Hi,
I've been running Qubes for a few years now and I'd like to give
Spectrum a try, as I've been having some hardware and performance
problems with Qubes. Is there some up-to-date guide I can follow? I
found https://alyssa.is/using-virtio-wl/#demo and was able to see the
weston terminal. I also tried updating to the latest commit and was
able to get a nested wayfire window with:
nix-build . -A spectrumPackages && ./result-3/bin/spectrum-vm
(I'm fairly new to Nix, so not sure if this is the right way to do things)
I managed to change the keyboard layout, mount a tmpfs for home, and
increase the memory enough to start firefox, but I haven't managed to
get much further. Things I tried so far:
- I tried replacing wayfire with weston-terminal, to avoid the nested
session. But sommelier segfaults when I do that.
- I tried adding `--shared-dir /tmp/ff:ff:type=9p` to share a host
directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
in the VM seemed to work, but `ls /tmp` crashed the VM.
- I tried using `-d /dev/mapper/disk` to share an LVM partition, but
`mount -t ext4 /dev/vdb /tmp` refused to mount it.
- I tried enabling networking with `--host_ip 10.0.0.1`, etc., but it
said it couldn't create a tap device. I guess it needs more
privileges.
Ideally, I'd like to run a VM with each of my old Qubes filesystems,
to get back to where I was with my Qubes setup, before investigating
new spectrum stuff (e.g. one app per VM). Do you have any advice on
this? I see these lists are a bit quiet - I hope someone is still
working on this because it sounds great :-)
Thanks!
--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC
Since I started working on Spectrum, one of the things I've been most
excited about has been the potential of Wayland and related
technologies to provide a level of integration and cohesion that
hasn't been seen before in a compartmentalized operating system. It's
the main thing that people who are aware of Spectrum but are not
closely following its development know the project for. But people
who /have/ been following my work closely will have noticed that I
haven't had much to say about it for a while.
My original grant agreement covered some basic Wayland functionality.
With that funding, I was able to learn about, run (to my knowledge,
for the first time outside the context of Chromium OS development) and
experiment with virtio wayland. I produced documentation and a
portable demo that helped give other developments like Thomas's
wayland-proxy-virtwl[1][2] their start. We're on a solid track to
have basic Wayland functionality for applications running in isolated
VMs, including things like inter-application copy/paste, and possibly
optional GPU acceleration.
But to have a system that provides the level of security I want
Spectrum to have, there's still a lot of work to do. New protocols
need to be designed, discussed, and implemented, not just in Spectrum,
but in the Wayland ecosystem in general, to make it possible to do
things like identify which application a Wayland window belongs to, or
manage access to the clipboard. None of this is so big it's
infeasible for Spectrum as a project, but it's a big time investment
not covered by my original grant agreement for Spectrum, and so I've
been shying away from it in favour of work with a more immediate
return on investment, like my recent work creating an installer and
live image for Spectrum, or figuring out how VM configuration will
work.
Recently, though, the stars aligned in a way that means we should be
able to make a lot of progress on these bigger Wayland developments
much quicker than I was otherwise expecting. After a couple of months
of working to make it happen, I'm so excited to finally be able to
announce that we have secured a modest amount of additional funding to
enable Puck Meerburg to work on Spectrum with me, focusing entirely on
Wayland work. She will be designing the protocols we need, producing
reference implementations, discussing them with upstream with an aim
to get them standardised, and so on. One of the most exciting things
about the work we have planned for Puck is that none of it is
Spectrum-specific. In keeping with the general development philosophy
for Spectrum, we want to move the ecosystem forward for everyone,
rather than developing Spectrum-specific hacks that would be useless
if the project ever wasn't able to continue.
Puck is the ideal person to be working on this. She was already our
resident Wayland expert, being able to answer just about any question
I had when doing Wayland work, and even providing some patches of her
own[3]. She has experience with standards processes through her work
on ActivityPub. She has an amazing talent for finding bugs — just
look at her list of Nix discoveries[4] — and experience doing security
research: she recently discovered a "critical"-rated security issue
in Mastodon[5]. And she's proven over and over her ability to jump
into an unfamiliar problem space and diagnose an issue at an amazing
speed. I'm confident that having Puck spending a lot of time working
with Spectrum is going to be a huge boon to the project even outside
of the Wayland work she's specifically funded to work on.
A final note: the grant funding for both Puck and myself expires at
the end of September. What happens after that point is yet to be
determined. Given the level of donations I currently receive, unless
there's a sudden drop in my donation income, I should still be able
to spend at least most of my time working on Spectrum, regardless of
what happens with other funding sources.
