Category Archives: LXC

Sandbox changes name to become Arkose

Sandbox started as a quick hack I wrote at the Ubuntu Developer Summit in Orlando, FL back in October.

Since then it evolved quite a bit, getting a decent user interface and even a nautilus plugin.

The only thing that was really missing before making it an “official” project was a “real” name.
After thinking about it for a while (trust me, I’m really bad at finding names), I finally ended up browsing sand-related pages on Wikipedia and chose to go ahead with “Arkose”.

Arkose (pronounced /ˈɑrkoʊz/) is a detrital sedimentary rock, specifically a type of sandstone containing at least 25% feldspar.

Arkose

I really liked “sandbox” as a name, but it was a pain to Google for, apt-cache returned multiple results and finding relevant dents/tweets was really difficult. So instead I’ll mostly be using “Arkose – desktop sandboxing”: the name itself is a lot less common, and “desktop sandboxing” already gives very good Google results.

I finally created a Launchpad project and moved the branch to it. I’m expecting packages to hit the archive over the next few days.

PPA is available at: https://launchpad.net/~arkose-devel/+archive/stable

Posted in Arkose, LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

Getting ready for IPV6

I’ve been regularly playing with IPv6 since mid-2006, when I first opened an account at SixXS and got my first IPv6 tunnel up and running. Sadly at that point there weren’t many Points of Presence for tunnels, not to mention the state of native IPv6 networks…

Relatively recently my dedicated server provider started offering native IPv6 connectivity in their Nuremberg-based datacenter. They offer a /64 per server, which is plenty for most users and allows stateless address autoconfiguration (SLAAC) of a single network. Unfortunately in my case I’m running OpenVZ, LXC and KVM on that box, meaning multiple distinct networks with bridging and firewalls, and SLAAC needs a full /64 for each of them.

As I also wanted IPv6 connectivity for my home network and would rather have a single provider for both, I looked at the current state of tunnel brokers and ended up choosing Hurricane Electric, who offer free IPv6 tunnels with a routed /48 per tunnel, which is exactly what I needed. They have Points of Presence pretty much all around the world, which means very low latency IPv6 for all my networks.
They also happen to be one of the two upstream providers of the ISP we use at the office.

So I started configuring my Vyatta (Debian-based router distribution) routers to handle the IPv6 tunnel, send Router Advertisements to all my networks (radvd), relay DHCPv6 to my DHCP server and firewall incoming traffic.
That was surprisingly easy, taking only a few minutes: copy/pasting the configuration provided by the tunnel broker and setting up the firewall rules.

I then made sure all my main services work properly over IPv6; for now that includes DNS servers, web servers, mail servers and shell access. I backported Natty’s isc-dhcp-server to 10.04 LTS, moved my DHCP to it and created a minimal configuration so that stateless DHCPv6 announces my NTP and DNS servers.
I also updated my public DNS to include AAAA records for all services that have dual-stack support and got my registrar to add IPv6 glue records to my domain.

I’ve now been running that setup for a week or so on my home network, dedicated server and office network. Running wireshark for a few hours showed that almost half of my connections are IPv6 (mostly to my own networks).

I’ve been surprised to see how well Ubuntu Natty’s NetworkManager copes with IPv6 networks. In my case, it successfully noticed the “other-config” (O) flag in the router advertisement and started dhclient to grab the DNS and NTP configuration from the DHCPv6 server (stateless DHCPv6, RFC 3736): addresses still come from SLAAC, only the options come from DHCP.
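For reference, here is what the radvd and stateless DHCPv6 side of such a setup looks like in plain radvd.conf / isc-dhcp syntax. This is an added example, not the configuration from the post (the post’s routers are Vyatta, which wraps radvd in its own config language); the prefix 2001:db8:1234:1::/64, the interface name eth1, the domain example.net and the server addresses are made-up assumptions.

```conf
# /etc/radvd.conf on the router (assumed prefix 2001:db8:1234:1::/64 on eth1)
interface eth1
{
    AdvSendAdvert on;
    # M flag off: addresses come from SLAAC, not from stateful DHCPv6
    AdvManagedFlag off;
    # O flag on: hosts ask a DHCPv6 server for "other" configuration
    # (DNS, NTP), which is what makes NetworkManager start dhclient -6
    AdvOtherConfigFlag on;
    prefix 2001:db8:1234:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

# /etc/dhcp/dhcpd6.conf on the DHCP server (isc-dhcp-server started with -6)
# Stateless service: no range6, only options, so every client on the link
# gets the same answer to its Information-request.
option dhcp6.name-servers 2001:db8:1234:1::53;
option dhcp6.domain-search "example.net";
option dhcp6.sntp-servers 2001:db8:1234:1::123;

# The subnet6 declaration must match the link the requests are relayed
# from, otherwise dhcpd has no scope to pick the options from.
subnet6 2001:db8:1234:1::/64 {
}
```

Two things to check when reproducing this: the firewall in front of the router has to let ICMPv6 through, since neighbour discovery and the router advertisements themselves are ICMPv6; and a host that only picks up the O flag will never receive an address from dhcpd, which is the intended behaviour here but surprises people used to stateful DHCP.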

So I now have a working environment to develop the next generation of LTSP-Cluster, which is supposed to have complete IPv6 support from its first release.

Let’s hope we’ll see more IPv6 deployment in 2011.
Happy new year everyone !

Posted in LTSP, LXC, Planet Revolution-Linux, Planet Ubuntu | Tagged | Leave a comment

Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sandbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming ssh connection is sent to its own sandbox, with no direct access to the disk, no network available and no way to see other users’ processes.
Connecting twice over SSH gives you two shells which can’t see each other.
Note that the sudoers line grants every account passwordless execution of /usr/bin/sandbox as root with whatever arguments the ssh client supplied, so the isolation rests entirely on sandbox itself handling those arguments safely.

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

sandbox 0.2 released and packaged !

Yesterday, while enjoying the snow falling outside (finally!) I went through my TODO list for sandbox and implemented most of what was on it.

Ext4 support for the copy-on-write partition

You can now have the copy-on-write layer stored on disk instead of in RAM (tmpfs).
The tmpfs support is still available as an option for those who have plenty of RAM or don’t have a separate /home (due to the aufs limitation).

Nautilus extension

sandbox now has a nautilus extension which lets you start any executable binary/script directly in a sandbox.
sandbox nautilus integration

Updated GUI

The GUI is no longer showing any option by default and just “does the right thing” (in most cases).
sandbox new gui

All the options being hidden behind “Show sandbox options”.
sandbox new gui advanced

Released and packaged it

Finally, I released sandbox 0.2 (0.1 wasn’t in a packagable state) and packaged it for Ubuntu Natty Narwhal.
It’s made of 3 different packages:

  • sandbox: The command line utility and the C part.
  • sandbox-gui: The python GUI and .desktop file (Applications -> System Tools -> sandbox)
  • sandbox-nautilus: The nautilus extension; you need to restart nautilus for it to load

The packages (for natty) can be found in my experimental PPA: https://launchpad.net/~stgraber/+archive/experimental/
and code is still available at: https://code.launchpad.net/~stgraber/+junk/sandbox

sandbox running software

For now, everything is called “sandbox”, which is more of a concept than an actual project name. As it’s becoming more and more of an actual project and I’m quite bad at finding good names, I’m open to suggestions for a better name for the thing.

Update: Released 0.2.1, which auto-detects a separate /home partition and falls back to tmpfs when necessary. Packages are available for Natty (Ubuntu 11.04) and Maverick (Ubuntu 10.10).

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged , | Leave a comment

A week in Orlando (Ubuntu Developer Summit – Natty Narwhal)

Currently flying back from Orlando, FL, where I had an awesome Ubuntu Developer Summit, I wanted to quickly share what happened this week.

Ubuntu and Linaro banners

I had the chance of being able to participate in plenty of very different and interesting sessions over the week.

Here’s a quick overview of my interests for the Natty development cycle.

Edubuntu
I received a LOT of feedback regarding Edubuntu. There was a lot of interest in Edubuntu WebLive.
I gave a plenary on Tuesday about what Edubuntu is, why we are doing it and what our plans are for Natty, as well as announcing the availability of daily Edubuntu builds on WebLive.
For Natty we mostly plan on growing our user community and getting more feedback from it. Our installation process should be a lot faster and let users choose what kind of educational software they want.
We also reviewed around 20 new applications, most of them are already available in Edubuntu in Natty, two will need to be packaged.

Containers
For this UDS, we were lucky to have Daniel Lezcano from LXC attending.
So we had a few very interesting sessions on what needs to be done to get LXC to the point where it can be used as a replacement of OpenVZ.
We also discussed how we could use containers and similar technologies on ARM and on a regular desktop as a way to sandbox applications.

Desktop in the cloud
Following my demo of Edubuntu WebLive during Tuesday’s plenary, we had two cloud-track sessions related to it.
One on how to let users test Ubuntu (awstrial) and another on the Desktop in the Cloud image. We discussed the various technologies available for remote desktop and will try to get an official desktop in the cloud image for Natty.

Community
Being an Application Review Board member, I attended the 3 sessions on the topic. We discussed the application review process as well as the technical implementation and the current limitations the ARB noticed. We should soon have a clear process for reviewing new applications and will be able to start getting new applications in Ubuntu 10.10’s extra repository.

It was really great seeing everyone, discussing and working together this week. I’m now flying to Bangor, ME for the yearly LTSP by the sea meeting, then driving back to Sherbrooke, QC to start implementing everything we discussed!

See you all in Budapest next year!

Posted in Conferences, Edubuntu, LXC, Planet Revolution-Linux, Planet Ubuntu | 1 Comment