Running glibc programs: Difference between revisions

From Alpine Linux
{{Draft}}

If you want to run [https://www.gnu.org/software/libc/ glibc] programs in Alpine Linux, there are a few ways of doing so. You could install glibc in addition to the system libc (you would have to do this manually), or you could do it the easy way and use a chroot. (The text below still refers to [https://uclibc.org/about.html uclibc]; Alpine has shipped [https://musl.libc.org/ musl] as its libc since release 3.0, and the same chroot approach applies.)

Because there are different use cases, this is just a brief overview of what is possible and what is sensible. Keep in mind that a chroot is a convenience for running foreign binaries, not a security boundary: a process that is root inside the chroot is root on the host, so the examples below that run as root should be read with that in mind.

= Your options =

== Using BusyBox ==

First, the simplest approach for setting up a chroot is by using a glibc build of [https://www.busybox.net/about.html BusyBox].

This approach has just a few downsides:
* You have to symlink most <code>/bin/</code> and <code>/usr/bin</code> programs to <code>/bin/busybox</code>, and some BusyBox builds break if you don't configure them correctly.
* You have to download every library your program needs manually.

However, if you want a small environment for one simple use case, then this is the solution you want.

== Using a live CD ==

If you prefer a particular distro, you can always download and extract its live CD and use it as a chroot environment.

== Using an image ==

For Gentoo, this is the slowest approach, especially on slow machines, since Gentoo is not a binary distribution and builds can be unpredictable, but you have the advantage of controlling the package version of whichever library you will install. A drawback is the big build: you have to install a Portage tree, which uses up a lot of space (it is not strictly necessary if you don't need to install any additional packages). Sometimes a package will fail in the compilation phase of emerge, and you either end up patching it yourself or waiting for a fix to appear on Gentoo's Bugzilla.

For Arch or Debian, this is recommended since packages are precompiled and better suited to unattended package installation. This approach isn't as easily executed as the other alternatives, but it may be the cleanest and most recommended one for the everyday user.

= How to do it =

This is just a quick draft, so here it comes.

== Using BusyBox ==

First, we need to download BusyBox. You can choose any of your favourite distros to download a prebuilt version. For instance, you could use Arch Linux [https://www.archlinux.org/packages/?q=busybox packages], as follows (the i686 package URLs below are historical; Arch Linux dropped i686 support in 2017, so substitute the x86_64 packages or a 32-bit Arch fork today):
  wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
  mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
  for i in *.pkg.tar.xz;do
  bsdtar xfJ $i -C ~/chroot
  done
  cp /etc/resolv.conf ~/chroot/etc/
  ln -s /bin/busybox ~/chroot/bin/sh
  ln -s /bin/busybox ~/chroot/bin/ln
  sudo chroot ~/chroot/ /bin/sh

This creates a simple chroot environment, which we will expand through all the commands included in BusyBox (run this inside the chroot):

  for i in $(busybox --list);do ln -s /bin/busybox /usr/bin/$i;done


== Using a live CD ==

{{Draft|Contributions welcome}}

== Using an image ==

=== Gentoo Linux ===

Select a stage3 from [https://www.gentoo.org/downloads/ here] and the latest Portage snapshot from a [https://www.gentoo.org/downloads/mirrors/ mirror] at gentoo/snapshots/portage-latest.tar.xz.

First,

  sudo apk add xz

You may also need the vanilla kernel. If Gentoo at some point updates PAM, you need the vanilla kernel for it to emerge successfully without problems:

  sudo apk add kernel-vanilla

Add kernel-vanilla to GRUB and reboot into it if you are going to pull in both git and layman, which Gentoo uses to download community-supported packages.

Enter the chroot (note that extracting the stage3 as a regular user, as below, makes every file owned by you and drops setuid bits; that is fine for running a single program, but extract it as root if you want a complete system inside):

  mkdir ~/chroot
  cd ~/chroot
  tar -xvf stage3-*.tar.xz
  tar -xvf portage-latest.tar.xz
  mv portage usr
  sudo mount --bind /dev dev
  sudo mount --bind /sys sys
  sudo mount -t proc proc proc
  cp /etc/resolv.conf etc
  sudo chroot . /bin/bash

And voilà, you have your working Gentoo chroot!

You can now take a look at [https://wiki.gentoo.org/wiki/Handbook:Main_Page Gentoo's Handbook] to find out how you can configure and install your system, or simply extract/copy the program you need to run into your chroot environment and execute it.

Here is a wrapper script, similar to <code>arch-chroot</code>, for when you frequently reuse this chroot. It enters the chroot as your own user rather than as root, so first create an account with the same user name as your host user inside the chroot, or change the <code>--userspec</code> option on the chroot line.

{{Cat|gentoo-chroot.sh|<nowiki>#!/bin/bash
set -e
CHROOT_PATH="/home/$USER/chroot"
cd "$CHROOT_PATH"
# Mount each pseudo-filesystem only if a previous session has not left it mounted.
mount | grep -q " $CHROOT_PATH/dev " || sudo mount --bind /dev dev
mount | grep -q " $CHROOT_PATH/sys " || sudo mount --bind /sys sys
mount | grep -q " $CHROOT_PATH/proc " || sudo mount -t proc proc proc
cp /etc/resolv.conf etc
# --userspec enters the chroot as your own user, not as root.
sudo chroot --userspec="$USER:users" . /bin/bash
echo "You must manually unmount $CHROOT_PATH/dev, $CHROOT_PATH/sys, $CHROOT_PATH/proc."
</nowiki>
}}

Run <code>chmod +x gentoo-chroot.sh</code> to make it executable.

=== Arch Linux ===

Although '''pacstrap''' is included with the arch-install-scripts package, it will not work unless the target directory is a mountpoint, so the Arch bootstrap image must be used instead (the image is updated every month, so change the date in the link as required). Check the tarball against the <code>.sig</code> file published next to it before extracting it, and extract it as root so that the ownership and setuid bits inside the image are preserved (otherwise <code>sudo</code> inside the chroot will not work):


   sudo apk add arch-install-scripts
   mkdir ~/chroot && cd ~/chroot
   curl -O https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.01.01-x86_64.tar.gz
   sudo tar xzf archlinux-bootstrap-2018.01.01-x86_64.tar.gz && rm archlinux-bootstrap-2018.01.01-x86_64.tar.gz
   sudo sed -i '/evowise/s/^#//' root.x86_64/etc/pacman.d/mirrorlist
   sudo arch-chroot root.x86_64
   [chroot]# pacman-key --init
   [chroot]# pacman-key --populate archlinux

Once that is done, update the system and install the desired package(s) (denoted by ''"foo"'' in this example):
    
   [chroot]# pacman -Syu ''foo''

=== Debian ===

Use the provided debootstrap package to create the Debian chroot. <code>--arch</code> is optional, depending on your needs.

On the '''linux-grsec''' kernel, you will need to relax the grsecurity chroot restrictions while debootstrap runs, and restore them afterwards (the second loop below assumes they were all enabled before; check the current values first if you have changed them):

   sudo apk add debootstrap
   for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 | sudo tee $i; done
   mkdir ~/chroot
   sudo debootstrap --arch=i386 wheezy ~/chroot http://http.debian.net/debian/
   for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 1 | sudo tee $i; done
   sudo chroot ~/chroot /bin/bash

You can now use <code>apt-get</code> to install needed packages.
 
== Examples ==

=== Source dedicated server ===

Here is an easy example of how you can run [http://www.srcds.com srcds] in a simple BusyBox chroot.

For this server, you will only need the basic chroot and a full GNU tar (the BusyBox tar is not sufficient because it lacks the <code>-U</code> option):

  wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/tar/download/ -O tar.pkg.tar.xz
  mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
  for i in *.pkg.tar.xz;do
  bsdtar xfJ $i -C ~/chroot
  done
  cp /etc/resolv.conf ~/chroot/etc/
  ln -s /bin/busybox ~/chroot/bin/sh
  ln -s /bin/busybox ~/chroot/bin/ln
  sudo chroot ~/chroot/ /bin/sh

Now that you are in a working chroot, you can download the server and install it. You just have to execute the following self-explanatory commands:

  mkdir ~/work
  cd ~/work
  busybox wget http://www.steampowered.com/download/hldsupdatetool.bin
  chmod +x hldsupdatetool.bin
  ln -s /bin/busybox ./uncompress
  cp /bin/tar . #right now executing programs from $PATH is buggy, soon to be fixed (no bug in BusyBox, but in my script)
  ./hldsupdatetool.bin #you can accept it or not ;)
  ./steam
  ./steam

...and you should have a working chroot with '''srcds''' installed in it.

If you think you are clever or elegant, you can use the server with a bash script:

  #!/bin/bash
  chroot ~/chroot /root/work/steam "$@"

Just save it (in your Alpine installation) under <code>/usr/bin/steam</code>, do a <code>chmod +x /usr/bin/steam</code> and have fun!

{{Warning|This script would let '''Steam''' run with root privileges, and root inside a chroot is root on the host. This is not recommended; run the server as an unprivileged user instead, as the Skype example below does with <code>chroot ... /bin/su - <username> -c ...</code>.}}


=== MegaCli ===

So let's run [https://wikitech.wikimedia.org/wiki/MegaCli MegaCli] in a chroot too, shall we? ;)

First we set up a glibc chroot. '''MegaCli''' needs more than just glibc: it needs [https://www.gnu.org/software/ncurses/ ncurses] and gcc-libs as well:

  wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/ncurses/download/ -O ncurses.pkg.tar.xz
  wget http://www.archlinux.org/packages/core/i686/gcc-libs/download/ -O gcc-libs.pkg.tar.xz
  mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc,sys}
  cp /etc/resolv.conf ~/chroot/etc/
  for i in *.pkg.tar.xz;do
  bsdtar xfJ $i -C ~/chroot
  done
  ln -s /bin/busybox ~/chroot/bin/sh
  ln -s /bin/busybox ~/chroot/bin/ln

After this, we visit [http://www.lsi.com/downloads/Public/MegaRAID%20Common%20Files/8.02.16_MegaCLI.zip this] site and download '''8.02.16_MegaCLI.zip'''.

  mkdir tmp
  cd tmp
  unzip ../8.02.16_MegaCLI.zip
  cd LINUX
  unzip MegaCliLin.zip
  #Now comes code stolen from rpm2cpio
  o=`expr 96 + 8`
  set `od -j $o -N 8 -t u1 MegaCli-8.02.16-1.i386.rpm`
  ...
  rm opt/MegaRAID/MegaCli/MegaCli64 # who needs 64bit?
  cp -r opt/ ~/chroot/

Now we have a working '''MegaCli''' client in our chroot.

As with '''srcds''', we do not want to operate from inside the chroot, so here is a little script that should make this easier (use at your own risk; unlike the game server, MegaCli does need root, since it talks to the RAID controller directly):


  #!/bin/bash
  ...
  umount ~/chroot/dev
  umount ~/chroot/sys

Save it under <code>/usr/bin/MegaCli</code>. Do a <code>chmod +x /usr/bin/MegaCli</code> and good luck.

Note: this method takes around 50 MB. If you need something smaller, you can strip a few files from glibc (not recommended), or work on a squashfs.

With the following, you can create a squashfs that is only around 15 MB:

  mksquashfs ~/chroot/ /chroot.sfs -b 65536

When you add a [https://en.wikipedia.org/wiki/UnionFS unionfs] layer, you can even use it with write access, or you can bind-mount some directories over the directories that need to be writable before you chroot into it.

I will look into it later on.

You can save the chroot in another directory than your home directory, and you could even install a chroot through an APKBUILD (once someone writes one).

With this, you could use many glibc-dependent programs through one chroot, but be aware that running programs like this should not be standard. It should only be used in extreme situations, such as for ''closed source'' tools linked against glibc.
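The squashfs image above is read-only. The script below is an added example (it is not part of the original page) of the unionfs idea mentioned above, using the kernel's overlayfs as the union layer: the image is mounted read-only as the lower layer, a tmpfs holds the upper and work directories, and the merged tree becomes the chroot root, so writes never touch the image and disappear at teardown. It assumes a kernel with squashfs and overlay support, a util-linux <code>mount</code> that can attach loop devices, and root privileges; <code>RUN=echo</code> prints the commands instead of running them. The image and base directory names are placeholders.

```sh
#!/bin/sh
# overlay-chroot.sh: give the read-only squashfs image made with mksquashfs
# a writable layer, using the kernel's overlayfs as the union layer.
#
# Added example for this page, not code from the original article. It assumes
# a kernel with squashfs and overlay support, a util-linux mount that can
# attach loop devices, and root privileges. Setting RUN=echo prints each
# command instead of executing it (used by the checks). IMAGE and BASEDIR
# are placeholders.
#
# Usage: overlay-chroot.sh IMAGE.sfs BASEDIR
# BASEDIR/merged becomes the chroot root; all writes land in a tmpfs and are
# discarded at teardown, so the image itself is never modified.
set -eu
RUN=${RUN:-}

# overlay_opts LOWER UPPER WORK: build the overlayfs option string. overlayfs
# treats ',' and ':' in these paths as separators (':' joins several lower
# layers), so such paths would silently mean something else; refuse them.
overlay_opts() {
    for p in "$1" "$2" "$3"; do
        case $p in
            *,*|*:*) echo "error: '$p' contains an overlayfs separator" >&2; return 1 ;;
        esac
    done
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# mount_plan IMAGE BASE: print the commands, one per line, in execution order.
# upperdir and workdir must be on the same filesystem, hence one tmpfs for both.
mount_plan() {
    opts=$(overlay_opts "$2/lower" "$2/rw/upper" "$2/rw/work") || return 1
    printf '%s\n' \
      "mkdir -p $2/lower $2/rw $2/merged" \
      "mount -t squashfs -o loop,ro $1 $2/lower" \
      "mount -t tmpfs -o nosuid,nodev tmpfs $2/rw" \
      "mkdir -p $2/rw/upper $2/rw/work" \
      "mount -t overlay -o $opts overlay $2/merged"
}

# teardown BASE: unmount in reverse order; a failure is reported, not fatal.
teardown() {
    for mp in "$1/merged" "$1/rw" "$1/lower"; do
        $RUN umount "$mp" 2>/dev/null || echo "warning: could not unmount $mp" >&2
    done
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 IMAGE.sfs BASEDIR" >&2; exit 2; }
    [ -f "$1" ] || { echo "error: $1 is not a file" >&2; exit 1; }
    # The plan is split on whitespace when executed, so refuse such paths.
    case "$1$2" in *[[:space:]]*) echo "error: paths must not contain whitespace" >&2; exit 1;; esac
    base=$2
    trap 'teardown "$base"' EXIT INT TERM
    mount_plan "$1" "$2" | while IFS= read -r cmd; do
        $RUN $cmd
    done
    # The merged tree is now a complete chroot root. Enter it as in the other
    # examples on this page (mount /proc, /sys and /dev inside it first); the
    # EXIT trap tears the layers down once the shell exits.
    $RUN chroot "$base/merged" /bin/sh
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the upper layer is a tmpfs, anything the program writes (caches, logs, a compromised binary dropping files) is gone after <code>umount</code>; if you want persistent changes, point <code>upperdir</code> and <code>workdir</code> at a directory on disk instead, keeping both on the same filesystem.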
 
=== Skype on Debian chroot ===

{{Draft|Not yet validated}}

This is an example of how to run '''Skype''' from a 32-bit Debian chroot.

   sudo chroot ~/chroot
   wget http://www.skype.com/go/getskype-linux-deb
   dpkg -i getskype-linux-deb

To fix missing dependencies, you will want to use:

   apt-get -f install

Then, exit the chroot:

   exit

Fix the PaX flags on the Skype binary ('''linux-grsec''' only; newer Alpine releases no longer ship a grsecurity kernel, so skip this step there).

ELF marking with paxctl cannot be used because the Skype binary refuses to run if it is modified, so the flags are stored in an extended attribute instead. Note that the kernel only honours that attribute when it is built with <code>CONFIG_PAX_XATTR_PAX_FLAGS</code>, which was NOT yet enabled in '''linux-grsec''' when this was written.

   sudo apk add attr
   sudo setfattr -n user.pax.flags -v "em" ~/chroot/usr/bin/skype

Mount the needed directories in the chroot read-only to limit access to the system devices.

Give write access to <code>/dev/v4l</code> and to <code>/dev/snd</code> in order to let Skype use the webcam device. Skype is not compatible with ALSA anymore and requires PulseAudio to be running.

   sudo mount -o bind /proc ~/chroot/proc
   sudo mount -o bind,ro,remount /proc ~/chroot/proc
   ...
   sudo mount -o bind /dev/v4l ~/chroot/dev/v4l
   sudo mount -t tmpfs -o nodev,nosuid,noexec shm ~/chroot/dev/shm

Enter the chroot and create a user:

   sudo chroot ~/chroot
   useradd -G audio,video <username>
   exit

Then run Skype as your newly created user:

   sudo chroot ~/chroot /bin/su - <username> -c /usr/bin/skype


=== Dungeon Crawl (Stone Soup) on Arch ===

Once the Arch system is laid down (to <code>~/chroot/root.x86_64</code> in this example), install the game:

   sudo arch-chroot ~/chroot/root.x86_64
   [chroot]# pacman -Syu crawl-tiles

Then exit the chroot and run it with this command:

   sudo arch-chroot ~/chroot/root.x86_64 /bin/su -c 'DISPLAY=:0 crawl-tiles'

A separate user can also be created to run the game, if preferred (and it is preferable: <code>su -c</code> without a user name, as above, runs the game as root).


=== Spotify ===

==== Docker method ====

Read the [[Docker]] page to install it. Then clone the repository, as shown below. It will automate the process of pulling all the dependencies, and '''PaX''' marks the binary for the hardened kernel. The advantage of this container is that it is ready-to-use and has stripped down many of the <code>/usr/bin</code> executables. The downside is that it is unstable.

  git clone https://github.com/orsonteodoro/docker-arch-spotify-PaXmarked

Follow the instructions in the <code>README.md</code>

==== Chroot method ====

The chroot method is the preferred method; it doesn't have the black screen bug and is more stable. Just translate the [https://github.com/orsonteodoro/docker-arch-spotify-PaXmarked/blob/master/Dockerfile Dockerfile instructions] into native '''sh''' (Bourne shell). The trick again is to run Spotify as root with sudo inside the chroot, not as a regular user (this gives Spotify root on the host as well; see the warning in the srcds example).

Use <code>sudo aplay -l</code> to verify that the sound card is detected. When you use either this or the Docker method, which relies on ALSA, there could be a conflict depending on who grabs the sound card. Stop all browsers or programs using the sound device outside of the chroot or the Docker image so that Spotify can use it.

I did some translation. You may need to make changes.

To update, just delete it and call <code>alpine-spotify-installer.sh</code> again. You will still need the Arch Linux bootstrap image. Extract the image. Next, copy and paste the code shown below into root.x86_64 and <code>chmod +x alpine-spotify-installer.sh</code>. Then run <code>sudo arch-chroot root.x86_64</code>, followed by <code>./alpine-spotify-installer.sh</code>.

{{Cat|alpine-spotify-installer.sh|<nowiki>
# Copyright (c) 2018 Orson Teodoro <orsonteodoro@hotmail.com>
#
...
echo "switching to spotify nix account"
su spotify

cd /home/spotify
...
sudo paxctl -m /usr/share/spotify/spotify

sudo pacman --noconfirm -S pulseaudio-alsa
sudo pacman --noconfirm -S alsa-lib
   
sudo pacman --noconfirm -S alsa-utils

#confirm that the sound card(s) shows up
sudo aplay -l

sudo spotify
</nowiki>
}}

To make this easier, create a launcher script:

{{Cat|run.sh|<nowiki>#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$DIR"
sudo arch-chroot -u spotify root.x86_64 /bin/sh -c "sudo spotify"
</nowiki>
}}

If it shows <code>(spotify:4): Gtk-WARNING **: cannot open display: :0.0</code>, try the following before running Spotify:

  xhost +local:

You could insert it at the very top of the above wrapper script. Be aware that <code>xhost +local:</code> lets every local user connect to your X server, so revoke it with <code>xhost -local:</code> when you are done.
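The wrapper scripts on this page (gentoo-chroot.sh, the steam and MegaCli launchers, and run.sh above) either run the program as root inside the chroot, mount /proc, /sys and /dev without restrictions, or leave the mounts behind for you to clean up by hand. The script below is an added example, not code from the page, of how a practitioner would write such a launcher: it mounts the pseudo-filesystems with <code>nosuid</code>/<code>nodev</code>/<code>noexec</code>, enters the chroot with <code>--userspec</code> so the program never runs as root, refuses to start if a previous session's mounts are still there, and unmounts everything again through an EXIT trap. It assumes the coreutils <code>chroot</code> (BusyBox's lacks <code>--userspec</code>; <code>apk add coreutils</code> provides it), that the user already exists inside the chroot, and that it runs as root; <code>RUN=echo</code> prints the commands instead of executing them.

```sh
#!/bin/sh
# chroot-run.sh: enter a glibc chroot as an unprivileged user, with the
# pseudo-filesystems mounted with restrictive options and torn down on exit.
#
# Added example for this page, not code from the original article. It assumes
# the coreutils chroot (for --userspec; BusyBox's chroot lacks it), that USER
# already exists inside the chroot, and that it is run as root. Setting
# RUN=echo prints each command instead of executing it (used by the checks).
#
# Usage: chroot-run.sh ROOT USER COMMAND [ARGS...]
#   e.g. sudo ./chroot-run.sh /home/me/chroot spotify /usr/bin/spotify
set -eu
RUN=${RUN:-}

# is_mounted DIR [MOUNTS]: succeed when DIR is listed as a mount point in the
# mounts table (default /proc/self/mounts; a file may be given for testing).
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# mount_plan ROOT: print the mount commands, one per line, in execution order.
# /proc and /sys get nosuid,nodev,noexec; /dev is bind-mounted and then
# remounted nosuid so that a setuid file reachable through it cannot be used
# to regain root; /dev/shm is a private tmpfs instead of the host's.
mount_plan() {
    r=$1
    printf '%s\n' \
      "mount -t proc -o nosuid,nodev,noexec proc $r/proc" \
      "mount -t sysfs -o ro,nosuid,nodev,noexec sysfs $r/sys" \
      "mount --bind /dev $r/dev" \
      "mount -o remount,bind,nosuid $r/dev" \
      "mount -t tmpfs -o nosuid,nodev,noexec shm $r/dev/shm"
}

# umount_list ROOT: the mount points in teardown order (reverse of mount_plan).
umount_list() {
    printf '%s\n' "$1/dev/shm" "$1/dev" "$1/sys" "$1/proc"
}

do_mounts() {
    mount_plan "$1" | while IFS= read -r cmd; do
        $RUN $cmd
    done
}

# do_umounts ROOT: unmount whatever is still mounted; a failure is reported
# but does not abort the remaining unmounts.
do_umounts() {
    umount_list "$1" | while IFS= read -r mp; do
        if [ -n "$RUN" ] || is_mounted "$mp"; then
            $RUN umount "$mp" || echo "warning: could not unmount $mp" >&2
        fi
    done
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 ROOT USER COMMAND [ARGS...]" >&2; exit 2; }
    root=$(cd "$1" && pwd)   # canonical path, so is_mounted compares like with like
    user=$2
    shift 2
    # The plan is split on whitespace when executed, so refuse such paths.
    case $root in *[[:space:]]*) echo "error: ROOT must not contain whitespace" >&2; exit 1;; esac
    if is_mounted "$root/proc"; then
        echo "error: $root/proc is already mounted; is another session active?" >&2
        exit 1
    fi
    # Tear the mounts down however the chrooted command ends, including Ctrl-C.
    trap 'do_umounts "$root"' EXIT INT TERM
    do_mounts "$root"
    cp /etc/resolv.conf "$root/etc/resolv.conf"
    # --userspec switches to USER before the command runs, so nothing inside
    # the chroot runs as root (root in a chroot is root on the host).
    $RUN chroot --userspec="$user:$user" "$root" "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The <code>nosuid</code> remount of <code>/dev</code> and the private <code>/dev/shm</code> are what stop a program inside the chroot from using a setuid binary or the host's shared memory to get back out; if a program insists on root (MegaCli does), run only that program this way and keep the chroot otherwise empty.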


You may want to look at [https://github.com/orsonteodoro/docker-arch-spotify-PaXmarked/blob/master/deflate.sh this script] to learn how to lock the chroot down by removing the unnecessary files in it that could be abused.


[[Category:Development]]
[[Category:Installation]]

Revision as of 06:51, 12 March 2018

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Orson Teodoro on 12 Mar 2018.)

If you want to run glibc programs in Alpine Linux, there are a few ways of doing so. You could install glibc as additional to uclibc (you would have to do this manually), or you could do it the easy way and use a chroot.

Because there are different use cases, this is just a slight overview about what's possible and what's intelligent.


Your options

Using BusyBox

First, the simplest approach for setting up a chroot is by using a glibc build of BusyBox.

This approach has just a few downsides:-

  • You have to link most /bin/ and /usr/bin programs against /bin/busybox, and some BusyBox builds break if you don't configure them correctly.
  • You have to manually download every library you need for your program manually.

However, if you want a small environment for one simple use case, then this is the solution you want.

Using a live CD

If you prefer using any special distro, you can always download and extract a live CD and use it as a chroot enviroment.

Using an image

For Gentoo, it is the slowest approach especially on slow machines since it is not binary distribution and can be indecisive, but you have the advantage of controlling the package version of whichever library you will install. A drawback would be a big build. You have to install a Portage tree, which uses up a lot of space. (It's not 100% necessary if you don't have to install any additional content that you won't need.) Sometimes the package will fail on compilation phase of emerge. You either end up patching it yourself or waiting for a fix to appear on their Bugzilla from an experienced user.

For Arch or Debian, it is recommended since packages are precompiled and better at unattended package installation. This approach isn't as easily executed as the other alternatives, but this may be the cleanest and most recommended one for the every day user.

How to do it

This is just a quick draft, so here it comes.

Using BusyBox

First, we need to download BusyBox. You can choose any of your favourite distros to download a prebuilt version. For instance, you could use Arch Linux packages, as follows:

wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
for i in *.pkg.tar.xz;do
bsdtar xfJ $i -C ~/chroot
done
cp /etc/resolv.conf ~/chroot/etc/
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln
sudo chroot ~/chroot/ /bin/sh

This creates a simple chroot enviroment, which we will expand through all the commands included in BusyBox:

for i in $(busybox --list);do ln -s /bin/busybox /usr/bin/$i;done


Using a live CD

This material is work-in-progress ...

Contributions welcome
(Last edited by Orson Teodoro on 12 Mar 2018.)


Using an image

Gentoo Linux

Select a stage3 from here and portage latest from here at gentoo/snapshots/portage-latest.tar.xz.

First,

sudo apk add xz

You also may need the vanilla kernel. If any time Gentoo decides to update PAM, you need it for it to emerge successfully without problems.

sudo apk add kernel-vanilla

Add the kernel-vanilla to Grub and reboot with the vanilla kernel if you are going to pull in both git and layman which they use to download user community supported packages.

Enter the chroot:

mkdir ~/chroot
cd ~/chroot
tar -xvf stage3-*.tar.xz
tar -xvf portage-latest.tar.xz
mv portage usr
sudo mount --bind /dev dev
sudo mount --bind /sys sys
sudo mount -t proc proc proc
cp /etc/resolv.conf etc
sudo chroot . /bin/bash

And voilà, you have your working Gentoo chroot!

You can now take a look at Gentoo's Handbook to find out how you can configure and install your system, or simply extract/copy the program you need to run in your chroot enviroment and execute it.

Here is a wrapper script that is similar to arch-chroot when you frequently reuse this chroot:

Also, create an account with the same user name as host current user to the chroot or make changes to the userspec option to chroot line.

Contents of gentoo-chroot.sh

!/bin/bash CHROOT_PATH="/home/$USER/chroot" cd $CHROOT_PATH mount | grep $CHROOT_PATH/dev || sudo mount --bind /dev dev mount | grep $CHROOT_PATH/sys || sudo mount --bind /sys sys mount | grep $CHROOT_PATH/proc || sudo mount -t proc proc proc cp /etc/resolv.conf etc sudo chroot --userspec=$USER:users . /bin/bash echo "You must manually unmount $CHROOT_PATH/dev, $CHROOT_PATH/sys, $CHROOT_PATH/proc."

Do at chmod +x gentoo-chroot.sh to get it to work.

Arch Linux

Although pacstrap is included with the arch-install-scripts package, it will not work unless the target directory is a mountpoint, so the Arch bootstrap image must be used instead (the image is updated every month, so change the date in the link as required):

 sudo apk add arch-install-scripts
 mkdir ~/chroot && cd ~/chroot
 curl -O https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.01.01-x86_64.tar.gz
 tar xzf archlinux-bootstrap-2018.01.01-x86_64.tar.gz && rm archlinux-bootstrap-2018.01.01-x86_64.tar.gz
 sed -i '/evowise/s/^#//' root.x86_64/etc/pacman.d/mirrorlist
 sudo arch-chroot root.x86_64
 [chroot]# pacman-key --init
 [chroot]# pacman-key --populate archlinux

Once that is done, update the system and install the desired package(s) (denoted by "foo" in this example):

 [chroot]# pacman -Syu foo

Debian

Use the provided debootstrap package to create the Debian chroot. --arch is optional, depending of your needs.

On the linux-grsec kernel, you will need to relax chroot limitations:

 sudo apk add debootstrap
 for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 | sudo tee $i; done
 mkdir ~/chroot
 sudo debootstrap --arch=i386 wheezy ~/chroot http://http.debian.net/debian/
 for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 1 | sudo tee $i; done
 sudo chroot ~/chroot /bin/bash

You can now use apt-get to install needed packages.

Examples

Source dedicated server

Here is an easy example of how you can run srcds in a simple BusyBox chroot.

For this server, you will only need the basic chroot and an advanced tar version (the BusyBox version is not sufficient because of the missing -U command):

wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/tar/download/ -O tar.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc}
for i in *.pkg.tar.xz;do
bsdtar xfJ $i -C ~/chroot
done
cp /etc/resolv.conf ~/chroot/etc/
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln
sudo chroot ~/chroot/ /bin/sh

Now that you are in a working chroot, you can download the server and install it. You just have to execute the following self-explanatory commands...

mkdir ~/work
cd ~/work
busybox wget http://www.steampowered.com/download/hldsupdatetool.bin
chmod +x hldsupdatetool.bin
ln -s /bin/busybox ./uncompress
cp /bin/tar . #right now executing programs from $PATH is buggy, soon to be fixed (no bug in BusyBox, but in my script)
./hldsupdatetool.bin #you can accept it or not ;)
./steam
./steam

...and you should have a working chroot with srcds installed in it.

If you think you are clever or elegant, you can use the server with a bash script:

#!/bin/bash
# Pass all arguments through unchanged ("$@" keeps arguments with spaces intact)
chroot ~/chroot /root/work/steam "$@"

Just save it (in your Alpine installation) under /usr/bin/steam, do a chmod +x /usr/bin/steam and have fun!

Warning: This script would let Steam run with root privileges. This is not recommended.


MegaCli

So let's run MegaCli in a chroot too, shall we? ;)

First we set up a uclibc chroot :)

MegaCli needs more than just glibc. It needs ncurses and the gcc-libs:

wget http://www.archlinux.org/packages/community/i686/busybox/download/ -O busybox.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/glibc/download/ -O glibc.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/ncurses/download/ -O ncurses.pkg.tar.xz
wget http://www.archlinux.org/packages/core/i686/gcc-libs/download/ -O gcc-libs.pkg.tar.xz
mkdir -p ~/chroot/usr/bin/ ~/chroot/{dev,proc,root,etc,sys}
cp /etc/resolv.conf ~/chroot/etc/
for i in *.pkg.tar.xz; do
    bsdtar xfJ "$i" -C ~/chroot
done
ln -s /bin/busybox ~/chroot/bin/sh
ln -s /bin/busybox ~/chroot/bin/ln

After this, we visit this site and download 8.02.16_MegaCLI.zip.

mkdir tmp
cd tmp
unzip ../8.02.16_MegaCLI.zip
cd LINUX
unzip MegaCliLin.zip
# Now comes code stolen from rpm2cpio: find where the cpio payload starts inside the RPM.
# An RPM is a 96-byte lead, a signature header, padding to 8 bytes, a main header, then the payload.
# Each header is 8 bytes of magic, a 4-byte index-entry count (il), a 4-byte data size (dl),
# 16*il bytes of index entries and dl bytes of data; all values are big-endian.
o=`expr 96 + 8`                        # skip the lead and the signature header's magic
set `od -j $o -N 8 -t u1 MegaCli-8.02.16-1.i386.rpm`   # $2..$5 = il, $6..$9 = dl ($1 is od's offset column)
il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
sigsize=`expr 8 + 16 \* $il + $dl`     # il/dl fields + index entries + data store
o=`expr $o + $sigsize + \( 8 - \( $sigsize \% 8 \) \) \% 8 + 8`   # pad to 8 bytes, skip the main header's magic
set `od -j $o -N 8 -t u1 MegaCli-8.02.16-1.i386.rpm`
il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
hdrsize=`expr 8 + 16 \* $il + $dl`
o=`expr $o + $hdrsize`                 # the compressed cpio archive starts here
dd if=MegaCli-8.02.16-1.i386.rpm ibs=$o skip=1 2>/dev/null |bsdtar -xf -   # bsdtar detects the compression itself
#wow ...
rm opt/MegaRAID/MegaCli/MegaCli64 # who needs 64bit?
cp -r opt/ ~/chroot/
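
The same offset arithmetic, generalised to any RPM and with the lead and header magics checked before the sizes are trusted, so a truncated or non-RPM file is rejected instead of feeding garbage to bsdtar. This is an added example, not code from the page or from rpm2cpio; the function names are mine.

```shell
#!/bin/sh
# rpm-payload.sh (added example): locate and unpack the cpio payload of an RPM without rpm/rpm2cpio.
# Layout: 96-byte lead (magic ed ab ee db), signature header, padding to 8 bytes, main header, payload.
# Each header: 8-byte magic (8e ad e8 01 + 4 reserved bytes), 4-byte index-entry count (il),
# 4-byte data-store size (dl), il*16 bytes of index entries, dl bytes of data. All big-endian.

be32() {
    # Big-endian unsigned 32-bit value at byte offset $2 of file $1 (od prints the bytes in decimal).
    set -- $(od -An -j "$2" -N 4 -t u1 "$1")
    [ "$#" -eq 4 ] || { echo "short read" >&2; return 1; }
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

magic_at() {
    # Succeeds when the bytes at offset $2 of file $1 equal the lowercase hex string $3.
    [ "$(od -An -j "$2" -N "$(( ${#3} / 2 ))" -t x1 "$1" | tr -d ' \n')" = "$3" ]
}

rpm_payload_offset() {
    f=$1
    magic_at "$f" 0 edabeedb || { echo "not an RPM: $f" >&2; return 1; }
    o=96
    magic_at "$f" "$o" 8eade801 || { echo "bad signature header magic at $o" >&2; return 1; }
    il=$(be32 "$f" $((o + 8))) && dl=$(be32 "$f" $((o + 12))) || return 1
    o=$((o + 16 + 16 * il + dl))        # past magic, counts, index entries and data store
    o=$((o + (8 - o % 8) % 8))          # the signature header is padded to an 8-byte boundary
    magic_at "$f" "$o" 8eade801 || { echo "bad header magic at $o" >&2; return 1; }
    il=$(be32 "$f" $((o + 8))) && dl=$(be32 "$f" $((o + 12))) || return 1
    echo $((o + 16 + 16 * il + dl))     # the compressed cpio archive starts here
}

rpm_extract() {
    # Unpack RPM $1 into directory $2 (default: current directory); bsdtar sniffs gzip/xz itself.
    off=$(rpm_payload_offset "$1") || return 1
    dd if="$1" ibs="$off" skip=1 2>/dev/null | bsdtar -xf - -C "${2:-.}"
}
```

Source the file and run rpm_extract MegaCli-8.02.16-1.i386.rpm ~/chroot to get the same result as the inline commands above.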

Now we have a working MegaCli client in our chroot.

As with srcds, we do not want to operate from inside the chroot, so here is a little script that should make this easier (use at your own risk):

#!/bin/bash
user=$(whoami)
if [ "$user" != "root" ]; then
    echo "This script needs root access" >&2
    exit 1
fi
# MegaCli needs /dev (the controller's ioctl node), and maybe /proc and /sys too
mount -t proc proc ~/chroot/proc/
mount --bind /dev/ ~/chroot/dev/
mount --bind /sys/ ~/chroot/sys/
chroot ~/chroot /opt/MegaRAID/MegaCli/MegaCli "$@"
umount ~/chroot/sys
umount ~/chroot/dev
umount ~/chroot/proc

Save it under /usr/bin/MegaCli. Do a chmod +x /usr/bin/MegaCli and good luck.

Note: This method takes around 50 MB. If you need something smaller, you can strip a few files from glibc (not recommended), or work with a squashfs.

With the following, you can create a squashfs that is only around 15 MB:

mksquashfs ~/chroot/ /chroot.sfs -b 65536

When you add a unionfs layer, you can even use it with write access, or you can bind some directories to the writeable directories before you chroot into it.

I will look into it later on.

You can save the chroot in another directory than your home directory, and you can even install a chroot through an APKBUILD (after someone wrote it).

With this, you could use many glibc-dependent programs through one chroot, but be aware that running programs like this should not be the norm. It should only be used in extreme situations, such as closed-source tools linked against glibc.

Skype on Debian chroot

This material is work-in-progress ...

Not yet validated
(Last edited by Orson Teodoro on 12 Mar 2018.)

This is an example of how to run Skype from a 32-bit Debian chroot.

 sudo chroot ~/chroot
 wget http://www.skype.com/go/getskype-linux-deb
 dpkg -i getskype-linux-deb

To fix missing dependencies, you will want to use:

 apt-get -f install

Then, exit the chroot:

 exit

Fix PaX flags on the Skype binary (linux-grsec only).

ELF marking with paxctl cannot be used because the Skype binary refuses to run if it has been modified.

CONFIG_PAX_XATTR_PAX_FLAGS is NOT yet available in linux-grsec.

 sudo apk add attr
 sudo setfattr -n user.pax.flags -v "em" ~/chroot/usr/bin/skype

Mount needed directories in the chroot read-only to limit access to the system devices.

Give write access to /dev/v4l (and to /dev/snd) so that Skype can use the webcam device; Skype is no longer compatible with ALSA and requires PulseAudio to be running.

 sudo mount -o bind /proc ~/chroot/proc
 sudo mount -o bind,ro,remount /proc ~/chroot/proc
 sudo mount -o bind /sys ~/chroot/sys
 sudo mount -o bind,ro,remount /sys ~/chroot/sys
 sudo mount -o bind /dev ~/chroot/dev
 sudo mount -o bind,ro,remount /dev ~/chroot/dev
 sudo mount -o bind /dev/v4l ~/chroot/dev/v4l
 sudo mount -t tmpfs -o nodev,nosuid,noexec shm ~/chroot/dev/shm

Enter the chroot and create a user:

 sudo chroot ~/chroot
 useradd -G audio,video <username>
 exit

Then run Skype as your newly created user:

 sudo chroot ~/chroot /bin/su - <username> -c /usr/bin/skype
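
The MegaCli wrapper and the Skype mount sequence above share the same shape: mount the pseudo-filesystems, run one program inside the chroot, unmount again. The launcher below combines them, with the read-only remounts and private /dev/shm from the Skype section, an exit trap so nothing stays mounted when the program fails or is interrupted, and sanity checks on the target directory. This is an added example, not the page's script; the CHROOT_DIR variable and function names are mine, and the user argument may be root for tools like MegaCli that need the controller device.

```shell
#!/bin/sh
# run-in-chroot.sh (added example): CHROOT_DIR=~/chroot ./run-in-chroot.sh USER 'COMMAND ARGS'
# Mounts /proc, /sys and /dev read-only plus a private /dev/shm, runs COMMAND inside the
# chroot as USER via su, and always unmounts again on exit.

check_chroot_dir() {
    # Refuse targets that would be a mistake: missing, a symlink, the host root, or no /bin/sh.
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    [ ! -L "$dir" ] || { echo "refusing symlinked chroot: $dir" >&2; return 1; }
    [ "$(cd "$dir" && pwd -P)" != / ] || { echo "refusing to use / as chroot" >&2; return 1; }
    [ -x "$dir/bin/sh" ] || { echo "no executable /bin/sh in $dir" >&2; return 1; }
}

MOUNTED=""   # mount points we created, most recent first, so cleanup can reverse the order

bind_ro() {
    # Bind $1 at $2, then remount it read-only (a bind mount cannot be made ro in one step).
    mount -o bind "$1" "$2" || return 1
    MOUNTED="$2 $MOUNTED"
    mount -o bind,remount,ro "$1" "$2"
}

cleanup() {
    for m in $MOUNTED; do umount "$m" || echo "warning: could not unmount $m" >&2; done
    MOUNTED=""
}

run_in_chroot() {
    root=$1; user=$2; cmd=$3
    check_chroot_dir "$root" || return 1
    [ "$(id -u)" -eq 0 ] || { echo "this script needs root" >&2; return 1; }
    trap cleanup EXIT INT TERM
    bind_ro /proc "$root/proc" || return 1
    bind_ro /sys  "$root/sys"  || return 1
    bind_ro /dev  "$root/dev"  || return 1
    # Private shm: nodev,nosuid,noexec, and not shared with the host's /dev/shm.
    mount -t tmpfs -o nodev,nosuid,noexec shm "$root/dev/shm" || return 1
    MOUNTED="$root/dev/shm $MOUNTED"
    chroot "$root" /bin/su - "$user" -c "$cmd"
}

# Only act when invoked as a script with CHROOT_DIR set, for example
#   CHROOT_DIR=~/chroot ./run-in-chroot.sh root '/opt/MegaRAID/MegaCli/MegaCli -v'
if [ -n "${CHROOT_DIR:-}" ] && [ "$#" -eq 2 ]; then
    run_in_chroot "$CHROOT_DIR" "$1" "$2"
fi
```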


Dungeon Crawl (Stone Soup) on Arch

Once the Arch system is laid down (to ~/chroot/root.x86_64 in this example), install the game:

 sudo arch-chroot ~/chroot/root.x86_64
 [chroot]# pacman -Syu crawl-tiles

Then exit the chroot and run it with this command:

 sudo arch-chroot ~/chroot/root.x86_64 /bin/su -c 'DISPLAY=:0 crawl-tiles'

A separate user can also be created to run the game, if preferred.


Spotify

Docker method

Read the Docker page to install it. Then clone the repository shown below. It automates pulling all the dependencies and PaX-marks the binary for the hardened kernel. The advantage of this container is that it is ready to use and has stripped down many of the /usr/bin executables. The downside is that it is unstable.

git clone https://github.com/orsonteodoro/docker-arch-spotify-PaXmarked

Follow the instructions in the README.md

Chroot method

The chroot method is the preferred method; it doesn't have the black screen bug and is more stable. Just translate the Dockerfile instructions into native sh (Bourne shell). The trick again is to run Spotify as root with sudo inside the chroot, not as a regular user.

Use sudo aplay -l to verify that the soundcard is detected. When you use either this or the Docker method, which relies on ALSA, there could be a conflict depending on who grabs the sound card. Stop all browsers or programs using the sound device outside of the chroot or the docker image so that Spotify can use it.

I did some translation. You may need to make changes.

You will still need the Arch Linux bootstrap image. Extract the image. Next, copy the code shown below into root.x86_64 as alpine-spotify-installer.sh and run chmod +x alpine-spotify-installer.sh. Then run sudo arch-chroot root.x86_64, followed by ./alpine-spotify-installer.sh. To update, just delete the chroot and run alpine-spotify-installer.sh again.

Contents of alpine-spotify-installer.sh

#!/bin/sh
# Copyright (c) 2018 Orson Teodoro <orsonteodoro@hotmail.com>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S xorg-server
pacman --noconfirm -S shadow
pacman --noconfirm -S sudo
pacman --noconfirm -S git
# allow the wheel group and the spotify user to use sudo without a password
chmod 0660 /etc/sudoers
sed -i -e 's|# %wheel ALL=(ALL) NOPASSWD: ALL|%wheel ALL=(ALL) NOPASSWD: ALL\nspotify ALL=(ALL:ALL) NOPASSWD:ALL\n|g' /etc/sudoers || exit 1
chmod 0440 /etc/sudoers
echo "Creating user spotify"
useradd -m spotify
echo "Deleting password for spotify"
passwd -d spotify
gpasswd -a spotify users
gpasswd -a spotify audio
gpasswd -a spotify video
gpasswd -a spotify wheel
# makepkg refuses to run as root, so clone and build the AUR packages as the spotify user
# (an interactive "su spotify" would block a non-interactive script here)
echo "Building AUR packages as user spotify"
sudo -u spotify mkdir -p /home/spotify/aur
cd /home/spotify/aur
sudo -u spotify git clone https://aur.archlinux.org/spotify.git
cd /home/spotify/aur/spotify
sudo -u spotify makepkg --noconfirm -si
cd /home/spotify/aur/
sudo -u spotify git clone https://aur.archlinux.org/paxctl.git
cd /home/spotify/aur/paxctl
sudo -u spotify makepkg --noconfirm -si
#for grsecurity kernels like Alpine
sudo paxctl -C /usr/share/spotify/spotify
sudo paxctl -z /usr/share/spotify/spotify
sudo paxctl -m /usr/share/spotify/spotify
sudo pacman --noconfirm -S alsa-lib
sudo pacman --noconfirm -S alsa-utils
#confirm that the sound card(s) shows up
sudo aplay -l
sudo spotify

To make this easier, create a launcher script:

Contents of run.sh

#!/bin/bash
# run from the directory that contains root.x86_64, wherever the script itself lives
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$DIR"
sudo arch-chroot -u spotify root.x86_64 /bin/sh -c "sudo spotify"

If it prints (spotify:4): Gtk-WARNING **: cannot open display: :0.0, then before running Spotify try:

 xhost +local:

You could insert it at the very top of the wrapper script above.

You may want to look at this script to learn how to lock it down by removing the unnecessary cruft in your chroot collections that may be abused.