allow --mode= unshare AND chrootless
On Ubuntu 20.04, I am able to run
mmdebstrap --mode=unshare --variant=apt buster buster-unshare-dir
as an unprivileged user (i.e. non-root), but I would like to be able to run
mmdebstrap --mode=unshare --mode=chrootless --variant=custom --include=mawk
as an unprivileged user as well. This would allow building a minimal "microservice system" that is not self-hosted (no apt or dpkg), without root privileges, similar to (my limited understanding of) Docker, but with mostly standard Debian packages.
Did you do experiments with --mode=chrootless already? We are far, far away from that mode being really useful. There are quite a number of blockers and for now you cannot really create any useful chroot with --mode=chrootless. Some fundamental blockers:
If you don't mind the existence of dpkg you can already create a very small chroot today by using busybox like this:
mmdebstrap --mode=unshare --variant=custom \
    --dpkgopt='path-exclude=/usr/lib/*/gconv/*' \
    --dpkgopt='path-exclude=/usr/lib/*/C.UTF-8/*' \
    --dpkgopt='path-exclude=/usr/share/man/*' \
    --dpkgopt='path-exclude=/usr/share/locale/*' \
    --dpkgopt='path-exclude=/usr/share/doc/*' \
    --include=base-files,base-passwd,busybox,debianutils,dpkg,libc-bin,mawk,tar \
    --setup-hook='mkdir -p "$1/bin"' \
    --setup-hook='echo root:x:0:0:root:/root:/bin/sh > "$1/etc/passwd"' \
    --setup-hook='printf "root:x:0:\nmail:x:8:\nutmp:x:43:\n" > "$1/etc/group"' \
    --extract-hook='chroot "$1" busybox --install -s' \
    unstable debian-chroot.sqfs
The resulting squashfs image will be 3.4M small -- do you need to go smaller than that? Removing dpkg and /var/lib/dpkg/info only removes a few kb.
Another bug report that will be useful to you is https://bugs.debian.org/910685. If you are interested in all of this and would like to invest some of your time, then please contribute to the various tools that have to be enhanced to support DPKG_ROOT. For example dpkg-maintscript-helper and update-alternatives are major blockers (there is a branch in the dpkg upstream git with some work on them). In your example you want to install mawk. This fails because DPKG_ROOT support is missing from debconf, which is used by libc6. This means that currently only arch:all packages can potentially be installed with
Furthermore, it's not yet clear what the semantics of dependencies should be in the context of chrootless installations. It's probably safest to assume that the package versions outside of the chroot have to be the same as the ones inside of it. For this reason it is probably sanest to run mmdebstrap --mode=unshare like this:
mmdebstrap --mode=unshare --variant=apt \
    --include=mmdebstrap \
    --customize-hook='chroot "$1" mmdebstrap --aptopt="APT::Sandbox::User root" --mode=chrootless --variant=custom --include=doc-debian unstable /doc-debian.tar' \
    unstable | tar --extract ./doc-debian.tar
doc-debian.tar in your current directory will then contain the result of mmdebstrap --mode=chrootless, even with the correct ownership information (root):
tar tvf doc-debian.tar | grep doc-debian
drwxr-xr-x 0/0               0 2020-04-30 16:33 ./usr/share/doc/doc-debian/
-rw-r--r-- 0/0           10561 2016-08-28 17:33 ./usr/share/doc/doc-debian/changelog.gz
-rw-r--r-- 0/0            6295 2013-12-24 11:13 ./usr/share/doc/doc-debian/copyright
-rw-r--r-- 0/0            1244 2020-04-30 16:33 ./var/lib/dpkg/info/doc-debian.list
-rw-r--r-- 0/0            2000 2016-08-28 17:37 ./var/lib/dpkg/info/doc-debian.md5sums
Note that I chose to install doc-debian because it's an arch:all package and does not require libc6. If you would like to join the efforts to make chrootless mode useful, it's probably best to join the #debian-dpkg IRC channel or the dpkg mailing list to find other people working on the effort (guillem and helmut).
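As an added check that is not part of the original report: the tar listing above only shows that the doc-debian entries are owned by 0/0, and reading the whole listing by eye does not scale to a real chroot. The script below, written for this page and not taken from mmdebstrap, walks every member of a tarball with Python's tarfile module and reports any entry not owned by uid 0 / gid 0. The two archives it builds in memory are constructed sample data shaped like the listing above (one clean, one with a stray member owned by uid 1000, standing in for an inner run whose ownership mapping did not take effect); on a real result you would call non_root_owned("doc-debian.tar").

```python
"""Check that every entry of a chroot tarball is owned by root (uid 0 / gid 0).

Added example for this bug thread, not code from mmdebstrap or its author.
Verifies the property the `tar tvf doc-debian.tar` listing shows: an archive
produced by an unprivileged --mode=unshare run must still carry root ownership
for every member, or the extracted chroot will be wrong.
"""
import io
import tarfile


def _add_entry(tar, name, data=b"", uid=0, gid=0, isdir=False):
    """Append one member with explicit numeric ownership to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.uid, info.gid = uid, gid
    # Leave the symbolic names empty so listings print numeric ids ("0/0"),
    # as `tar --numeric-owner -tvf` would show them.
    info.uname = info.gname = ""
    if isdir:
        info.type = tarfile.DIRTYPE
        info.mode = 0o755
        tar.addfile(info)
    else:
        info.size = len(data)
        info.mode = 0o644
        tar.addfile(info, io.BytesIO(data))


def build_sample_tar(stray_uid=None):
    """Construct a small archive shaped like the doc-debian.tar listing.

    Constructed sample data, not a real package. If stray_uid is given, one
    member is owned by that uid/gid instead of 0/0, simulating an inner
    chrootless run whose ownership did not map back to root.
    Returns the archive contents as bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_entry(tar, "./usr/share/doc/doc-debian/", isdir=True)
        _add_entry(tar, "./usr/share/doc/doc-debian/copyright", b"copyright text\n")
        _add_entry(tar, "./var/lib/dpkg/info/doc-debian.list",
                   b"/usr/share/doc/doc-debian\n")
        if stray_uid is not None:
            _add_entry(tar, "./var/lib/dpkg/info/doc-debian.md5sums", b"",
                       uid=stray_uid, gid=stray_uid)
    return buf.getvalue()


def non_root_owned(source):
    """Return [(name, uid, gid)] for every member not owned by uid 0 / gid 0.

    `source` is either a path to a tar file (any compression tarfile knows)
    or the raw archive bytes. An empty list means the archive passes.
    """
    if isinstance(source, (bytes, bytearray)):
        tar = tarfile.open(fileobj=io.BytesIO(source), mode="r:")
    else:
        tar = tarfile.open(source, mode="r:*")
    with tar:
        return [(m.name, m.uid, m.gid) for m in tar.getmembers()
                if m.uid != 0 or m.gid != 0]


if __name__ == "__main__":
    # Hypothetical usage on a real result: non_root_owned("doc-debian.tar")
    print("clean archive, offenders:", non_root_owned(build_sample_tar()))
    print("stray archive, offenders:", non_root_owned(build_sample_tar(stray_uid=1000)))
```

The check deliberately looks at the numeric uid/gid stored in the tar headers rather than at the user names, since names are resolved against whatever passwd database is present at extraction time and can hide a wrong numeric owner.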
Yes, I have tried "chrootless" inside "unshared"; it did seem to work for mawk, but I agree it is far from complete.
I was going to open other issues based on my observations of that and other cases. In general, the trend towards containerization seems to require re-thinking things from first principles. I would like to join the efforts so I will read up the mentioned bugs, irc and mailing list.
No, it did not work for mawk. The reason why it seemed to work for mawk is that you ran mmdebstrap --mode=chrootless with root privileges and thus debconf was able to modify files outside of the chroot, which is wrong and disastrous if that were to happen on your real system. If you want to see the error, then run mmdebstrap --mode=chrootless as a non-root user like this:
mmdebstrap --mode=unshare --variant=apt \
    --include=mmdebstrap \
    --customize-hook='chroot "$1" adduser --gecos user --disabled-password user' \
    --customize-hook='chroot "$1" runuser -u user -- mmdebstrap --mode=chrootless --variant=custom --include=mawk unstable /home/user/mawk.tar' \
    unstable
You will then see the problem that everybody else sees who tries out chrootless package installation with any package depending on libc6 today:
Preparing to unpack .../libc6_2.30-4_amd64.deb ...
debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
debconf: DbDriver "config": could not write /var/cache/debconf/config.dat-new: Permission denied
dpkg: error processing archive /tmp/mmdebstrap.3SsZiEPbY2/var/cache/apt/archives/libc6_2.30-4_amd64.deb (--unpack):
 new libc6:amd64 package pre-installation script subprocess returned error exit status 1
The reason that you didn't see this problem before is because you ran the inner mmdebstrap with root privileges, so debconf had no problem modifying the outside debconf database. Obviously this must never happen!
Hmm, now that you mention it, I did sort of "clobber" my way past that with chmod. It was already in an unprivileged container, so the damage to my system isn't significant; I was just experimenting to get familiar with the intricacies of it all. I will continue reading up so I can help with implementing DPKG_ROOT so things work correctly and cleanly. I'm not in a rush to start layering hack on top of hack.