Lightweight privacy-focused desktop operating system based on Devuan and LXC.
A project for self-education, and yet another attempt to make an alternative
to Qubes OS.
This is not a distro yet and probably never will.
This is a set of files and patches, a simple makecex script,
and an instruction à la LFS.
Work in progress.
At the moment, this system reflects my experience and is full of personal preferences. Some of them are quite baseless. I swear I'll get rid of them as soon as the number of users will go beyond 1.5. But in general, the rationale is as follows:
A bootable media with live system can be generated with makecex. You'll need a PPA which can be created with prepare and build scripts.
Only legacy boot mode is supported for amd64 for now.
The script contains parameters at the beginning, revise them carefully before running.
You can write modified parameters to makecex.conf instead of making changes to the script.
Drafts/Sandbox section.
Since LXCex moved to idmapped mounts, file permissions became more important.
With uidmapshift all container data was inaccessible from unprivileged user on the base system.
That's no longer the case with idmapped mounts because unprivileged users
across base system and containers have common ids.
Make sure all subdirectories in /var/lib/lxc have minimal permissions and are not readable by other at least.
The same applies to the container data stored elsewhere.
However, for idmapped mounts to work, the minimal permissions must include directory traversal for others.
This could be worked around using setfacl, but that comlication overweights the convenience.
If all the above is a security concern, do not use idmapped mounts.
/dev/ptmx after a while.sh
if Weston is started by runit, where parent shell is sh.lxcex, let the user to customize that?uidmapshift around for now.
As a replacement for ls -l /var/lib/lxc that showed ids of uidmapshifted, containers,
there's an lxcex-idmap script now that shows subordinate user ids for each container
that use idmap.Okay, dropping a line here. I still seem to be a single user of all this shit and, as my African friends say, "daz good!"
Lots of features wanted. Number one is to get rid of runit. Number two is UI utils. All others wishes are just a little things.
So far so good. New Chapter 8 is out.
Three months since inception, and now I can say farewell, linuxmint. LXCex is on all my laptops from now onwards.
Major updates:
Yet another milestone: makecex is out! This script generates bootable media. Not excessively tested, it just works just for me.
Packages repo is out. For now the only package there is uidmapshift. Planning to add patched version of libpulse, thus getting rid of file permission fixer.
Although death from laugh is not my ultimate goal, I had to add signing key for me, anonymous.
Automation is on the way. Commenced after I managed to crash the system simply by remounting /var/lib/lxc with running containers. Did not realize it's so dangerous. This action destroyed all mounted partitions including backup USB stick which had nothing to do with that. Why???
It plays music! Initial version of Chapter 6 is out, to be updated.
XFCE desktop environment is working!
Tag: 0.0.2
Initial commit and release.
You may wonder how to issue apt upgrade for a dozen of containers including the base system.
That's what
dist-upgrade
script is for.
It is based on
lxcex-chroot
which runs arbitraty command, properly chrooting to the container's rootfs.
They lauched apt repository, so it's worth to follow their instructions
At the time of writing, firefox (version 123) uses wayland by default. If you remember, WAYLAND_DISPLAY is reset in /home/user/.config/sv/xfce4/run and this makes firefox to enter infinite loop saying
Warning: ConnectToCompositor() try again : Connection refused
There are two options:
I tried both. Initially I chose the latter, using a script:
#!/bin/sh
if [ -n "$X_WAYLAND_DISPLAY" ] ; then
export WAYLAND_DISPLAY=$X_WAYLAND_DISPLAY
else
# fallback
export WAYLAND_DISPLAY=wayland-1
fi
firefoxHowever, this makes copy-paste troublesome so I returned to X mode for now.
My initial setups were weird and fragile simply because of lack of understanding of shared subtrees.
Here's the solution:
Make some mount point recursively shared. You can't make an arbitrary directory in the file system rshared (that was my point of misunderstanding), it should be an actual mount point, i.e. a directory where some filesystem is mounted.
I want to use /mnt/autofs for autofs so let's mount a tmpfs there and rshare it:
mkdir -p /mnt/autofs
mount -t tmpfs -o size=64K --make-rshared tmpfs /mnt/autofs
mkdir /mnt/autofs/myserverCreate autofs configuration:
mkdir /etc/auto.maps
echo "/mnt/autofs/myserver /etc/auto.maps/myserver" >/etc/auto.master.d/myserver.autofs
echo "shared-dir myserver.example.com:/var/share/top-secret" >/etc/auto.maps/myserverand restart autofs.
