Running testing/unstable applications in Debian stable

Post by Head_on_a_Stick » 2016-08-06 23:37

As we already know, adding testing/unstable repositories to a Debian stable system is unwise.
https://wiki.debian.org/DontBreakDebian ... nkenDebian

However, those who have elected to run systemd as their init system can take advantage of its inbuilt namespace isolation scheme, systemd-nspawn, to run a Debian sid system in a lightweight, simple container within the stable system.

To set this up, first create the necessary directories for machinectl(1):
Code: Select all
# mkdir -p /var/lib/container/sid

`btrfs subvolume create` could be used instead for the sid system root directory.

Then install a basic sid system there:
Code: Select all
# debootstrap sid /var/lib/container/sid http://httpredir.debian.org/debian

https://packages.debian.org/jessie/debootstrap

Now start a root shell in the container:
Code: Select all
# systemd-nspawn --directory=/var/lib/container/sid

From there, add a new user:
Code: Select all
# adduser $user

Replace $user with the desired username; make sure that this (along with the UID & GID) matches the username for the "host" Debian stable system.

Now install sudo and add the user to that group:
Code: Select all
apt install sudo
gpasswd -a $user sudo

The shell can then be closed by holding down <Ctrl> and pressing the "]" key three times in quick succession (or by running `poweroff`).

Once this is done, log in to the system as the normal user with:
Code: Select all
# systemd-nspawn --boot --directory=/var/lib/container/sid

From there, the desired package(s) can be installed safely without disturbing the stable host.
:)

To run a program from the container, simply set $DISPLAY explicitly; for example, to run `foobar`:
Code: Select all
DISPLAY=:0 foobar

The container can be started automatically at boot with:
Code: Select all
# systemctl enable systemd-nspawn@sid.service


Once the container is running, $application can be started with this general format:
Code: Select all
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user $application

Here is a usage example for running Mandelbulber2:
https://forums.bunsenlabs.org/viewtopic ... 230#p34230

Further parameters may be needed depending on the application; consult systemd-nspawn(1).

For users who elect not to run systemd as their init system, see this guide by @fsmithred:
viewtopic.php?p=622055#p622055
Last edited by Head_on_a_Stick on 2016-08-10 07:28, edited 1 time in total.
"Are you quite sure that all those bells and whistles, all those wonderful facilities of your so called powerful programming languages, belong to the solution set rather than the problem set?" — Edsger W. Dijkstra
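
The howto above asks for the container user's UID and GID to match the host user's. The following check is an added example, not part of the original post; the function names and the sample passwd data are made up for illustration. On a real system it would be called as `check_ids /etc/passwd /var/lib/container/sid $user`.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a user has the
# same UID and GID on the host and inside the container root.

# passwd_ids FILE USER -> prints "UID:GID"; non-zero exit if USER is absent.
passwd_ids() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; found = 1; exit }
                       END { exit !found }' "$1"
}

# check_ids HOST_PASSWD CONTAINER_ROOT USER
# Returns 0 on a match, 1 on a UID/GID mismatch, 2 if the user is missing.
check_ids() {
    host=$(passwd_ids "$1" "$3") || { echo "$3: not in $1" >&2; return 2; }
    cont=$(passwd_ids "$2/etc/passwd" "$3") ||
        { echo "$3: not in $2/etc/passwd" >&2; return 2; }
    if [ "$host" = "$cont" ]; then
        echo "$3: UID:GID $host matches"
        return 0
    fi
    echo "$3: host has $host, container has $cont" >&2
    return 1
}

# Demo on constructed data: "alice" was created in the container after
# another account had already taken UID 1000 there.
demo=$(mktemp -d)
mkdir -p "$demo/sid/etc"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'alice:x:1000:1000:,,,:/home/alice:/bin/bash' > "$demo/host_passwd"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'build:x:1000:1000:,,,:/home/build:/bin/bash' \
              'alice:x:1001:1001:,,,:/home/alice:/bin/bash' > "$demo/sid/etc/passwd"
check_ids "$demo/host_passwd" "$demo/sid" alice ||
    echo "IDs differ: recreate the user in the container with matching IDs"
rm -rf "$demo"
```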

Re: Running testing/unstable applications in Debian stable

Post by dasein » 2016-08-07 00:43

Even though I'm not a huge fan of stickys, someone with a Green Hammer or above really ought to sticky this, IMO.

Re: Running testing/unstable applications in Debian stable

Post by JLloyd13 » 2016-08-07 01:23

Excellent! I second the call for a sticky
Laptop: Debian GNU/Linux 9 'Stretch' 64bit
Read: https://wiki.debian.org/DontBreakDebian/
We are the Universal OS. Be patient, give help, teach the Debian way.

Re: Running testing/unstable applications in Debian stable

Post by dilberts_left_nut » 2016-08-07 01:36

Another wish granted ... (only one left :D)

Been meaning to look into systemd-nspawn, cheers HOAS!
AdrianTM wrote:There's no hacker in my grandma...

Re: Running testing/unstable applications in Debian stable

Post by stevepusser » 2016-08-07 23:42

A nice trick for unbackportable applications!

But I took a look at mandelbulber2 from upstream, and it turns out that all the libgsl contortions can be avoided by building it against the stock libgsl0-dev in Jessie, either by replacing libgsl-dev with that in the Build-Depends in debian/control, or adding it as an alternate B-D:
Code: Select all
libgsl-dev | libgsl0-dev,


The program builds and runs, even though the Qt 5 interface comes out as the fugly win95 Raleigh-type interface, when the rest of my Qt 5 apps are respecting my GTK theme in xfce.

Edit: weirdly, it looks OK when started from the menu; it has the funky old look only when I start it from the command line, as I did when first testing it to look for any messages or errors.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: AzPainter 2.1.0, Pale Moon 27.5.0, Liquorix kernel 4.12-10, mpv 0.27.0, Kodi 17.3, 0ad 0.0.22, Mesa 13.0.6

Re: Running testing/unstable applications in Debian stable

Post by Head_on_a_Stick » 2016-08-08 07:55

stevepusser wrote:The program builds and runs, even though the Qt 5 interface comes out as the fugly win95 Raleigh-type interface, when the rest of my Qt 5 apps are respecting my GTK theme in xfce.

Yes, that happened when I built it manually under Arch :?

Thanks for the information!
:)

I feel I should note that this method is *inherently insecure* and should not be used with untrusted applications.

For such programs, an unprivileged container using LXC would be the way to go:
https://www.stgraber.org/2014/01/17/lxc ... ontainers/

Re: Running testing/unstable applications in Debian stable

Post by golinux » 2016-08-08 15:15

Head_on_a_Stick wrote:However, those who have elected to run systemd as their init system can take advantage of its inbuilt namespace isolation scheme, systemd-nspawn, to run a Debian sid system in a lightweight, simple container within the stable system.
FYI . . . an interesting discussion of systemd-nspawn in relation to the world of virtualization. The punch line:

But for a whole package, use lxc. It will configure all of the above for
you. systemd-nspawn is merely a NIH copy of it.
May the FORK be with you!

Re: Running testing/unstable applications in Debian stable

Post by Head_on_a_Stick » 2016-08-08 20:34

golinux wrote:FYI

Yes indeed, very interesting -- thanks :)

But for a whole package, use lxc. systemd-nspawn is merely a NIH copy of it.

I would agree with the general point that systemd-nspawn is not a complete container solution and lacks a lot of the features of LXC (as intimated in my post immediately above yours) but for me the main advantage of systemd-nspawn is its simplicity and the automatic integration of the host network (although this can be disabled) with no need for bridges or any of that nonsense.

In respect of the "NIH" comment, I would note that systemd-nspawn is primarily intended for debugging and testing and also that I would prefer to use the systemd-supplied components (systemd-boot, systemd-networkd, systemd-resolved, etc) wherever available as I believe this offers a more cohesive, UNIX-like working environment.
:mrgreen:

Re: Running testing/unstable applications in Debian stable

Post by golinux » 2016-08-08 21:53

Yes, I did see your post above mine. As to your last para conclusion . . . that would depend on your definition of a "UNIX-like working environment" which many argue that systemd is NOT and in fact flies in the face of! ;)

Re: Running testing/unstable applications in Debian stable

Post by JLloyd13 » 2016-08-08 22:43

golinux wrote:Yes, I did see your post above mine. As to your last para conclusion . . . that would depend on your definition of a "UNIX-like working environment" which many argue that systemd is NOT and in fact flies in the face of! ;)


The OP made it very clear this is simply a guide for an option for those who chose to use systemd as their init system. Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.

Re: Running testing/unstable applications in Debian stable

Post by golinux » 2016-08-09 01:33

JLloyd13 wrote:Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.
Really? Everyone? Unlikely. So I think it's always a good idea to present a differing opinion. Otherwise 'opinion' can easily turn into fact and the rewriting of history becomes a fait accompli.

Re: Running testing/unstable applications in Debian stable

Post by JLloyd13 » 2016-08-09 01:51

golinux wrote:
JLloyd13 wrote:Everyone is well aware of the systemd vs Unix arguments and we don't need to rehash them in a howto.
Really? Everyone? Unlikely. So I think it's always a good idea to present a differing opinion. Otherwise 'opinion' can easily turn into fact and the rewriting of history becomes a fait accompli.


Everyone is a poor word choice, which is my bad, but on this forum I think at least most users are well aware of the controversy. My point is this isn't the place to continue to debate systemd. Maybe a moderator would disagree, but I think your comments are both nonconstructive and off topic. If you wanted to do something that is actually constructive, you could perhaps create a systemd-less guide yourself as an alternative.

Re: Running testing/unstable applications in Debian stable

Post by fsmithred » 2016-08-10 01:09

Here's an alternate way to do the same thing without systemd-nspawn:

Do the debootstrap install and create a user as described above. (Note: in this case, the user does not need to be the same as the user on the host system. Edit: Looks like the uid and gid do need to be the same, but the name can be different.)
Set a root password. (You could probably set up sudo as described above, but I've never done that.)

Instead of a debootstrap install, you could use an existing installation on another partition. If so, mount that partition somewhere. For the purpose of this guide, $chrootdir is either the mount point of that other system, or it's the directory where you debootstrapped sid. (i.e. /var/lib/container/sid in the OP.)

Mount some stuff:
Code: Select all
mount --bind /sys $chrootdir/sys
mount --bind /proc $chrootdir/proc
mount --bind /dev $chrootdir/dev
mount --bind /dev/pts $chrootdir/dev/pts


Then go into the chroot:
Code: Select all
chroot $chrootdir


You now have a root shell in the chrooted system (sid). You can run commands as root or 'su $user' to run commands or graphical applications as user.

To run a window manager, you can install the xserver-xephyr package in the chroot. I'll use icewm here for example.*
Code: Select all
apt-get install xserver-xephyr icewm


Switch to unprivileged user and start Xephyr and icewm:
Code: Select all
su $user
Xephyr :1 -screen 1024x768 -resizeable & sleep 2 ; icewm --display=:1


Have fun!

* I know icewm and jwm work. I couldn't get xfce4 to run, and I didn't see how to set the display number with openbox in the five seconds I looked at the man page.

Re: Running testing/unstable applications in Debian stable

Post by Head_on_a_Stick » 2016-08-10 07:27

^ That's brilliant, thanks fsmithred!
:)

I have added a link to your post in the OP.

Re: Running testing/unstable applications in Debian stable

Post by Head_on_a_Stick » 2016-08-10 07:51

Head_on_a_Stick wrote:Once the container is running, $application can be started with this general format:
Code: Select all
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user $application

For use with untrusted programs, try this command instead:
Code: Select all
# systemd-nspawn --directory=/var/lib/container/sid --setenv=DISPLAY=:0 --user=$user --drop-capabilities=CAP_SYS_ADMIN $application

This drops CAP_SYS_ADMIN within the container and should increase security significantly.

Thanks to Mr. Poettering for that tip:
https://lists.freedesktop.org/archives/ ... 28140.html

:D
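
One way to confirm that `--drop-capabilities=CAP_SYS_ADMIN` took effect is to decode the capability masks the kernel reports in /proc/self/status from inside the container. This is an added example, not part of the original post; the function names are made up and the sample masks are constructed, not captured from a real nspawn session.

```shell
#!/bin/sh
# Added example (not from the original post): read the capability masks in a
# /proc/<pid>/status file and test them for CAP_SYS_ADMIN.
CAP_SYS_ADMIN=21    # capability number from <linux/capability.h>

# cap_mask FIELD FILE -> prints the hex mask of FIELD (CapBnd, CapEff, ...).
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; found = 1; exit }
                    END { exit !found }' "$2"
}

# mask_has_cap HEXMASK CAPNUM -> exit status 0 if bit CAPNUM is set.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sys_admin_dropped FILE -> 0 if CAP_SYS_ADMIN is absent from both sets,
# 1 if it is still present, 2 if FILE lacks one of the fields.
# CapBnd matters even for an unprivileged --user: it is the ceiling on what
# a setuid-root program such as sudo can acquire.
sys_admin_dropped() {
    for field in CapBnd CapEff; do
        mask=$(cap_mask "$field" "$1") || return 2
        if mask_has_cap "$mask" "$CAP_SYS_ADMIN"; then
            echo "$field=$mask still contains CAP_SYS_ADMIN" >&2
            return 1
        fi
    done
    return 0
}

# Demo on a constructed status excerpt (bit 21 cleared in CapBnd).
# Inside the container, run: sys_admin_dropped /proc/self/status
sample=$(mktemp)
printf 'Name:\tfoobar\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffdfffff\n' > "$sample"
if sys_admin_dropped "$sample"; then echo "CAP_SYS_ADMIN dropped"; fi
rm -f "$sample"
```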
