pid_eins

pid_eins, 1 month ago to random

5️⃣ Here's the 5th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am pretty sure all of you are well aware of the venerable "sudo" tool that is a key component of most Linux distributions since a long time. At the surface it's a tool that allows an unprivileged user to acquire privileges temporarily, from within their existing login sessions, for just one command, or maybe for a subshell.

"sudo" is very very useful, as it…

pid_eins, 2 months ago to random

Credit where credit is due! I'd really like to take a minute and thank Jia Tan how they helped us to finally get sd_notify() support merged into OpenSSH upstream!

https://bugzilla.mindrot.org/show_bug.cgi?id=2641

Thank you, Jia, you rock!

pid_eins, 1 month ago to random

6️⃣ Here's the 6th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

In the 2nd installment of this series we have already discussed system and service credentials in systemd a bit. Quick recap: these are smallish blobs of data that can be passed into a service in a secure way, to parameterize, configure it, and in particular to pass secrets to it (passwords, PINs, private keys, …).

pid_eins, 1 month ago to random

1️⃣3️⃣ Here's the 13th installment of posts highlighting key new features of the upcoming v256 release of systemd.

ssh is widely established as the mechanism for controlling Linux systems remotely, both interactively and with automated tools. It not only provides means for secure authentication and communication for a tty/shell, but also does this for file transfers (sftp), and IPC communication (D-Bus or Varlink).

pid_eins, 5 months ago to random

Here's a fun little thing we commited to systemd the other day: the concept of .v/ directories. What do we mean by that? Many of systemd's commands that take big resource files that are often versioned (e.g. a disk image file you could pass to sysemd-nspawn's --image= switch) now learnt a magic trick if you pass a path whose last component has the suffix ".v" and is a directory. If so, the tool will iterate through the dir's contents, do a version sort and automatically pick the newest version.

pid_eins, 27 days ago to random

1️⃣5️⃣ Here's the 15th installment of posts highlighting key new features of the upcoming v256 release of systemd.

systemd integrates with many components of the OS. Due to this it links against various external libraries. Generic distributions – which typically enable all features a package provides – usually have to deal with relatively large dependency trees in cases like this.

pid_eins, 5 months ago to random

Here's another little feature we scheduled for the next systemd release. Everyone knows SSH well, and it's great to connect to hosts remotely, and even do file transfer. It's probably the single most relevant way to talk to some host for administration and various other tasks. It's a bit fragile though: it requires networking, and that even if we talk to a local VM or full OS container. But precisely networking is one of the things you might want to administer via SSH, hence you have a cyclic…

pid_eins, 1 month ago to random

7️⃣ Here's the 7th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

In systemd we put a lot of focus on operating with disk images, specifically file system images that carry an expressive GPT partition table – something that we call DDIs ("Discoverable Disk Images").

pid_eins, 11 months ago to random

Quick! Only three more days, and the All Systems Go! 2023 CfP ends! Submit now! https://cfp.all-systems-go.io/all-systems-go-2023/cfp ← ⚡️🏃🏻💨💨

siosm, 5 months ago to fedora

sudo without a setuid binary or SSH over a UNIX socket: https://tim.siosm.fr/blog/2023/12/19/ssh-over-unix-socket/

I have been working on this setup as part of my investigation to reduce our reliance on setuid binaries and trying to figure out alternative for common use cases.

#Fedora #ConfinedUsers #UnixLegacy

pid_eins, 3 months ago to random

Quiz: How many inode types are there on Linux?

You might think the answer to this is 7, i.e. regular files, directories, symlinks, block device nodes, char device nodes, fifos, and sockets. But you are actually are wrong: there's an 8th one. There's the concept of an anonymous inode on Linux which has the file type of zero. You can easily acquire fds to inodes of this type via eventfd(). If you call fstat() on such fds, then (.st_mode & S_IFMT) == 0 will hold. 🤯

pid_eins, 1 month ago (edited 1 month ago) to random

2️⃣ Here's the 2nd installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

This time we'll talk about encrypted credentials. Credentials are these little pieces of information that you can pass into systemd systems and into system services. They can carry secrets but also other kinds of parameters. One key feature is that they can be encrypted while at rest, locked against the system's TPM…

pid_eins, 4 months ago to random

I reposted @bluca's FOSDEM talk about soft reboot earlier already. Unfortunately Mastodon doesn't allow reposting with a comment, so let's post the video a 2nd time here so that I can comment on it: I think this talk is particularly interesting as it shows a soft-reboot based online OS update on the actual Azure fleet. And that's not just technically exciting I think, but also a first: that you can actually look over Microsoft's shoulder how they make Azure work. Enjoy!

https://fosdem.org/2024/schedule/event/fosdem-2024-3282-soft-reboot-keep-your-containers-running-while-your-image-based-linux-host-gets-updated/

pid_eins, 6 months ago to random

This is the good stuff:

→ https://fedoramagazine.org/create-images-directly-from-rhel-and-rhel-ubi-package-using-mkosi/

written by @zbyszek

pid_eins, 1 month ago to random

9️⃣ Here's the 9th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

I am sure you are aware of systemd-nspawn, systemd's minimal container manager focussed on full OS containers, that can boot up a Linux image from an OS in a disk image or from a directory. systemd-nspawn was originally a development tool, to make it easy for us to develop the service manager without constantly having to reboot.

Nowadays it's a lot more than that, …

pid_eins, 11 months ago to random

interesting: https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/

pid_eins, 29 days ago (edited 29 days ago) to random

1️⃣4️⃣ Here's the 14th installment of posts highlighting key new features of the upcoming v256 release of systemd.

This one is going to be quick one. Previously, you had to specify a block device name when invoking systemd-cryptenroll, to specify which encrypted volume to enroll your PKCS11/TPM2/FIDO2 device to. This is now optional. If no device is specified, then the tool will now automatically look for the device behind the /var/ directory and operate on that.

pid_eins, 1 month ago to random

1️⃣1️⃣ Here's the 11th installment of posts highlighting key new features of the upcoming v256 release of systemd.

There are multiple network management services in popular use on Linux. In systemd we ship systemd-networkd, and of course think it's the best choice. Weirdly, some people disagree though, and that creates problems of ownership: you either have to use one or the other network management service (i.e. either systemd-networkd OR NetworkManager), or you have to carefully make…

pid_eins, 7 months ago to random

Woohoo, we just released systemd v255-rc1:

https://github.com/systemd/systemd/releases/tag/v255-rc1

What an awesome release!

pid_eins, 2 months ago to random

This is such a bad bad API compat breakage:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e81cd5a983bb35dabd38ee472cf3fea1c63e0f23

It's used all over the place in userspace. In systemd we use it:

1. to detect if a block device has partition scanning off or on
2. In our udev test suite, to validate devices are in order
3. udev rules use it for some feature checks (in older versions of systemd).

And it's even a frickin documented userspace API:

https://www.kernel.org/doc/html/v5.5/block/capability.html

So much about that nonsensical "we don't break userspace" kernel mantra.