As I've said before, donation income is also extremely important to
provide a level of stability and flexibility that grant funding just
can't — it's important to know that I'm not going to be broke because
it's taking longer than expected to implement something, or there's
something unanticipated I need to do first that I don't have funding
for. It would be really helpful if we could get some of that
stability and flexibility for Puck as well, especially looking towards
what happens once our grant funding is up. So Puck is now also
accepting donations, and if you'd like to help Spectrum push forward
Wayland security, please consider sponsoring her.
https://github.com/sponsors/puckipedia
I'm so excited for where things go from here.
[1]: https://github.com/talex5/wayland-proxy-virtwl/
[2]: https://roscidus.com/blog/blog/2021/03/07/qubes-lite-with-kvm-and-wayland/
[3]: https://spectrum-os.org/git/nixpkgs/tree/pkgs/os-specific/linux/chromium-os…
[4]: https://github.com/NixOS/nix/issues?q=author%3Apuckipedia+is%3Aissue
[5]: https://github.com/mastodon/mastodon/releases/tag/v3.4.6
Hi all, I thought I'd try a different format of update. It's
difficult to find the time for the big This Week in Spectrum updates
I've tried to do before, but I'd like to provide some sort of account
of what I've been doing.
So, here's an overview of what I did in March. I'm happy to expand on
any of it that sounds interesting — just hit Reply All and tell me
what you'd like to hear more about!
I'm also interested to hear what you think of this status update
format. I'd like to get better about communicating what I'm working
on, in a sustainable way. Let me know if you have any suggestions!
Miscellaneous
-------------
• Edited and published demo video[1]
• Set up an IRC bot to post incoming mailing list messages
• Switched from Busybox's modprobe to kmod
• Removed unused dependencies
• Various other cleanups and fixes
• Started work towards CI for Spectrum
• Prototyped a shared base image for application VMs
[1]: https://diode.zone/w/dWAWHR38Zu3feRtDKjVEJb
virtiofs investigation
----------------------
• Prototyped virtiofs VM filesystem access
• Reported a bug: "Can't run unprivileged any more due to setgroups"[2]
• Participated in discussion and testing of Musl port[3][4][5]
[2]: https://gitlab.com/virtio-fs/virtiofsd/-/issues/36
[3]: https://github.com/slp/capng/pull/2#issuecomment-1059976861
[4]: https://github.com/slp/capng/pull/3
[5]: https://github.com/rust-lang/libc/pull/2713
Spectrum-related upstream Nixpkgs commits
-----------------------------------------
• lvm2: don't use targetPlatform (05a6c124e65)
• coreutils: add debug output (e30f0f31e8d)
• pkgsMusl.systemd: fix build for 250.4 (39eee39fd92)
• nghttp2: only run tests on GNU (8685cea963b)
• python3.pkgs.importlib-metadata: fix cross (3c7b77e638b)
• spidermonkey: use the same LLVM as rustc (3ff5f0eb764)
• pkgsStatic.stdenv.cc.cc: put static libs in $lib (12c37aec377)
• Revert "gcc: Always pass `--enable-shared` by default" (c6dd11ca39a)
• libudev-zero: 1.0.0 -> 1.0.1 (c7b7ad77985)
• linux_latest: 5.16.14 -> 5.17 (58ae11758e8)
• crosvm: 81.12871.0.0-rc1 -> 99.14468.0.0-rc1 (6aefdafbed9)
• shadow: 4.8.1 -> 4.8.11 (8d35d7e2bf1)
• pkgsMusl.libnetfilter_conntrack: fix build (2cc5ec86571)
• pkgsMusl.systemdMinimal: fix build (b8734c50e29)
• linux.configfile: fix alts containing "/m" (fb079c3110d)
• cloud-hypervisor: 21.0 -> 22.0 (36a211e1ee3)
• edk2: 202108 -> 202202 (9222b68380e)
• kmod: add dev and lib outputs (dc1303185f8)
• systemd: update patchShebangs comment (a0bfc8e7c1f)
• systemd: fix a whole bunch of typos (479b1cb510b)
Pending Spectrum related Nixpkgs PRs
------------------------------------
• crosvm: add support for virgl_renderer{,_next} (#165128)
• qemu: 6.2.0 -> 7.0.0 (#165291)
Spectrum infra related upstream Nixpkgs commits
-----------------------------------------------
• irccat: init at 0.4.8 (ce8cbe3c01f)
• git: enable debug info (4345b27dedf)
• cgit-pink: init at 1.3.0 (deab83e1167)
• mailman-web: fix django version check removal (3512f5b7075)
Demo video related upstream Nixpkgs commits
-------------------------------------------
• ccsymbols: init at 2020-04-19 (cf7556eea5a)