
Using Easy Containers

September 13, 2019 — BarryK

Running an application in a container is a mechanism to achieve isolation from the rest of the system and higher security than if the application were run in the normal way.

There is another web-page which is a technical overview of EasyOS from the user-perspective, including an introduction to Easy Containers (EC):

https://easyos.org/tech/how-easy-works-part-2.html 

...please read the section that introduces Easy Containers, as it provides the basis to understand what follows.

This page is intended to provide additional usage notes. As described in the above link, containerized apps show on the desktop with a "lock" symbol at top-left, for example:

img1

Clicking on one of these will run the app in a container. In the case of "www", it will start the SeaMonkey web browser, and it will be just like the normal SeaMonkey. From the user-perspective, you will notice some differences though:

  1. A tiny bit slower to startup.
  2. Open and Save files can only be within the container.
  3. Extensions/add-ons/themes not shared with the system-SeaMonkey.
  4. There may be issues with Internet connection.

You are, in fact, running SeaMonkey in its own private operating system, running as "crippled root". Although a container is isolated from the main desktop, it is not perfect isolation. There has to be some interaction, for example to achieve Internet connection via the connection already established on the main desktop.

This required interaction also means potential security weaknesses; however, we try to make it very difficult to break out of a container. So yes, you are considerably more secure.

Regarding point 4, there are sometimes issues with network access from within a container, especially as we attempt to tighten up the security (isolation) settings. Generally, an Ethernet network connection is better than wi-fi in this regard.

Sharing files with the main desktop

That is point 2 in the above list, but from the point of view of being inside the container. From the main desktop, you can see inside all of the containers, and do anything that you want in them, including read and write files.

Regardless of whether you are running an app on the main desktop or inside a container, most apps will default to open|save|download to /home, or a sub-folder inside /home. For example, SeaMonkey defaults to downloading files to /home/downloads.

On the main desktop, the home folder is actually in the working-partition, and /home is a symlink to it. In other words, /home is a link to /mnt/wkg/home.

Inside a container, however, there is no access to drive partitions: everything, including /home, is in RAM. This is for security reasons.

By a bit of magic, though, the folder /home/shared on the main desktop is the same as /home/shared inside the container. So if, for example, you download a file while running the web browser inside a container, to make that file available to the main desktop, just save it to /home/shared.

And vice versa. Though, as already stated, you can read and write anywhere in a container from the main desktop. For example, if the "www" container is running (SeaMonkey), then if you point the file manager at /mnt/wkg/containers/www/container, you can access everything inside the container.
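As an added example (not EasyOS's own code), here is a check you can run from the main desktop to confirm that a running container's mount table matches the isolation just described: the only drive-partition-backed mount should be /home/shared, and it should be present. It assumes the container's mounts can be read from /proc/<pid>/mountinfo for any process running inside the container, and that /home/shared is implemented as a bind mount from the working partition, which the page does not state; the mountinfo lines below are constructed samples.

```shell
# Added example, not part of EasyOS. Assumed usage from the main desktop:
#   cat /proc/<pid-of-a-process-inside-the-container>/mountinfo | audit_container_mounts
# Reports any mount backed by a drive partition other than /home/shared
# (contradicting "no access to drive partitions"), and a missing /home/shared.
audit_container_mounts() {
    # mountinfo columns: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    awk '
    {
        fstype = ""; src = ""; mp = $5
        for (i = 7; i <= NF; i++)            # locate the " - " separator
            if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
        if (mp == "/home/shared") { shared = 1; next }    # the one intended share
        if (src ~ "^/dev/(sd|nvme|mmcblk|vd)")            # a real partition reachable inside
            print "PARTITION " mp " (" src ")"
    }
    END { if (!shared) print "MISSING /home/shared" }     # file sharing would not work
    '
}

# Constructed sample: a "www" container with a tmpfs /home (everything in RAM),
# the /home/shared bind mount, and one stray partition mount that must be flagged.
SAMPLE_WWW='101 100 0:45 / / rw,relatime - overlay overlay rw
102 101 0:46 / /proc rw,nosuid,nodev,noexec - proc proc rw
103 101 0:47 / /home rw,nosuid - tmpfs tmpfs rw
104 103 8:2 /home/shared /home/shared rw,relatime - ext4 /dev/sda2 rw
105 101 8:17 / /mnt/data rw,relatime - ext4 /dev/sdb1 rw'

# Constructed sample: no partitions leak in, but the share is absent.
SAMPLE_NOSHARE='201 200 0:45 / / rw,relatime - overlay overlay rw
202 201 0:47 / /home rw,nosuid - tmpfs tmpfs rw'

audit_sample() {                      # run the audit over one of the samples by name
    case "$1" in
        www)     printf '%s\n' "$SAMPLE_WWW"     | audit_container_mounts ;;
        noshare) printf '%s\n' "$SAMPLE_NOSHARE" | audit_container_mounts ;;
    esac
}

audit_sample www        # prints: PARTITION /mnt/data (/dev/sdb1)
audit_sample noshare    # prints: MISSING /home/shared
```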

Run SFSs of other distributions

There is something very nice about SFSget, the SFS downloader and installer, run by clicking the icon labeled "sfsget" on the desktop. That niceness is that you can run any SFS, regardless of which Linux distribution it was created for.

An app is compiled to work on a particular distribution, and version of that distribution, and may not work on other distributions. This could be due to wrong versions of libraries, or missing dependencies. However, with Easy Containers, that is not a problem.

At the time of writing, the latest version of EasyOS is 2.1.3, the "Buster" series. The Buster series, that started with 2.0, is built with binary packages from the Debian Buster 10 distribution. There is also an older series of EasyOS, known as the "Pyro" series, version numbers 1.x and the latest is 1.2.3. Easy Pyro is built with packages compiled from source using a fork of OpenEmbedded. Pyro is in maintenance-mode, and there are still occasional releases.

The point is, Buster and Pyro are really two different distributions, and the same principle will apply, that an app compiled for Pyro might not work in Buster. However, Easy Containers fixes that.

If you are running Buster, and click on the "sfsget" icon, this is the window:

img2

...you can see various SFS files that can be downloaded, and you can choose to run them in a container or on the main desktop.

See the other path "easyos/oe/pyro". That has SFS files for Pyro. If you click that radio button:

img3

...take "pingus" for example. That is a game, compiled to run on Easy Pyro. If you were to download and install it, it can only be run in a container, in a layered filesystem with easy_1.2.2_amd64.sfs at the bottom. So you are really running the complete Pyro distro, but with just the one app in it.

However, if you select "easy_1.2.2_amd64.sfs", as shown in the above snapshot, and click the "Download" button, it will install as a complete Easy Pyro desktop. In other words, after installing, this is what you would see on the desktop:

img4

...yes, you can run either Buster or Pyro as a complete desktop in a container. If you click on "pyro", you get the familiar desktop of that series:

img6

A note on a detail: if you had previously installed "Pingus", then easy_1.2.2_amd64.sfs would already have been downloaded, so the above SFSget window would show "Install" on the button instead of "Download". You can then proceed to install Easy Pyro as a containerised desktop.

Flipping and killing containers

Clicking on the "pyro" icon will launch the Easy Pyro containerized desktop. ALT-F6 will flip you back to the main desktop. On the main desktop, click either the "pyro" icon or the entry in the tray to flip back into the Pyro container.

But how to kill a container? If running a single app in a container, such as Pingus, closing the app will also kill the container.

There is another way to kill a container, and this method is required if you want to kill the Pyro container. On the main desktop, right-click on the tray entry, and choose "Kill":

img8


more coming... 

