I often find myself adding
strace…)

(I think they probably shouldn't be present by default, because then it
could be difficult to be sure nothing was depending on them in future
when it came time to remove them.  But something that any given
developer could set once and then always have developer stuff available,
and toggle off when they wanted to test a production build, could make
things a lot nicer.)

And BTW, thanks so much for spending all this time engaging with this
stuff!  The project will be much better off for your efforts. :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Developer-friendliness
  2022-12-06 20:19       ` Vadim Likholetov
  2022-12-06 20:31         ` Developer-friendliness Alyssa Ross
@ 2022-12-06 20:59         ` Michael Raskin
  2022-12-06 21:14           ` Developer-friendliness Alyssa Ross
  2022-12-06 22:05           ` Developer-friendliness Michael Raskin
  1 sibling, 2 replies; 18+ messages in thread
From: Michael Raskin @ 2022-12-06 20:59 UTC (permalink / raw)
  To: alyssa.ross, vadim.likholetov; +Cc: devel

>> It may sound like religious point of view, but I strongly believe
>> that developers is the number one priority to support with Spectrum OS
>> now — as easier and friendlier the OS will be to the developer as
>> faster it will be delivered to the common users. It, from my point of
>> view, includes two main aspects — ease of development giving the
>> developer proper “bricks” (well encapsulated OS services) and
>> examples, that coveres main use cases/use patterns of the operating
>> system.
>
>Yes, that's a compelling argument.  I wonder if it would make sense to
>add some special configuration option for development, that would enable
>extra development tools and other goodies?  (I often find myself adding
>strace…)
>
>(I think they probably shouldn't be present by default, because then it
>could be difficult to be sure nothing was depending on them in future
>when it came time to remove them.  But something that any given
>developer could set once and then always have developer stuff available,
>and toggle off when they wanted to test a production build, could make
>things a lot nicer.)

Well, one could have VM generator functions, so that you can easily 
generate a development-like VM or a reasonable-setup like VM or minimal
VM (without D-Bus etc.), and so the developers can just use the dev 
version and always get the good stuff included?

>And BTW, thanks so much for spending all this time engaging with this
>stuff!  The project will be much better off for your efforts. :)





^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Developer-friendliness
  2022-12-06 20:59         ` Developer-friendliness Michael Raskin
@ 2022-12-06 21:14           ` Alyssa Ross
  2022-12-06 22:05           ` Developer-friendliness Michael Raskin
  1 sibling, 0 replies; 18+ messages in thread
From: Alyssa Ross @ 2022-12-06 21:14 UTC (permalink / raw)
  To: Michael Raskin; +Cc: vadim.likholetov, devel

[-- Attachment #1: Type: text/plain, Size: 3135 bytes --]

On Tue, Dec 06, 2022 at 09:59:22PM +0100, Michael Raskin wrote:
> >> It may sound like religious point of view, but I strongly believe
> >> that developers is the number one priority to support with Spectrum OS
> >> now — as easier and friendlier the OS will be to the developer as
> >> faster it will be delivered to the common users. It, from my point of
> >> view, includes two main aspects — ease of development giving the
> >> developer proper “bricks” (well encapsulated OS services) and
> >> examples, that coveres main use cases/use patterns of the operating
> >> system.
> >
> >Yes, that's a compelling argument.  I wonder if it would make sense to
> >add some special configuration option for development, that would enable
> >extra development tools and other goodies?  (I often find myself adding
> >strace…)
> >
> >(I think they probably shouldn't be present by default, because then it
> >could be difficult to be sure nothing was depending on them in future
> >when it came time to remove them.  But something that any given
> >developer could set once and then always have developer stuff available,
> >and toggle off when they wanted to test a production build, could make
> >things a lot nicer.)
>
> Well, one could have VM generator functions, so that you can easily
> generate a development-like VM or a reasonable-setup like VM or minimal
> VM (without D-Bus etc.), and so the developers can just use the dev
> version and always get the good stuff included?

Yes, that's true.

Just as a quick refresher, currently if you want to make a Spectrum VM,
these are your options:

 - Lay out the VM configuration directory manually in the user data
   partition, and bring your own kernel/rootfs.

 - As above, but use the rootfs and kernel in /usr/img/appvm.  These aim
   to provide a "standard" environment that can be shared between
   application VMs, so it comes with mesa, and in future virtio-gpu set
   up, as well as D-Bus, PipeWire, etc.  It mounts a second block device
   that contains your application, as well as any dependencies not
   included in the base image, and then runs your application from
   there.  This way, big stuff like mesa only has to exist once on disk.

 - Create an application VM that uses /usr/img/appvm with Nix, using
   vm-lib/make-vm.nix.

