Running testing/unstable applications in Debian stable

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Running testing/unstable applications in Debian stable

#1 Post by Head_on_a_Stick »

As we already know, adding testing/unstable repositories to a Debian stable system is unwise.
https://wiki.debian.org/DontBreakDebian ... nkenDebian

However, those who have elected to run systemd as their init system can take advantage of its inbuilt namespace isolation scheme, systemd-nspawn, to run a Debian sid system in a lightweight, simple container within the stable system.

To set this up, first install the necessary packages:

```
# apt install debootstrap systemd-container
```

Next create the necessary directories for machinectl(1):

```
# mkdir -p /var/lib/container/sid
```

`btrfs subvolume create` could be used instead for the sid system root directory.

Then install a basic sid system there:

```
# debootstrap sid /var/lib/container/sid https://deb.debian.org/debian
```

Now start a root shell in the container:

```
# systemd-nspawn --directory=/var/lib/container/sid
```

From there, add a new user:

```
# adduser $user
```

Replace $user with the desired username; make sure that this (along with the UID & GID) matches the username for the "host" Debian stable system.

Now install sudo and add the user to that group:

```
apt install sudo
gpasswd -a $user sudo
```

The shell can then be closed by holding down <Ctrl> and pressing the "]" key three times in quick succession (or by running `poweroff`).

Once this is done, log in to the system as the normal user with:

```
# systemd-nspawn --boot --directory=/var/lib/container/sid
```

From there, the desired package(s) can be installed safely without disturbing the stable host.
:)

To run a program from the container, simply set $DISPLAY explicitly; for example, to run `foobar`:

```
DISPLAY=:0 foobar
```

The container can be started automatically at boot with:

```
# systemctl enable systemd-nspawn@sid.service
```

Once the container is running, $application can be started with this general format:

```
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user $application
```

Here is a usage example for running Mandelbulber2:
https://forums.bunsenlabs.org/viewtopic ... 230#p34230

Further parameters may be needed depending on the application; consult systemd-nspawn(1).

For users who elect not to run systemd as their init system, see this guide by @fsmithred:
http://forums.debian.net/viewtopic.php?p=622055#p622055
Last edited by Head_on_a_Stick on 2016-08-10 07:28, edited 1 time in total.
deadbang
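
The guide above asks for the container user's UID and GID to match the host user's; that can be checked from the host before booting the container. This is an added example, not part of the original post; `passwd_ids` and `check_id_match` are hypothetical helper names and the passwd entries in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. check_id_match and passwd_ids are
# hypothetical helper names; the passwd entries in the demo are constructed.

# Print "uid:gid" for user $2 from passwd-format file $1 (empty if absent).
passwd_ids() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; exit }' "$1"
}

# Compare user $3 in host passwd $1 against container passwd $2.
# Returns 0 on match, 1 on UID/GID mismatch, 2 if missing on either side.
check_id_match() {
    host_ids=$(passwd_ids "$1" "$3")
    cont_ids=$(passwd_ids "$2" "$3")
    if [ -z "$host_ids" ] || [ -z "$cont_ids" ]; then
        echo "$3: missing (host='$host_ids' container='$cont_ids')"
        return 2
    fi
    if [ "$host_ids" != "$cont_ids" ]; then
        echo "$3: mismatch (host=$host_ids container=$cont_ids)"
        return 1
    fi
    echo "$3: match ($host_ids)"
}

# Demo on constructed files. On a real system the arguments would be
# /etc/passwd and /var/lib/container/sid/etc/passwd (the path from the guide).
demo=$(mktemp -d)
printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' > "$demo/host"
printf 'alice:x:1001:1001::/home/alice:/bin/bash\n' > "$demo/sid"
check_id_match "$demo/host" "$demo/sid" alice || true   # reports a mismatch
rm -rf "$demo"
```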

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Running testing/unstable applications in Debian stable

#2 Post by dasein »

Even though I'm not a huge fan of stickies, someone with a Green Hammer or above really ought to sticky this, IMO.

JLloyd13
Posts: 394
Joined: 2012-06-29 04:08
Location: Halifax NS Canada

Re: Running testing/unstable applications in Debian stable

#3 Post by JLloyd13 »

Excellent! I second the call for a sticky
Laptop: Debian GNU/Linux 9 'Stretch' 64bit
Read: https://wiki.debian.org/DontBreakDebian/
We are the Universal OS. Be patient, give help, teach the Debian way.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Running testing/unstable applications in Debian stable

#4 Post by dilberts_left_nut »

Another wish granted ... (only one left :D)

Been meaning to look into systemd-nspawn, cheers HOAS!
AdrianTM wrote:There's no hacker in my grandma...

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Running testing/unstable applications in Debian stable

#5 Post by stevepusser »

A nice trick for unbackportable applications!

But I took a look at mandelbulber2 from upstream, and it turns out that all the libgsl contortions can be avoided by building it against the stock libgsl0-dev in Jessie, either by replacing libgsl-dev with that in the Build-Depends in debian/control, or adding it as an alternate B-D:

```
libgsl-dev | libgsl0-dev,
```

The program builds and runs, even though the Qt 5 interface comes out as the fugly win95 Raleigh-type interface, when the rest of my Qt 5 apps are respecting my GTK theme in xfce.

Edit: weirdly, it looks OK when started from the menu; it has the funky old look only when I start it from the command line, as I did when first testing it to look for any messages or errors.
MX Linux packager and developer

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#6 Post by Head_on_a_Stick »

stevepusser wrote:The program builds and runs, even though the Qt 5 interface comes out as the fugly win95 Raleigh-type interface, when the rest of my Qt 5 apps are respecting my GTK theme in xfce.
Yes, that happened when I built it manually under Arch :?

Thanks for the information!
:)

I feel I should note that this method is *inherently insecure* and should not be used with untrusted applications.

For such programs, an unprivileged container using LXC would be the way to go:
https://www.stgraber.org/2014/01/17/lxc ... ontainers/
deadbang

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Running testing/unstable applications in Debian stable

#7 Post by golinux »

Head_on_a_Stick wrote:However, those who have elected to run systemd as their init system can take advantage of its inbuilt namespace isolation scheme, systemd-nspawn, to run a Debian sid system in a lightweight, simple container within the stable system.
FYI . . . an interesting discussion of systemd-nspawn in relation to the world of virtualization. The punch line:
But for a whole package, use lxc. It will configure all of the above for
you. systemd-nspawn is merely a NIH copy of it.
May the FORK be with you!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#8 Post by Head_on_a_Stick »

golinux wrote:FYI
Yes indeed, very interesting -- thanks :)
But for a whole package, use lxc. systemd-nspawn is merely a NIH copy of it.
I would agree with the general point that systemd-nspawn is not a complete container solution and lacks a lot of the features of LXC (as intimated in my post immediately above yours) but for me the main advantage of systemd-nspawn is its simplicity and the automatic integration of the host network (although this can be disabled) with no need for bridges or any of that nonsense.

In respect of the "NIH" comment, I would note that systemd-nspawn is primarily intended for debugging and testing and also that I would prefer to use the systemd-supplied components (systemd-boot, systemd-networkd, systemd-resolved, etc) wherever available as I believe this offers a more cohesive, UNIX-like working environment.
:mrgreen:
deadbang

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Running testing/unstable applications in Debian stable

#9 Post by golinux »

Yes, I did see your post above mine. As to your last para conclusion . . . that would depend on your definition of a "UNIX-like working environment" which many argue that systemd is NOT and in fact flies in the face of! ;)
May the FORK be with you!

JLloyd13
Posts: 394
Joined: 2012-06-29 04:08
Location: Halifax NS Canada

Re: Running testing/unstable applications in Debian stable

#10 Post by JLloyd13 »

golinux wrote:Yes, I did see your post above mine. As to your last para conclusion . . . that would depend on your definition of a "UNIX-like working environment" which many argue that systemd is NOT and in fact flies in the face of! ;)
The OP made it very clear this is simply a guide for an option for those who chose to use systemd as their init system. Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.
Laptop: Debian GNU/Linux 9 'Stretch' 64bit
Read: https://wiki.debian.org/DontBreakDebian/
We are the Universal OS. Be patient, give help, teach the Debian way.

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Running testing/unstable applications in Debian stable

#11 Post by golinux »

JLloyd13 wrote:Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.
Really? Everyone? Unlikely. So I think it's always a good idea to present a differing opinion. Otherwise 'opinion' can easily turn into fact and the rewriting of history becomes a fait accompli.
May the FORK be with you!

JLloyd13
Posts: 394
Joined: 2012-06-29 04:08
Location: Halifax NS Canada

Re: Running testing/unstable applications in Debian stable

#12 Post by JLloyd13 »

golinux wrote:
JLloyd13 wrote:Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.
Really? Everyone? Unlikely. So I think it's always a good idea to present a differing opinion. Otherwise 'opinion' can easily turn into fact and the rewriting of history becomes a fait accompli.
"Everyone" is a poor word choice, which is my bad, but on this forum I think at least most users are well aware of the controversy. My point is this isn't the place to continue to debate systemd. Maybe a moderator would disagree, but I think your comments are both nonconstructive and off topic. If you wanted to do something that is actually constructive, you could perhaps create a systemd-less guide yourself as an alternative.
Laptop: Debian GNU/Linux 9 'Stretch' 64bit
Read: https://wiki.debian.org/DontBreakDebian/
We are the Universal OS. Be patient, give help, teach the Debian way.

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Running testing/unstable applications in Debian stable

#13 Post by fsmithred »

Here's an alternate way to do the same thing without systemd-nspawn:

Do the debootstrap install and create a user as described above. (Note: in this case, the user does not need to be the same as the user on the host system. Edit: Looks like the uid and gid do need to be the same, but the name can be different.)
Set a root password. (You could probably set up sudo as described above, but I've never done that.)

Instead of a debootstrap install, you could use an existing installation on another partition. If so, mount that partition somewhere. For the purpose of this guide, $chrootdir is either the mount point of that other system, or it's the directory where you debootstrapped sid. (i.e. /var/lib/container/sid in the OP.)

Mount some stuff:

```
mount --bind /sys $chrootdir/sys
mount --bind /proc $chrootdir/proc
mount --bind /dev $chrootdir/dev
mount --bind /dev/pts $chrootdir/dev/pts
```

Then go into the chroot:

```
chroot $chrootdir
```

You now have a root shell in the chrooted system (sid). You can run commands as root or 'su $user' to run commands or graphical applications as user.

To run a window manager, you can install the xserver-xephyr package in the chroot. I'll use icewm here for example.*

```
apt-get install xserver-xephyr icewm
```

Switch to unprivileged user and start Xephyr and icewm:

```
su $user
Xephyr :1 -screen 1024x768 -resizeable & sleep 2 ; icewm --display=:1
```

Have fun!

* I know icewm and jwm work. I couldn't get xfce4 to run, and I didn't see how to set the display number with openbox in the five seconds I looked at the man page.
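
The bind mounts made in the post above stay in place after leaving the chroot, and deleting $chrootdir while /dev or /proc is still bound into it acts on the host's own files. The following added example (not part of the original post) lists what is still mounted under a chroot directory, deepest path first, so it can be unmounted in that order; `chroot_mounts` and `chroot_is_clean` are hypothetical helper names and the mount table is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. chroot_mounts is a hypothetical
# helper name; the mount table in the demo is constructed.

# Print every mount point at or below directory $2 listed in mounts file $1
# (same format as /proc/mounts), deepest path first, which is the order in
# which they must be unmounted.
chroot_mounts() {
    awk -v root="${2%/}" '
        $2 == root || index($2, root "/") == 1 { print $2 }
    ' "$1" | LC_ALL=C sort -r
}

# Return 0 only when nothing is mounted at or below $2 any more.
chroot_is_clean() {
    [ -z "$(chroot_mounts "$1" "$2")" ]
}

# Demo on a constructed table; on a real system use /proc/mounts and pass
# each printed path to umount before deleting or reusing the directory.
demo=$(mktemp)
cat > "$demo" <<'EOF'
sysfs /srv/sid/sys sysfs rw 0 0
proc /srv/sid/proc proc rw 0 0
udev /srv/sid/dev devtmpfs rw 0 0
devpts /srv/sid/dev/pts devpts rw 0 0
udev /srv/sid2/dev devtmpfs rw 0 0
EOF
chroot_mounts "$demo" /srv/sid
rm -f "$demo"
```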

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#14 Post by Head_on_a_Stick »

^ That's brilliant, thanks fsmithred!
:)

I have added a link to your post in the OP.
deadbang

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#15 Post by Head_on_a_Stick »

Head_on_a_Stick wrote:Once the container is running, $application can be started with this general format:

```
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user $application
```

For use with untrusted programs, try this command instead:

```
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user --drop-capabilities=CAP_SYS_ADMIN $application
```

This drops CAP_SYS_ADMIN within the container and should increase security significantly.

Thanks to Mr. Poettering for that tip:
https://lists.freedesktop.org/archives/ ... 28140.html

:D
deadbang
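
Whether `--drop-capabilities=CAP_SYS_ADMIN` took effect can be confirmed from inside the container by decoding the capability bounding set, which limits what any process there can hold, including one that later becomes root through sudo. This is an added example, not part of the original post; `cap_in_mask` and `risky_caps` are hypothetical helper names and the CapBnd masks are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. cap_in_mask and risky_caps are
# hypothetical helper names; the CapBnd masks in the demo are constructed.

# Return 0 if capability number $2 is set in hex mask $1, the format used by
# the CapBnd/CapEff lines of /proc/<pid>/status.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print the high-impact capabilities still in the bounding set recorded in
# status file $1. Bit numbers are those defined in <linux/capability.h>.
risky_caps() {
    mask=$(awk '$1 == "CapBnd:" { print $2 }' "$1")
    [ -n "$mask" ] || return 2      # no CapBnd line: not a status file
    found=""
    for entry in 12:CAP_NET_ADMIN 16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO \
                 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN; do
        if cap_in_mask "$mask" "${entry%%:*}"; then
            found="$found ${entry#*:}"
        fi
    done
    echo "${found# }"
}

# Demo on constructed status files; inside the container the argument would
# be /proc/self/status.
demo=$(mktemp -d)
printf 'Name:\tsh\nCapBnd:\t00000000002800ff\n' > "$demo/present"
printf 'Name:\tsh\nCapBnd:\t00000000000800ff\n' > "$demo/dropped"
echo "CAP_SYS_ADMIN present: $(risky_caps "$demo/present")"
echo "CAP_SYS_ADMIN dropped: $(risky_caps "$demo/dropped")"
rm -rf "$demo"
```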

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Running testing/unstable applications in Debian stable

#16 Post by fsmithred »

Oh, that's pretty cool. I didn't know about capabilities. Nice that they added an option to use it with systemd-nspawn.

This is probably not equivalent, but similar -

In the chroot, install firejail, then run (as user)

```
firejail --seccomp Xephyr :1 -screen 1024x768 -resizeable & sleep 2 ; icewm --display=:1
```

I'm really hoping someone will come along and explain how to use lxc in a few easy steps, so I don't have to figure it out.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#17 Post by Head_on_a_Stick »

fsmithred wrote:explain how to use lxc in a few easy steps
Unfortunately, LXC is a complex beastie :?

The Debian wiki guide is pretty good:
https://wiki.debian.org/LXC

However, it lacks instructions for use on a laptop with a wireless connection; for that, see the ArchWiki:
https://wiki.archlinux.org/index.php/Li ... ss_network

My favorite LXC guides are this series:
https://www.stgraber.org/2013/12/20/lxc ... st-series/

These include the unprivileged container guide I linked to above and a section on running X applications from an LXC container.
deadbang

Danielsan
Posts: 659
Joined: 2010-10-10 22:36
Has thanked: 5 times

Re: Running testing/unstable applications in Debian stable

#18 Post by Danielsan »

Hi guys, this topic is supercool. I am one of those systemd haters :mrgreen: anyway we must use it until Debian decides to change for something else (Shepherd init?).

I found these two links from the DebConf; I hope they can be useful for you:

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Running testing/unstable applications in Debian stable

#19 Post by bester69 »

Head,
Installing kodi (sid), I've got this error; any idea how I can fix it? :?

I followed:

```
debootstrap sid /var/lib/container/sid http://httpredir.debian.org/debian
systemd-nspawn --boot --directory=/var/lib/container/sid
DISPLAY=:0 kodi
libGL error: failed to open drm device: No such file or directory
libGL error: failed to load driver: i965
libEGL warning: DRI2: could not open /dev/dri/card0 (No such file or directory)
Terminated
```

bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Running testing/unstable applications in Debian stable

#20 Post by Head_on_a_Stick »

bester69 wrote:I've got this error, any idea how I can fix it?
You need to add some extra flags to systemd-nspawn to allow hardware acceleration in the container.

This guide explains how:

https://maci0.wordpress.com/2014/05/02/ ... idgin-vlc/
deadbang
