Recent Features
| |||||||||||||
Bedrock LinuxBedrock LinuxPosted Sep 14, 2012 22:40 UTC (Fri) by paradigm (guest, #86730)Parent article: Bedrock Linux
Hello, I am the founder/lead dev of Bedrock Linux. I was initially extremely anxious when I learned that LWN had an article on my project, as I have a tremendous amount of respect for wonderful folks at LWN, and couldn't bear to hear a negative response from them. Suffice it to say my worry was for naught. The article is, like usual, spot on.
Well, baring one extremely minor issue with the article: I am utilizing Linux capabilities in place of full setuid binaries for the one Bedrock-specific area it is needed. I typically see Linux capabilities contrasted against setuid, and thus unless I am mistaken it would be technically incorrect to describe a Linux capability'd executable as setuid. For what it is worth, the only capability needed (both in the current and upcoming release) is CAP_SYS_CHROOT.
I experimented with utilizing namespaces to handle the unusual filesystem layout requirements but ran into some difficulties. I might revisit the possibility in the future, if not for filesystem then for process isolation, such that I could have multiple init programs each think they are PID 1. This could be a reasonable start for automating boot items, and as the article pointed out automating boot scripts from clients is one area that needs a lot of work.
I'm not sure I follow why the discussed FAQ entry is an amusing read. If I've done something silly, I'm read to admit fault and try to remedy it, if it could be stated more directly. The main issue is limited developer time - I haven't yet had time to write an installer, and I am not confident I will be able to stay on top of pushing out updates for upstream security issues (most notably the kernel). I'm hoping to eventually find a way to use a client's kernel for Bedrock, and just let the client update the kernel as it normally would.
I'd also like to note that, despite being in alpha, Bedrock Linux is quite functional. I have been using it as my primary system on all of my machines (baring the VPS that hosts the website) for quite a while before it ever went public. However, it is certainly very do-it-yourself right now, subject to big changes at this point, and has a few more known issues than I feel comfortable with in a stable release.
Thank you Mr. Corbert for the well written article.
(Log in to post comments)
Bedrock Linux Posted Sep 15, 2012 1:22 UTC (Sat) by paradigm (guest, #86730) [Link]
s/Corbert/Corbet
I've read the name a few times a week for years; I should get it right >.<
My apologies.
Bedrock Linux Posted Sep 15, 2012 20:41 UTC (Sat) by cmccabe (guest, #60281) [Link]
> I'm not sure I follow why the discussed FAQ entry is an amusing
> read. If I've done something silly, I'm read to admit fault and > try to remedy it, if it could be stated more directly.
Doesn't it seem silly not to have an installer? Might limit the number of, um, installs.
Sounds like a fun project, though. I bet you'll learn a lot at the very least.
Bedrock Linux Posted Sep 15, 2012 22:14 UTC (Sat) by paradigm (guest, #86730) [Link]
> Doesn't it seem silly not to have an installer? Might limit the number of, um, installs.
Well yes, of course. I most definitely want one and expect Bedrock Linux will have one eventually - almost certainly before the first stable release. However, I remain concerned about the items listed in the FAQ entry. The items listed are non-issues for most other distros as they either (1) have a large team including dedicated security update people, or (2) are based on and heavily pull from an existing distribution. Bedrock Linux isn't really in that position. From what I can tell, other small-team non-derived distros in Bedrock's position just don't worry about the things I am. Perhaps I am setting my standards to high.
> Sounds like a fun project, though. I bet you'll learn a lot at the very least.
Oh, it most certainly is, and I can happily say I've already learned quite a bit.
Bedrock Linux Posted Sep 15, 2012 23:19 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]
Just curious. Is there a reason you are not using namespaces?
Bedrock Linux Posted Sep 16, 2012 0:05 UTC (Sun) by paradigm (guest, #86730) [Link]
A combination of the following three things:
1. I had difficulties with early experimentation with namespaces, mostly due to gaps in my knowledge about them.
2. I wanted to get something functional done by certain self-imposed deadlines, even if it is built on work which would later be scrapped. I simply reached the point where I could do what is being done in the current release of Bedrock Linux before I learned enough to do something comparable with namespaces. Bedrock Linux is the OS I've wanted for years. Despite the issues pointed out in the article above (all of which I agree with), its very nice to finally have and use it.
3. Insufficient knowledge in how namespaces would be preferable to what I already know how to do for the upcoming release (namely, going into and breaking out of chroots with a capabilities/setuid'd executable). While there are issues with the current system, the new system should fix most if not all of them fairly cleanly, and will likely be faster for me to implement than anything with namespaces.
If there are good reasons for using namespaces over the plans for the next release, I'd be happy to switch tracks, or stay on track for the upcoming release and plan to move to namespaces for the next one. The issue could simply be a failure on my part to learn enough about namespaces - perhaps my google-fu is simply to weak. I would be greatly appreciative if someone could point me in the right direction to learn more.
|
|||||||||||||