So what we're missing is a way to create, with Nix, a VM that isn't
based on the /usr/img/appvm "template".  The reason we don't currently
have such a function is that I don't think it's clear yet how it should
work — what should be customisable, what should be part of the base
image vs. not, etc.?  For a while, how make-vm.nix should work was
similarly unclear, which is why it only recently came into existence.
After I'd manually created my third or so application VM, it became
clear what could be part of the base image, and what had to be
customisable.  Currently, we only have one VM in the tree that doesn't
use the /usr/img/appvm template, netvm.  Once we have more, I think
it'll be easier to evaluate how a more minimal VM builder function
should work.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Developer-friendliness
  2022-12-06 20:59         ` Developer-friendliness Michael Raskin
  2022-12-06 21:14           ` Developer-friendliness Alyssa Ross
@ 2022-12-06 22:05           ` Michael Raskin
  1 sibling, 0 replies; 18+ messages in thread
From: Michael Raskin @ 2022-12-06 22:05 UTC (permalink / raw)
  To: alyssa.ross; +Cc: vadim.likholetov, devel

>> Well, one could have VM generator functions, so that you can easily
>> generate a development-like VM or a reasonable-setup like VM or minimal
>> VM (without D-Bus etc.), and so the developers can just use the dev
>> version and always get the good stuff included?
>
>Yes, that's true.
>
>Just as a quick refresher, currently if you want to make a Spectrum VM,
>these are your options:
>
> - Lay out the VM configuration directory manually in the user data
>   partition, and bring your own kernel/rootfs.
>
> - As above, but use the rootfs and kernel in /usr/img/appvm.  These aim
>   to provide a "standard" environment that can be shared between
>   application VMs, so it comes with mesa, and in future virtio-gpu set
>   up, as well as D-Bus, PipeWire, etc.  It mounts a second block device
>   that contains your application, as well as any dependencies not
>   included in the base image, and then runs your application from
>   there.  This way, big stuff like mesa only has to exist once on disk.
>
> - Create an application VM that uses /usr/img/appvm with Nix, using
>   vm-lib/make-vm.nix.

Yes, sorry, I have still not tried all this (I am going to avoid Wayland
as the main UI as long as practical, and I am not going to commit enough
time to Spectrum-adjacent things to make it worth your time to ask how 
would I set up things for Spectrum-like isolation of single things into
Weston-inside-Xorg or whatever on host).

>So what we're missing is a way to create, with Nix, a VM that isn't
>based on the /usr/img/appvm "template".  The reason we don't currently
>have such a function is that I don't think it's clear yet how it should
>work — what should be customisable, what should be part of the base
>image vs. not, etc.?  For a while, how make-vm.nix should work was
>similarly unclear, which is why it only recently came into existence.
>After I'd manually created my third or so application VM, it became
>clear what could be part of the base image, and what had to be
>customisable.  Currently, we only have one VM in the tree that doesn't
>use the /usr/img/appvm template, netvm.  Once we have more, I think
>it'll be easier to evaluate how a more minimal VM builder function
>should work.

Hm, I would say that I have a good experience solving such a problem
with a Nixpkgs-overlay-like structure, i.e. a makeExtensible with all
possible tunables defined as attributes, and then more complex data
structures built out of them, as well as packages for the things.







^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 20:25         ` Alyssa Ross
@ 2022-12-07  7:41           ` vadik likholetov
  0 siblings, 0 replies; 18+ messages in thread
From: vadik likholetov @ 2022-12-07  7:41 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 2097 bytes --]

On ti, joulu 6 2022 at 20.25.45 +00:00:00, Alyssa Ross 
<alyssa.ross@unikie.com> wrote:
> On Tue, Dec 06, 2022 at 10:12:49PM +0200, Vadim Likholetov wrote:
>>  I’ll try to explain — running as user is not just dropping the 
>> priviledges, it is about preparing the environment - making home 
>> directory, fixing permissions, allocating pty-s in case of 
>> interactive sessions, setting environment variables.
>>  Many system daemons like dbus, pipewire , etc has their 
>> system-level  and user-level parts and we should manage this 
>> separately — and it is our nearest future if we want some complex 
>> user environments to run on Spectrum, and possibly the packages for 
>> this daemons will extend this environment transparent to the user.
>> 
>>   So it’s s another form of encapsulation like we discussed about 
>> making a separate layer for wayland.
> 
> Ah, thanks for the explanation.  I understand now!
> 
> You're quite right about running user daemons like PipeWire.
> I think to manage those, we'd want to run a user-level s6(-rc) 
> instance,
> so that the services are supervised, and can therefore be restarted if
> they crash, and dependencies can be taken care of, and logs can be
> managed however that should work.
> 
> Let's try adding PipeWire, D-Bus etc. daemons straight to the img/app
> image?  It's intended to be the default image for running 
> applications,
> so anything that an application is likely to expect to be running 
> should
> be provided by that image by default.  And then later on, when it 
> comes
> up, we can figure out how to support adding extra services, or whether
> we should support removing default services from the image, etc.  How
> does that sound?

