[pkg-lxc-devel] Bug#847491: lxc: please put the lxc-unshare and lxc-usernsexec tools into their own binary package

[Johannes Schauer]

Package: lxc
Version: 1:2.0.5-1
Severity: wishlist
Tags: patch

Hi,

with this bug I want to propose a patch against the lxc source package
which splits out the lxc-unshare and lxc-usernsexec utilities into their
own binary package. It follows the rationale.

The lxc package currently contains the two tools lxc-unshare and
lxc-usernsexec. The only thing that these tools have in common with the
other lxc tools is that they are prefixed with "lxc-". They are not
manipulating any lxc containers. Still, these two binaries provide some
very powerful facilities which are so far unique in Debian: they allow
to easily enter a new user namespace and unshare several other
namespaces from within it. There exists the "unshare" utility from the
util-linux binary package, but that one doesn't offer all the
functionality that the lxc-unshare and lxc-usernsexec tools offer. One
important limitation of the unshare tool is, that it doesn't yet allow
mounting /proc which is a crucial drawback. So even though the
lxc-unshare tool is described as "mainly provided for testing purposes"
in its man page, it is so far the only tool in Debian which allows
easily setting up fully-fledged (including /proc) unprivileged chroots
from within shell scripts.

One problem right now is, that to acquire the lxc-unshare and
lxc-usernsexec utilities, one has to install the full lxc package. Due
to its dependencies, that can mean up to 95.5 MB of additional disk
space being required for 74 new packages. Even when installing with
--no-install-recommends, still 33.2 MB of additional disk space will be
used for 22 new packages. It would make things much more light-weight if
the two tools would live in their own binary package because that would
limit the amount of additionally required disk space to 1172 kB for just
5 more packages on top of a minimal installation.

The attached patch adds the lxc-userns-tools binary package. The name is
obviously free to be changed to something else. I also let the lxc
package depend on the lxc-userns-tools package. That way, existing users
of the lxc package will not see a difference in provided functionality.
The main overhead and complication that this patch adds are much longer
*.install files but since you are also using "dh_install --fail-missing"
there is no way that the list in lxc.install could become outdated in
the future without you noticing via a build failure.

What do you think?

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Move-lxc-unshare-and-lxc-usernsexec-to-a-new-binary-.patch
Type: text/x-diff
Size: 6159 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lxc-devel/attachments/20161208/7481118f/attachment.patch>