TheJollyRoger has quit [Ping timeout: 268 seconds]
TheJollyRoger has joined #spectrum
edadqr_ has joined #spectrum
jpds has quit [Remote host closed the connection]
jpds has joined #spectrum
moonloo has joined #spectrum
<moonloo>
so I was able to get my DIY VM jail working: firecracker, waypipe, socat, vsock. coincidentally, just last month socat added vsock support. startup times far less than a second. can even watch flawless 1080p content, 4K too perhaps if the CPU is good. software rendering of course. certainly sufficient to jail browsers and even mpv for my use cases.
<moonloo>
with some bash scripting and the provided firecracker jailer binary everything can be made very seamless too. one command and an application appears. you do have to use NFS though if you want easy access to files from the host (or rely on passing firecracker block devices), but with anonymous network namespaces it really is no issue imo.
cole-h has joined #spectrum
multiplexd has joined #spectrum
manveru_ has joined #spectrum
tazjin_ has joined #spectrum
nyaanotech has joined #spectrum
mx08_ has joined #spectrum
ashkitte1 has joined #spectrum
tazjin has quit [*.net *.split]
multi has quit [*.net *.split]
nyanotech has quit [*.net *.split]
manveru has quit [*.net *.split]
ashkitten has quit [*.net *.split]
mx08 has quit [*.net *.split]
manveru_ is now known as manveru
multiplexd is now known as multi
ashkitte1 is now known as ashkitten
jpds has quit [Remote host closed the connection]
jpds has joined #spectrum
<philipp[m]1>
Cool! I'd love to read a longer article about it if you want to write one.
cole-h has quit [Ping timeout: 256 seconds]
tilpner has quit [Quit: tilpner]
<v0idify>
moonloo, that's super cool, how is the userspace inside the vm made/generated?
<moonloo>
v0idify: it is a generic 5.11 self-compiled kernel and a small static Void rootfs. the script starts an anonymous netns, connects it to the internet (or not) with veth and starts an NFS that supplies a container rootfs and another NFS that supplies the /home for that specific application to keep state. then a container is started inside the VM and runs the application. socat, waypipe, pulseaudio, etc. are namespace-jailed runit services.
<moonloo>
I don't actually use pulseaudio, just the socket. the VM has a fake pulseaudio socket redirected to the host through socat vsock, so applications are talking pulseaudio, but the host uses PipeWire.
<v0idify>
moonloo, why are they namespace-jailed?
<moonloo>
waypipe does have to run on the host, so a namespace jail is the best that can be done. and on the VM too, because why not.
<v0idify>
so it assumes waypipe is unsafe? but it's still connecting to Wayland directly
<v0idify>
it confuses me xD
<moonloo>
well, there is cage, the Wayland kiosk? that sits in between. cage receives the Wayland protocol from waypipe. but that is also not the problem per se. the problem is that waypipe might be exploited and start executing code.
<v0idify>
hmm. well if you can eventually post source code / instructions i might be able to understand it better
<v0idify>
sounds very cool though
tazjin_ is now known as tazjin
pinkieval has quit [Quit: We're here, we're queer, connection reset by peer.]