Preferred Program

Webinars

Special Interest Groups

RDK-B Working Groups
RDK-V Working Groups
UI-UX Research and Development
DAC

Conferences

[Americas Summit]
[Euro Summit]
[Technology Summit]

Preferred Resources

Skip to end of metadata
Go to start of metadata

It would be advantageous to ensure Dobby can run OCI images based on the Alpine linux distribution (https://alpinelinux.org/). Initial testing shows a few potential issues with Alpine based images that need further investigation.

Images based on alpine that may be applicable to embedded devices:

Plugin Issues

The startContainer hook runs inside the container namespace, meaning the Dobby PluginLauncher, all plugin .so files and any dependant libraries must be available within the container namespace for the hook to execute and run. This causes an issue with alpine as it uses musl libc and the host uses glibc. There are also issues with overriding libraries in the container with ones from the host - e.g. libstdc++.so, as they likely have different symbols.

Static Link Plugins & Plugin Launcher

Statically linking both plugins & plugin launcher would remove the need to mount in all the dependant libs into the container.

Downsides:

Mount Plugin Libs in private location

Mount the dependencies for all plugins into a non-standard directory, and set the LD_LIBRARY_PATH env var in the startContainer hook to this directory. This means the hook would use the libraries bind mounted from the host over any included in the container

Downsides:

  • Still need to enumerate a list of all dependencies needed by plugins for bundlegen
  • Could miss a necessary dependency, causing failure to run plugins

^^ Fixed by removing the startContainer hook https://github.com/rdkcentral/Dobby/pull/66

Permissions

Initial testing shows a potential issue with alpine images where the user in the container shows as root, but does not actually have root permissions. Commands that require root permissions fail. User namespaces were disabled for this test container, so the container is running as root:

root     10226  0.0  0.1   2880  1080 pts/0    S+   14:19   0:00      \_ crun run foo
root     10237  0.0  0.0   2836   560 pts/0    Ss   14:19   0:00          \_ /usr/libexec/DobbyInit /bin/sh
root     10259  0.0  0.1   1336   856 pts/0    S+   14:19   0:00              \_ sh
/ # whoami
root
/ # touch /etc/foo.txt
touch: /etc/foo.txt: Permission denied
/ # apk add strace
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied

This is possibly related to not having enough UID/GIDs available within the container - need to investigate shadow-utils (https://github.com/shadow-maint/shadow and https://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-extended/shadow)


  • No labels