[systemd-devel] help with portable service

Chuck Tuffli ctuffli at gmail.com
Tue Apr 18 18:43:22 UTC 2023


On Tue, Apr 18, 2023 at 8:37 AM Chuck Tuffli <ctuffli at gmail.com> wrote:
>
> On Tue, Apr 18, 2023 at 1:43 AM Lennart Poettering
> <lennart at poettering.net> wrote:
> ...
> > > # losetup --find --show /tmp/portable-walkthrough-go.raw
> > > /dev/loop1
> > > # mount /dev/loop1 /mnt
> > > # cd /mnt
> > > # ls -l usr/bin
> > > total 6172
> > > -rwxrwxr-x 1 ctuffli ctuffli 6319344 Apr  2 16:05 portable-walkthrough-go
> > > # usr/bin/portable-walkthrough-go &
> >
> > Hmm, is this a dynamic binary? what does ldd say on it? are all listed
> > dep .so also included in the portable service image?
>
> There are a few dependencies like libc. I would have guessed these
> would have been picked up from the system, but perhaps I misunderstand
> how this works.
>
> # ldd usr/bin/portable-walkthrough-go
>     linux-vdso.so.1 (0x00007ffe4c37a000)
>     libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0e400000)
>     /lib64/ld-linux-x86-64.so.2 (0x00007fcb0e697000)
> #

I see where I went wrong. Adding the above libc and ld-linux shared
objects to the squashfs image makes the walkthrough work as expected.

The documentation is correct. It says, “Portable Services are a nicer
way to manage chroot() environments", but then I mistakenly
interpreted the section:
    The trusted profile is the least strict of them all. In fact it
makes almost no restrictions at all.
    A service run with this profile has basically full access to the
host system.
along with mentions of over-mounting from the host to imply the
service could/would access libraries etc. from the host. My hope was I
could package the libraries / executables that were unique to the
service compared to the host image. Re-reading the "Extension Images"
section, it sounds like what I wanted would work, but instead I would
also need to provide a base image with all of the common libraries
etc.

--chuck


More information about the systemd-devel mailing list