#spectrum on 2019-12-23

2019-08-29 20:55 qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/

01:47 <qyliss> I expanded a bit on how VM->VM communication will work on the website: https://spectrum-os.org/git/www/commit/

01:48 <qyliss> https://spectrum-os.org/git/www/commit/?id=7557138bad3f3284dba1bdf0f6e00305b4a63a33

01:48 <qyliss> give nlnet something to read

05:27 <MichaelRaskin> I wonder what is the good way to manage the export list of an FS VM

05:49 <MichaelRaskin> Maybe just dynamically launching a filtering process that adds a prefix to all requests…

05:50 <MichaelRaskin> I think VM machine migration often means things that cannot be done as «migrated as source code»

05:51 <MichaelRaskin> (I also think that a VM-per-application-instance implies that you have a very limited amount of VM images that are then given different connections to store)

05:54 <MichaelRaskin> I think it is cheap to have multiple storage VMs, so you can still divide data into sensitivity domains, but without an obligation to align this perfectly with application VM allocation

06:03 <MichaelRaskin> BTW, how long does it take to spin up and shutdown an empty CrosVM in your test runs?

06:04 <MichaelRaskin> Hmm. If we need to mount different subsets of a single tree, and probably want to do it with a single server and filtering proxies, we might just as well ask the proxies to make sure the paths are well-formed and have no .. and are UTF-8-clean etc.

06:37 <MichaelRaskin> Good question what happens to symlinks in all the mess

07:00 <qyliss> I think the server doesn't need to care much about symlinks

07:08 <MichaelRaskin> The server doesn't, but the system design doe

07:08 <MichaelRaskin> does

07:09 <MichaelRaskin> Do we imply that we mount just different subsets of the same tree (split into multiple parts by sensitivity etc.), or is layout customisable?

07:11 <qyliss> I don't see why it shouldn't be customisable

07:12 <MichaelRaskin> Neither do I, but then the user will need some reminder of how symlinks work

07:17 <qyliss> I think if you're using symlinks you're responsible for understanding how they work.

07:17 <qyliss> if this work has any impact, a very small proportion of users know what a symlink is

07:21 <MichaelRaskin> Maybe. We are going to break a nontrivial amount of assumptions, though

07:25 <qyliss> how so?

07:25 <qyliss> mount points will work the same as any other unix systetm

07:25 <MichaelRaskin> Kind of

07:25 <MichaelRaskin> A typical unix system doesn't have the same subtree mounted at different paths all the time

07:27 <MichaelRaskin> And to get to thepoint where nobody knows what a symlink is, you need to get through the phase where people who do know use and like the system

07:29 <MichaelRaskin> Hm. I wonder at what level do we want to enforce read-only subtrees

07:33 <qyliss> that would be done by the fs server

07:39 <MichaelRaskin> Not sure what is the exact plan.

07:39 <MichaelRaskin> The FS server will have a socket per subtree and per its read-only status?

07:40 <qyliss> something like that

07:41 <MichaelRaskin> If we can get cheap enough VMs, there is a benefit in having a single FS server socket for the actual FS server, and then multiple filtering VMs that enforce RO and subtrees

07:43 <MichaelRaskin> Advantages: no dynamic reconfiguration of VMs and no dynamic reconfiguration of servers

07:44 <MichaelRaskin> (Also, if we have dead-simple filtering proxies, we can skip «reinvent the filesystem»)

07:45 <MichaelRaskin> (And looking at BtrFS history, reinventing the FS is not what you want to do in a single year)

08:07 <qyliss> MichaelRaskin: oh, btw, takes 1.5 seconds or so to get to the point of a terminal appearing

08:08 <MichaelRaskin> I guess you have a better CPU than I do.

08:08 <qyliss> actually, that time it took more like 3s

08:08 <qyliss> not slow, anyway

08:09 <qyliss> this is on 2012 hardware

08:10 <MichaelRaskin> Not sure what is the CPU year for Thinkpad W530

08:10 <qyliss> this is a 220

08:10 <qyliss> x220

08:10 <qyliss> so probably 1 generation later

08:10 <qyliss> how long does it take for you?

08:11 <MichaelRaskin> Well, I do have an extra layer of container around

08:11 pie_ has quit [Ping timeout: 260 seconds]

08:11 <qyliss> Yeah we should be comparing like for like

08:11 <MichaelRaskin> But purely the dmesg part takes strictly more than 2 seconds, every time

08:12 <qyliss> Yeah, at the moment I'm getting 2s of that, and then 1s later the window appears

08:13 <MichaelRaskin> But this is just to 9p-mount and exit

08:15 <qyliss> I've tagged mktuntap 1.0, btw. Seems like the thing to do since it has another user.

08:16 <qyliss> If somebody else wants to submit to Nixpkgs they're most welcome to, but I won't self-submit.

08:51 <MichaelRaskin> In a sense, as long as all the ChromiumOS stuff from SpectrumOS repo is not submitted upstream, mktuntap is a small thing (as it seems to be most useful for CrosVM: Qemu can select interface name on its own)

08:52 <qyliss> I'm sure there are other use-cases

08:52 <qyliss> execline-style tap/tun device configuration feels generally useful to me

08:56 <MichaelRaskin> I wonder what is safer by now, wlroots or libvncclient

13:59 pie_ has joined #spectrum

20:21 pie_ has quit [Ping timeout: 258 seconds]

20:25 pie_ has joined #spectrum

22:04 tilpner_ has joined #spectrum

22:06 tilpner has quit [Ping timeout: 268 seconds]

22:16 <MichaelRaskin> BTW: re: 9P over IPv6: in principle, if for non-containerised VMs you want IPv6, one could also do a connect() then mount via an FD

22:20 <MichaelRaskin> I think authenticated 9P mounts work like that anyway