[Rpm-ecosystem] lua, unprivileged rpm, and rpm-ostree
walters at verbum.org
Thu Aug 11 15:27:18 UTC 2016
Hi, more lua discussion.
A bit of background: for the https://github.com/projectatomic/rpm-ostree
project, we are basically reimplementing parts of RPM to use a more
modern approach. For example, all disk IO is done using OSTree, which
gives us dedup, a model for atomic updates, and in general much cleaner file IO (it's all fd relative,
we use O_TMPFILE etc.)
In the long term, particularly with work on higher level libraries like
libdnf, I think from librpm we'll retain:
- GPG signature checking (though this is all duplicated in librepo, not to mention ostree and other projects too...)
- Writing the RPM database
Now specifically on the subject of this mail, rpm-ostree takes over running
scripts too, for multiple reasons. One of them is that because the design has
updates always operating on a *new* root, we run the scripts in a bubblewrap
A neat thing about all of this is that it enables fully *unprivileged* rootfs
construction from RPMs. You can try this today with the `rpm-ostree container`
command. The constructed roots all transparently share storage, and are
fast to construct because we're just hardlinking, etc. And further, it lays
the groundwork to be safe against untrusted RPM content.
This approach contrasts with what pretty much everyone else does
with rpm, which is containerize the rootfs construction too (e.g. yum-in-Docker).
But this separate approach disallows the optimizations rpm-ostree makes.
So finally, a problem right now is that we aren't implementing lua:
I'd actually like to avoid implementing lua for as long as possible -
from my readings in Fedora, most of the usage is for legacy updates
or workarounds. glibc is however using it in a %posttrans, which
we could easily port to shell. I might submit a patch to do so.
However, given that I suspect in the future we might hit more
packages that do this, we *can* implement lua if we had something like
`rpm exec-lua <script>` or so. (I was surprised to realize that the "posix."
bits that many packages use are actually implemented in rpm itself).
The downside of this is that it would force rpm+lua itself into the rootfs
transaction - which bloats otherwise minimal containers, but that's
something we can deal with by fixing packages to not use lua.
For constructing roots that include rpm already (e.g. a host rpm-ostree system,
not a container), any thoughts on basically exposing the lua
executor via command line or so?
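As an added example (not from this mail and not rpm-ostree's own code), here is one way to audit which scriptlets of a package would need rpm's embedded lua interpreter, i.e. which would have to be ported to shell or run through something like the proposed executor. It parses the header lines that `rpm -q --scripts` prints ("posttrans scriptlet (using <lua>):", "postinstall program: /sbin/ldconfig"); that header format is an assumption about rpm's output, and the sample input below is constructed, not real glibc output.

```shell
#!/bin/sh
# Added example: find scriptlets that run under rpm's embedded lua ("<lua>")
# by parsing `rpm -q --scripts` output. Assumes rpm's header line formats:
#   "<type> scriptlet (using <interpreter>):"   (scriptlet with a body)
#   "<type> program: <interpreter>"              (program only, no body)
# Trigger headers ("triggerin scriptlet (using /bin/sh) -- pkg") are
# handled by the same match.

# Print "<scriptlet-type> <interpreter>" for every scriptlet header read
# on stdin.
scriptlet_interpreters() {
    awk '
        # Header with an inline body: extract the text inside "(using ...)".
        /^[a-z]+ scriptlet \(using / {
            match($0, /\(using [^)]*\)/)
            prog = substr($0, RSTART + 7, RLENGTH - 8)
            print $1, prog
            next
        }
        # Header for a program-only scriptlet: the interpreter is field 3.
        /^[a-z]+ program: / {
            print $1, $3
        }
    '
}

# Print the scriptlet types (from stdin as above) that need the lua
# interpreter, one per line.
lua_scriptlets() {
    scriptlet_interpreters | awk '$2 == "<lua>" { print $1 }'
}

# Constructed sample resembling `rpm -q --scripts` output for a package
# with a lua %posttrans; the scriptlet body is a placeholder, not glibc's.
SAMPLE_SCRIPTS='postinstall program: /sbin/ldconfig
posttrans scriptlet (using <lua>):
-- constructed placeholder body
print("posttrans placeholder")
postuninstall program: /sbin/ldconfig'

printf "%s\n" "$SAMPLE_SCRIPTS" | lua_scriptlets
# prints: posttrans

# On a live system, tag each hit with its package name (hypothetical usage):
#   for p in $(rpm -qa); do
#       rpm -q --scripts "$p" | lua_scriptlets | sed "s/^/$p /"
#   done
```

Running the loop in the trailing comment over a compose's package set gives the list of packages whose scriptlets cannot be executed without rpm+lua in the transaction, which is the set the mail proposes to fix or route through an explicit lua executor.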