Trying to run caddy rootless/jailed, utrace not available

I’m trying to package caddy for my Omnia running 7.0.0 RC. Since I don’t want to run it as root I’m following these instructions which would involve running /sbin/utrace /usr/bin/caddy to check the capabilities it needs.

On my regular OpenWrt systems utrace is part of the procd-seccomp package, but that package has been removed by the Turris team because seccomp is apparently not available for arm64?!
Is that still the case? Would running utrace even help me in this case if seccomp isn’t available?

This is my first adventure into OpenWrt packaging so I’m mostly trying to figure out if what I’m doing is pointless and running caddy as root is the only option for now, or am I missing something completely here? :thinking:

Running in a container is another way to increase isolation. I’d say it’s better than seccomp, but perhaps depends… on your priorities, etc.

EDIT: for containers on Turris you’d typically use LXC: LXC - Turris Documentation

1 Like

That’s true, I thought about that before starting to dive into packaging, but I’d really like to avoid the added complexity.
The nice thing about caddy is that it’s just a single Go binary; running it inside a container kinda defeats the purpose for my use case (internal CA / reverse proxy).

LXC would need external storage (or should have) and I don’t have that enabled/available.

Some time ago I asked to bring back SECCOMP in kernel and finally Turris team responded:

There is a merge request milestoned for 7.1.0

3 Likes

That’s great news!

So I’m just going to package it as root for now and revisit this at a later point once the next version gets released.

You saved me a lot of time, thanks :smiley:
