{"id":24,"date":"2009-09-29T13:30:44","date_gmt":"2009-09-29T12:30:44","guid":{"rendered":"http:\/\/paguilar.org\/?p=24"},"modified":"2009-09-29T13:30:44","modified_gmt":"2009-09-29T12:30:44","slug":"creating-a-sandbox-or-jail-for-cross-compiling","status":"publish","type":"post","link":"https:\/\/paguilar.org\/?p=24","title":{"rendered":"Creating a sandbox or jail for cross-compiling"},"content":{"rendered":"

When cross-compiling dynamic libraries like GTK+ we normally have a couple of issues that complicate the compilation and later the execution of apps that depend on those libraries.
\nFirst, we have to be very careful with the includes -I<\/em> and libraries -L<\/em> paths since they must point to the target, otherwise we risk to overwrite the host files.
\nSecond, after compiling we normally end up with libraries and\/or apps that require the whole path that we used during the process.
\nFor example, if we installed GTK+ in our target’s filesystem, let’s say \/opt\/STM\/STLinux-2.3\/devkit\/sh4\/target\/usr\/local<\/em>, then when we execute an app in the target that is dynamically linked to GTK+, it will search the libraries in that path, instead of \/usr\/local<\/em>.
\nThis issue can be solved creating ugly symbolic links or modifying the .la files, but neither of them are a clean\/good solution.<\/p>\n

One method for completely eliminating these problems is to cross-compile in a protected environment in which we can install, modify and remove files without causing any damage.
\nSuch an environment is called a jail or sandbox.<\/p>\n

There are several ways for implementing a sandbox (like the jail package for Debian),
\nbut the procedure shown below is quite simple and illustrates how a sandbox works.<\/p>\n

There are two main concepts behind a sandbox: chroot<\/strong> and unionfs<\/strong>.
\nchroot changes the root directory of the calling process to another specified in the given path. This directory will be used for pathnames beginning with \/<\/em>. The new root directory is inherited by all children of the calling process.
\nUnionfs gives the possibility of creating a filesystem that is the union of at least two others. For example, consider that the new unionfs is the union of our host’s root filesytem mounted in read-only mode, and of a temporary filesystem mounted in read-write mode.
\nThe result is a filesystem which looks exactly like the host’s root filesystem,
\nbut in which you can install, modify and\/or delete files without touching anything in the root filesystem.<\/p>\n

The following procedure and script show step by step how to create the sandbox:<\/p>\n

First we create a dedicated user that will have read\/write access to the sandbox.
\nYou can do it with any graphical interface or using the shell:<\/p>\n