  Sounds good if we add both user and system parts of dbus or pipewire 
subsystem -- the system part when the system    starts and the user 
part when the user "logs in".
 Adding it only to system part doesn't make sense IMO.
  I can try to prototype it on the basis of s6 features if we agree 
about architecure :)
-- 
vadik likholetov


[-- Attachment #2: Type: text/html, Size: 2270 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Developer-friendliness
  2022-12-06 20:31         ` Developer-friendliness Alyssa Ross
@ 2022-12-07  7:46           ` vadik likholetov
  0 siblings, 0 replies; 18+ messages in thread
From: vadik likholetov @ 2022-12-07  7:46 UTC (permalink / raw)
  To: Alyssa Ross; +Cc: devel

[-- Attachment #1: Type: text/plain, Size: 1053 bytes --]

On ti, joulu 6 2022 at 20.31.48 +00:00:00, Alyssa Ross 
<alyssa.ross@unikie.com> wrote:
> Yes, that's a compelling argument.  I wonder if it would make sense to
> add some special configuration option for development, that would 
> enable
> extra development tools and other goodies?  (I often find myself 
> adding
> strace…)
> 
> (I think they probably shouldn't be present by default, because then 
> it
> could be difficult to be sure nothing was depending on them in future
> when it came time to remove them.  But something that any given
> developer could set once and then always have developer stuff 
> available,
> and toggle off when they wanted to test a production build, could make
> things a lot nicer.)

 I often add strace and ltrace :-) Logging and extra access to the 
internals of host/VM are also good.
 I agree about thati it's good idea to have developer-support features 
in place and have an ability to make production and development builds 
with a simple switch between them.

-- 
vadik likholetov


[-- Attachment #2: Type: text/html, Size: 1275 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-06 17:10     ` Alyssa Ross
  2022-12-06 20:12       ` Vadim Likholetov
  2022-12-06 20:19       ` Vadim Likholetov
@ 2022-12-07  8:04       ` Ville Ilvonen
  2022-12-07 11:09         ` vadik likholetov
  2 siblings, 1 reply; 18+ messages in thread
From: Ville Ilvonen @ 2022-12-07  8:04 UTC (permalink / raw)
  To: Alyssa Ross, Vadim Likholetov; +Cc: devel

On 12/6/22 19:10, Alyssa Ross wrote:
> On Tue, Dec 06, 2022 at 05:57:19PM +0200, Vadim Likholetov wrote:
>> I’ve done this — I have patched   cloud-hypervisor to have
>> three console devices — serial, console and user-console, but than
>> decided that this patches will never go to C-H mainline so got back
>> with more traditional approach with tmux :)
> 
> I'd be pretty optimistic about the chances of a patch that just made it
> so you could provide multiple consoles the same way you can provide
> multiple block devices.  Like "--console pty file=/path/to/console.out"
> on the command like to make two consoles, one going to a pty and the
> other to a file.

Vadim, please go ahead and create a PR to C-H upstream. There's good 
chance your work would get accepted. Let's see their comments and and 
feedback.

-Ville



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: Firefox appVM patches and appVM refactoring
  2022-12-07  8:04       ` Firefox appVM patches and appVM refactoring Ville Ilvonen
@ 2022-12-07 11:09         ` vadik likholetov
  0 siblings, 0 replies; 18+ messages in thread
From: vadik likholetov @ 2022-12-07 11:09 UTC (permalink / raw)
  To: Ville Ilvonen; +Cc: Alyssa Ross, devel

[-- Attachment #1: Type: text/plain, Size: 345 bytes --]

On ke, joulu 7 2022 at 10.04.28 +02:00:00, Ville Ilvonen 
<ville.ilvonen@unikie.com> wrote:
> 
> Vadim, please go ahead and create a PR to C-H upstream. There's good 
> chance your work would get accepted. Let's see their comments and and 
> feedback.
> 
> -Ville

Ok, I will. It will take couple of days to clean them up.
-- 
vadik likholetov


[-- Attachment #2: Type: text/html, Size: 557 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2022-12-07 11:09 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-04 22:42 Firefox appVM patches and appVM refactoring Vadim Likholetov
2022-12-06 11:42 ` Alyssa Ross
2022-12-06 13:56   ` Vadim Likholetov
2022-12-06 15:18     ` Alyssa Ross
2022-12-06 15:20 ` Alyssa Ross
2022-12-06 15:57   ` Vadim Likholetov
2022-12-06 17:10     ` Alyssa Ross
2022-12-06 20:12       ` Vadim Likholetov
2022-12-06 20:25         ` Alyssa Ross
2022-12-07  7:41           ` vadik likholetov
2022-12-06 20:19       ` Vadim Likholetov
2022-12-06 20:31         ` Developer-friendliness Alyssa Ross
2022-12-07  7:46           ` Developer-friendliness vadik likholetov
2022-12-06 20:59         ` Developer-friendliness Michael Raskin
2022-12-06 21:14           ` Developer-friendliness Alyssa Ross
2022-12-06 22:05           ` Developer-friendliness Michael Raskin
2022-12-07  8:04       ` Firefox appVM patches and appVM refactoring Ville Ilvonen
2022-12-07 11:09         ` vadik likholetov

Code repositories for project(s) associated with this public inbox

	https://spectrum-os.org/git/crosvm
	https://spectrum-os.org/git/doc
	https://spectrum-os.org/git/mktuntap
	https://spectrum-os.org/git/nixpkgs
	https://spectrum-os.org/git/spectrum
	https://spectrum-os.org/git/ucspi-vsock
	https://spectrum-os.org/git/www

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).