[Vm-dev] How to create headless VM without some primitives?

Pierce Ng pierce at samadhiweb.com
Sun Apr 19 02:27:04 UTC 2020


On Fri, Apr 17, 2020 at 01:11:54AM -0500, Erik Stel wrote:
> This would limit the ability to write, but you can't prohibit reading the
> filesystem I think. The VM needs to read the image for one thing. If the VM
> would allow FFI or OSProcess, would it be possible to limit application
> execution using container configuration? Because with FFI/OSProcess a
> (naughty) user could try to gain access to applications or data.

Hi Erik,

My VM is built on Alpine Linux. The official Alpine Linux Docker image
is about 5MB. Adding the VM and plugins (including my own custom
libsqlite3.so and some other shared libraries) gives a Docker image
under 20MB. The size of your application - Smalltalk image, changes if
required, other artefacts - is in your control of course.

While running the application using a non-root dedicated UID does not
prohibit the VM from reading the filesystem (assuming your code allows
it), using Alpine Linux means there is very little in the filesystem to
be read at all. 

See https://www.samadhiweb.com/tags/Alpine%20Linux for some blog posts.
Github here: https://github.com/pharo-contributions/Docker-Alpine

It should be possible to implement more stringent controls using Linux
filesystem ACLs or Docker configuration.

HTH.

Pierce
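A concrete shape for the non-root UID, read-only filesystem and Docker-level controls described above, as an added example that is not code from the Docker-Alpine project or from this thread; the /opt/pharo paths, the VM binary name, the image name and the UID 10001 are assumptions:

```dockerfile
# Added example, not from the Docker-Alpine project. Paths, VM binary name,
# image file names and the UID are assumptions; adjust to your build.
FROM alpine:3.12

# Dedicated unprivileged identity: system account, no password, no home,
# no login shell. Nothing else in the image runs as this user.
RUN addgroup -S -g 10001 pharo \
 && adduser -S -D -H -u 10001 -G pharo -s /sbin/nologin pharo

# VM, plugins and the Smalltalk image are root-owned and world-readable
# (the VM must read the image) but not writable by the application user.
COPY --chown=root:root vm/ /opt/pharo/vm/
COPY --chown=root:root Pharo.image Pharo.changes /opt/pharo/
RUN chmod -R a-w /opt/pharo

WORKDIR /opt/pharo
# Numeric UID:GID so the container does not depend on /etc/passwd lookups.
USER 10001:10001
ENTRYPOINT ["/opt/pharo/vm/pharo", "--headless", "/opt/pharo/Pharo.image"]

# Runtime controls live in Docker configuration, not in the image:
# root filesystem read-only, all capabilities dropped, no privilege
# escalation via setuid binaries, and a small noexec tmpfs as the only
# writable location.
#   docker run --read-only --cap-drop ALL \
#     --security-opt no-new-privileges \
#     --tmpfs /tmp:rw,noexec,nosuid,size=64m \
#     pharo-headless
```

With `--read-only` the VM cannot append to Pharo.changes, so code that writes the changes file will fail; that is the intended effect when the goal is to limit writing, but it should be verified against the application before deployment.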


