
"Pythonless" container connections #223

Open · dw opened this Issue Apr 27, 2018 · 0 comments
dw commented Apr 27, 2018

For chroot, LXC and Jails, and probably Docker with enough fighting, it's possible to take a Python interpreter from the host machine and hoist it inside the container. The ability to do this would avoid the need to have Python installed within the container, with a few conditions:

  • The interpreter would lose access to its standard library, and
    • would require all known standard library shared objects to be pre-imported prior to attachment, since even if temp files were used to load shared objects later, the container OS may not have the same dependencies (e.g. OpenSSL, stdc++) as the parent
    • would require the parent context to serve standard library modules to it as they are loaded by user code
  • The parent would need something like master's ModuleResponder, but a much simpler version that listens on a separate handle and doesn't bother with any kind of dependency scanning or processing. Possibly this could just be handled by an enhanced version of FileService that also supported directory listings and lived in the immediate parent

The approach would vary according to the container type:

  • chroot: reimplement the (30 lines worth of) coreutils binary. Python has everything needed. This could be done as a subclass of parent.Stream with a new "on_after_connect()" method that could be overridden.
  • LXC: Look up the leader PID via lxc-info utility then simply setns() and chroot() into it. The setns() call requires a tiny ctypes wrapper.
  • Docker: same as LXC.
  • systemd-nspawn: same as LXC.
  • Jail: similar to LXC, use jls utility to find the JID then jail_attach(), which also needs a single function ctypes wrapper.

Need to arrange for process capability bits to be dropped when calling setns() on a privileged container, as those containers have access to ptrace() and can hijack the interpreter to make use of the bits.

This would lay the groundwork for something else I've wanted for years: integrating seccomp.py as a connection method.

@dw dw added the feature label Apr 27, 2018
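The LXC/Docker/nspawn branch of the plan above (look up the leader PID, setns() through a small ctypes wrapper, then drop capability bits before anything in a privileged container can ptrace() the interpreter) as an added, stand-alone example; it is not Mitogen's code and not the setns connection type dw later committed. It assumes Linux, a glibc that exports setns(), prctl() and capset(), and a caller that is root on the host (CAP_SYS_ADMIN for setns, CAP_SETPCAP to clear the bounding set). The namespace entry order is the one util-linux nsenter uses; the `lxc-info -n NAME -p` output format (`PID: 1234`) and the sample string in the test are assumptions too.

```python
"""Attach the running interpreter to a container via setns(2), then drop
every capability before container code can ptrace() it.

Added example, not Mitogen's own code.  Assumes Linux + glibc and a caller
that is root on the host.
"""
import ctypes
import ctypes.util
import errno
import os
import re
import subprocess

# Entry order matters (same as nsenter): the user namespace first so the
# remaining setns() calls are permitted against a user-namespaced container,
# the mount namespace last because once it changes the host /proc is gone.
NAMESPACE_ORDER = ("user", "ipc", "uts", "net", "pid", "mnt")

PR_CAPBSET_DROP = 24                        # prctl(2)
_LINUX_CAPABILITY_VERSION_3 = 0x20080522    # capset(2): two 32-bit words
_LXC_PID_RE = re.compile(r"^PID:\s*(\d+)\s*$", re.MULTILINE)


def parse_lxc_info_pid(text):
    """Container init PID from `lxc-info -n NAME -p` output (assumed format)."""
    m = _LXC_PID_RE.search(text)
    if m is None:
        raise ValueError("no PID line in lxc-info output (container stopped?)")
    return int(m.group(1))


def lxc_leader_pid(name):
    out = subprocess.check_output(["lxc-info", "-n", name, "-p"],
                                  universal_newlines=True)
    return parse_lxc_info_pid(out)


def namespace_paths(pid, kinds):
    """/proc/<pid>/ns/* paths for the requested kinds, in safe entry order."""
    unknown = set(kinds) - set(NAMESPACE_ORDER)
    if unknown:
        raise ValueError("unsupported namespace(s): " + ", ".join(sorted(unknown)))
    return ["/proc/%d/ns/%s" % (pid, k) for k in NAMESPACE_ORDER if k in kinds]


def namespaces_differing_from_self(pid):
    """Kinds whose ns inode differs from ours; setns() into a namespace we
    are already in is pointless, and into our own user ns fails with EINVAL."""
    differ = set()
    for kind in NAMESPACE_ORDER:
        try:
            theirs = os.stat("/proc/%d/ns/%s" % (pid, kind)).st_ino
            mine = os.stat("/proc/self/ns/%s" % kind).st_ino
        except OSError:
            continue                        # kernel lacks this ns type
        if theirs != mine:
            differ.add(kind)
    return differ


class _CapHeader(ctypes.Structure):
    _fields_ = [("version", ctypes.c_uint32), ("pid", ctypes.c_int)]


class _CapData(ctypes.Structure):
    _fields_ = [("effective", ctypes.c_uint32), ("permitted", ctypes.c_uint32),
                ("inheritable", ctypes.c_uint32)]


def _oserror(what):
    err = ctypes.get_errno()
    return OSError(err, "%s: %s" % (what, os.strerror(err)))


def drop_all_capabilities(libc):
    """Clear the bounding set first (needs CAP_SETPCAP, which we are about to
    lose), then effective/permitted/inheritable; an empty permitted set also
    empties the ambient set, so no later exec() can regain privilege."""
    cap = 0
    while libc.prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0:
        cap += 1
    if ctypes.get_errno() != errno.EINVAL:  # EINVAL means we passed CAP_LAST_CAP
        raise _oserror("PR_CAPBSET_DROP")
    hdr = _CapHeader(_LINUX_CAPABILITY_VERSION_3, 0)
    if libc.capset(ctypes.byref(hdr), (_CapData * 2)()) != 0:  # all zero
        raise _oserror("capset")


def enter_container(pid, kinds=None):
    """Run in a freshly fork()ed child.  Every ns fd is opened before the first
    setns(), since the mount switch takes the host's /proc with it."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.setns.argtypes = (ctypes.c_int, ctypes.c_int)
    if kinds is None:
        kinds = namespaces_differing_from_self(pid)
    fds = [os.open(p, os.O_RDONLY) for p in namespace_paths(pid, kinds)]
    try:
        for fd in fds:
            if libc.setns(fd, 0) != 0:
                raise _oserror("setns")
    finally:
        for fd in fds:
            os.close(fd)
    os.chdir("/")            # the kernel rerooted us on the mnt switch; fix cwd
    drop_all_capabilities(libc)


def run_in_container(pid, fn):
    """fork(); enter in the child; fork() again because CLONE_NEWPID only
    applies to children created after setns(); run fn() in the grandchild.
    Returns a wait status whose exit code is fn()'s."""
    child = os.fork()
    if child:
        return os.waitpid(child, 0)[1]
    enter_container(pid)
    grandchild = os.fork()
    if grandchild:
        os._exit(os.WEXITSTATUS(os.waitpid(grandchild, 0)[1]))
    fn()
    os._exit(0)
```

Usage would be `run_in_container(lxc_leader_pid("web"), lambda: os.execv("/bin/sh", ["sh"]))` as root; `run_in_container` is the "post-fork namespace switching dance" in miniature, and the capability drop happens in the child before any container-visible process exists, which is the window the issue is worried about. The jail branch (jls + jail_attach()) is the same shape but is not covered here.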

dw added a commit that referenced this issue Apr 28, 2018

issue #223: implement setns connection type
machinectl does not support any sensible form of pipe to the child
process, so it is necessary to bypass it when talking to a systemd
container (see systemd/systemd#8850).

This can also form the basis for issue #223, where the post-fork
namespace switching dance required to connect to the Pythonless
container will be the same.