
pid_eins

@pid_eins@mastodon.social

⛵ I write software. ⛵


pid_eins, to random

1️⃣5️⃣ Here's the 15th installment of posts highlighting key new features of the upcoming v256 release of systemd.

systemd integrates with many components of the OS. Due to this it links against various external libraries. Generic distributions – which typically enable all features a package provides – usually have to deal with relatively large dependency trees in cases like this.

pid_eins, (edited) to random

1️⃣4️⃣ Here's the 14th installment of posts highlighting key new features of the upcoming v256 release of systemd.

This one is going to be a quick one. Previously, you had to specify a block device name when invoking systemd-cryptenroll, to specify which encrypted volume to enroll your PKCS11/TPM2/FIDO2 device to. This is now optional. If no device is specified, then the tool will now automatically look for the device behind the /var/ directory and operate on that.

pid_eins, to random

1️⃣3️⃣ Here's the 13th installment of posts highlighting key new features of the upcoming v256 release of systemd.

ssh is widely established as the mechanism for controlling Linux systems remotely, both interactively and with automated tools. It not only provides means for secure authentication and communication for a tty/shell, but also does this for file transfers (sftp), and IPC communication (D-Bus or Varlink).

pid_eins, to random

Even though Fedora probably is kinda popular among developers, it sometimes baffles me what is and what isn't packaged in Fedora.

I mean come on, how is it possible that there's no meson mode packaged for emacs on Fedora?

I mean, it's pretty obvious: if Fedora wants to be taken seriously as a developer platform, I think it's pretty obvious that this is a glaring omission, like no other! 🤓

pid_eins, to random

1️⃣2️⃣ Here's the 12th installment of posts highlighting key new features of the upcoming v256 release of systemd.

Putting a PC to sleep is complicated business and there are different mechanisms available to achieve this on Linux. Broadly speaking there is suspend-to-ram and suspend-to-disk, as well as combinations of this: one where we suspend to both, and one where we first suspend-to-ram and then later change to suspend-to-disk, if we have slept for a long time, or the battery is running empty.

pid_eins, to random

1️⃣1️⃣ Here's the 11th installment of posts highlighting key new features of the upcoming v256 release of systemd.

There are multiple network management services in popular use on Linux. In systemd we ship systemd-networkd, and of course think it's the best choice. Weirdly, some people disagree though, and that creates problems of ownership: you either have to use one or the other network management service (i.e. either systemd-networkd OR NetworkManager), or you have to carefully make…

pid_eins, to random

1️⃣0️⃣ Here's the 10th installment of posts highlighting key new features of the upcoming v256 release of systemd.

You might be aware of systemd-sysext: a component of systemd that can overlay immutable disk images (DDIs) on top of /usr/, to extend it in a secure, and again, immutable fashion. It has a companion tool systemd-confext that does the same over /etc/.

pid_eins, to random

9️⃣ Here's the 9th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am sure you are aware of systemd-nspawn, systemd's minimal container manager focussed on full OS containers, that can boot up a Linux image from an OS in a disk image or from a directory. systemd-nspawn was originally a development tool, to make it easy for us to develop the service manager without constantly having to reboot.

Nowadays it's a lot more than that, …

pid_eins, to random

8️⃣ Here's the 8th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

You might be aware of systemd-homed, a small service in systemd which can manage encrypted, portable home directories for you. It supports multiple storage backends, but the most relevant maintains a per-user LUKS disk image for each home directory, and ties the encryption of it to your user's authentication credentials. It supports FIDO2 and PKCS11 (in addition…

pid_eins, to random

Seems it's that season of the year again, where I get to populate my blocklists of assholes on the Internet.

Good to get a personal refresher on how the wider audience on the Internet behaves. 🤮

pid_eins, to random

7️⃣ Here's the 7th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

In systemd we put a lot of focus on operating with disk images, specifically file system images that carry an expressive GPT partition table – something that we call DDIs ("Discoverable Disk Images").

pid_eins, to random

6️⃣ Here's the 6th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

In the 2nd installment of this series we have already discussed system and service credentials in systemd a bit. Quick recap: these are smallish blobs of data that can be passed into a service in a secure way, to parameterize, configure it, and in particular to pass secrets to it (passwords, PINs, private keys, …).

pid_eins, to random

5️⃣ Here's the 5th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am pretty sure all of you are well aware of the venerable "sudo" tool that has been a key component of most Linux distributions for a long time. At the surface it's a tool that allows an unprivileged user to acquire privileges temporarily, from within their existing login sessions, for just one command, or maybe for a subshell.

"sudo" is very very useful, as it…

pid_eins, (edited) to random

4️⃣ Here's the 4th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

You might be aware of systemd's per-service setting "ProtectSystem=". When used it ensures the service lives in its own mount namespace, detached from the host's, and various key directories become read-only to the service, in particular /usr/. This reflects the fact that there's very little code that should ever be able to write to /usr/.

pid_eins, to random

3️⃣ Here's the 3rd installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

You might have heard of the sd_notify() protocol that services running on systemd can use to notify the service manager about status changes, in particular about service readiness. systemd uses that to synchronize start, reload and stop operations between daemon code and service manager (as well as a multitude of other things).

pid_eins, (edited) to random

2️⃣ Here's the 2nd installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

This time we'll talk about encrypted credentials. Credentials are these little pieces of information that you can pass into systemd systems and into system services. They can carry secrets but also other kinds of parameters. One key feature is that they can be encrypted while at rest, locked against the system's TPM…

pid_eins, (edited) to random

1️⃣ So let's try something new. As we are closing in on tagging systemd v256-rc1, let's see if I manage to post a brief mastodon item about major new features of the upcoming release, every few days until the final release of v256. I figure not everyone reads NEWS files, even if curious. Hence let's start today with the 1st post: the new .v/ directories. You know those .d/ directories that are quite popular in low-level Linux packages these days? While .d/ dirs never have been formalized properly…

pid_eins, to random

A while back we started to turn many of the library dependencies of systemd from regular ELF dependencies (which you can explore with tools like lddtree or readelf -d … | grep NEEDED) into dlopen() deps, in order to minimize the dep footprint of systemd. The primary reason for this was to make it easier to build small disk images without optional components, in particular for the purpose of initrds or container deployments. Recently, another reason for doing this came into focus:

pid_eins, to random

This is such a bad bad API compat breakage:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e81cd5a983bb35dabd38ee472cf3fea1c63e0f23

It's used all over the place in userspace. In systemd we use it:

  1. To detect if a block device has partition scanning off or on.
  2. In our udev test suite, to validate devices are in order.
  3. udev rules use it for some feature checks (in older versions of systemd).

And it's even a frickin documented userspace API:

https://www.kernel.org/doc/html/v5.5/block/capability.html

So much about that nonsensical "we don't break userspace" kernel mantra.

pid_eins, to random

Credit where credit is due! I'd really like to take a minute and thank Jia Tan for how they helped us to finally get sd_notify() support merged into OpenSSH upstream!

https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Thank you, Jia, you rock!

pid_eins, to random

As you might guess I get a certain amount of "fan" mail regularly. It's usually pretty dumb and not worth mentioning. But sometimes it's so funny that I just have to share the good parts of it. So here are some comments from a recent mail I got (sorry, in German):

Subject: Well, too bad! Switching to Microsoft was definitely the wrong decision

Hi Lennart!

That was quite a surprise for all of us!!!

pid_eins, to random

PSA: In context of the xzpocalypse we now added an example reimplementation of sd_notify() to our man page:

https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes

It's pretty comprehensive (i.e. uses it for reload notification too), but still relatively short.

In the past, I have been telling anyone who wanted to listen that if all you want is sd_notify() then don't bother linking to libsystemd, since the protocol is stable and should be considered the API, not our C wrapper around it. After all, the protocol is so trivial

pid_eins, to random

@grawity Actually I usually tell people to just implement the proto on their own, it's trivial and documented. In particular non-C projects really should use something native rather than wrap libsystemd.

Interestingly, libsystemd in git main doesn't pull in liblzma anymore, as we turned all compression deps into dlopen ones.

Also note that libselinux also pulls in liblzma and libselinux is pulled in by about everything... In particular via libpam.
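A native implementation of the protocol that the two sd_notify() posts above recommend writing yourself, as an added example (this is not the man page's reimplementation and not systemd's code). It assumes only the documented wire format: newline-separated KEY=VALUE pairs sent as one datagram to the AF_UNIX socket named by $NOTIFY_SOCKET, with a leading "@" marking an abstract-namespace socket; demo_roundtrip() is a hypothetical stand-in for the service manager so the block runs without systemd.

```python
"""Native sd_notify() client (added example, not systemd's own code)."""
import os
import socket
import tempfile
import time
from typing import Dict, Optional

def format_message(fields: Dict[str, object]) -> bytes:
    """Serialise KEY=VALUE pairs into the newline-separated wire format."""
    lines = []
    for key, value in fields.items():
        if "\n" in str(value):
            raise ValueError(f"newline not allowed in value of {key}")
        lines.append(f"{key}={value}")
    return ("\n".join(lines) + "\n").encode()

def notify(fields: Dict[str, object], socket_path: Optional[str] = None) -> bool:
    """Send one datagram to $NOTIFY_SOCKET; False (not an error) if it is unset."""
    path = socket_path or os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):  # abstract-namespace socket: leading NUL byte
        addr = "\0" + path[1:]
    elif path.startswith("/"):
        addr = path
    else:
        raise ValueError("NOTIFY_SOCKET must be an absolute or abstract path")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(format_message(fields), addr)
    return True

def notify_ready(status: str = "Ready") -> bool:
    return notify({"READY": 1, "STATUS": status})

def notify_reloading() -> bool:
    """RELOADING=1 plus MONOTONIC_USEC, so the manager can match it to its reload request."""
    usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return notify({"RELOADING": 1, "MONOTONIC_USEC": usec})

def demo_roundtrip() -> bytes:
    """Hypothetical stand-in for the manager: bind a socket, point NOTIFY_SOCKET at it, return the datagram."""
    path = os.path.join(tempfile.mkdtemp(), "notify")
    os.environ["NOTIFY_SOCKET"] = path
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as listener:
            listener.bind(path)
            notify_ready("Listening on port 8080")
            return listener.recv(4096)
    finally:
        del os.environ["NOTIFY_SOCKET"]
```

Because notify() returns False rather than failing when $NOTIFY_SOCKET is absent, the same daemon code runs unchanged under systemd, in a container, or from a shell.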