\n$ adduser sandbox\n<\/pre>\n
Give sudo permissions to this user.
\nWARNING: Under some circumstances this is not safe, but in our case in which we just
\nwant to cross-compile it’s sufficient.<\/p>\n
\n$ sudoedit \/etc\/sudoers\n\nAdd the following line at the end of the sudoers file:\n    sandbox ALL=(ALL) ALL \n<\/pre>\n
Set the default shell, that is the last token in a line of the \/etc\/passwd<\/em> file, of the sandbox user to the script \/bin\/sandbox.sh<\/em> that is explained later:<\/p>\n
\nsandbox:x:1001:1001:sandbox user,,,:\/home\/sandbox:\/bin\/sandbox.sh\n<\/pre>\n
Now we create the temporary filesystem.<\/p>\n
Create a 1GB file called sandbox.img filled with zeroes:<\/p>\n
\n$ dd if=\/dev\/zero of=\/opt\/sandbox.img bs=1M count=1000\n<\/pre>\n
Create an ext3 filesystem in that file:<\/p>\n
\n$ mkfs.ext3 \/opt\/sandbox.img\n<\/pre>\n
Create the empty temporary directory:<\/p>\n
\n$ mkdir \/opt\/sandbox\n<\/pre>\n
Mount the ext3 formatted file filled with zeroes in the empty directory:<\/p>\n
\n$ mount -o loop \/opt\/sandbox.img \/opt\/sandbox\n<\/pre>\n
Change it’s permissions so everybody can read\/write to\/from it.<\/p>\n
\n$ chmod 777 \/opt\/sandbox\n<\/pre>\n
Create the directory \/opt\/unionfs<\/p>\n
\n$ mkdir \/opt\/unionfs\n<\/pre>\n
In the \/opt\/unionfs<\/em> directory we will mount the zeroed ext3 filesystem altogether with the host’s root filesystem taking advantage of the unionfs.
\nThis operation takes place in the \/bin\/sandbox.sh script that will be executed each time
\nwe log in as the sandbox user:<\/p>\n
In the function mount_unionfs()<\/em> in which we take one element of the mdirs list at a time, we mount the unionfs filesystem that is the union of the zeroed ext3 filesystem and the host’s root filesystem mounted in read only mode. This is the most important part of the mounting procedure.
\nThen we mount in the unionfs the necessary filesystem for having a working system such as \/dev<\/em>, \/sys<\/em>, \/proc<\/em> and \/tmp<\/em>
\nThe last element is the path of the cross-toolchain that can vary.
\nEg. The openmoko toolchain is located in \/usr\/local\/openmoko\/arm\/bin<\/em>
\nwhilst the STM toolchain for the sh4 arch is located in \/opt\/STM\/STLinux-2.3\/devkit\/sh4\/bin<\/em><\/p>\n
The chroot command is the other important part: it changes the root from \/<\/em> to \/opt\/unionfs<\/em> executing the su<\/em> command that contains the –shell<\/em> and –login<\/em> parameters.<\/p>\n
At this point we’re logged in as the user sandbox in a safe filesystem that is the union of
\nthe host’s filesystem and the empty ext3 filesystem. What we see in the unionfs is the host’s filesystem that was mounted in read-only mode:<\/p>\n
\n$ ls \/\nboot dev    initrd.img  lib     media       opt  root  selinux  sys  usr  vmlinuz\nbin  cdrom  etc         home    lost+found  mnt  proc  sbin     srv  tmp  var\n<\/pre>\n
and we can happily start compiling libraries like GTK+ in default paths such as \/usr\/local<\/em> without risking our host filesystem integrity.<\/p>\n
After compilation, we can log out and check out the compilation results in \/opt\/sandbox<\/em>
\nWe’ll see something like this:<\/p>\n
\n$ ls \/opt\/sandbox\/\ngtkdfb  lost+found  usr  var\n<\/pre>\n
Before we logged in as the sandbox user this directory was empty (lost+found is not considered), but now it contains three new directories: the gtkdfb contains all the GTK+ sources that we compiled.
\nThe var directory contains the cache and run with temporal information that was different than the one in the host filesystem.
\nThe usr directory contains the local directory with all the libraries, includes, shares and everything that was generated as a result of the GTK+ compilation:<\/p>\n
\n$ ls \/opt\/sandbox\/usr\/local\/\nbin  etc  include  lib  share  var\n<\/pre>\n
Now we can safely copy this directoy to our \/usr\/local\/<\/em> of the target filesystem!
\nThis avoids ugly logical links or other dirty solutions.<\/p>\n
Finally, the function umount_unionfs()<\/em> does the same steps as the mount_unionfs()<\/em> function
\nbut in reverse order. This is executed when the user sandbox logs out.<\/p>\n
Here’s the script:<\/p>\n
\n#!\/bin\/bash\n\n# Mount a source directory or fs type $i in destination mount point $j \n# using options $k\n#\n#     i               j                  k\nmdirs=( \n  \"unionfs\"   \"\/opt\/unionfs\"         \"-t unionfs -o dirs=\/opt\/sandbox:\/=ro\"\n  \"\/dev\"      \"\/opt\/unionfs\/dev\"     \"--bind\"\n  \"devpts\"    \"\/opt\/unionfs\/dev\/pts\" \"-t devpts\"\n  \"shm\"       \"\/opt\/unionfs\/dev\/shm\" \"-t tmpfs\"\n  \"sysfs\"     \"\/opt\/unionfs\/sys\"     \"-t sysfs\"\n  \"proc\"      \"\/opt\/unionfs\/proc\"    \"-t proc\"\n  \"\/tmp\"      \"\/opt\/unionfs\/tmp\"     \"--bind\"\n  \"\/dev\/sda6\" \"\/opt\/unionfs\/opt\"     \"-t ext3\"\n      )\n\nmount_unionfs()\n{\n    mdir_size=${#mdirs[*]}\n\n    i=0; j=1; k=2\n    while [ \"$i\" -lt \"$mdir_size\" ]; do\n        if [ -z \"$(mount | grep -w ${mdirs[$j]})\" ]; then\n            echo \"Mounting ${mdirs[$j]}\"\n            sudo \/bin\/mount ${mdirs[$k]} ${mdirs[$i]} ${mdirs[$j]}\n        fi\n        i=$((i + 3)); j=$((j + 3)); k=$((k + 3))\n    done\n}\n\numount_unionfs()\n{\n    mdir_size=${#mdirs[*]}\n\n    j=$((mdir_size - 2))\n    while [ \"$j\" -gt \"0\" ]; do\n        if [ -n \"$(mount | grep -w ${mdirs[$j]})\" ]; then\n            echo \"Umounting ${mdirs[$j]}\"\n            sudo \/bin\/umount ${mdirs[$j]} 2> \/dev\/null\n        fi\n        j=$((j - 3))\n    done\n}\n\nmount_unionfs\n\nsudo \/usr\/sbin\/chroot \/opt\/unionfs \/bin\/su --shell \/bin\/bash --login $USER\n\numount_unionfs\n<\/pre>\n
References:
\nchroot info page
\nhttp:\/\/www.filesystems.org\/project-unionfs.html<\/a>
\nhttp:\/\/www.howtoforge.com\/safe_mirror_unionfs_chroot<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
When cross-compiling dynamic libraries like GTK+ we normally have a couple of issues that complicate the compilation and later the execution of apps that depend on those libraries. First, we have to be very careful with the includes -I and libraries -L paths since they must point to the target, otherwise we risk to overwrite\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,10],"tags":[18,22,32,42],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-command-line-interface","category-compiling","category-gtk","tag-chroot","tag-cross-compiling","tag-sandbox","tag-unionfs"],"_links":{"self":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24"}],"version-history":[{"count":0,"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts\/24\/revisions"}],"wp:attachment":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}