Consider this advice for choosing and working with a cloud service provider that keeps sysadmins—and their responsibility for improving, troubleshooting, and maintaining infrastructure—at the forefront.
I recently blogged about how to run a volatile systemd-nspawn container from your host's /usr/ tree, for quickly testing stuff in your host environment, sharing your home directory, but all that without making a single modification to your host, and on an isolated node.
The one-liner discussed in that blog story is great for testing during system software development. Let's have a look at another systemd tool that I regularly use to test things during systemd development, in a relatively safe environment, but still taking full benefit of my host's setup.
For a while now, systemd has been shipping with a simple component called systemd-sysext. Its primary use case goes something like this: on one hand OS systems with immutable /usr/ hierarchies are fantastic for security, robustness, updating and simplicity, but on the other hand not being able to quickly add stuff to /usr/ is just annoying.
systemd-sysext is supposed to bridge this contradiction: when invoked it will merge a bunch of "system extension" images into /usr/ (and /opt/ as a matter of fact) through the use of read-only overlayfs, making all files shipped in the image instantly and atomically appear in /usr/ during runtime — as if they always had been there. Now, let's say you are building your locked down OS, with an immutable /usr/ tree, and it comes without the ability to log in, without debugging tools, without anything you want and need when trying to debug and fix something in the system. With systemd-sysext you could use a system extension image that contains all this, drop it into the system, and activate it with systemd-sysext so that it genuinely extends the host system.
Red Hat OpenShift Service on AWS is a version of the Red Hat OpenShift hosting service managed by Amazon Web Services (AWS). Although your cluster's own integrity is secure in that environment, communicating safely outside the cluster requires considerable setup. In this article, you'll learn how to connect securely through a firewall to the internet while keeping your cluster in a private workspace. We use Amazon's Virtual Private Cloud (VPC), Security Token Service (STS), and AWS Transit Gateway to effect secure connections.
I lead an engineering services team that is responsible for a lot of custom development. In my experience, when engineers think about diversity, we tend to focus on skill sets.
Real-time Ubuntu 22.04 LTS Beta - Now Available
Based on upstream v5.15, the 22.04 LTS kernel integrates the out-of-tree PREEMPT_RT patch for x86_64 and AArch64 architectures. Once in GA, the new real-time kernel will power the next generation of robotics, IoT, and telco innovations by providing a deterministic response time to their extreme low-latency requirements.
Security Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation
Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.
Microsoft finds Linux desktop flaw that gives root to untrusted users [Ed: As if local privilege escalation is anywhere near as severe as remotely-reachable back doors in Windows. Microsoft is "concerned" about Linux security like wolves are concerned about the safety of sheep.]
Vulnerabilities recently discovered by Microsoft make it easy for people with a toehold on many Linux desktop systems to quickly gain root system rights—the latest elevation of privileges flaw to come to light in the open source OS.
New Nimbuspwn Linux vulnerability gives hackers root privileges [Ed: While CISA admits Microsoft is full of holes that are actively exploited, Microsoft and its faithful media operative try to shift attention to "Linux"]
Security researchers at Microsoft disclosed the issues in a report today noting that they can be chained together to achieve root privileges on a vulnerable system.
“Dirty Pipe” Linux vulnerability now being exploited [Ed: This was patched a very long time ago; meanwhile, there are dozens of zero-day flaws in Windows that are remotely exploitable, not local privilege escalation]
The Linux vulnerability dubbed Dirty Pipe is now being actively exploited in the wild, CISA has confirmed. (Assigned CVE-2022-0847 and first publicly disclosed on March 7, the escalation of privileges (EOP) vulnerability exists in all Linux kernel versions from 5.8 forward and lets a read-only attacker gain root.)
New EasyOS and Other Development News
EasyOS was created in 2017, derived from Quirky Linux, which in turn was derived from Puppy Linux in 2013. Easy is built in woofQ, which takes as input binary packages from any distribution, and uses them on top of the unique EasyOS infrastructure.
Throughout 2020, the official release for x86_64 PCs was the Buster-series, built with Debian 10.x Buster DEBs.
EasyOS has also been built with packages compiled from source, using a fork of OpenEmbedded (OE). Currently, the Dunfell release of OE has been used, to compile two sets of binary packages, for x86_64 and aarch64.
The latter have been used to build EasyOS for the Raspberry Pi4, and the first official release, 2.6.1, was in January 2021.
The page that you are reading now has the release notes for EasyOS Dunfell-series on x86_64 PCs, also debuting in 2021.
Ongoing development is now focused on the x86_64 Dunfell-series. The last version in the x86_64 Buster-series is 2.6.2, on June 29, 2021, and that is likely to be the end of that series. Releases for the Pi4 Dunfell-series are still planned but very intermittent.
The version number is for EasyOS itself, independent of the target hardware; that is, the infrastructure, support-glue, system scripts and system management and configuration applications.
The latest version is becoming mature, though Easy is an experimental distribution and some parts are under development and are still considered as beta-quality. However, you will find this distro to be a very pleasant surprise, or so we hope.
These are the project tarballs used to build the upcoming EasyOS version 3.4.7.
These can also be set up to stream video onto a computer screen.
I was thinking of buying a USB webcam; however, all of these considerations are overlooking something -- the modern smartphone.
Phones these days have incredible optics. This is despite the thin physical constraints -- that they are getting around by having multiple lenses. The pixel sizes are enormous, and the processing power is incredible. A lot of research goes into developing the cameras in phones, and mass production means they are relatively cheap.
I have compiled two dependencies in OpenEmbedded, 'libplist' and 'libusbmuxd', as well as the userland executable for 'droidcam'.
The executable is 'droidcam-cli' and I intend to include it in the upcoming Easy 3.4.7. Running 'droidcam-cli --help' shows the command-line options, and we can play with it in a terminal, and see if we can get it working with phones.
