README.md - ns-tools - Namespace utilities to reuse Open Source packaging efforts.
---
README.md (2693B)
---
# Namespace tools

## Namespaces

Namespaces are basically installations of whatever Linux distribution
you can find. Ns-tools uses capchroot(1) to allow chroot into them
based on group and user authentication. Some wrapper utilities allow the
generation of wrapper scripts in /bin to run utilities in the
namespaces.

### Namespace configuration

The NSROOT variable is not yet implemented. For now /ns is the base
path. You can configure every namespace using an »rc.conf« file in
/ns/$namespace/.ns/. There you can set the variables shown in
ns-prepare(1).

When a command is run, it is checked whether the namespace is prepared.
The ONBOOT=1 variable defines whether the namespace should be prepared on
boot. The ns-boot(1) script should be run in your init scripts, if this
is required.

Also look at the different variables to define which configuration files
should be copied over, linked or run over.

## Installation (pre-alpha)

    # Base installation
    mkdir /ns
    cp bin/* /bin

    # Install capchroot as stated below.

    # Install a Debian 7.0 image
    imageuri="$(ns-vzinit list | grep "debian-7.0-$(uname -m)")"
    ns-vzinit install "$imageuri" /ns/debian

    ns-chroot debian
    debian shell> apt-get install nmap
    debian shell> exit

    ns-wrapper-install debian nmap
    /bin/nmap -h
    ns-chroot debian man nmap

### Capchroot

Here are the links to install capchroot. For now this isn't automated.

    https://dev.archlinux.org/~thomas/capchroot/
    http://bedrocklinux.org/1.0alpha1/install.html#DOWNLOAD%20Capchroot

After you have a capchroot(1) binary, copy it to your PATH. Set cap_sys_chroot
by running:

    setcap cap_sys_chroot=ep /bin/capchroot

Then create the /etc/capchroot.allow file to define which users are allowed to
run capchroot and where. On my setup there is a »ns« group, whose members
are allowed to chroot to the defined namespaces.

    cat /etc/capchroot.allow
    /ns/debian @ns
    ...

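The /etc/capchroot.allow setup above can be checked with a short audit, added here as an example (it is not part of ns-tools or capchroot). It flags entries whose directory, or the allow file itself, could be modified by someone other than the owner, since whoever can write a namespace root controls what a chroot into it contains. Assumptions: the `<path> <user or @group>` line format is inferred from the one sample line, namespaces live under /ns, the expected owner is root, and the names `audit_allow` and `unsafe_owner_or_mode` are hypothetical.

```sh
#!/bin/sh
# Added example, not part of ns-tools or capchroot.
# Assumed line format, taken from the README's one sample line:
#   <chroot path> <user or @group> [more users or groups]

# unsafe_owner_or_mode PATH OWNER: prints PATH if it is not owned by
# OWNER or is writable by group or others; prints nothing otherwise.
unsafe_owner_or_mode() {
    find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# audit_allow FILE [NSROOT] [OWNER]: prints one finding per line;
# returns 1 if there was any finding, 0 otherwise.
audit_allow() {
    allow=$1 nsroot=${2:-/ns} owner=${3:-0} bad=0
    finding() { echo "$1"; bad=1; }
    [ -z "$(unsafe_owner_or_mode "$allow" "$owner")" ] ||
        finding "allow file has wrong owner or is group/other-writable: $allow"
    while read -r path who || [ -n "$path" ]; do
        [ -n "$path" ] || continue              # skip blank lines
        case $path/ in
            */../*) finding "path contains ..: $path"; continue ;;
            "$nsroot"/*/) ;;                    # below the namespace root
            *) finding "outside $nsroot: $path"; continue ;;
        esac
        [ -n "$who" ] || finding "no user or group listed: $path"
        if [ -L "$path" ] || [ ! -d "$path" ]; then
            finding "not a real directory: $path"
        elif [ -n "$(unsafe_owner_or_mode "$path" "$owner")" ]; then
            finding "wrong owner or group/other-writable: $path"
        fi
    done < "$allow"
    return "$bad"
}
```

After sourcing the file, run `audit_allow /etc/capchroot.allow`; the elided `...` line of the sample would be reported as outside /ns.
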
### Kernel configuration

Depending on the filesystem you use, make sure the following options are
enabled in the kernel (for example for ext4), since setcap stores the
capability as an extended attribute on the file.

These are defined in the kernel .config as:

    Ext4 security labels - EXT4_FS_SECURITY=y
    Ext4 extended attributes - EXT4_FS_XATTR=y (deprecated, this is now enabled
    by default for ext4).

## Issues in the concept
* Unchroot is not yet implemented, so a complete linking in of X11 is not
  possible.
* Manpage paths are not global.
* Installation is weird.
* No Makefiles.
* Should be run on top of a static OS, but can be run everywhere chroot
  is allowed.

## Links

    git://git.r-36.net/ns-tools
    http://git.r-36.net/ns-tools
    Bugs + Patches: 20h@r-36.net


Have fun!

Christoph Lohmann <20h@r-36.net>