Add the following line to the container's config:
lxc.mount.entry = /mnt/autofs mnt/autofs none create=dir,rbind 0 0Start the container. Inside, ls /mnt/myserver/shared-dir should work as expected.
However, user:group will be nobody:nogroup and I have no idea how to setup correct id mapping.
menulibre looks kinda bloatware and currently is totally broken in excalibur.
However, its quite easy to edit menus manually:
.config/menus/xfce-applications.menu.local/share/applicationsContainers are great to isolate workspaces as if they were running on separate machines. This greatly simplifies such things as networking which are too error-prone or impossible to maintain within a single system.
But at container level everything is still the same: single home directory where all applications have full access to user's data.
This is dangerous. Potentially, every program that use network may leak your sensitive data, even unintentially.
Basically, all programs that work with your data should be run in a container with disabled networking, and probably I'll end up with such arrangement.
But for now I have a few legacy XFCE environments each running in its own container. A temporary solution I deployed within those containers is restricted network access for the main user and running all networking software as a different users. This software includes Firefox, Chromium, Mullvad, and Tor browsers, plus Thunderbird. Of course, some do support Wayland already but LXCex still has copy-pasting issues and it's a blocking factor to run them natively.
Here's the setup, on the example of Firefox, which can be used as a boilerplate for other programs.
First, create a separate user:
useradd -g users --skel /etc/skel --shell /bin/bash --create-home firefoxThen, move directories:
mkdir /home/firefox/.cache
mv /home/user/.mozilla /home/firefox/
mv /home/user/.cache/firefox /home/firefox/.cache/
chown -R firefox /home/firefoxNext, prepare a script /usr/local/bin/start-firefox:
#!/bin/sh
USER=firefox
if [ -z "$1" ] ; then
xhost +SI:localuser:$USER
exec sudo $0 dosu
elif [ "$1" = "dosu" ] ; then
exec su -l -c "$0 run" $USER
elif [ "$1" = "run" ] ; then
cd /home/$USER
. /usr/local/share/lxcex-xdg.sh
export DISPAY=:0.0
exec firefox --display=:0.0
fiActually, DISPLAY environment variable is not necessary here, but this script
can be used as a boilerplate to run other apps so I intentionally left it.
Finally, create /etc/sudoers.d/50-start-firefox (alas, sudo is required):
user ALL = NOPASSWD: /usr/local/bin/start-firefox dosuYou may need to modify XFCE start menu entry. And to add -P option for the first time, otherwise firefox may start with a blank profile.
It's a good idea to share Downloads directory.
Previous approach was a group-writeable directory with symlinks to it, but the best way is lxces-share.
Let Downloads direcroty be in user's home directory, as it used to.
Then, create the following sharetab for the container:
/var/lib/lxc/<container-name>/rootfs/home/user/Downloads firefox /home/firefox/DownloadsAnd use hooks in container configuration, as shown in Chapter 8:
lxc.hook.pre-start = /usr/local/bin/lxcex-share
lxc.hook.mount = /usr/local/bin/lxcex-share
lxc.hook.start = /usr/local/bin/lxcex-share
lxc.hook.post-stop = /usr/local/bin/lxcex-shareDiscovered this article when wrote chapter 6: https://discuss.linuxcontainers.org/t/audio-via-pulseaudio-inside-container/8768 They use LXD and it's worth to take a look at the implementation od socket proxies. Can we use them to retain container socket and reconnect to the host socket when the base compositor gets restarted? Or when a container resumes from hibernation?
Again,
I didn't get why I had to
mount --make-shared /runi.e. /run, not /run/user if I did mount --rbind /run/user "${LXC_ROOTFS_MOUNT}/run/host/run/user"
in containers and wanted all uid submounts to propagate.
After re-reading that a few times it should be clear, eventually.
smartd is the most reliable tool to disable HDD spindowns thus far:
/etc/default/smartmontools:
smartd_opts="--interval=10 --attributelog=- --savestate=-"Key option is --interval, others disable saving state which I never needed.
-n option is never in etc/smartd.conf, i.e.:
DEVICESCAN -d removable -n never -m root -M exec /usr/share/smartmontools/smartd-runnerMy extra packages, just for the record.
gnome-font-viewer, looks unnecessarygthumbbreeze-icon-theme.systemsettings: installed just in case, zero profit so far.libnss3, libasound2