Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sanbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming ssh connection will be sent to its own sandbox with no direct access to the disk, no network available and won’t be able to see other user’s processes.
Connecting twice over SSH will give you two shells which won’t be able to see each other.

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

Want your own Edubuntu weblive ?

Since I announced Edubuntu WebLive 8000 users have been testing Edubuntu using it.

Edubuntu WebLive

After a bit of cleaning up and packaging, I’m now pleased to announce that the source code for both our Drupal plugin and the XML-RPC daemon is available on Launchpad: https://code.launchpad.net/vmmanager.

Drupal plugin

Features:

  • Provider the user interface for Weblive, like the one on: http://www.edubuntu.org/vmmanager
  • Gives a basic administration interface to enable/disable the NX servers and update all the text shown in the user interface
  • Code is PHP using the Drupal form APIs and php-xmlrpc to contact the ltsp-cluster-agent plugin

Installation is relatively trivial, just follow the README file in the branch.

ltsp-cluster-agent plugin

Features:

  • XML-RPC service (authenticated and using HTTPS) that Drupal uses to create new users
  • Database of all accounts ever created, their status and expiry time
  • Support for multiple SSH servers
  • Client to query the database (also over xml-rpc) to gather statistics or manually create/remove accounts
  • Code is python, using paramiko for SSH and storm+sqlite as ORM

Installation is straightforward as everything is packaged here: https://launchpad.net/~stgraber/+archive/experimental

ltsp-cluster-agent is a python daemon designed for use by LTSP and LTSP-Cluster. More on that in a later post.

The VM itself

For Edubuntu, our VMs are entirely automatically generated using debian-installer preseeding and KVM.
Unfortunately these scripts are not clean enough yet for me to release them, I’d expect to have them out very soon though.

The basic requirement for the VM is to have these packages installed:

  • ltsp-cluster-accountmanager (used to cleanup session leftovers)
  • freenx-server (the NX server)

We have recent versions of both in Revolution Linux’s PPA. ltsp-cluster-accountmanager is also in the archive since karmic and I’m hoping for freenx-server to enter the archive soon.

I’d also recommend removing the following packages as they caused some issues with Edubuntu WebLive:

  • network-manager, network-manager-gnome, network-manager-pptp, network-manager-pptp-gnome
  • jockey-common, jockey-gtk
  • rtkit

As usual, comments, patches and bug reports are welcome. I’d also be happy to hear from other deployments of WebLive !

Posted in Edubuntu, LTSP, Planet Revolution-Linux, Planet Ubuntu | Tagged , | 3 Comments

Announcing LDM 2.2 and LTSP 5.2.5

Today, I’m pleased to announce the release of both LTSP 5.2.5 and LDM 2.2.

Quite a lot of changes went in over the past few months, 25 commits since the last ltsp release and 82 for ldm.
Here’s a quick overview of what’s new.

Big LDM refactoring and cleanup

Almost a year ago, my company got some funding from the NLNet foundation to work on a few LTSP and LTSP-Cluster related projects. One of them was to make LDM extensible, moving it to a plugin infrastructure and making it’s interface a bit more flexible.

I’m glad to announce that all of that work landed upstream almost two months ago and since then has been cleaned up and tested.
From a user experience point of view, the only noticeable change should be that the same login screen can now be used for Linux (ssh), Windows (rdp) login and for fat clients.

From a sysadmin/developer point of view, a lot changed:

  • Support for multiple backends. The old SSH backend as been ported to the plugin infrastructure and an RDP plugin has been written. A pam/libssh plugin should soon replace the current SSH plugin
  • Switched to using multiple windows and a window manager instead of our old fullscreen window. It should make it a lot easier to add more widgets to the login screen.
  • New logging functions with different logging levels and standardized logging output with syslog support

LDM 2.2

Remote apps support

It’s now been a few years since we have local applications supported in LTSP. It’s greatly improved over the years to get to what we currently have in LTSP.
The biggest issue of it was that if you start a software like firefox as a localapp and click on a .pdf/.odt/… document in it, it won’t be able to open them unless the required viewer is also a localapp.

That’s now been fixed thanks to the work done by Marc Gariépy and Gideon Romm during the last LTSP hackfest in Southwest Harbor, ME.
ltsp-remoteapps is a new command that can be assigned to mimetypes on the thin client and will open the viewer on the application server.

For the user, this means that if they click on a .odt document in their local firefox, it’ll now automatically open it in OpenOffice Writer on the application server.
Giving the desktop-like experience that was missing for local applications.

Other than these two big changes, we had our usual set of bug fixes, cleanup and translation updates.

Packages for Ubuntu Natty are already available and a backport for Ubuntu 10.10 (Maverick) is available in my PPA: https://launchpad.net/~stgraber/+archive/ppa

Posted in LTSP, Planet Revolution-Linux, Planet Ubuntu | 3 Comments

sandbox 0.2 released and packaged !

Yesterday, while enjoying the snow falling outside (finally!) I went through my TODO list for sandbox and implemented most of what was on it.

Ext4 support for the copy-on-write partition

You can now have the copy-on-write stored on disk instead of RAM memory (tmpfs).
The tmpfs support is still available as an option for these who have plenty of RAM or don’t have a separate /home (due to the aufs limitation).

Nautilus extension

sandbox now has a nautilus extension which lets you start any executable binary/script directly in a sandbox.
sandbox nautilus integration

Updated GUI

The GUI is no longer showing any option by default and just “does the right thing” (in most cases).
sandbox new gui

All the options being hidden behind “Show sandbox options”.
sandbox new gui advanced

Released and packaged it

Finally, I released sandbox 0.2 (0.1 wasn’t in a packagable state) and packaged it for Ubuntu Natty Narwhal.
It’s made of 3 different packages:

  • sandbox: The command line utility and the C part.
  • sandbox-gui: The python GUI and .desktop file (Applications -> System Tools -> sandbox)
  • sandbox-nautilus: The nautilus extension, you need to restart nautilus to have it to load

The packages (for natty) can be found in my experimental PPA: https://launchpad.net/~stgraber/+archive/experimental/
and code is still available at: https://code.launchpad.net/~stgraber/+junk/sandbox

sandbox running software

For now, everything is called “sandbox” which is more of a concept than an actual project name. As it’s becoming more and more of an actual project and I’m quite bad at finding good names, I’m open for suggestions of a better name for that thing.

Update: Release 0.2.1 which auto-detect separate /home partition and fall-back to tmpfs when necessary. Packages are available for Natty (Ubuntu 11.04) and Maverick (Ubuntu 10.10).

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged , | Leave a comment

Sandbox gets a GUI

Last Friday at work enjoying the fact that most of the US weren’t working, I spent a few hours working on my current pet project, sandbox.

Most of the code has now been moved from the C code to a shell script, keeping only what’s really needed in C.
I also added the possibility of directly starting a command in a container (once the command ends, the container is destroyed).

On top of that, I played a bit with Glade and pygtk to implement a basic GUI on top of Sandbox as shown below:
Sandbox GUI screenshot

This is still very basic but should be a lot more user friendly than having to start the tool from the command line.

Next on the TODO list is support for saving/restoring containers and some kind of nautilus integration (Right-Click => “Run in a container” would be sweet).

As always, the code can be found in a bzr branch:
bzr get lp:~stgraber/+junk/sandbox
Or from: https://code.launchpad.net/~stgraber/+junk/sandbox

Posted in Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged , | Leave a comment