patches and low-level development discussion
From: Vadim Likholetov <vadim.likholetov@unikie.com>
To: Alyssa Ross <alyssa.ross@unikie.com>
Cc: devel@spectrum-os.org
Subject: Re: Firefox appVM patches and appVM refactoring
Date: Tue, 6 Dec 2022 22:12:49 +0200	[thread overview]
Message-ID: <DBCA6781-08B9-4850-A162-49459EEA2C36@unikie.com> (raw)
In-Reply-To: <20221206171022.5kwkddpjet3q7ks4@x220>

I’ll try to explain — running as user is not just dropping the privileges, it is about preparing the environment - making a home directory, fixing permissions, allocating ptys in case of interactive sessions, setting environment variables.
Many system daemons like dbus, pipewire, etc. have their system-level and user-level parts and we should manage these separately — and it is our nearest future if we want some complex user environments to run on Spectrum, and possibly the packages for these daemons will extend this environment transparently to the user.

So it’s another form of encapsulation, like we discussed about making a separate layer for wayland.

I’ve published the cloud-hypervisor patches for extra user console device in my repository under -userconsole branch. 
I’ll test it (or anyone can) for side effects and then we can discuss if it is worth being used in Spectrum or pushed upstream to C-H.
Here is the URL — https://github.com/vadika/cloud-hypervisor/tree/userconsole


> On 6 Dec 2022, at 19:10, Alyssa Ross <alyssa.ross@unikie.com> wrote:
> 
> On Tue, Dec 06, 2022 at 05:57:19PM +0200, Vadim Likholetov wrote:
>> I’ve done this — I have patched cloud-hypervisor to have
>> three console devices — serial, console and user-console, but then
>> decided that these patches will never go to C-H mainline so got back
>> with a more traditional approach with tmux :)
> 
> I'd be pretty optimistic about the chances of a patch that just made it
> so you could provide multiple consoles the same way you can provide
> multiple block devices.  Like "--console pty file=/path/to/console.out"
> on the command line to make two consoles, one going to a pty and the
> other to a file.
> 
> In Spectrum, the way I'd see such an approach working is that by default
> there'd be a single console that gave you a shell inside the VM, and if
> you needed other consoles for other reasons (e.g. if you had an
> application running on the console, like Lynx) you'd configure another
> console in the VM configuration.  But as we move more towards graphical
> applications, it will probably become rare to need a secondary console
> for application interaction like that.
> 
> To get a non-root shell from the root console though, I think it
> should be enough to just:
> 
>    # s6-applyuidgid -u 1000 -g 1000 sh
> 
> (Adding tmux to the VM in development to be able to hop between multiple
> shell sessions would be a reasonable thing to do, of course.)
> 
>>> On 6 Dec 2022, at 17:20, Alyssa Ross <alyssa.ross@unikie.com> wrote:
>>> 
>>> On Mon, Dec 05, 2022 at 12:42:35AM +0200, Vadim Likholetov wrote:
>>>> Cloud-hypervisor has virtual hardware limitations -- it supports only one
>>>> console device and only one serial device.
>>>> SpectrumOS is using serial device for kernel logs of appVM and console
>>>> device as a console.
>>>> To have access both to root-executed part and to user-executed part of the
>>>> VM payload, I installed a tmux on console.
>>>> Now, when you're running vm-console command you get access to the tmux
>>>> and have the ability to switch between root and user consoles,
>>>> that can be useful during debugging VM payload.
>>> 
>>> I wonder what it would take to make cloud-hypervisor support multiple
>>> virtio-console devices… I suspect it wouldn't be too hard, since it
>>> already supports multiples of every other virtio device just fine…
>> 
>> 
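
As an added illustration (example code written for this page, not part of the thread, of Spectrum, or of cloud-hypervisor), the following POSIX sh script shows the distinction drawn above between merely dropping privileges with s6-applyuidgid and first preparing the environment the user session needs: a home directory and a runtime directory with owner-only permissions, ownership fixed when the caller is root, and an environment file with the variables user-level daemons such as dbus or pipewire look for. The directory layout under a root passed as the first argument, the environment variable set, and the function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare a per-user session
# environment before dropping privileges. All paths live under a root
# directory given by the caller so the functions can be exercised in a
# constructed sandbox without root.
set -eu

# prepare_user_env ROOT USER UID GID
# Creates ROOT/home/USER and ROOT/run/user/UID with mode 0700, chowns them
# to UID:GID when running as root, and writes ROOT/run/user/UID/env with the
# variables a user session expects. Prints the path of the env file.
prepare_user_env() {
    root=$1; user=$2; uid=$3; gid=$4
    home="$root/home/$user"
    runtime="$root/run/user/$uid"
    mkdir -p "$home" "$runtime"
    chmod 0700 "$home" "$runtime"
    # Ownership can only be changed by root; outside root the directories
    # stay owned by the caller (the sandbox case).
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$home" "$runtime"
    fi
    {
        printf 'HOME=%s\n' "$home"
        printf 'USER=%s\n' "$user"
        printf 'LOGNAME=%s\n' "$user"
        printf 'XDG_RUNTIME_DIR=%s\n' "$runtime"
        printf 'SHELL=/bin/sh\n'
    } > "$runtime/env"
    chmod 0600 "$runtime/env"
    printf '%s\n' "$runtime/env"
}

# check_user_env ENVFILE
# Returns 0 when the HOME and XDG_RUNTIME_DIR named in ENVFILE exist and
# carry no group or other permission bits, 1 otherwise.
check_user_env() {
    envfile=$1
    home=$(sed -n 's/^HOME=//p' "$envfile")
    runtime=$(sed -n 's/^XDG_RUNTIME_DIR=//p' "$envfile")
    for d in "$home" "$runtime"; do
        [ -d "$d" ] || return 1
        # ls -ld prints e.g. "drwx------"; the six trailing dashes are the
        # group and other bits, which must all be clear.
        case $(ls -ld "$d") in
            d???------*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# run_as_user ENVFILE UID GID CMD...
# Loads the prepared environment, moves into the home directory and only
# then drops privileges with s6-applyuidgid (as suggested in the thread)
# before exec'ing CMD. Meant to be called from the root console.
run_as_user() {
    envfile=$1; uid=$2; gid=$3; shift 3
    check_user_env "$envfile" || {
        printf 'refusing to start: user environment not prepared\n' >&2
        return 1
    }
    set -a; . "$envfile"; set +a
    cd "$HOME"
    exec s6-applyuidgid -u "$uid" -g "$gid" "$@"
}
```

Typical use from a root shell in the VM would be `envfile=$(prepare_user_env / user 1000 1000)` followed by `run_as_user "$envfile" 1000 1000 sh`; the check in `run_as_user` is what distinguishes this from a bare `s6-applyuidgid -u 1000 -g 1000 sh`, which would start the user shell with root's HOME and no runtime directory.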


