70 lines
2.6 KiB
Markdown
70 lines
2.6 KiB
Markdown
# ISSUE
|
|
|
|
OpenBSD filesystem doesn't allow hard link with directories, this is essential for the thing to work. Until a solution is imagined, it can't be done as designed.
|
|
|
|
A solution would be to use a local NFS to share directories and mount them anywhere in the file hierarchy, but this would require a lot more work.
|
|
|
|
# Introduction
|
|
|
|
`pocker` is a tool to mimic `docker` on OpenBSD using chroot. Each step of the `Pockerfile` create a separate file hierarchy until the last instruction that will be used on the latest incremental version of the hierarchy. Using hard links on the filesystem, it will allow grafting a local directory into the chroot for persistency.
|
|
|
|
# Usage
|
|
|
|
Create a `Pockerfile` with:
|
|
|
|
```
|
|
PROOT
|
|
PKG nginx
|
|
RUN /etc/rc.d/nginx
|
|
```
|
|
|
|
Then run using local `/var/pocker/volumes/www` in the chroot at `/var/www/htdocs/`:
|
|
|
|
```
|
|
pocker create nginx
|
|
pocker -d /var/pocker/volumes/www/:/var/www/htdocs/ nginx
|
|
```
|
|
|
|
At the create step in `/var/pocker/chroot/nginx/` multiples directories will be created: `step1-${line1 checksum}` then a rsync from `step1-${line1 checksum}` will be done into `step2-${line2 checksum}` and so fort until the last run command creating a last environment still using rsync, allowing to easily clean the pocker enviroment upon restart.
|
|
|
|
```
|
|
ls /var/pocker/chroot/nginx/
|
|
step1-b559bfe9f2d456b96fa836bba713169b5e9a3480e9d67bfb30afc9c38fa5f8bb
|
|
step2-5a8ab23cdfb2240ece269ddcffe26c0750d56cb84adb054ae8bcdad51e5841e2
|
|
run-0a5f640ed9c98aca444c675f34ef7ee57da0a07d0f20b3565595a42baf2664a4
|
|
run -> run-0a5f640ed9c98aca444c675f34ef7ee57da0a07d0f20b3565595a42baf2664a4
|
|
```
|
|
|
|
# Pockerfile syntax
|
|
|
|
- `PROOT`: create a chroot using the current system as a model using `proot` command
|
|
- `PKG`: will run pkg_add in the chroot
|
|
- `RUN`: command run when the pocker is started
|
|
|
|
# Ideas
|
|
|
|
- using hard links for each environment step for speed and disk usage efficiency
|
|
- allow exporting / importing chroots
|
|
- allow replacing `proot` with a list of OpenBSD base sets for a more reproducible environment
|
|
|
|
# Use cases
|
|
|
|
This is a list of use case I have, and without heavy automation it's complicated to proceed using virtual machines.
|
|
|
|
- running an email server in its own chroot with lmtp delivery over TCP, if the environment is compromised it shouldn't be able to escape
|
|
- running a python app from pip that can't be considered fully trusted
|
|
|
|
# FAQ
|
|
|
|
## Why the name pocker
|
|
|
|
Because it bluffs about the environment.
|
|
|
|
## Why not docker
|
|
|
|
Because it's complicated and not easily reproducible on all operating systems.
|
|
|
|
## Why pocker
|
|
|
|
Because it allows low cost sandboxing without any special requirement.
|