Lightweight privacy-focused desktop operating system based on Devuan and LXC.
A project for self-education, and yet another attempt to make an alternative
to Qubes OS.
This is not a distro yet and probably never will be.
This is a set of files and patches, a simple makecex script, and an instruction à la LFS.
Work in progress.
At the moment, this system reflects my experience and is full of personal preferences. Some of them are quite baseless. I swear I'll get rid of them as soon as the number of users goes beyond 1.5. But in general, the rationale is as follows:
A bootable medium with a live system can be generated with makecex. You'll need a PPA, which can be created with the prepare and build scripts.
Only legacy boot mode is supported for amd64 for now.
The script contains parameters at the beginning; revise them carefully before running. You can write modified parameters to makecex.conf instead of making changes to the script.
Drafts/Sandbox section.
Which is better in terms of security if some malicious software, say, a Python package from the notorious PyPI, breaks out of a container? Or will nothing help then?
Ideally, I'd like to get rid of all custom packages so uidmapshift would be unnecessary, but...
/dev/ptmx
after a while.sh
if Weston is started by runit, where the parent shell is sh
.lxcex, let the user customize that?
So far so good. New Chapter 8 is out.
Three months since inception, and now I can say farewell, linuxmint. LXCex is on all my laptops from now on.
Major updates:
Yet another milestone: makecex is out! This script generates bootable media. Not extensively tested; it just works for me.
Packages repo is out. For now the only package there is uidmapshift. Planning to add a patched version of libpulse, thus getting rid of the file permission fixer.
Although death by laughter is not my ultimate goal, I had to add a signing key for me, anonymous.
Automation is on the way. Commenced after I managed to crash the system simply by remounting /var/lib/lxc with running containers. I did not realize it was so dangerous. This action destroyed all mounted partitions, including a backup USB stick which had nothing to do with it. Why???
It plays music! Initial version of Chapter 6 is out, to be updated.
XFCE desktop environment is working!
Tag: 0.0.2
Initial commit and release.
You may wonder how to issue apt upgrade for a dozen containers including the base system. That's what the dist-upgrade script is for. It is based on lxc-chroot, which runs an arbitrary command, properly chrooting into the container's rootfs.
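As an added illustration of the same idea (this is not the project's dist-upgrade or lxc-chroot script), the loop below pushes one apt command to the host and to every running container. It uses the stock lxc-attach instead of lxc-chroot, so it only reaches containers that are up, and it assumes the containers are Devuan/Debian with apt. The ATTACH and LXC_LS variables are hypothetical knobs that exist so the loop can be exercised without real containers.

```shell
#!/bin/sh
# Added example, not the project's dist-upgrade/lxc-chroot scripts: run the
# same apt command on the host and in every *running* container via
# lxc-attach (assumption: containers are Devuan/Debian with apt). ATTACH and
# LXC_LS are overridable so the loop can be tested without real containers.
set -u

ATTACH="${ATTACH:-lxc-attach}"
LXC_LS="${LXC_LS:-lxc-ls}"
APT_CMD='apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade'

# Run the upgrade inside one container. --clear-env keeps host variables
# (proxy settings, DISPLAY, ...) from leaking into the container's apt run.
upgrade_one() {
    "$ATTACH" -n "$1" --clear-env -- sh -c "$APT_CMD"
}

# Upgrade every container named in "$@" and print one status line each.
# Returns the number of containers whose upgrade failed (0 = all good),
# so a single broken container does not abort the rest of the run.
upgrade_all() {
    failed=0
    for name in "$@"; do
        if upgrade_one "$name" >/dev/null 2>&1; then
            echo "ok   $name"
        else
            echo "FAIL $name"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Entry point when invoked as "./upgrade-all run": host first, then all
# running containers as listed by lxc-ls.
if [ "${1:-}" = "run" ]; then
    sh -c "$APT_CMD" || echo "FAIL host"
    upgrade_all $("$LXC_LS" -1 --running)
fi
```

Stopped containers are skipped by design here; the page's lxc-chroot approach is what you want when a container must be upgraded without starting it.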
They launched an apt repository, so it's worth following their instructions.
At the time of writing, Firefox (version 123) uses Wayland by default. If you remember, WAYLAND_DISPLAY is reset in /home/user/.config/sv/xfce4/run, and this makes Firefox enter an infinite loop saying
Warning: ConnectToCompositor() try again : Connection refused
There are two options:
I tried both. Initially I chose the latter, using a script:
#!/bin/sh
if [ -n "$X_WAYLAND_DISPLAY" ] ; then
export WAYLAND_DISPLAY=$X_WAYLAND_DISPLAY
else
# fallback
export WAYLAND_DISPLAY=wayland-1
fi
firefox
However, this makes copy-paste troublesome so I returned to X mode for now.
Since the NFS client is implemented in the kernel, and the kernel does not allow NFS mounts from inside a user namespace, NFS is troublesome to use from unprivileged containers. The only working recipe is to mount the necessary shares on the host system and then bind them into the containers.
Let's create the autofs configuration:
mkdir /etc/auto.maps
echo "/mnt/myserver /etc/auto.maps/myserver" >/etc/auto.master.d/myserver.autofs
echo "shared-dir myserver.example.com:/var/share/top-secret" >/etc/auto.maps/myserver
and restart autofs.
Then add the following lines to the container's config (the hook makes the host-side mount point shared, so automounts appearing under it propagate into the container's rbind copy):
lxc.hook.start-host = mount --make-rshared /mnt/myserver
lxc.mount.entry = /mnt/myserver mnt/myserver none create=dir,rbind 0 0
Start the container. Inside, ls /mnt/myserver/shared-dir should work as expected.
The solution is fragile. If autofs is restarted, it remounts the top directories and containers do not see them anymore.
Another approach could be an NFS client in userspace, but there are not so many implementations in the wild. I gave this one a try, but it failed.
Yes, I tried to play with /dev/fuse and read all those hints on the Internet. No luck.
menulibre looks kinda like bloatware and is currently totally broken in excalibur. However, it's quite easy to edit menus manually:
.config/menus/xfce-applications.menu
.local/share/applications
Containers are great for isolating workspaces as if they were running on separate machines. This greatly simplifies things like networking, which are too error-prone or impossible to maintain within a single system.
But at the container level everything is still the same: a single home directory where all applications have full access to the user's data.
This is dangerous. Potentially, every program that uses the network may leak your sensitive data, even unintentionally.
Basically, all programs that work with your data should run in a container with networking disabled, and probably I'll end up with such an arrangement.
But for now I have a few legacy XFCE environments, each running in its own container. A temporary solution I deployed within those containers is restricted network access for the main user, with all networking software running as different users. This software includes Firefox, Chromium, the Mullvad and Tor browsers, plus Thunderbird. Of course, some of them already support Wayland, but LXCex still has copy-paste issues, and that is a blocking factor for running them natively.
Here's the setup, using Firefox as the example; it can be used as a boilerplate for other programs.
First, create a separate user:
useradd -g users --skel /etc/skel --shell /bin/bash --create-home firefox
Then, move directories:
mkdir /home/firefox/.cache
mv /home/user/.mozilla /home/firefox/
mv /home/user/.cache/firefox /home/firefox/.cache/
chown -R firefox /home/firefox
Create shared directory for downloads:
mkdir -p /var/share
chgrp users /var/share
chmod 710 /var/share
mv /home/user/Downloads /var/share/
chmod 777 /var/share/Downloads
ln -s /var/share/Downloads /home/user/
ln -s /var/share/Downloads /home/firefox/
Next, prepare a script /usr/local/bin/start-firefox:
#!/bin/sh
USER=firefox
if [ -z "$1" ] ; then
# stage 1, as the desktop user: let the firefox account talk to the X server
xhost +SI:localuser:$USER
exec sudo $0 dosu
elif [ "$1" = "dosu" ] ; then
# stage 2, as root (permitted by the sudoers rule): switch to the app user
exec su -l -c "$0 run" $USER
elif [ "$1" = "run" ] ; then
# stage 3, as the app user: set up the XDG environment and start the browser
cd /home/$USER
. /usr/local/share/lxcex-xdg.sh
export DISPLAY=:0.0
exec firefox --display=:0.0
fi
Actually, the DISPLAY environment variable is not necessary here, but this script can be used as a boilerplate to run other apps, so I intentionally left it.
Finally, create /etc/sudoers.d/50-start-firefox (alas, sudo is required):
user ALL = NOPASSWD: /usr/local/bin/start-firefox dosu
The argument is part of the rule, so user can run the launcher as root only with dosu and nothing else; give the file mode 0440 and check it with visudo -cf before logging out.
You may need to modify the XFCE start menu entry, and add the -P option the first time; otherwise Firefox may start with a blank profile.
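The steps above, generalised so the same code prepares any networking app (Firefox, Chromium, Thunderbird, ...), as an added example that is not one of LXCex's own scripts. It assumes the desktop user is "user" and belongs to group "users" (the page's /var/share permissions already rely on that), and that /usr/local/share/lxcex-xdg.sh exists as on the page. The script name, the run/setup_app helpers and DRY_RUN are hypothetical names introduced here. One deliberate difference from the page: the shared Downloads directory gets setgid group-writable permissions (2770) instead of 777, so only members of "users" can write there.

```shell
#!/bin/sh
# Added example, not one of LXCex's scripts: the "separate user per networking
# app" recipe, generalised so one script sets up Firefox, Chromium,
# Thunderbird, ... Assumptions: the desktop user is "user" and is in group
# "users", and /usr/local/share/lxcex-xdg.sh exists as on the page.
# Run as root; set DRY_RUN=1 first to review the plan without changing anything.
set -eu

DESKTOP_USER="${DESKTOP_USER:-user}"
SHARE_DIR="${SHARE_DIR:-/var/share}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# sudoers rule for app $1: the argument "dosu" is part of the rule, so the
# desktop user cannot run the launcher as root with any other argument.
sudoers_line() {
    echo "$DESKTOP_USER ALL = NOPASSWD: /usr/local/bin/start-$1 dosu"
}

# Launcher for app user $1 running binary $2; same three stages as
# start-firefox on the page (xhost grant -> sudo -> su -l -> run).
launcher_body() {
    cat <<EOF
#!/bin/sh
USER=$1
if [ -z "\$1" ] ; then
    xhost +SI:localuser:\$USER
    exec sudo \$0 dosu
elif [ "\$1" = "dosu" ] ; then
    exec su -l -c "\$0 run" \$USER
elif [ "\$1" = "run" ] ; then
    cd /home/\$USER
    . /usr/local/share/lxcex-xdg.sh
    export DISPLAY=:0.0
    exec $2
fi
EOF
}

# setup_app NAME BINARY [PROFILE_DIR ...]   (profile dirs relative to ~user)
setup_app() {
    app=$1; bin=$2; shift 2
    run useradd -g users --skel /etc/skel --shell /bin/bash --create-home "$app"
    for d in "$@"; do
        run mkdir -p "/home/$app/$(dirname "$d")"
        run mv "/home/$DESKTOP_USER/$d" "/home/$app/$d"
    done
    run chown -R "$app" "/home/$app"
    # Shared Downloads: setgid + group-writable instead of 777, so only
    # members of "users" can write there and new files inherit that group.
    run mkdir -p "$SHARE_DIR"
    [ -d "$SHARE_DIR/Downloads" ] || run mv "/home/$DESKTOP_USER/Downloads" "$SHARE_DIR/"
    run chgrp users "$SHARE_DIR" "$SHARE_DIR/Downloads"
    run chmod 710 "$SHARE_DIR"
    run chmod 2770 "$SHARE_DIR/Downloads"
    run ln -sfn "$SHARE_DIR/Downloads" "/home/$DESKTOP_USER/Downloads"
    run ln -sfn "$SHARE_DIR/Downloads" "/home/$app/Downloads"
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ write /usr/local/bin/start-$app and /etc/sudoers.d/50-start-$app"
    else
        launcher_body "$app" "$bin" > "/usr/local/bin/start-$app"
        chmod 755 "/usr/local/bin/start-$app"
        sudoers_line "$app" > "/etc/sudoers.d/50-start-$app"
        chmod 440 "/etc/sudoers.d/50-start-$app"
        visudo -cf "/etc/sudoers.d/50-start-$app"   # refuse to leave a broken rule behind
    fi
}

# e.g.  DRY_RUN=1 ./split-user setup firefox firefox .mozilla .cache/firefox
if [ "${1:-}" = "setup" ]; then shift; setup_app "$@"; fi
```

Keep in mind what this separation does and does not buy. The app user can no longer read the desktop user's files, which is the accidental-leak scenario this section is about; but once xhost has admitted it, X11 offers no isolation between clients, so a genuinely hostile browser could still watch the display and input of the desktop user. For that threat the container-without-networking arrangement mentioned above is the right tool.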
Discovered this article when I wrote Chapter 6: https://discuss.linuxcontainers.org/t/audio-via-pulseaudio-inside-container/8768 They use LXD, and it's worth taking a look at their implementation of socket proxies. Can we use them to retain the container socket and reconnect to the host socket when the base compositor gets restarted? Or when a container resumes from hibernation?
Still don't get why I have to mount --make-shared /run, i.e. /run, not /run/user, if I mount --rbind /run/user "${LXC_ROOTFS_MOUNT}/run/host/run/user" in containers and want all uid submounts to propagate.
smartd is the most reliable tool to disable HDD spindowns thus far. In /etc/default/smartmontools:
smartd_opts="--interval=10 --attributelog=- --savestate=-"
The key option is --interval; the others disable the attribute log and state saving, which I never needed. The -n option is set to never in /etc/smartd.conf, i.e.:
DEVICESCAN -d removable -n never -m root -M exec /usr/share/smartmontools/smartd-runner
With -n never, smartd polls the disk regardless of its power mode, and that poll every 10 seconds is what keeps the drive from spinning down.
My extra packages, just for the record:
gnome-font-viewer, looks unnecessary
gthumb
breeze-icon-theme
systemsettings: installed just in case, zero profit so far.
libnss3, libasound2