EasyOS version 2.3.2, June 22, 2020

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#661 Post by BarryK »

rufwoof wrote:
BarryK wrote:If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used
Browsing through the code I see that a container is created by faking root and chroot i.e. using unshare ... Obvious now! I'd missed that before however, lack of understanding and was blindly assuming just chroot.

A note about that. Script 'ec-chroot' is where you will see the action, unshare etc.

It is also able to run 'env -i' to clear the environment variables.

It has been mentioned, the convenience of running as 'root' in a container. The user can drag files from the host system into the container, and not have to worry about file ownership and permissions.

This has been one of the big things about Puppy, running as root, and I want to keep that convenience in containers.

I had in the back of my mind that the next step would be to utilize "Linux capabilities" to keep root in a container, but restrict it.

I have done some tests, and it is looking good. Using the 'capsh' utility. Now running containers, and able to selectively dis-empower the 'root' in the container.

Just a quick heads-up post, will post more details soon.

On holiday right now, have my baby laptop with me, external 1TB drive. Running Easy, however, frustrating with the Cherry Trail CPU. Even the 4.14.32 kernel does not work properly.

If I plug in the 1TB drive after bootup, it isn't recognized. If I plug it in before bootup, half the time the kernel crashes at bootup.

I have to buy another laptop! The Asus baby does have one thing in its favour, only 960gm, good for traveling.
https://bkhome.org/news/

#662 Post by BarryK »

For anyone who is interested, this is a simple introduction to "grass roots" containers, showing how 'capsh' can be used to reduce capabilities of root in a container:

https://ericchiang.github.io/post/conta ... m-scratch/

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

seamonkey as Rover in a container with capsh security

#663 Post by rufwoof »

Edit: have subsequently extended the capsh for additional hardening, i.e. capsh command now looks like

capsh --drop=cap_chown,cap_sys_admin,cap_sys_chroot,\
cap_net_admin,cap_net_bind_service,cap_sys_boot,\
cap_sys_module,cap_sys_resource,cap_setpcap,cap_setgid,\
cap_setuid,cap_sys_rawio,cap_mknod,cap_net_raw,\
cap_audit_control,cap_mac_override,cap_mac_admin,\
cap_syslog,cap_audit_read,cap_audit_write,cap_fsetid --keep=1 --user=rover --uid=1003 -- -c /bin/sh --


EasyOS Pyro 0.9

Create a sakura container (see attached images and note in particular you have to untick the USER option when creating the container).

Once created a desktop icon will be shown for that new sakura container, click on that to open it and then cd /root and replace the current .bashrc file content with the following

Code:

###################################################
#
# Rufwoof April 2018
#
# /root/.bashrc file for EasyOS Pyro 0.9 container
# set so that it runs a /bin/sh as restricted userid
# 'rover' under capsh that restricts root
# from chown sys_admin and chroot i.e. running exit-chroot
# as root just puts you back to the / folder of the container
#
# Goes some way to thwart hacks such as escaping the chroot
# container and/or elevating privileges 
# 
###################################################

. /etc/profile

#v1.0.5 need to override TERM setting in /etc/profile...
#export TERM=xterm
# ...v2.13 removed.

#export HISTFILESIZE=2000
#export HISTCONTROL=ignoredups
#...v2.13 removed.

#Number   SIG   Meaning
#0   0   On exit from shell
#1   SIGHUP   Clean tidyup
#2   SIGINT   Interrupt
#3   SIGQUIT   Quit
#6   SIGABRT   Abort
#15   SIGTERM   Terminate

trap finish 0 1 2 3 6 15
finish()
{
  exit
}

chmod 700 /root
chmod 000 /usr/sbin/gparted
chmod 000 /sbin/fdisk
# ... etc for any other individual file/folders you wish to restrict

HOME=/home/rover export HOME
DISPLAY=:0 export DISPLAY
XDG_DATA_HOME=/home/rover/.local/share
GTK2_RC_FILES=/home/rover/.gtkrc-2.0
USER=rover
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
XFINANSDIR=/home/rover/.xfinans
XDG_CONFIG_HOME=/home/rover/.config
XDG_CACHE_HOME=/home/rover/.cache
LOGNAME=rover
cd /home/rover
capsh --drop=cap_chown,cap_sys_admin,cap_sys_chroot --user=rover --uid=1003 -- -c /bin/sh --

# For root level (testing) uncomment the following and comment out the above
#capsh --drop=cap_chown,cap_setuid,cap_sys_admin,cap_sys_chroot  -- -c /bin/sh --
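exit

Add rover to the audio group so that you'll hear sounds when playing videos in your browser

Code:

# groupadd only creates groups; to add the existing user rover to the audio group:
usermod -a -G audio rover
# (with the busybox applets instead: addgroup rover audio)

Also navigate to /usr/bin and edit seamonkey to change the code that looks like

Code: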

if [ "$NAMEOFUSER" == "spot" ];then
 HOMEDIR="/root/spot/.mozilla/seamonkey"
 NAMEEXE='seamonkey.bin'
else #called as seamonkey or mozilla...
 HOMEDIR="/root/.mozilla/seamonkey"
 NAMEEXE='seamonkey'
fi

to look like

Code:

if [ "$NAMEOFUSER" == "spot" ];then
 HOMEDIR="/root/spot/.mozilla/seamonkey"
 NAMEEXE='seamonkey.bin'
else
  if [ "$NAMEOFUSER" == "rover" ];then
     HOMEDIR="/home/spot/.mozilla/seamonkey"
     NAMEEXE='seamonkey.bin'
  else #called as seamonkey or mozilla...
    HOMEDIR="/root/.mozilla/seamonkey"
    NAMEEXE='seamonkey'
  fi
fi

EDIT: THERE IS AN ISSUE WITH THE ORANGE SEAMONKEY SPLASH SCREEN SHOWING FOR A LONG TIME ... SEE NEXT POST

Also edit /etc/profile.d/pup_gtk and change the content from

Code:

export GTK2_RC_FILES=/root/.gtkrc-2.0

to

Code:

export GTK2_RC_FILES=~/.gtkrc-2.0

Exit the container ... and then open the container again by clicking the desktop icon. The first time you opened the container you were running as root, as you will be the second/subsequent times, however root .bashrc is now set to throw you into rover, along with having set up restrictions i.e. dropping root out of certain operations and commands etc.

At the command prompt type seamonkey and press enter. Seamonkey will open and you'll be running it inside a container, running as user 'rover' and having capsh and other file/executable permissions that would make it more difficult for hackers to penetrate your system via seamonkey. Note however that if you save/download files etc then they are saved inside the container (as per any other container).

Once initially set up, if you create a snapshot of that sakura container, you can simply roll back to that whenever you want a nice clean container again (see the 'containers' section in Menu, FileSystem, Easy Version Control).

So now you can run a shell prompt session inside a container... and start seamonkey and be running as rover that has limited permissions. If a known vulnerability in your browser is exploited when visiting a dubious web site then they'll drop to the userid that the browser was running under i.e. rover ... which is a restricted user. They might try and elevate their permissions by using weaknesses in the main filesystem ... and if they do find one and gain root access then they're still locked into the container and where root also has restrictions as what it can do - including being blocked from chroot'ing out of the chroot container.
Attachments:
1.jpg: Open Easy Container Manager
2.jpg: Select sakura, untick the USER option, click Create
3.jpg: Confirm the creation
Last edited by rufwoof on Fri 27 Apr 2018, 23:37, edited 5 times in total.
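
A check for the capsh setup in the post above, added here as an example (it is not rufwoof's or EasyOS code): it decodes a capability bounding-set mask, as found in the CapBnd line of /proc/<pid>/status, and lists any capability from a --drop list that is still present. The function names and the two sample masks are constructed for illustration; the bit numbers are those of linux/capability.h and DROP_LIST is the extended list from the post.

```shell
#!/bin/sh
# Added example: check a capability mask against a capsh --drop list.

# Map a capability name to its bit number (linux/capability.h).
cap_bit() {
    case "$1" in
        cap_chown) echo 0 ;;             cap_dac_override) echo 1 ;;
        cap_dac_read_search) echo 2 ;;   cap_fowner) echo 3 ;;
        cap_fsetid) echo 4 ;;            cap_kill) echo 5 ;;
        cap_setgid) echo 6 ;;            cap_setuid) echo 7 ;;
        cap_setpcap) echo 8 ;;           cap_linux_immutable) echo 9 ;;
        cap_net_bind_service) echo 10 ;; cap_net_broadcast) echo 11 ;;
        cap_net_admin) echo 12 ;;        cap_net_raw) echo 13 ;;
        cap_ipc_lock) echo 14 ;;         cap_ipc_owner) echo 15 ;;
        cap_sys_module) echo 16 ;;       cap_sys_rawio) echo 17 ;;
        cap_sys_chroot) echo 18 ;;       cap_sys_ptrace) echo 19 ;;
        cap_sys_pacct) echo 20 ;;        cap_sys_admin) echo 21 ;;
        cap_sys_boot) echo 22 ;;         cap_sys_nice) echo 23 ;;
        cap_sys_resource) echo 24 ;;     cap_sys_time) echo 25 ;;
        cap_sys_tty_config) echo 26 ;;   cap_mknod) echo 27 ;;
        cap_lease) echo 28 ;;            cap_audit_write) echo 29 ;;
        cap_audit_control) echo 30 ;;    cap_setfcap) echo 31 ;;
        cap_mac_override) echo 32 ;;     cap_mac_admin) echo 33 ;;
        cap_syslog) echo 34 ;;           cap_wake_alarm) echo 35 ;;
        cap_block_suspend) echo 36 ;;    cap_audit_read) echo 37 ;;
        *) return 1 ;;
    esac
}

# /proc prints the mask as hex without a 0x prefix; add one if missing.
norm_mask() {
    case "$1" in
        0x*|0X*) echo "$1" ;;
        *)       echo "0x$1" ;;
    esac
}

# caps_still_present MASK COMMA_LIST
# Prints, space separated, every listed capability whose bit is still set
# in MASK. An empty line means the whole list has been dropped.
caps_still_present() {
    mask=$(norm_mask "$1")
    left=""
    for name in $(echo "$2" | tr ',' ' '); do
        bit=$(cap_bit "$name") || {
            echo "unknown capability: $name" >&2
            return 2
        }
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            left="${left:+$left }$name"
        fi
    done
    echo "$left"
}

# Bounding set of a process (default: this shell) from /proc.
read_capbnd() {
    awk '/^CapBnd:/ {print $2}' "/proc/${1:-$$}/status"
}

# The extended --drop list from the post.
DROP_LIST=cap_chown,cap_sys_admin,cap_sys_chroot,cap_net_admin
DROP_LIST=$DROP_LIST,cap_net_bind_service,cap_sys_boot,cap_sys_module
DROP_LIST=$DROP_LIST,cap_sys_resource,cap_setpcap,cap_setgid,cap_setuid
DROP_LIST=$DROP_LIST,cap_sys_rawio,cap_mknod,cap_net_raw,cap_audit_control
DROP_LIST=$DROP_LIST,cap_mac_override,cap_mac_admin,cap_syslog
DROP_LIST=$DROP_LIST,cap_audit_read,cap_audit_write,cap_fsetid

# Constructed sample masks: all of bits 0-37 set, and the same mask with
# cap_chown, cap_sys_chroot and cap_sys_admin cleared (the first .bashrc).
SAMPLE_FULL=0000003fffffffff
SAMPLE_DROPPED=0000003fffdbfffe
```

Inside the shell that capsh starts, `caps_still_present "$(read_capbnd)" "$DROP_LIST"` should print an empty line; any name it prints is a capability the container can still use.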

#664 Post by rufwoof »

I also commented out /usr/bin/seamonkey MAGICDIR section so it now looks like (you could just delete that code) as otherwise the orange splash screen just hung around for 80 seconds (2 second pauses, 40 iterations of sleep).

Code:

#MAGICDIR="$(ls -1 ${HOMEDIR} | grep 'default$' | tail -n 1)"
#if [ ! -f ${HOMEDIR}/${MAGICDIR}/places.sqlite ];then
# SMSPLASH='yaf-splash -bg orange -fg black -close never -fontsize medium -text "SeaMonkey is starting for the very first time!
#This will take awhile, as SeaMonkey creates setup and cache files in folder ${HOMEDIR}.
#All future startups of SeaMonkey will be much faster.
#
#Technical note:
#SeaMonkey is not usable on PCs with less than 256MB RAM, minimum 512MB recommended.
#
#Please wait..." &'
# 
# echo "#!/bin/sh
#HOMEDIR=${HOMEDIR}
#${SMSPLASH}
# YAFPID=\$!
# CNT=0
# while [ ! -f ${HOMEDIR}/${MAGICDIR}/places.sqlite ];do
#  sleep 2
#  CNT=\`expr \$CNT + 2\`
#  [ \$CNT -gt 40 ] && break
# done
# sleep 2
# pupkill \$YAFPID
# if [ -f /usr/lib/seamonkey/seamonkey ];then
#  ln -snf ../lib/seamonkey/seamonkey /usr/bin/${NAMEEXE}
# else
#  ln -snf ../lib64/seamonkey/seamonkey /usr/bin/${NAMEEXE}
# fi
#" > /tmp/sm-startup-wait-script
# chmod 755 /tmp/sm-startup-wait-script
# /tmp/sm-startup-wait-script &
# 
#fi

#665 Post by rufwoof »

Should say that the above won't fully mitigate Spectre and Meltdown type vulnerabilities (although it might go a long way as they do require access). Only full virtualisation can achieve that. Browser providers have coded to reduce the risk, however if you leave scripts open even that can be circumvented. Generally have scripts turned off and maybe only turn them on for sites you trust. In SeaMonkey ... Edit, Preferences, Advanced, Scripts and Plugins and untick the Enable Javascript for Browser option.

Personally I tend to leave scripts active as security and functionality are inverse correlated and the web is hard work without javascript being active. EasyOS being able to just rollback easily to a clean version is generally good enough for me as I also keep disconnected backups and generally couldn't care less if what was on my PC was seen by others. I could regret that if hardware had some kind of hack installed ... but only an isolated setup is truly safe. For more important stuff such as online banking I use alternatives.

#666 Post by BarryK »

rufwoof wrote: Looks like line 479 in /usr/sbin/easy-version-control

Code:

busybox mount -t squashfs -o loop,noatime /mnt/${WKG_DEV}/${WKG_DIR}containers/${EC_NAME}/rw-${EC_SNAP}.sfs /tmp/easy_version_control/tmpmnt

should not include the .sfs after {EC_SNAP} ???

Removing that .sfs in my installation (frugal HDD) ... and it rolls back containers OK.

Thanks for reporting that.

I found a couple of bugs in that script, now fixed.

The problem you reported above, is because EC_SNAP was wrong, had ".sfs" in it, it is just supposed to be the selected rollback date. Fixed that earlier in the script.

Running Firefox-ESR and sound in Pyro container as rover

#667 Post by rufwoof »

EasyOS Pyro 0.9 - firefox-ESR downloaded inside a sakura container, moved the tar file to /usr/lib and extracted it and running /usr/lib/firefox/firefox works fine except no sound as no pulse audio installed

Created a ~/.config/gtk-3.0/settings.ini file with content

Code:

[Settings]
gtk-theme-name=Adwaita
gtk-icon-theme-name=Adwaita
gtk-font-name=Sans 12
gtk-cursor-theme-size=18
gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ
gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=1
gtk-enable-input-feedback-sounds=1
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle=hintslight
gtk-xft-rgba=rgb

primarily just so I can set the size of the menu fonts inside firefox-esr (i.e. Sans 12 works well for me).

downloaded this 64bit apulse from smokey/OscarTalksmain list and as root inside my sakura container I ran petget ./apulse-0.1.11-x86_64.pet to install it. And in ~/.mozilla/firefox/xxxx.default folder (where xxxx is a bunch of characters unique to each profile), created a user.js containing

Code:

// sound fix for alsa through apulse 0.1.10 :
user_pref("security.sandbox.content.write_path_whitelist", "/dev/snd/");

I created that in my rover /home/rover/.mozilla/firefox/lgmgd3o8.default/user.js file - as I use rover to run firefox-esr. Rebooted and fired up the container and running firefox-esr with sound now.

I'm running as rover inside the container and the capsh capping

Code:

capsh --drop=cap_chown,cap_sys_admin,cap_sys_chroot,\
cap_net_admin,cap_net_bind_service,cap_sys_boot,\
cap_sys_module,cap_sys_resource,cap_setpcap,cap_setgid,\
cap_setuid,cap_sys_rawio,cap_mknod,cap_net_raw,\
cap_audit_control,cap_mac_override,cap_mac_admin,\
cap_syslog,cap_audit_read,cap_audit_write,cap_fsetid --keep=1 --user=rover --uid=1003 -- -c /bin/sh --

seems to be OK, still allowing firefox, seamonkey and libreoffice to work as expected - at least to the extent of the things I've tried/used.

Only Office

#668 Post by rufwoof »

Downloaded a portable version of Only Office from here (I opted for the Debian 8, Ubuntu 14.04, 16.04, Centos 7, Redhat 7, Fedora 23, 24, OpenSUSE 42.1, 42.2, etc. choice) as user rover running in a container and extracted the tarball (tar xvf onlyoffice.....tar.gz) in my home folder, cd to desktopeditors and ran ./onlyoffice-desktopeditors.sh and it opens up doc, spreadsheet or presentation choices.

They do charge for collaborative working, but as a single user desktop only ... it's free.

making a sfs of the folder produced a filesize of around 250MB.

Sneekylinux has a video for it

namespaces

#669 Post by rufwoof »

The container creation help text for namespaces is yet unavailable. Here is some filler text for the interim.

Namespaces for Process Isolation

In a single-user computer, a single system environment may be fine. But on a server, where you want to run multiple services, it is essential to security and stability that the services are as isolated from each other as possible.

namespaces allow aspects of the operating system to be independently modified. This includes the process tree, networking interfaces, mount points, inter-process communication resources and more.

Namespaces :

Mount

Creating separate mount namespace has an effect similar to doing a chroot(). chroot() is good, but it does not provide complete isolation, and its effects are restricted to the root mountpoint only. Creating a separate mount namespace allows each of these isolated processes to have a completely different view of the entire system’s mountpoint structure from the original one. This allows you to have a different root for each isolated process, as well as other mountpoints that are specific to those processes. One use of mount namespaces is to create environments that are similar to chroot jails. However, by contrast with the use of the chroot() system call, mount namespaces are a more secure and flexible tool for this task


UTS

Hostname and NIS domain name. In the context of containers, the UTS namespaces feature allows each container to have its own hostname and NIS domain name.


IPC

Isolates certain interprocess communication (IPC) resources. System V IPC, POSIX message queues


Network

Network namespaces make containers useful from a networking perspective. Each container can have its own (virtual) network device and its own applications that bind to the per-namespace port number space


PID

With the introduction of PID namespaces, a single process can now have multiple PIDs associated with it, one for each namespace it falls under.


User

User namespaces isolate the user and group ID number spaces. In other words, a process's user and group IDs can be different inside and outside a user namespace. For instance a process could have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace. This means that the process has full root privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.
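
A way to check which of the six namespaces listed above a containered process really has to itself, added here as an example (not code from the post or from EasyOS): it compares the links under two /proc/<pid>/ns directories, which name the same namespace instance only when the two processes share it. The function names are hypothetical, and the usage line assumes PID 1 stands for the host and that you run it as root outside the container.

```shell
#!/bin/sh
# Added example: compare the namespaces of two processes.
# Each entry of /proc/<pid>/ns is a link such as "mnt:[4026531840]";
# equal link text means both processes are in the same namespace.

# ns_report HOST_NS_DIR CONTAINER_NS_DIR
# Prints one line per namespace: "<name> shared|isolated|unknown".
ns_report() {
    for ns in mnt uts ipc net pid user; do
        a=$(readlink "$1/$ns" 2>/dev/null) || a=""
        b=$(readlink "$2/$ns" 2>/dev/null) || b=""
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$ns unknown"
        elif [ "$a" = "$b" ]; then
            echo "$ns shared"
        else
            echo "$ns isolated"
        fi
    done
}

# require_isolated "mnt pid ..." HOST_NS_DIR CONTAINER_NS_DIR
# Prints the required namespaces that are not isolated and returns 1 if
# there are any; returns 0 (printing nothing) when all are isolated.
require_isolated() {
    report=$(ns_report "$2" "$3")
    missing=""
    for want in $1; do
        if ! printf '%s\n' "$report" | grep -qx "$want isolated"; then
            missing="${missing:+$missing }$want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# Usage on a running system (PID is a process inside the container):
#   require_isolated "mnt uts ipc pid" /proc/1/ns /proc/$PID/ns
```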

Re: Running Firefox-ESR and sound in Pyro container as rover

#670 Post by rufwoof »

rufwoof wrote:EasyOS Pyro 0.9 - firefox-ESR downloaded inside a sakura container....

firefox-esr working fine, however console was showing

Code:

libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: r600

messages on startup. Adding rover to group video gets rid of the messages.

#671 Post by rufwoof »

Along with the capsh parameters I outlined earlier for my sakura container, adding

chmod 700 /root
chmod 000 /usr/sbin
chmod 000 /sbin
chmod 000 /bin/busybox
chmod 700 /bin/chmod

EDIT : I've since changed that last line to
chmod 000 /bin/chmod. So the only way to
reactivate that is to delete /mnt/wkg/containers/sakura/.session/chmod so that the q.sfs level
chmod (and its permissions) show through.


... inside the container and rover can still run firefox-esr, whilst being restricted (can't su/sudo ....etc and severely restricted by the likes of the above file permissions).

If stacked q.sfs at the bottom, the above in another sfs stacked on top of that (ro), and if the topmost rw stack level (folder in EasyOS) could somehow be aufs mounted exclusive or style, such as no .wh files - so only new files/changes could be added/delete, no changes (such as overwriting permissions) on existing files at the top level, then the containered program would be extremely limited in what it could do, which could be a root user authority, but where in effect it was a totally knackered root system, whilst functional in that it was still able to run a program such as firefox-esr; And where still being 'root' would mitigate file permission issues when copying/moving/accessing files between the non containered and containered levels.

That is however still similar to seccomp/pledge - specific to each thing that was being containered. i.e. whilst the above might be appropriate for a browser, if you were containering another task/process/program then the 'rules' might be-desired/have-to be different. Whilst those security 'rules' sfs stacked on top of q.sfs might individually be relatively light (small in byte size), in collective numbers (one for leafpad container, another for geany container ....etc) 'rules'.sfs's could sum up to a large number/collective byte size (and of course effort in creating/testing each of those). For Puppy like single user/root purposes however, perhaps the number of containers might be limited i.e. primarily just for internet facing type security purposes (container for firefox, another for seamonkey (that could very well be near identical or even the same one as firefox ....etc.). Or a more generic choice(s) might suffice, for instance not only can I operate firefox-esr in my sakura container with the above file permissions, but it can also run swriter, scalc, seamonkey ...etc. So the security rules sfs middle layer could be a generic choice, such as the above, perhaps with another sfs replacing or stacked on top of that if there was a specific need for greater refinement for a particular situation/task/program.

Main question is can aufs mounting be arranged (or some other mechanism) such that there are no .wh files, nor being permitted to allow changes in the permissions/content of existing files that show through from lower layers? If so then such a container-security-rules.sfs stacking (or whatever) on top of the main q.sfs could be viable. Something like a monitoring process along the lines of

Code:

# match aufs whiteout names (.wh.<name>) literally rather than as a regex
inotifywait -mr --timefmt '%H:%M' --format '%T %w %e %f' /mnt/sda2/easy/easy-0.9/.session | grep -F '.wh.'

i.e. monitoring for all .wh file transitions in the .session folder (recursively) along with appropriate action processing ... seems somewhat heavy handed.

EDIT : wondering about something like :

Code:

# We currently have now something like :
#
#     /q_sfs: read only
#     /.session: read/write (disk folder)
#     /.work: the overlay of /q_sfs and /.session
#
# Add to that ...

mkdir -p /.tmpfs

#     /.tmpfs: that we'll make read only once loaded
#
# Inside /.tmpfs, we create those dirs we don't want to preserve:

mkdir -p /.tmpfs/{bin,sbin,etc}
# ....etc i.e. I'm keeping this brief but basically just preserve say /home
# so all other root level folders created here

# and then make it ro so no changes can occur

chmod -wx /.tmpfs

# We do one aufs mount per directory that shouldn't be preserved:

mount -t aufs -o dirs=/.tmpfs/bin=ro:/.session/bin=ro none /.work/bin
mount -t aufs -o dirs=/.tmpfs/sbin=ro:/.session/sbin=ro none /.work/sbin
mount -t aufs -o dirs=/.tmpfs/etc=ro:/.session/etc=ro none /.work/etc
# ... etc for all other root level folders except for /home

# We now have a directory tree in /.work where you can write files everywhere,
# but when you write into /etc for example, it will attempt to be written into
# /.tmpfs/etc, which is ro, and so won't be recorded. Other files in /home for
# example are written to /.session/home, which is a read-writeable filesystem
# and therefore survives/persist.
Last edited by rufwoof on Sun 29 Apr 2018, 19:05, edited 3 times in total.
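
A one-shot alternative to the inotifywait watcher in the post above, added here as an example (not rufwoof's or EasyOS code): it walks the read/write layer once and reports whiteouts plus any lower-layer file whose permissions or content have been overridden, which are the changes the post wants to rule out. It assumes aufs whiteout naming (`.wh.<name>`, `.wh..wh..opq` for opaque directories), that the read-only layer is mounted at a directory, and a `stat` that accepts `-c` (GNU or busybox); the function name and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit an aufs read/write branch against the read-only
# branch beneath it.  Usage: audit_rw_layer LOWER_DIR UPPER_DIR
# Output lines:
#   WHITEOUT path     upper layer hides (deletes) a lower-layer path
#   OPAQUE dir        upper directory hides everything under it in lower
#   MODE path a->b    permissions of an existing path were changed
#   CONTENT path      an existing regular file was overwritten (also
#                     printed when a copy cannot be read for comparison)
# Paths that exist only in the upper layer (new files) are not reported.

audit_rw_layer() {
    lower=$1
    upper=$2
    # Prune aufs' own bookkeeping entries (.wh..wh.aufs, .wh..wh.orph,
    # .wh..wh.plnk) but keep the opaque-directory marker.
    ( cd "$upper" && find . \
        \( -name '.wh..wh.*' ! -name '.wh..wh..opq' -prune \) \
        -o ! -name . -print ) |
    LC_ALL=C sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        base=${rel##*/}
        dir=${rel%"$base"}          # "" or "some/dir/"
        case "$base" in
            .wh..wh..opq)
                d=${dir%/}
                echo "OPAQUE ${d:-.}"
                continue ;;
            .wh.*)
                echo "WHITEOUT $dir${base#.wh.}"
                continue ;;
        esac
        l=$lower/$rel
        u=$upper/$rel
        # Only in the upper layer: a new file, nothing to compare against.
        if [ ! -e "$l" ] && [ ! -L "$l" ]; then
            continue
        fi
        lm=$(stat -c %a "$l")
        um=$(stat -c %a "$u")
        if [ "$lm" != "$um" ]; then
            echo "MODE $rel $lm->$um"
        fi
        if [ -f "$l" ] && [ -f "$u" ] && [ ! -L "$l" ] && [ ! -L "$u" ]; then
            if ! cmp -s "$l" "$u"; then
                echo "CONTENT $rel"
            fi
        fi
    done
    return 0
}

# Usage (hypothetical mount point for q.sfs, run from the host as root):
#   audit_rw_layer /mnt/q_sfs_ro /mnt/wkg/containers/sakura/.session
```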

#672 Post by rufwoof »

BarryK wrote:I want it to end up very simple to use, and that problem with dragging files owned by root to a rover-container, was something that I wanted to avoid. But, it might be possible to hack Rox and have a popup, or even an automatic ownership conversion.

It would also be possible to use inotify to watch files in a container, or at least certain folders, and automatically fix any ownership/permission problem.

...Just thinking off the top of my head.

Increasingly it's become common practice to disable root. Another userid can after all be elevated to the equivalent of root privileges and used instead. I guess having a 'root' user but under a different name (userid) and root userid being disabled adds additional security (have to know both the userid and password, not just the password). Provided the same userid is used for both the main system and inside containers, but with different abilities for both (highly restricted inside containers, but pretty much standard root equivalent in the main system), then file permissions for copying ...etc. between both the main system and container remains 'transparent' (but where perhaps being restricted for that user to copy in one direction only i.e. main to container direction).

That could also alleviate some of the 'Puppy runs as root' type alienation (best not call that userid 'admin' or suchlike either due to those common fears).

File ownership when copying from container to main

#673 Post by rufwoof »

I want it to end up very simple to use, and that problem with dragging files owned by root to a rover-container, was something that I wanted to avoid. But, it might be possible to hack Rox and have a popup, or even an automatic ownership conversion

As part of my sakura container I'm thinking of disabling /usr/local/bin/rox in that, so the only rox choice is to open rox in the main session (outside of the container). That opens /mnt/wkg/containers/sakura/container/home/rover (or whatever) i.e. as though it were a rox inside the container.

Along with modifying copy (cp) and move (mv) commands to test for rover:netshare owner/group on files/folders and if copying from within the container to outside the container or not, and if inside to outside then copy (or move) the files/folders, but change the owner/group as part of that i.e. use rsync ... something like

Code:

rsync \
  --remove-source-files \
  --chown=root:root \
    /mnt/wkg/containers/sakura/container/.... /home/....

for moving (and similar but without the remove-source-files switch for copying).

As rover is extremely limited in functionality/permissions could even be similar going the other way, outside to inside container and change the permissions to rover:netshare

htop

#674 Post by rufwoof »

Couldn't get htop 2.2 to compile however 1.0 compiled/installed and runs OK

Download Pyro DevX.sfs using sfsget desktop icon and set it to load at startup in bootmanager (Menu, System, Bootmanager) and reboot.

Download the 1.0 version of htop source code from http://hisham.hm/htop/releases/

Extract it using tar xvf htop-1.0.tar.gz

cd htop-1.0 and run

./configure
make
make install

Or just use the following/attached binary
Attachments:
htop.gz: gzip -d htop.gz and move htop to /usr/local/bin and make it executable

Firefox Quantum 59.02 in a container

#675 Post by rufwoof »

Firefox Quantum 59.02 running fine, including sound (even when sandbox level 3 is activated in about:config), within a sakura container running as rover and with the containers root userid knackered (pretty much useless). http://www.murga-linux.com/puppy/viewto ... 210#990210

Ran it using Oscar's apulse i.e. cd to where the firefox executable is and run

Code:

./apulse ./firefox

Re: namespaces

#676 Post by BarryK »

rufwoof wrote:The container creation help text for namespaces is yet unavailable. Here is some filler text for the interim.

A heads-up about easy-containers.

I have extensively enhanced it. Now has checkboxes for Linux Capabilities, and a lot of help -- help buttons placed in each section.

The next Easy is on the way, maybe 4-5 days away.

#677 Post by BarryK »

scsijon wrote:Do I need another driver or something for a Blu-ray drive (LG M-disc BH16NS55) with Pyro64 0.9? It's only working as a basic CD Drive at present.

Is that when you are using a multimedia player? Xine-ui or Gnome-MPV?

The build in OpenEmbedded was missing libbluray. I have now remedied that, and in a couple of days plan to do a complete recompile in OE, so will have a new set of binary packages for building EasyOS in woofQ.

wiak
Posts: 2040
Joined: Tue 11 Dec 2007, 05:12
Location: not Bulgaria

#678 Post by wiak »

Haven't tried this out yet, but will test the next release.

wiak

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#679 Post by foxpup »

rufwoof wrote:I've also frugal installed Xerus 0.6.8. Having trouble with the graphics. Since much of video management has been migrated into kernels so pretty graphics can be displayed during bootup or whatever, more usually that finishes early in the boot phase. Mostly on my boots I have large/normal sized boot text that usually quite quickly switches over to being small text ... way before X startup starts to run. So X-Org configuration in effect runs later and replaces the kernel X configuration. In EasyOS Xerus however there's such a lag between my boot text switching over to smaller text that X has already started. For a second or two I see a nice EasyOS desktop, and then zap its all corrupted/unusable as the kernel X overrides Xorg.

The only solution I seem to be able to use is to add q-fix=nox as a menu.lst kernel boot parameter, which gives enough time for the kernel X to have done its thing before I xwin and X-org kicks in.

EDIT :

I've added

Code:

COLS=`tput cols`
STALLED=0
while [ $COLS -lt 100 ]; do
   sleep 0.1
   COLS=`tput cols`
   STALLED=1
done
if [ $STALLED = 1 ]; then
   sleep 1 # give extra time to settle
fi

near the top of /usr/bin/xwin
right after the

Code:

export TEXTDOMAIN=xwin
export OUTPUT_CHARSET=UTF-8
. gettext.sh

part.

So I no longer have to boot with qfix=nox.

Fixes things in my case, but not generic i.e. my boot process transitions from 80 column console text initially over to 180 columns once the kernel graphics mode has kicked in. The above code just defers running the rest of xorg (xwin) until after that 180 column kernel graphics mode is at least up/running.

Hello rufwoof
At last some good explanation/understanding of what happens! :)
On my dualcore with nvidia graphic card I cannot run any EasyOS without the stop on the command prompt (nox), except now with 0.9 I can go straight to X on vesa.
I wondered if it would help to use the nvidia proprietary driver. I am running into troubles compiling it though: it is the 304 driver (old) on the very recent kernel from Easy.

#680 Post by rufwoof »

foxpup wrote:I wondered if it would help to use the nvidia proprietary driver. I am running into troubles compiling it though: it is the 304 driver (old) on the very recent kernel from Easy.

I removed my nvidia which was also 304 as I also dual boot OpenBSD (that I also use for our home server) and the onboard Radeon/ATI works better with that. Have no desire to purchase either Intel or Nvidia in future. Don't miss having to compile nvidia as it always seemed a bit of a chore/awkward.
