Since I last reinstalled my laptop, I try to keep my usually insanely long list of installed packages to a bare minimum. I’d usually have hundreds if not thousands of libraries and development packages as these are required by a bunch of packages I maintain or code I work on.
To achieve this and still be as productive as before (if not more), I’m using arkose quite a lot to generate temporary dev/build environment that are wiped as soon as I close the shell.
This helps maintain the number of extra libraries to a minimum, avoiding situations where something mysteriously works fine on my laptop but not on another machine and avoids the maintenance needed when dealing with chroots.
An example of this is when I’m working on ubiquity (the Ubuntu graphical installer).
Ubiquity depends on quite a few libraries and development packages that are required even if you just want to build its source package.
So having arkose installed on my system, I usually start working on a bug with:
sudo arkose -n -h -c "cd $PWD; $SHELL"
You can make that an alias if you use it quite often. At this point, you’ll see your shell showing a different hostname, like “arkose-tmpaF9yqa”, that’s how you know you’re in a container.
The command above creates a new container using copy-on-write for all the file system but your home directory and lets the container access the network without any restriction.
I then install all the packages I’ll need to work
sudo apt-get build-dep ubiquity
Then work as usual in that container, run debuild, dput, … everything should work as usual as it has direct access to my home directory.
Once I’m done and I don’t need all these packages anymore, I just exit that shell and all the changes done outside of /home will be lost.
Github
Twitter
LinkedIn
Mastodon
RSS feed
Have you explored doing something with
screenandarkose, if you needed to keep a sandbox around for more than a few days/hours?Starting screen from arkose won’t work because the sandbox gets destroyed as soon as the parent process exits.
The current problem I have is that I can’t move a sandbox into the background and spawn new processes in it. This is actually a kernel limitation that’s being fixed with the lxc-attach patches that are currently up for review on LKML.
These should then allow me to spawn new processes in an existing container that should allow users to keep running sandboxes in the background (but will need quite substantial code changes for that).
In the mean time, my usual recommendation for long running sandboxes is to directly use LXC and run a full LXC container that you can ssh into.
Thanks for that suggestion, I’ll take a look at it.
how could one use this to sandbox one’s interweb browser (mozilla flavor)?
Create a file called firefox.conf (for example) containing:
[container]cmd="firefox -no-remote"
runas=user
network=true
xserver=direct
dbus=session
pulseaudio=true
video=true
root=/
mount_bind=/sys
mount_cow=
mount_restrict=
mount_bind=/tmp/orbit-$USER
mount_cow=
mount_restrict=
Then do: arkose-wrapper-gui firefox.conf
That will show you an overview of the profile, prompt for your password and then start firefox in the container.
Hi Stéphane Graber!
I question whether arkose can be wrapped the child process created by the parent process?
for example:
A process wrapping by sandbox, boot process A process B, so process B is wrapped?
Not sure I understand the question, but I’ll try to answer based on my interpretation:
“arkose blah”
If blah then forks and spawns sub-procesesses, all of them will still be in the container, as long as “blah” runs as root, there’s no way for one of its children to exit the container.
And we’re working on making this reliable even when “blah” runs as root (though the work on LXC).
I’m using Ubuntu 11.10, and this is my demo.
Console 1:
—————————
root@tuph-virtual-machine:/home/tuph# arkose
To run a command as administrator (user “root”), use “sudo “.
See “man sudo_root” for details.
tuph@arkose-tmpkvsuRj:~$ mkdir /home/tuph/arkose
tuph@arkose-tmpkvsuRj:~$ ls /home/tuph
arkose
tuph@arkose-tmpkvsuRj:~$ gnome-terminal
_IceTransSocketUNIXConnect: Cannot connect to non-local host tuph-virtual-machine
_IceTransSocketUNIXConnect: Cannot connect to non-local host tuph-virtual-machine
** (gnome-terminal:11): WARNING **: Failed to connect to the session manager: Could not open network socket
tuph@arkose-tmpkvsuRj:~$
————————————-
“New terminal window is appear, i set it console 2”
Console 2:
————————————-
tuph@tuph-virtual-machine:~$ ls /home/tuph
;;;;;
Some thing wrong ??? Console 2 is out of container of arkose ?? From console 2, i can’t see folder arkose from console 1 created.
Process A bot process B, then process B is out container ???
Looking at what you pasted, my guess is that gnome-terminal isn’t actually running in the container.
The fact that it returned immediately points toward it using dbus to talk to a gnome-terminal outside of the container which then spawned your new window.
Try calling xterm instead, I’m pretty sure you’ll get the right result then.
Thank you…
Why xterm and not gnome-terminal?
Because gnome-terminal uses dbus to talk to existing gnome-terminal instances and launch the new window from the existing instance.
xterm is a standard app so it doesn’t do any crazy dbus stuff and just starts the process from where it’s called.
Running “gnome-terminal –disable-factory” might work from Arkose though, according to it’s –help this bypasses the use of existing gnome-terminals.
Ohh ! I’m understand.
I try use command firefox or arkose-wrapper-gui firefox.conf but the Firefox is crash[Quit/Restart]. After click restart Firefox, the windows firefox is appear. This is BUG?
# arkose-wrapper-gui firefox.conf
Traceback (most recent call last):
File “/usr/bin/arkose-wrapper-gui”, line 91, in
refresh_config()
File “/usr/bin/arkose-wrapper-gui”, line 42, in refresh_config
config=configobj.ConfigObj(StringIO.StringIO(running_config))
File “/usr/lib/python2.7/dist-packages/configobj.py”, line 1230, in __init__
self._load(infile, configspec)
File “/usr/lib/python2.7/dist-packages/configobj.py”, line 1320, in _load
raise error
configobj.ConfigObjError: Parsing failed with several errors.
First error at line 13.
I’m probably doing something wrong 🙂
What version of arkose is that exactly and what’s in your firefox.conf file?
The error indicates a syntax errror on line 13 of firefox.conf, not sure what’s wrong there though.
Exact same error. The file in firefox.conf is the one you provided (some comments earlier), only I changed “user” with my user name, and the arkose version is 1.5.1-0ubuntu1.
Hello
I have a question about using the -h home directory command from the command line, I need to use it in order to keep my settings e.g. plugins, general settings or I end up with a default config Firefox each time I run it. My question is, is there a way of copying my normal non Arkose firefox profile settings to memory with all my settings, without using the -h. Or is it the case that using the -h still goes protection on the home directory anyway. Sorry a bit of a newbie.
Thanks for your time.
Dave
How to get the global menu working for applications like Google Chrome? It does not matter which options I pass to the applications, global menu does not work. Is this because root applications (which arkose is) can not use the global menu?
I thought you had implemented global menu support?
I would be very thankful for an answer!