Closed Nonie689 closed 2 years ago
I think you want to schroot first. Bubblejail will block a lot of the syscalls.
Hmmm, do you maybe have an idea how to get Wayland in schroot?
And do you think that schroot is a security enhancement, or do you think bubblejail with an extra user account is enough?
Or is https://wiki.archlinux.org/title/Systemd-nspawn better??
Hmmm. Thinking about this, schroot is probably superseded by debootstrapping a new root file system and modifying bubblejail to use a custom root. This will give full access to bubblejail services and an independent file system.
I wrote with Roger today; he said:
Hi,
First thing to mention, schroot is retired and unsupported. The project is archived, and no further development is planned. I would advise migrating to a supported tool.
https://gitlab.com/codelibre/schroot#end-of-life
Wayland has not been tested, is not supported, and will not be supported due to the project retirement. You are welcome to add this yourself, but code changes will no longer be integrated upstream.
Kind regards, Roger
so nspawn is better??
I have read this... but not tested yet..
To run Wayland applications in docker without X, you need a running wayland compositor like Gnome-Wayland or Weston. You have to share the Wayland socket. You find it in XDG_RUNTIME_DIR and its name is stored in WAYLAND_DISPLAY. As XDG_RUNTIME_DIR only allows access for its owner, you need the same user in container as on host. Example:
source:
So if I understand this correctly [but not tested..], I need to make a softlink from the xdg runtime dir to the chroot??? Or am I wrong?
and I have found this..
https://laurentschneider.com/wordpress/2007/03/xhost-is-a-huge-security-hole.html
> make a softlink from the xdg runtime dir to the chroot???
You need to create the xdg runtime dir inside the chroot and then link the wayland socket. (this is what bubblejail does for wayland)
BTW I feel like this issue went off topic. Sorry, I can't help with schroot or systemd-nspawn because I am not familiar with either one of them. Should I close the issue?
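The setup described in the comments above (a runtime dir created inside the chroot, with the Wayland socket made available in it), as an added example that is not bubblejail's or schroot's code. It assumes a helper run as root, a chroot path passed as an argument, and a bind mount for the socket, since a symlink pointing outside the chroot would not resolve from inside it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: expose only the host Wayland socket inside a chroot tree.
# The chroot layout and the bind-mount approach are assumptions.

# Resolve the host socket path: WAYLAND_DISPLAY defaults to wayland-0
# and may also be an absolute path; otherwise it is relative to XDG_RUNTIME_DIR.
wayland_socket_path() {
    display="${WAYLAND_DISPLAY:-wayland-0}"
    case "$display" in
        /*) printf '%s\n' "$display" ;;
        *)  [ -n "${XDG_RUNTIME_DIR:-}" ] || return 1
            printf '%s/%s\n' "$XDG_RUNTIME_DIR" "$display" ;;
    esac
}

# Per-user runtime dir inside the chroot. The UID must match the host user,
# because the runtime dir (and the socket in it) is only accessible to its owner.
chroot_runtime_dir() {
    printf '%s/run/user/%s\n' "${1%/}" "$2"
}

# Create the runtime dir in the chroot (mode 0700, owned by the user) and
# bind-mount the single socket into it. Binding just the socket keeps the
# rest of the host runtime dir out of the chroot. Requires root.
share_wayland_socket() {
    root="$1"; uid="$2"
    sock="$(wayland_socket_path)" || { echo "XDG_RUNTIME_DIR is not set" >&2; return 1; }
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    dir="$(chroot_runtime_dir "$root" "$uid")"
    install -d -m 0700 -o "$uid" "$dir" || return 1
    target="$dir/wayland-0"
    : > "$target" || return 1        # empty file as mount point for the socket
    mount --bind "$sock" "$target"
}

# Usage (as root):  share_wayland_socket /srv/chroot/sid 1000
# Inside the chroot, run the client as the same UID with
#   XDG_RUNTIME_DIR=/run/user/1000 WAYLAND_DISPLAY=wayland-0
```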
No... what do you think about using unionfs to make the root fs secure instead of chroot?
> No... what do you think about using unionfs to make the root fs secure instead of chroot?
Bubblejail already makes root secured.
Can you write a description of what bubblejail currently does?
> Can you write a description of what bubblejail currently does?
I had plans to make a document with an architecture explanation.
Description
I want to use
https://wiki.debian.org/Schroot combined with bubblejail
Is it better to bubblejail schroot, or is it better to bubblejail the application in the schroot??