Diego Call.

+Lennart Poettering just posted the 21st part of the systemd For Administrator series, this time covering container integration. Enjoy!

Firefox's JavaScript engine is the fastest

http://robert.ocallahan.org/2014/10/are-we-fast-yet-yes-we-are.html
Spidermonkey has passed V8 on Octane performance on arewefastyet, and is now leading V8 and JSC on Octane, Sunspider and Kraken. Does this matter? Yes and no. On one hand, it's just a few JS benchmarks, real-world performance is much more complicated, and it's entirely possible that V8 (or even ...

Minimal Fedora installation with:
  /usr/share/factory/
and
  $ rm -rf /etc/* /var/*
support.

The first boot with an empty /etc will trigger this:
  Initializing machine ID from random generator.
  ...
  Starting Create System Users...
  Starting Rebuild Hardware Database...
  Starting Rebuild Dynamic Linker Cache...
  Starting Rebuild Journal Catalog...
  ...

"Broken" facilities regarding files in /etc are: pam, pki, yum; they need to be re-created from /usr/share/factory/etc/ at the first bootstrap boot. Details are in the installer.sh script.
  $ sudo ./installer.sh /dev/sdb
  ### installing Fedora rawhide at /dev/sdb
  [...]
  $ sudo mount /dev/sdb2 /mnt
  $ sudo make install DESTDIR=/mnt
  $ sudo rm -rf /mnt/etc/* /mnt/etc/.* /mnt/var/*
  $ sudo umount /mnt
  $ sudo systemd-nspawn -b -i /dev/sdb
  Spawning container sdb on /dev/sdb.

I just added two new service sandboxing features to +systemd: the ReadOnlySystem= and ProtectedHome= settings for services. The former mounts /usr and /boot read-only for the specific service, the latter mounts /home and /run/user either read-only or replaces them with an empty, inaccessible directory. With these easy options we hence can make sure now that specific services don't get the chance to modify the operating system itself, or to get access to the user's personal data.

I have also now enabled this functionality for all of systemd's own long-running services. Of course, ideally we get all of Fedora to enable these settings for all long-running services. This should improve our security quite a bit by default, in particular for network-facing services.

Of course, if you know systemd well you know that something like this was already possible with appropriate settings for ReadOnlyDirectories= and InaccessibleDirectories=. Internally, these options build on the same mechanisms, however, our intention here is to make these simple booleans, so that they can be one-stop, simple solutions to making the system more secure.

And yupp, of course, if your daemon retains CAP_SYS_ADMIN then it can undo the effect, so best is to combine these settings with CapabilityBoundingSet=~CAP_SYS_ADMIN. But even without that these settings should be an improvement.

This of course works on top of other ways to protect the OS and user data, for example on top of classic UNIX access controls or SELinux. While these mostly focus on individual files and fine-grained access control to them, with pretty big holes for the root user, our new settings are very simple, broad levers that even affect the root user fully (well, modulo the CAP_SYS_ADMIN thing)...
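As an added example (not systemd's own code and not part of the post above), a small Python audit that reads a unit file's text and reports whether the two new settings are enabled and whether CAP_SYS_ADMIN is still in the bounding set, which is the caveat the post raises. It uses the option names as the post spells them, although released systemd ships them as ProtectSystem= and ProtectHome=; the unit text it checks is constructed.

```python
# Option names as written in the post; released systemd spells them
# ProtectSystem= and ProtectHome=, so adjust HARDENING_KEYS for real units.
HARDENING_KEYS = ("ReadOnlySystem", "ProtectedHome")
ENABLED_VALUES = {"1", "yes", "true", "on", "read-only"}
# Constructed unit text: /usr mounted read-only, but CAP_SYS_ADMIN kept.
SAMPLE_UNIT = "[Service]\nExecStart=/usr/bin/example-daemon\nReadOnlySystem=yes\n"


def service_pairs(unit_text):
    """(key, value) pairs of [Service] in file order; repeated keys are kept."""
    pairs, in_service = [], False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def sys_admin_retained(pairs):
    """systemd.exec merge rules: plain list replaces/ORs in, ~list removes, empty resets."""
    retained, assigned = True, False
    for key, value in pairs:
        if key != "CapabilityBoundingSet":
            continue
        if not value:
            retained, assigned = True, False
            continue
        caps = set(value.lstrip("~").upper().split())
        if value.startswith("~"):
            retained = retained and "CAP_SYS_ADMIN" not in caps
        elif assigned:
            retained = retained or "CAP_SYS_ADMIN" in caps
        else:
            retained = "CAP_SYS_ADMIN" in caps
        assigned = True
    return retained


def audit_unit(unit_text):
    pairs = service_pairs(unit_text)
    last = dict(pairs)  # last assignment wins for the boolean options
    enabled = {k: last.get(k, "").lower() in ENABLED_VALUES for k in HARDENING_KEYS}
    warnings = [f"{k}= not enabled" for k, on in enabled.items() if not on]
    keeps_admin = sys_admin_retained(pairs)
    if any(enabled.values()) and keeps_admin:
        warnings.append("CAP_SYS_ADMIN retained: the service can undo the mounts")
    return {"enabled": enabled, "sys_admin": keeps_admin, "warnings": warnings}
```

Running audit_unit(SAMPLE_UNIT) flags both the missing ProtectedHome= and the retained CAP_SYS_ADMIN; adding ProtectedHome=read-only and CapabilityBoundingSet=~CAP_SYS_ADMIN clears both warnings.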

It was pointed out to me that if you go look at the list of components in the recent webOS based TV from LG, you'll find Wayland and QtWayland there.

Look closely! Our Curiosity Mars rover and its tracks are visible in this view from orbit, acquired on April 11 by the High Resolution Imaging Science Experiment (HiRISE) camera on our Mars Reconnaissance Orbiter. The rover is near the largest butte in the lower left quadrant of the image, at about a two o'clock position relative to the butte. It appears bright blue in the exaggerated color of this image. Curiosity entered the area included in this image on March 12, along the tracks visible near the upper left corner.

The multi-layered location filling much of the left half of this image is called "the Kimberley." Curiosity's science team chose it, based on other HiRISE images, as a potential gold mine for the rover mission. Black gold, that is, as organic material that, if found at the Kimberley could be a biomarker (sign of past life) -- the holy grail of Mars exploration.

Image credit: NASA/JPL-Caltech/Univ. of Arizona

#mars #marscuriosity #msl #hirise #uarizona #planets #space #nasa #science


More people have been asking me when this would be submitted, than any other bit of kernel code I have ever worked on.

The wait is now over.

Seems the Skype team over at Microsoft have released a new version and are dropping support for non-PulseAudio setups on Linux.

systemd-nspawn successfully booting a rootfs directory containing nothing but a /usr directory:

  # mkdir /tmp/newsystem
  # cp -ax /usr /tmp/newsystem
  # ./systemd-nspawn -b -D /tmp/newsystem
  Spawning container newsystem on /tmp/newsystem.
  ...

For everybody who was questioning why we needed to move /bin, /sbin, /lib, /lib64 to /usr instead of spreading the installed operating system over many directories, here is your use case.

PAM, yum, pki, dbus-1 are still broken regarding the "empty /etc model", and need to be fixed.

  # mkdir /tmp/newsystem
  # cp -ax /mnt/usr /tmp/newsystem
  # ./systemd-nspawn -b -D /tmp/newsystem
  Spawning container newsystem on /tmp/newsystem.
  Press ^] three times within 1s to kill container.
  Failed to correct timezone of container: No such file or directory
  systemd 214 running in system mode.

Orbaneja del Castillo, #Burgos. 15/05/2014 at 11:45. Thanks to our friends at La Morada del Cid for their wise advice.

4chan has started implementing the ability to use .webm video as a replacement for .gifs

This kills the gif